Merge pull request #19790 from hvitved/rust/new-mad-format

Rust: Add new MaD format based on QL-computed canonical paths

Author: hvitved

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowConsistency.qll

@@ -44,24 +44,3 @@ private module Input implements InputSig<Location, RustDataFlow> {
 
 import MakeConsistency<Location, RustDataFlow, RustTaintTracking, Input>
 private import codeql.rust.dataflow.internal.ModelsAsData
-
-query predicate missingMadSummaryCanonicalPath(string crate, string path, Addressable a) {
-  summaryModel(crate, path, _, _, _, _, _) and
-  a.getCrateOrigin() = crate and
-  a.getExtendedCanonicalPath() = path and
-  not exists(a.getCanonicalPath())
-}
-
-query predicate missingMadSourceCanonicalPath(string crate, string path, Addressable a) {
-  sourceModel(crate, path, _, _, _, _) and
-  a.getCrateOrigin() = crate and
-  a.getExtendedCanonicalPath() = path and
-  not exists(a.getCanonicalPath())
-}
-
-query predicate missingMadSinkCanonicalPath(string crate, string path, Addressable a) {
-  sinkModel(crate, path, _, _, _, _) and
-  a.getCrateOrigin() = crate and
-  a.getExtendedCanonicalPath() = path and
-  not exists(a.getCanonicalPath())
-}

rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll

@@ -31,6 +31,11 @@ module Input implements InputSig<Location, RustDataFlow> {
         crate = ""
       )
     }
+
+    /** Holds if the associated call resolves to `path`. */
+    final predicate callResolvesTo(string path) {
+      path = this.getCall().getStaticTarget().(Addressable).getCanonicalPath()
+    }
   }
 
   abstract class SourceBase extends SourceSinkBase { }

rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll

@@ -4,21 +4,19 @@
  * The extensible relations have the following columns:
  *
  * - Sources:
- *   `crate; path; output; kind; provenance`
+ *   `path; output; kind; provenance`
  * - Sinks:
- *   `crate; path; input; kind; provenance`
+ *   `path; input; kind; provenance`
  * - Summaries:
- *   `crate; path; input; output; kind; provenance`
+ *   `path; input; output; kind; provenance`
  *
  * The interpretation of a row is similar to API-graphs with a left-to-right
  * reading.
  *
- * 1. The `crate` column selects a crate.
- * 2. The `path` column selects a function with the given canonical path within
- *    the crate.
- * 3. The `input` column specifies how data enters the element selected by the
- *    first 2 columns, and the `output` column specifies how data leaves the
- *    element selected by the first 2 columns. Both `input` and `output` are
+ * 1. The `path` column selects a function with the given canonical path.
+ * 2. The `input` column specifies how data enters the element selected by the
+ *    first column, and the `output` column specifies how data leaves the
+ *    element selected by the first column. Both `input` and `output` are
  *    `.`-separated lists of "access path tokens" to resolve, starting at the
  *    selected function.
  *
@@ -34,12 +32,12 @@
  *     - `Field[t(i)]`: position `i` inside the variant/struct with canonical path `v`, for example
  *                      `Field[core::option::Option::Some(0)]`.
  *     - `Field[i]`: the `i`th element of a tuple.
- * 4. The `kind` column is a tag that can be referenced from QL to determine to
+ * 3. The `kind` column is a tag that can be referenced from QL to determine to
  *    which classes the interpreted elements should be added. For example, for
  *    sources `"remote"` indicates a default remote flow source, and for summaries
  *    `"taint"` indicates a default additional taint step and `"value"` indicates a
  *    globally applicable value-preserving step.
- * 5. The `provenance` column is mainly used internally, and should be set to `"manual"` for
+ * 4. The `provenance` column is mainly used internally, and should be set to `"manual"` for
  *    all custom models.
  */
 
@@ -50,6 +48,8 @@ private import codeql.rust.dataflow.FlowSink
 private import codeql.rust.elements.internal.CallExprBaseImpl::Impl as CallExprBaseImpl
 
 /**
+ * DEPRECATED: Do not use.
+ *
  * Holds if in a call to the function with canonical path `path`, defined in the
  * crate `crate`, the value referred to by `output` is a flow source of the given
  * `kind`.
@@ -59,12 +59,27 @@ private import codeql.rust.elements.internal.CallExprBaseImpl::Impl as CallExprB
  * For more information on the `kind` parameter, see
  * https://github.com/github/codeql/blob/main/docs/codeql/reusables/threat-model-description.rst.
  */
-extensible predicate sourceModel(
+extensible predicate sourceModelDeprecated(
   string crate, string path, string output, string kind, string provenance,
   QlBuiltins::ExtensionId madId
 );
 
