Rust: Model std::env.

geoffw0 · geoffw0 · commit e64f139c9836 · 2024-11-22T09:13:44.000Z
diff --git a/rust/ql/lib/codeql/rust/Concepts.qll b/rust/ql/lib/codeql/rust/Concepts.qll
@@ -47,6 +47,32 @@ class ActiveThreatModelSource extends ThreatModelSource {
   ActiveThreatModelSource() { currentThreatModel(this.getThreatModel()) }
 }
 
+/**
+ * A data flow source corresponding to the program's command line arguments or path.
+ */
+class CommandLineArgsSource extends ThreatModelSource instanceof CommandLineArgsSource::Range { }
+
+module CommandLineArgsSource {
+  abstract class Range extends ThreatModelSource::Range {
+    override string getThreatModel() { result = "commandargs" }
+
+    override string getSourceType() { result = "CommandLineArgs" }
+  }
+}
+
+/**
+ * A data flow source corresponding to the program's environment.
+ */
+class EnvironmentSource extends ThreatModelSource instanceof EnvironmentSource::Range { }
+
+module EnvironmentSource {
+  abstract class Range extends ThreatModelSource::Range {
+    override string getThreatModel() { result = "environment" }
+
+    override string getSourceType() { result = "EnvironmentSource" }
+  }
+}
+
 /**
  * A data-flow node that constructs a SQL statement.
  *
diff --git a/rust/ql/lib/codeql/rust/Frameworks.qll b/rust/ql/lib/codeql/rust/Frameworks.qll
@@ -1,3 +1,5 @@
 /**
  * This file imports all models of frameworks and libraries.
  */
+
+private import codeql.rust.frameworks.stdlib.Env
diff --git a/rust/ql/lib/codeql/rust/frameworks/stdlib/Env.qll b/rust/ql/lib/codeql/rust/frameworks/stdlib/Env.qll
@@ -0,0 +1,33 @@
+/**
+ * Provides modeling for the `std::env` library.
+ */
+
+private import rust
+private import codeql.rust.Concepts
+
+/**
+ * A call to `std::env::args` or `std::env::args_os`.
+ */
+private class StdEnvArgs extends CommandLineArgsSource::Range {
+  StdEnvArgs() {
+    this.asExpr().(CallExpr).getExpr().(PathExpr).getPath().getResolvedPath() = ["crate::env::args", "crate::env::args_os"]
+  }
+}
+
+/**
+ * A call to `std::env::current_dir`, `std::env::current_exe` or `std::env::home_dir`.
+ */
+private class StdEnvDir extends CommandLineArgsSource::Range {
+  StdEnvDir() {
+    this.asExpr().(CallExpr).getExpr().(PathExpr).getPath().getResolvedPath() = ["crate::env::current_dir", "crate::env::current_exe", "crate::env::home_dir"]
+  }
+}
+
+/**
+ * A call to `std::env::var`, `std::env::var_os`, `std::env::vars` or `std::env::vars_os`.
+ */
+private class StdEnvVar extends EnvironmentSource::Range {
+  StdEnvVar() {
+    this.asExpr().(CallExpr).getExpr().(PathExpr).getPath().getResolvedPath() = ["crate::env::var", "crate::env::var_os", "crate::env::vars", "crate::env::vars_os"]
+  }
+}
diff --git a/rust/ql/test/library-tests/dataflow/sources/TaintSources.expected b/rust/ql/test/library-tests/dataflow/sources/TaintSources.expected
@@ -0,0 +1,14 @@
+| test.rs:8:10:8:30 | CallExpr | EnvironmentSource (environment) |
+| test.rs:9:10:9:33 | CallExpr | EnvironmentSource (environment) |
+| test.rs:11:16:11:36 | CallExpr | EnvironmentSource (environment) |
+| test.rs:12:16:12:39 | CallExpr | EnvironmentSource (environment) |
+| test.rs:17:25:17:40 | CallExpr | EnvironmentSource (environment) |
+| test.rs:22:25:22:43 | CallExpr | EnvironmentSource (environment) |
+| test.rs:29:29:29:44 | CallExpr | CommandLineArgs (commandargs) |
+| test.rs:32:16:32:31 | CallExpr | CommandLineArgs (commandargs) |
+| test.rs:33:16:33:34 | CallExpr | CommandLineArgs (commandargs) |
+| test.rs:40:16:40:31 | CallExpr | CommandLineArgs (commandargs) |
+| test.rs:44:16:44:34 | CallExpr | CommandLineArgs (commandargs) |
+| test.rs:50:15:50:37 | CallExpr | CommandLineArgs (commandargs) |
+| test.rs:51:15:51:37 | CallExpr | CommandLineArgs (commandargs) |
+| test.rs:52:16:52:35 | CallExpr | CommandLineArgs (commandargs) |
diff --git a/rust/ql/test/library-tests/dataflow/sources/test.rs b/rust/ql/test/library-tests/dataflow/sources/test.rs
@@ -5,51 +5,51 @@ fn sink<T>(_: T) { }
 // --- tests ---
 
