Merge pull request #153 from microsoft/revert-152-dilan/rust-exclude-broken-queries

dilanbhalla · web-flow · commit faa5554ea7b6 · 2024-12-19T10:21:08.000-08:00
Revert "Remove Broken Rust Queries" + Stub DataflowStack required Interface
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ZipSlipQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ZipSlipQuery.qll
@@ -5,7 +5,6 @@
 import csharp
 private import semmle.code.csharp.controlflow.Guards
 private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks
-private import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
 abstract private class AbstractSanitizerMethod extends Method { }
 
@@ -453,26 +452,14 @@ private module ZipSlipConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
-}
-
-/**
- * A taint tracking module for Zip Slip.
- */
-module ZipSlip = TaintTracking::Global<ZipSlipConfig>;
-
-deprecated class TaintTrackingConfiguration extends TaintTracking::Configuration {
-  TaintTrackingConfiguration() { this = "ZipSlipTaintTrackingConfiguration" }
 
-  override predicate isSource(DataFlow::Node node) { node instanceof Source }
-
-  override predicate isSink(DataFlow::Node node) { node instanceof Sink }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-    super.isAdditionalTaintStep(pred, succ)
-    or
+  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
     // If the sink is a method call, and the source is an argument to that method call
     exists(MethodCall mc | succ.asExpr() = mc and pred.asExpr() = mc.getAnArgument())
   }
+}
 
