Merge pull request github#16665 from geoffw0/yml

C++: Support for extension models (.yml)

Author: MathiasVP

cpp/ql/lib/change-notes/2024-06-14-boost-asio.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* A partial model for the `Boost.Asio` network library has been added. This includes sources, sinks and summaries for certain functions in `Boost.Asio`, such as `read_until` and `write`.

cpp/ql/lib/change-notes/2024-06-14-models-as-data-yml-extensions.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Data models can now be added with data extensions. In this way source, sink and summary models can be added in extension `.model.yml` files, rather than by writing classes in QL code. New models should be added in the `lib/ext` folder.

cpp/ql/lib/ext/Boost.Asio.model.yml

@@ -0,0 +1,26 @@
+extensions:
+  # partial model of the Boost::Asio network library
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: sourceModel
+    data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
+      - ["boost::asio", "", False, "read", "", "", "Argument[*1]", "remote", "manual"]
+      - ["boost::asio", "", False, "read_at", "", "", "Argument[*2]", "remote", "manual"]
+      - ["boost::asio", "", False, "read_until", "", "", "Argument[*1]", "remote", "manual"]
+      - ["boost::asio", "", False, "async_read", "", "", "Argument[*1]", "remote", "manual"]
+      - ["boost::asio", "", False, "async_read_at", "", "", "Argument[*2]", "remote", "manual"]
+      - ["boost::asio", "", False, "async_read_until", "", "", "Argument[*1]", "remote", "manual"]
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: sinkModel
+    data: # namespace, type, subtypes, name, signature, ext, input, kind, provenance
+      - ["boost::asio", "", False, "write", "", "", "Argument[*1]", "remote-sink", "manual"]
+      - ["boost::asio", "", False, "write_at", "", "", "Argument[*2]", "remote-sink", "manual"]
+      - ["boost::asio", "", False, "async_write", "", "", "Argument[*1]", "remote-sink", "manual"]
+      - ["boost::asio", "", False, "async_write_at", "", "", "Argument[*2]", "remote-sink", "manual"]
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["boost::asio", "", False, "buffer", "", "", "Argument[*0]", "ReturnValue", "taint", "manual"]

cpp/ql/lib/ext/empty.model.yml

@@ -0,0 +1,15 @@
+extensions:
+  # Make sure that the extensible model predicates have at least one definition
+  # to avoid errors about undefined extensionals.
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: sourceModel
+    data: []
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: sinkModel
+    data: []
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: []

cpp/ql/lib/qlpack.yml

@@ -14,4 +14,6 @@ dependencies:
   codeql/tutorial: ${workspace}
   codeql/util: ${workspace}
   codeql/xml: ${workspace}
+dataExtensions:
+  - ext/*.model.yml
 warnOnImplicitThis: true

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -78,6 +78,7 @@ private import internal.FlowSummaryImpl
 private import internal.FlowSummaryImpl::Public
 private import internal.FlowSummaryImpl::Private
 private import internal.FlowSummaryImpl::Private::External
+private import internal.ExternalFlowExtensions as Extensions
 private import codeql.mad.ModelValidation as SharedModelVal
 private import codeql.util.Unit
 
@@ -138,6 +139,9 @@ predicate sourceModel(
     row.splitAt(";", 7) = kind
   ) and
   provenance = "manual"
+  or
+  Extensions::sourceModel(namespace, type, subtypes, name, signature, ext, output, kind, provenance,
+    _)
 }
 
 /** Holds if a sink model exists for the given parameters. */
@@ -158,6 +162,8 @@ predicate sinkModel(
     row.splitAt(";", 7) = kind
   ) and
   provenance = "manual"
+  or
+  Extensions::sinkModel(namespace, type, subtypes, name, signature, ext, input, kind, provenance, _)
 }
 
 /** Holds if a summary model exists for the given parameters. */
@@ -179,6 +185,9 @@ predicate summaryModel(
     row.splitAt(";", 8) = kind
   ) and
   provenance = "manual"
+  or
+  Extensions::summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind,
+    provenance, _)
 }
 
 private predicate relevantNamespace(string namespace) {
@@ -323,10 +332,10 @@ module CsvValidation {
       or
       summaryModel(namespace, type, _, name, signature, ext, _, _, _, _) and pred = "summary"
     |
-      not namespace.regexpMatch("[a-zA-Z0-9_\\.]+") and
+      not namespace.regexpMatch("[a-zA-Z0-9_\\.:]*") and
       result = "Dubious namespace \"" + namespace + "\" in " + pred + " model."
       or
-      not type.regexpMatch("[a-zA-Z0-9_<>,\\+]+") and
+      not type.regexpMatch("[a-zA-Z0-9_<>,\\+]*") and
       result = "Dubious type \"" + type + "\" in " + pred + " model."
       or
       not name.regexpMatch("[a-zA-Z0-9_<>,]*") and