 fn test_env_vars() {
-    sink(std::env::var("HOME")); // $ MISSING: Alert[rust/summary/taint-sources] hasTaintFlow
-    sink(std::env::var_os("PATH")); // $ MISSING: Alert[rust/summary/taint-sources] hasTaintFlow
+    sink(std::env::var("HOME")); // $ Alert[rust/summary/taint-sources] hasTaintFlow
+    sink(std::env::var_os("PATH")); // $ Alert[rust/summary/taint-sources] hasTaintFlow
 
-    let var1 = std::env::var("HOME").expect("HOME not set"); // $ MISSING: Alert[rust/summary/taint-sources]
-    let var2 = std::env::var_os("PATH").unwrap(); // $ MISSING: Alert[rust/summary/taint-sources]
+    let var1 = std::env::var("HOME").expect("HOME not set"); // $ Alert[rust/summary/taint-sources]
+    let var2 = std::env::var_os("PATH").unwrap(); // $ Alert[rust/summary/taint-sources]
 
     sink(var1); // $ MISSING: hasTaintFlow
     sink(var2); // $ MISSING: hasTaintFlow
 
-    for (key, value) in std::env::vars() { // $ MISSING: Alert[rust/summary/taint-sources]
+    for (key, value) in std::env::vars() { // $ Alert[rust/summary/taint-sources]
         sink(key); // $ MISSING: hasTaintFlow
         sink(value); // $ MISSING: hasTaintFlow
     }
 
-    for (key, value) in std::env::vars_os() { // $ MISSING: Alert[rust/summary/taint-sources]
+    for (key, value) in std::env::vars_os() { // $ Alert[rust/summary/taint-sources]
         sink(key); // $ MISSING: hasTaintFlow
         sink(value); // $ MISSING: hasTaintFlow
     }
 }
 
 fn test_env_args() {
-    let args: Vec<String> = std::env::args().collect(); // $ MISSING: Alert[rust/summary/taint-sources]
+    let args: Vec<String> = std::env::args().collect(); // $ Alert[rust/summary/taint-sources]
     let my_path = &args[0];
     let arg1 = &args[1];
-    let arg2 = std::env::args().nth(2).unwrap(); // $ MISSING: Alert[rust/summary/taint-sources]
-    let arg3 = std::env::args_os().nth(3).unwrap(); // $ MISSING: Alert[rust/summary/taint-sources]
+    let arg2 = std::env::args().nth(2).unwrap(); // $ Alert[rust/summary/taint-sources]
+    let arg3 = std::env::args_os().nth(3).unwrap(); // $ Alert[rust/summary/taint-sources]
 
     sink(my_path); // $ MISSING: hasTaintFlow
     sink(arg1); // $ MISSING: hasTaintFlow
     sink(arg2); // $ MISSING: hasTaintFlow
     sink(arg3); // $ MISSING: hasTaintFlow
 
-    for arg in std::env::args() { // $ MISSING: Alert[rust/summary/taint-sources]
+    for arg in std::env::args() { // $ Alert[rust/summary/taint-sources]
         sink(arg); // $ MISSING: hasTaintFlow
     }
 
-    for arg in std::env::args_os() { // $ MISSING: Alert[rust/summary/taint-sources]
+    for arg in std::env::args_os() { // $ Alert[rust/summary/taint-sources]
         sink(arg); // $ MISSING: hasTaintFlow
     }
 }
 
 fn test_env_dirs() {
-    let dir = std::env::current_dir().expect("FAILED"); // $ MISSING: Alert[rust/summary/taint-sources]
-    let exe = std::env::current_exe().expect("FAILED"); // $ MISSING: Alert[rust/summary/taint-sources]
-    let home = std::env::home_dir().expect("FAILED"); // $ MISSING: Alert[rust/summary/taint-sources]
+    let dir = std::env::current_dir().expect("FAILED"); // $ Alert[rust/summary/taint-sources]
+    let exe = std::env::current_exe().expect("FAILED"); // $ Alert[rust/summary/taint-sources]
+    let home = std::env::home_dir().expect("FAILED"); // $ Alert[rust/summary/taint-sources]
 
     sink(dir); // $ MISSING: hasTaintFlow
     sink(exe); // $ MISSING: hasTaintFlow

-Original file line number
+Diff line change
@@ @@ -1,3 +1,5 @@ @@
 /**
  * This file imports all models of frameworks and libraries.
  */
++
 +private import codeql.rust.frameworks.stdlib.Env