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-}
+/**
+ * A taint tracking module for Zip Slip.
+ */
+module ZipSlip = TaintTracking::Global<ZipSlipConfig>;
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.expected b/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.expected
@@ -11,30 +11,45 @@
 | ZipSlipBad.cs:9:59:9:72 | access to property FullName | ZipSlipBad.cs:9:59:9:72 | access to property FullName : String | ZipSlipBad.cs:10:29:10:40 | access to local variable destFileName | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipSlipBad.cs:10:29:10:40 | access to local variable destFileName | file system operation |
 edges
 | ZipSlip.cs:15:24:15:40 | access to local variable fullPath_relative : String | ZipSlip.cs:30:71:30:87 | access to local variable fullPath_relative : String | provenance |  |
-| ZipSlip.cs:15:24:15:40 | access to local variable fullPath_relative : String | ZipSlip.cs:35:28:35:56 | access to local variable destFilePath_notCanonicalized : String | provenance |  |
 | ZipSlip.cs:15:44:15:75 | call to method GetFullPath : String | ZipSlip.cs:15:24:15:40 | access to local variable fullPath_relative : String | provenance |  |
+| ZipSlip.cs:15:61:15:74 | access to property FullName : String | ZipSlip.cs:15:44:15:75 | call to method GetFullPath : String | provenance | Config |
 | ZipSlip.cs:15:61:15:74 | access to property FullName : String | ZipSlip.cs:15:44:15:75 | call to method GetFullPath : String | provenance | MaD:2 |
-| ZipSlip.cs:18:24:18:49 | access to local variable file_badDirectoryTraversal : String | ZipSlip.cs:22:71:22:96 | access to local variable file_badDirectoryTraversal : String | provenance |  |
+| ZipSlip.cs:18:24:18:49 | access to local variable file_badDirectoryTraversal : String | ZipSlip.cs:19:43:19:68 | access to local variable file_badDirectoryTraversal : String | provenance |  |
 | ZipSlip.cs:18:53:18:66 | access to property FullName : String | ZipSlip.cs:18:24:18:49 | access to local variable file_badDirectoryTraversal : String | provenance |  |
+| ZipSlip.cs:19:43:19:68 | access to local variable file_badDirectoryTraversal : String | ZipSlip.cs:22:71:22:96 | access to local variable file_badDirectoryTraversal : String | provenance |  |
 | ZipSlip.cs:22:28:22:39 | access to local variable destFileName : String | ZipSlip.cs:23:41:23:52 | access to local variable destFileName | provenance |  |
 | ZipSlip.cs:22:43:22:97 | call to method Combine : String | ZipSlip.cs:22:28:22:39 | access to local variable destFileName : String | provenance |  |
+| ZipSlip.cs:22:71:22:96 | access to local variable file_badDirectoryTraversal : String | ZipSlip.cs:22:43:22:97 | call to method Combine : String | provenance | Config |
 | ZipSlip.cs:22:71:22:96 | access to local variable file_badDirectoryTraversal : String | ZipSlip.cs:22:43:22:97 | call to method Combine : String | provenance | MaD:1 |
 | ZipSlip.cs:30:28:30:39 | access to local variable destFilePath : String | ZipSlip.cs:31:41:31:52 | access to local variable destFilePath | provenance |  |
 | ZipSlip.cs:30:43:30:88 | call to method Combine : String | ZipSlip.cs:30:28:30:39 | access to local variable destFilePath : String | provenance |  |
+| ZipSlip.cs:30:71:30:87 | access to local variable fullPath_relative : String | ZipSlip.cs:30:43:30:88 | call to method Combine : String | provenance | Config |
 | ZipSlip.cs:30:71:30:87 | access to local variable fullPath_relative : String | ZipSlip.cs:30:43:30:88 | call to method Combine : String | provenance | MaD:1 |
+| ZipSlip.cs:30:71:30:87 | access to local variable fullPath_relative : String | ZipSlip.cs:35:28:35:56 | access to local variable destFilePath_notCanonicalized : String | provenance |  |
 | ZipSlip.cs:35:28:35:56 | access to local variable destFilePath_notCanonicalized : String | ZipSlip.cs:39:45:39:73 | access to local variable destFilePath_notCanonicalized | provenance |  |
 | ZipSlip.cs:58:20:58:27 | access to local variable fullpath : String | ZipSlip.cs:62:33:62:40 | access to local variable fullpath | provenance |  |
-| ZipSlip.cs:58:20:58:27 | access to local variable fullpath : String | ZipSlip.cs:71:37:71:44 | access to local variable fullpath | provenance |  |
+| ZipSlip.cs:58:20:58:27 | access to local variable fullpath : String | ZipSlip.cs:62:33:62:40 | access to local variable fullpath : String | provenance |  |
 | ZipSlip.cs:58:31:58:75 | call to method Combine : String | ZipSlip.cs:58:20:58:27 | access to local variable fullpath : String | provenance |  |
+| ZipSlip.cs:58:61:58:74 | access to property FullName : String | ZipSlip.cs:58:31:58:75 | call to method Combine : String | provenance | Config |
 | ZipSlip.cs:58:61:58:74 | access to property FullName : String | ZipSlip.cs:58:31:58:75 | call to method Combine : String | provenance | MaD:1 |
-| ZipSlip.cs:105:32:105:43 | access to local variable destFilePath : String | ZipSlip.cs:112:74:112:85 | access to local variable destFilePath | provenance |  |
-| ZipSlip.cs:105:32:105:43 | access to local variable destFilePath : String | ZipSlip.cs:119:71:119:82 | access to local variable destFilePath | provenance |  |
-| ZipSlip.cs:105:32:105:43 | access to local variable destFilePath : String | ZipSlip.cs:126:57:126:68 | access to local variable destFilePath | provenance |  |
-| ZipSlip.cs:105:32:105:43 | access to local variable destFilePath : String | ZipSlip.cs:134:58:134:69 | access to local variable destFilePath | provenance |  |
+| ZipSlip.cs:62:33:62:40 | access to local variable fullpath : String | ZipSlip.cs:64:29:64:36 | access to local variable fullpath : String | provenance |  |
+| ZipSlip.cs:64:29:64:36 | access to local variable fullpath : String | ZipSlip.cs:69:30:69:37 | access to local variable fullpath : String | provenance |  |
+| ZipSlip.cs:69:30:69:37 | access to local variable fullpath : String | ZipSlip.cs:71:37:71:44 | access to local variable fullpath | provenance |  |
+| ZipSlip.cs:105:32:105:43 | access to local variable destFilePath : String | ZipSlip.cs:107:73:107:84 | access to local variable destFilePath : String | provenance |  |
 | ZipSlip.cs:105:47:105:86 | call to method Combine : String | ZipSlip.cs:105:32:105:43 | access to local variable destFilePath : String | provenance |  |
