Introduce shared taint tracking library

jketema · jketema · commit bdd64ce86d9d · 2023-08-04T22:51:55.000+02:00
diff --git a/config/identical-files.json b/config/identical-files.json
@@ -34,8 +34,6 @@
     "swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl1.qll"
   ],
   "TaintTracking Java/C++/C#/Go/Python/Ruby/Swift": [
-    "cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTracking.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTracking.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTracking.qll",
     "go/ql/lib/semmle/go/dataflow/internal/tainttracking1/TaintTracking.qll",
     "java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTracking.qll",
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/TaintTracking.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/TaintTracking.qll
@@ -25,6 +25,10 @@ import semmle.code.cpp.dataflow.DataFlow2
  * global (inter-procedural) taint-tracking analyses.
  */
 deprecated module TaintTracking {
-  import semmle.code.cpp.dataflow.internal.tainttracking1.TaintTracking
+  import semmle.code.cpp.dataflow.internal.tainttracking1.TaintTrackingParameter::Public
+  private import semmle.code.cpp.dataflow.internal.DataFlowImplSpecific
+  private import semmle.code.cpp.dataflow.internal.TaintTrackingImplSpecific
+  private import codeql.dataflow.TaintTracking
+  import TaintFlowMake<CppOldDataFlow, CppOldTaintTracking>
   import semmle.code.cpp.dataflow.internal.tainttracking1.TaintTrackingImpl
 }
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/TaintTrackingImplSpecific.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/TaintTrackingImplSpecific.qll
@@ -0,0 +1,10 @@
+/**
+ * Provides C++-specific definitions for use in the taint tracking library.
+ */
+
+private import codeql.dataflow.TaintTrackingParameter
+private import DataFlowImplSpecific
+
+module CppOldTaintTracking implements TaintTrackingParameter<CppOldDataFlow> {
+  import TaintTrackingUtil
+}
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
@@ -39,7 +39,7 @@ predicate defaultAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
  * of `c` at sinks and inputs to additional taint steps.
  */
 bindingset[node]
-predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::Content c) { none() }
+predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c) { none() }
 
 /**
  * Holds if `node` should be a sanitizer in all global taint flow configurations
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTracking.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTracking.qll
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/new/TaintTracking.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/new/TaintTracking.qll
@@ -23,6 +23,10 @@ import semmle.code.cpp.dataflow.new.DataFlow2
  * global (inter-procedural) taint-tracking analyses.
  */
 module TaintTracking {
-  import semmle.code.cpp.ir.dataflow.internal.tainttracking1.TaintTracking
+  import semmle.code.cpp.ir.dataflow.internal.tainttracking1.TaintTrackingParameter::Public
+  private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplSpecific
+  private import semmle.code.cpp.ir.dataflow.internal.TaintTrackingImplSpecific
+  private import codeql.dataflow.TaintTracking
+  import TaintFlowMake<CppDataFlow, CppTaintTracking>
   import semmle.code.cpp.ir.dataflow.internal.tainttracking1.TaintTrackingImpl
 }
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/TaintTracking.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/TaintTracking.qll
@@ -19,6 +19,10 @@ import semmle.code.cpp.ir.dataflow.DataFlow
 import semmle.code.cpp.ir.dataflow.DataFlow2
 
 module TaintTracking {
-  import semmle.code.cpp.ir.dataflow.internal.tainttracking1.TaintTracking
+  import semmle.code.cpp.ir.dataflow.internal.tainttracking1.TaintTrackingParameter::Public
+  private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplSpecific
+  private import semmle.code.cpp.ir.dataflow.internal.TaintTrackingImplSpecific
+  private import codeql.dataflow.TaintTracking
+  import TaintFlowMake<CppDataFlow, CppTaintTracking>
   import semmle.code.cpp.ir.dataflow.internal.tainttracking1.TaintTrackingImpl
 }
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingImplSpecific.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingImplSpecific.qll
@@ -0,0 +1,10 @@
+/**
+ * Provides C++-specific definitions for use in the taint tracking library.
+ */
+
+private import codeql.dataflow.TaintTrackingParameter
+private import DataFlowImplSpecific
+
+module CppTaintTracking implements TaintTrackingParameter<CppDataFlow> {
+  import TaintTrackingUtil
+}
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
@@ -112,7 +112,7 @@ predicate defaultAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
  * of `c` at sinks and inputs to additional taint steps.
  */
 bindingset[node]
-predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::Content c) { none() }
+predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c) { none() }
 