cpp/ql/lib/semmle/code/cpp/dataflow/internal/ExternalFlowExtensions.qll

@@ -0,0 +1,27 @@
+/**
+ * This module provides extensible predicates for defining MaD models.
+ */
+
+/**
+ * Holds if an external source model exists for the given parameters.
+ */
+extensible predicate sourceModel(
+  string namespace, string type, boolean subtypes, string name, string signature, string ext,
+  string output, string kind, string provenance, QlBuiltins::ExtensionId madId
+);
+
+/**
+ * Holds if an external sink model exists for the given parameters.
+ */
+extensible predicate sinkModel(
+  string namespace, string type, boolean subtypes, string name, string signature, string ext,
+  string input, string kind, string provenance, QlBuiltins::ExtensionId madId
+);
+
+/**
+ * Holds if an external summary model exists for the given parameters.
+ */
+extensible predicate summaryModel(
+  string namespace, string type, boolean subtypes, string name, string signature, string ext,
+  string input, string output, string kind, string provenance, QlBuiltins::ExtensionId madId
+);

cpp/ql/test/library-tests/dataflow/external-models/asio_streams.cpp

@@ -0,0 +1,107 @@
+
+// --- stub library headers ---
+
+namespace std {
+	typedef unsigned long size_t;
+	#define SIZE_MAX 0xFFFFFFFF
+
+	template <class T> class allocator {
+	};
+
+	template<class charT> struct char_traits {
+	};
+
+	template<class charT, class traits = char_traits<charT>, class Allocator = allocator<charT> >
+	class basic_string {
+	public:
+		basic_string(const charT* s, const Allocator& a = Allocator());
+	};
+
+	typedef basic_string<char> string;
+};
+
+namespace boost {
+	namespace system {
+		class error_code {
+		public:
+			operator bool() const;
+		};
+	};
+	
+	namespace asio {
+		template<typename Protocol/*, typename Executor*/>
+		class basic_stream_socket /*: public basic_socket<Protocol, Executor>*/ {
+		};
+
+		namespace ip {
+			class tcp {
+			public:
+				typedef basic_stream_socket<tcp> socket;
+			};
+		};
+
+		template<typename Allocator = std::allocator<char>> class basic_streambuf {
+		public:
+			basic_streambuf(
+				std::size_t maximum_size = SIZE_MAX,
+				const Allocator &allocator = Allocator());
+		};
+
+		typedef basic_streambuf<> streambuf;
+
+		class mutable_buffer {
+		};
+
+		template<typename Elem, typename Traits, typename Allocator>
+		mutable_buffer buffer(std::basic_string<Elem, Traits, Allocator> & data);
+
+		template<typename SyncReadStream, typename Allocator> std::size_t read_until(
+			SyncReadStream &s,
+			asio::basic_streambuf<Allocator> &b,
+			char delim,
+			boost::system::error_code &ec);
+
+		template<typename SyncWriteStream, typename ConstBufferSequence> std::size_t write(
+			SyncWriteStream &s,
+			const ConstBufferSequence &buffers,
+			boost::system::error_code &ec,
+			int constraint = 0); // simplified
+	};
+};
+
+// --- test code ---
+
+char *source();
+void sink(char *);
+void sink(std::string);
+void sink(boost::asio::streambuf);
+void sink(boost::asio::mutable_buffer);
+
+char *getenv(const char *name);
+int send(int, const void*, int, int);
+
+void test(boost::asio::ip::tcp::socket &socket) {
+	boost::asio::streambuf recv_buffer;
+	boost::system::error_code error;
+
+	boost::asio::read_until(socket, recv_buffer, '\0', error);
+	if (error) {
+		// ...
+	}
+	sink(recv_buffer); // $ ir
+
+	boost::asio::write(socket, recv_buffer, error); // $ ir
+
+	// ---
+
+	std::string send_str = std::string(source());
+	sink(send_str); // $ ir
+
+	boost::asio::mutable_buffer send_buffer = boost::asio::buffer(send_str);
+	sink(send_buffer); // $ ir
+
+	boost::asio::write(socket, send_buffer, error); // $ ir
+	if (error) {
+		// ...
+	}
+}

cpp/ql/test/library-tests/dataflow/external-models/flow.expected

@@ -0,0 +1,2 @@
+testFailures
+failures

cpp/ql/test/library-tests/dataflow/external-models/flow.ext.yml

@@ -0,0 +1,16 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: sourceModel
+    data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
+      - ["", "", False, "ymlSource", "", "", "ReturnValue", "local", "manual"]
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: sinkModel
+    data: # namespace, type, subtypes, name, signature, ext, input, kind, provenance
+      - ["", "", False, "ymlSink", "", "", "Argument[0]", "test-sink", "manual"]
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["", "", False, "ymlStep", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]