+| ZipSlip.cs:105:72:105:85 | access to property FullName : String | ZipSlip.cs:105:47:105:86 | call to method Combine : String | provenance | Config |
 | ZipSlip.cs:105:72:105:85 | access to property FullName : String | ZipSlip.cs:105:47:105:86 | call to method Combine : String | provenance | MaD:1 |
+| ZipSlip.cs:107:73:107:84 | access to local variable destFilePath : String | ZipSlip.cs:112:74:112:85 | access to local variable destFilePath | provenance |  |
+| ZipSlip.cs:107:73:107:84 | access to local variable destFilePath : String | ZipSlip.cs:114:71:114:82 | access to local variable destFilePath : String | provenance |  |
+| ZipSlip.cs:114:71:114:82 | access to local variable destFilePath : String | ZipSlip.cs:119:71:119:82 | access to local variable destFilePath | provenance |  |
+| ZipSlip.cs:114:71:114:82 | access to local variable destFilePath : String | ZipSlip.cs:119:71:119:82 | access to local variable destFilePath : String | provenance |  |
+| ZipSlip.cs:119:71:119:82 | access to local variable destFilePath : String | ZipSlip.cs:121:71:121:82 | access to local variable destFilePath : String | provenance |  |
+| ZipSlip.cs:121:71:121:82 | access to local variable destFilePath : String | ZipSlip.cs:126:57:126:68 | access to local variable destFilePath | provenance |  |
+| ZipSlip.cs:121:71:121:82 | access to local variable destFilePath : String | ZipSlip.cs:129:71:129:82 | access to local variable destFilePath : String | provenance |  |
+| ZipSlip.cs:129:71:129:82 | access to local variable destFilePath : String | ZipSlip.cs:134:58:134:69 | access to local variable destFilePath | provenance |  |
 | ZipSlipBad.cs:9:16:9:27 | access to local variable destFileName : String | ZipSlipBad.cs:10:29:10:40 | access to local variable destFileName | provenance |  |
 | ZipSlipBad.cs:9:31:9:73 | call to method Combine : String | ZipSlipBad.cs:9:16:9:27 | access to local variable destFileName : String | provenance |  |
+| ZipSlipBad.cs:9:59:9:72 | access to property FullName : String | ZipSlipBad.cs:9:31:9:73 | call to method Combine : String | provenance | Config |
 | ZipSlipBad.cs:9:59:9:72 | access to property FullName : String | ZipSlipBad.cs:9:31:9:73 | call to method Combine : String | provenance | MaD:1 |
 models
 | 1 | Summary: System.IO; Path; false; Combine; (System.String,System.String); ; Argument[1]; ReturnValue; taint; manual |
@@ -45,6 +60,7 @@ nodes
 | ZipSlip.cs:15:61:15:74 | access to property FullName : String | semmle.label | access to property FullName : String |
 | ZipSlip.cs:18:24:18:49 | access to local variable file_badDirectoryTraversal : String | semmle.label | access to local variable file_badDirectoryTraversal : String |
 | ZipSlip.cs:18:53:18:66 | access to property FullName : String | semmle.label | access to property FullName : String |
+| ZipSlip.cs:19:43:19:68 | access to local variable file_badDirectoryTraversal : String | semmle.label | access to local variable file_badDirectoryTraversal : String |
 | ZipSlip.cs:22:28:22:39 | access to local variable destFileName : String | semmle.label | access to local variable destFileName : String |
 | ZipSlip.cs:22:43:22:97 | call to method Combine : String | semmle.label | call to method Combine : String |
 | ZipSlip.cs:22:71:22:96 | access to local variable file_badDirectoryTraversal : String | semmle.label | access to local variable file_badDirectoryTraversal : String |
@@ -59,13 +75,21 @@ nodes
 | ZipSlip.cs:58:31:58:75 | call to method Combine : String | semmle.label | call to method Combine : String |
 | ZipSlip.cs:58:61:58:74 | access to property FullName : String | semmle.label | access to property FullName : String |
 | ZipSlip.cs:62:33:62:40 | access to local variable fullpath | semmle.label | access to local variable fullpath |
+| ZipSlip.cs:62:33:62:40 | access to local variable fullpath : String | semmle.label | access to local variable fullpath : String |
+| ZipSlip.cs:64:29:64:36 | access to local variable fullpath : String | semmle.label | access to local variable fullpath : String |
+| ZipSlip.cs:69:30:69:37 | access to local variable fullpath : String | semmle.label | access to local variable fullpath : String |
 | ZipSlip.cs:71:37:71:44 | access to local variable fullpath | semmle.label | access to local variable fullpath |
 | ZipSlip.cs:105:32:105:43 | access to local variable destFilePath : String | semmle.label | access to local variable destFilePath : String |
 | ZipSlip.cs:105:47:105:86 | call to method Combine : String | semmle.label | call to method Combine : String |
 | ZipSlip.cs:105:72:105:85 | access to property FullName : String | semmle.label | access to property FullName : String |
+| ZipSlip.cs:107:73:107:84 | access to local variable destFilePath : String | semmle.label | access to local variable destFilePath : String |
 | ZipSlip.cs:112:74:112:85 | access to local variable destFilePath | semmle.label | access to local variable destFilePath |
+| ZipSlip.cs:114:71:114:82 | access to local variable destFilePath : String | semmle.label | access to local variable destFilePath : String |
 | ZipSlip.cs:119:71:119:82 | access to local variable destFilePath | semmle.label | access to local variable destFilePath |
+| ZipSlip.cs:119:71:119:82 | access to local variable destFilePath : String | semmle.label | access to local variable destFilePath : String |
+| ZipSlip.cs:121:71:121:82 | access to local variable destFilePath : String | semmle.label | access to local variable destFilePath : String |
 | ZipSlip.cs:126:57:126:68 | access to local variable destFilePath | semmle.label | access to local variable destFilePath |
+| ZipSlip.cs:129:71:129:82 | access to local variable destFilePath : String | semmle.label | access to local variable destFilePath : String |
 | ZipSlip.cs:134:58:134:69 | access to local variable destFilePath | semmle.label | access to local variable destFilePath |
 | ZipSlipBad.cs:9:16:9:27 | access to local variable destFileName : String | semmle.label | access to local variable destFileName : String |
 | ZipSlipBad.cs:9:31:9:73 | call to method Combine : String | semmle.label | call to method Combine : String |
diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll
@@ -14,6 +14,7 @@ private import codeql.rust.dataflow.Ssa
 private import codeql.rust.dataflow.FlowSummary
 private import FlowSummaryImpl as FlowSummaryImpl
 