 /**
  * Holds if `node` should be a sanitizer in all global taint flow configurations
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTracking.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTracking.qll
diff --git a/shared/dataflow/codeql/dataflow/TaintTracking.qll b/shared/dataflow/codeql/dataflow/TaintTracking.qll
@@ -0,0 +1,84 @@
+/**
+ * Provides classes for performing local (intra-procedural) and
+ * global (inter-procedural) taint-tracking analyses.
+ */
+
+import DataFlow
+import DataFlowImpl
+import DataFlowParameter
+import TaintTrackingParameter
+
+module TaintFlowMake<
+  DataFlowParameter DataFlowLang, TaintTrackingParameter<DataFlowLang> TaintTrackingLang>
+{
+  private import DataFlowLang
+  private import TaintTrackingLang
+  private import DataFlowMake<DataFlowLang>
+  private import MakeImpl<DataFlowLang>
+
+  private module AddTaintDefaults<FullStateConfigSig Config> implements FullStateConfigSig {
+    import Config
+
+    predicate isBarrier(DataFlowLang::Node node) {
+      Config::isBarrier(node) or defaultTaintSanitizer(node)
+    }
+
+    predicate isAdditionalFlowStep(DataFlowLang::Node node1, DataFlowLang::Node node2) {
+      Config::isAdditionalFlowStep(node1, node2) or
+      defaultAdditionalTaintStep(node1, node2)
+    }
+
+    predicate allowImplicitRead(DataFlowLang::Node node, DataFlowLang::ContentSet c) {
+      Config::allowImplicitRead(node, c)
+      or
+      (
+        Config::isSink(node) or
+        Config::isSink(node, _) or
+        Config::isAdditionalFlowStep(node, _) or
+        Config::isAdditionalFlowStep(node, _, _, _)
+      ) and
+      defaultImplicitTaintRead(node, c)
+    }
+  }
+
+  /**
+   * Constructs a global taint tracking computation.
+   */
+  module Global<ConfigSig Config> implements GlobalFlowSig {
+    private module Config0 implements FullStateConfigSig {
+      import DefaultState<Config>
+      import Config
+    }
+
+    private module C implements FullStateConfigSig {
+      import AddTaintDefaults<Config0>
+    }
+
+    import Impl<C>
+  }
+
+  /** DEPRECATED: Use `Global` instead. */
+  deprecated module Make<ConfigSig Config> implements GlobalFlowSig {
+    import Global<Config>
+  }
+
+  /**
+   * Constructs a global taint tracking computation using flow state.
+   */
+  module GlobalWithState<StateConfigSig Config> implements GlobalFlowSig {
+    private module Config0 implements FullStateConfigSig {
+      import Config
+    }
+
+    private module C implements FullStateConfigSig {
+      import AddTaintDefaults<Config0>
+    }
+
+    import Impl<C>
+  }
+
+  /** DEPRECATED: Use `GlobalWithState` instead. */
+  deprecated module MakeWithState<StateConfigSig Config> implements GlobalFlowSig {
+    import GlobalWithState<Config>
+  }
+}
diff --git a/shared/dataflow/codeql/dataflow/TaintTrackingParameter.qll b/shared/dataflow/codeql/dataflow/TaintTrackingParameter.qll
@@ -0,0 +1,22 @@
+import DataFlowParameter
+
+signature module TaintTrackingParameter<DataFlowParameter Lang> {
+  /**
+   * Holds if `node` should be a sanitizer in all global taint flow configurations
+   * but not in local taint.
+   */
+  predicate defaultTaintSanitizer(Lang::Node node);
+
+  /**
+   * Holds if the additional step from `src` to `sink` should be included in all
+   * global taint flow configurations.
+   */
+  predicate defaultAdditionalTaintStep(Lang::Node src, Lang::Node sink);
+
+  /**
+   * Holds if taint flow configurations should allow implicit reads of `c` at sinks
+   * and inputs to additional taint steps.
+   */
+  bindingset[node]
+  predicate defaultImplicitTaintRead(Lang::Node node, Lang::ContentSet c);
+}