+
 /**
  * A return kind. A return kind describes how a value can be returned from a
  * callable.
@@ -45,6 +46,10 @@ final class DataFlowCallable extends TDataFlowCallable {
 
   /** Gets the location of this callable. */
   Location getLocation() { result = this.asCfgScope().getLocation() }
+
+  //** TODO JB1: Move to subclass, monkey patching for #153 */
+  int totalorder(){ none() }
+  //** TODO JB1: end stubs for #153 */
 }
 
 final class DataFlowCall extends TDataFlowCall {
@@ -86,6 +91,12 @@ final class DataFlowCall extends TDataFlowCall {
   }
 
   Location getLocation() { result = this.asCallBaseExprCfgNode().getLocation() }
+
+  //** TODO JB1: Move to subclass, monkey patching for #153 */
+  DataFlowCallable getARuntimeTarget(){ none() }
+  Node::ArgumentNode getAnArgumentNode(){ none() }
+  int totalorder(){ none() }
+  //** TODO JB1: end stubs for #153 */
 }
 
 /**
@@ -989,6 +1000,10 @@ module RustDataFlow implements InputSig<Location> {
     string toString() { result = "NodeRegion" }
 
     predicate contains(Node n) { none() }
+
+    //** TODO JB1: Move to subclass, monkey patching for #153 */
+    int totalOrder(){ none() }
+    //** TODO JB1: end stubs for #153 */
   }
 
   /**
diff --git a/rust/ql/src/queries/diagnostics/DataFlowConsistencyCounts.ql b/rust/ql/src/queries/diagnostics/DataFlowConsistencyCounts.ql
@@ -0,0 +1,14 @@
+/**
+ * @name Data flow inconsistency counts
+ * @description Counts the number of data flow inconsistencies of each type.  This query is intended for internal use.
+ * @kind diagnostic
+ * @id rust/diagnostics/data-flow-consistency-counts
+ */
+
+import codeql.rust.dataflow.internal.DataFlowConsistency as Consistency
+
+// see also `rust/diagnostics/data-flow-consistency`, which lists the
+// individual inconsistency results.
+from string type, int num
+where num = Consistency::getInconsistencyCounts(type)
+select type, num
diff --git a/rust/ql/src/queries/security/CWE-089/SqlInjection.ql b/rust/ql/src/queries/security/CWE-089/SqlInjection.ql
@@ -0,0 +1,35 @@
+/**
+ * @name Database query built from user-controlled sources
+ * @description Building a database query from user-controlled sources is vulnerable to insertion of malicious code by attackers.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 8.8
+ * @precision high
+ * @id rust/sql-injection
+ * @tags security
+ *       external/cwe/cwe-089
+ */
+
+import rust
+import codeql.rust.dataflow.DataFlow
+import codeql.rust.dataflow.TaintTracking
+import codeql.rust.security.SqlInjectionExtensions
+import SqlInjectionFlow::PathGraph
+
+/**
+ * A taint configuration for tainted data that reaches a SQL sink.
+ */
+module SqlInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node instanceof SqlInjection::Source }
+
+  predicate isSink(DataFlow::Node node) { node instanceof SqlInjection::Sink }
+
+  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof SqlInjection::Barrier }
+}
+
+module SqlInjectionFlow = TaintTracking::Global<SqlInjectionConfig>;
+
+from SqlInjectionFlow::PathNode sourceNode, SqlInjectionFlow::PathNode sinkNode
+where SqlInjectionFlow::flowPath(sourceNode, sinkNode)
+select sinkNode.getNode(), sourceNode, sinkNode, "This query depends on a $@.",
+  sourceNode.getNode(), "user-provided value"
diff --git a/rust/ql/src/queries/summary/LinesOfCode.ql b/rust/ql/src/queries/summary/LinesOfCode.ql
@@ -0,0 +1,14 @@
+/**
+ * @name Total lines of Rust code in the database
+ * @description The total number of lines of Rust code across all files, including any libraries and auto-generated files that the extractor sees. This is a useful metric of the size of a database. For all files that were seen during the build, this query counts the lines of code, excluding whitespace or comments.
+ * @kind metric
+ * @id rust/summary/lines-of-code
+ * @tags summary
+ *       lines-of-code
+ *       telemetry
+ */
+
+import rust
+import Stats
+
+select getLinesOfCode()
diff --git a/rust/ql/src/queries/summary/LinesOfUserCode.ql b/rust/ql/src/queries/summary/LinesOfUserCode.ql
@@ -0,0 +1,14 @@
+/**
+ * @name Total lines of user written Rust code in the database
+ * @description The total number of lines of Rust code from the source code directory. This query counts the lines of code, excluding whitespace or comments.
+ * @kind metric
+ * @id rust/summary/lines-of-user-code
+ * @tags summary
+ *       lines-of-code
+ *       debug
+ */
+
+import rust
+import Stats
+
+select getLinesOfUserCode()
diff --git a/rust/ql/src/queries/summary/SummaryStats.ql b/rust/ql/src/queries/summary/SummaryStats.ql
@@ -0,0 +1,54 @@
+/**
+ * @name Summary Statistics
+ * @description A table of summary statistics about a database.
+ * @kind metric
+ * @id rust/summary/summary-statistics
+ * @tags summary
+ */
+
+import rust
+import codeql.rust.Concepts
+import codeql.rust.Diagnostics
+import Stats
+
+from string key, int value
+where
+  key = "Elements extracted" and value = count(Element e | not e instanceof Unextracted)
+  or
+  key = "Elements unextracted" and value = count(Unextracted e)
+  or
+  key = "Extraction errors" and value = count(ExtractionError e)
+  or
+  key = "Extraction warnings" and value = count(ExtractionWarning w)
+  or
+  key = "Files extracted - total" and value = count(ExtractedFile f | exists(f.getRelativePath()))
+  or
+  key = "Files extracted - with errors" and
+  value =
+    count(ExtractedFile f |
+      exists(f.getRelativePath()) and not f instanceof SuccessfullyExtractedFile
+    )
+  or
+  key = "Files extracted - without errors" and
+  value = count(SuccessfullyExtractedFile f | exists(f.getRelativePath()))
+  or
+  key = "Lines of code extracted" and value = getLinesOfCode()
+  or
+  key = "Lines of user code extracted" and value = getLinesOfUserCode()
+  or
+  key = "Inconsistencies - AST" and value = getTotalAstInconsistencies()
+  or
+  key = "Inconsistencies - CFG" and value = getTotalCfgInconsistencies()
+  or
+  key = "Inconsistencies - data flow" and value = getTotalDataFlowInconsistencies()
+  or
+  key = "Macro calls - total" and value = count(MacroCall mc)
+  or
+  key = "Macro calls - resolved" and value = count(MacroCall mc | mc.hasExpanded())
+  or
+  key = "Macro calls - unresolved" and value = count(MacroCall mc | not mc.hasExpanded())
+  or
+  key = "Taint sources - total" and value = count(ThreatModelSource s)
+  or
+  key = "Taint sources - active" and value = count(ActiveThreatModelSource s)
+select key, value order by key
diff --git a/rust/ql/src/queries/summary/TaintSources.ql b/rust/ql/src/queries/summary/TaintSources.ql
@@ -0,0 +1,18 @@
+/**
+ * @name Taint Sources
+ * @description List all sources of untrusted input that have been idenfitied
+ *              in the database.
+ * @kind problem
+ * @problem.severity info
+ * @id rust/summary/taint-sources
+ * @tags summary
+ */
+
+import rust
+import codeql.rust.Concepts
+
+from ThreatModelSource s, string defaultString
+where
+  if s instanceof ActiveThreatModelSource then defaultString = " (DEFAULT)" else defaultString = ""
+select s,
+  "Flow source '" + s.getSourceType() + "' of type " + s.getThreatModel() + defaultString + "."