 /**
+ * Holds if in a call to the function with canonical path `path`, the value referred
+ * to by `output` is a flow source of the given `kind`.
+ *
+ * `output = "ReturnValue"` simply means the result of the call itself.
+ *
+ * For more information on the `kind` parameter, see
+ * https://github.com/github/codeql/blob/main/docs/codeql/reusables/threat-model-description.rst.
+ */
+extensible predicate sourceModel(
+  string path, string output, string kind, string provenance, QlBuiltins::ExtensionId madId
+);
+
+/**
+ * DEPRECATED: Do not use.
+ *
  * Holds if in a call to the function with canonical path `path`, defined in the
  * crate `crate`, the value referred to by `input` is a flow sink of the given
  * `kind`.
@@ -75,52 +90,95 @@ extensible predicate sourceModel(
  *
  * - `sql-injection`: a flow sink for SQL injection.
  */
-extensible predicate sinkModel(
+extensible predicate sinkModelDeprecated(
   string crate, string path, string input, string kind, string provenance,
   QlBuiltins::ExtensionId madId
 );
 
 /**
+ * Holds if in a call to the function with canonical path `path`, the value referred
+ * to by `input` is a flow sink of the given `kind`.
+ *
+ * For example, `input = Argument[0]` means the first argument of the call.
+ *
+ * The following kinds are supported:
+ *
+ * - `sql-injection`: a flow sink for SQL injection.
+ */
+extensible predicate sinkModel(
+  string path, string input, string kind, string provenance, QlBuiltins::ExtensionId madId
+);
+
+/**
+ * DEPRECATED: Do not use.
+ *
  * Holds if in a call to the function with canonical path `path`, defined in the
  * crate `crate`, the value referred to by `input` can flow to the value referred
  * to by `output`.
  *
  * `kind` should be either `value` or `taint`, for value-preserving or taint-preserving
  * steps, respectively.
  */
-extensible predicate summaryModel(
+extensible predicate summaryModelDeprecated(
   string crate, string path, string input, string output, string kind, string provenance,
   QlBuiltins::ExtensionId madId
 );
 
+/**
+ * Holds if in a call to the function with canonical path `path`, the value referred
+ * to by `input` can flow to the value referred to by `output`.
+ *
+ * `kind` should be either `value` or `taint`, for value-preserving or taint-preserving
+ * steps, respectively.
+ */
+extensible predicate summaryModel(
+  string path, string input, string output, string kind, string provenance,
+  QlBuiltins::ExtensionId madId
+);
+
 /**
  * Holds if the given extension tuple `madId` should pretty-print as `model`.
  *
  * This predicate should only be used in tests.
  */
 predicate interpretModelForTest(QlBuiltins::ExtensionId madId, string model) {
   exists(string crate, string path, string output, string kind |
-    sourceModel(crate, path, kind, output, _, madId) and
+    sourceModelDeprecated(crate, path, output, kind, _, madId) and
     model = "Source: " + crate + "; " + path + "; " + output + "; " + kind
   )
   or
+  exists(string path, string output, string kind |
+    sourceModel(path, output, kind, _, madId) and
+    model = "Source: " + path + "; " + output + "; " + kind
+  )
+  or
   exists(string crate, string path, string input, string kind |
-    sinkModel(crate, path, kind, input, _, madId) and
+    sinkModelDeprecated(crate, path, input, kind, _, madId) and
     model = "Sink: " + crate + "; " + path + "; " + input + "; " + kind
   )
   or
+  exists(string path, string input, string kind |
+    sinkModel(path, input, kind, _, madId) and
+    model = "Sink: " + path + "; " + input + "; " + kind
+  )
+  or
   exists(string type, string path, string input, string output, string kind |
-    summaryModel(type, path, input, output, kind, _, madId) and
+    summaryModelDeprecated(type, path, input, output, kind, _, madId) and
     model = "Summary: " + type + "; " + path + "; " + input + "; " + output + "; " + kind
   )
+  or
+  exists(string path, string input, string output, string kind |
+    summaryModel(path, input, output, kind, _, madId) and
+    model = "Summary: " + path + "; " + input + "; " + output + "; " + kind
+  )
 }
 
-private class SummarizedCallableFromModel extends SummarizedCallable::Range {
+private class SummarizedCallableFromModelDeprecated extends SummarizedCallable::Range {
   private string crate;
   private string path;
 
-  SummarizedCallableFromModel() {
-    summaryModel(crate, path, _, _, _, _, _) and
+  SummarizedCallableFromModelDeprecated() {
+    summaryModelDeprecated(crate, path, _, _, _, _, _) and
     exists(CallExprBase call, Resolvable r |
       call.getStaticTarget() = this and
       r = CallExprBaseImpl::getCallResolvable(call) and
@@ -133,7 +191,7 @@ private class SummarizedCallableFromModel extends SummarizedCallable::Range {
     string input, string output, boolean preservesValue, string model
   ) {
     exists(string kind, QlBuiltins::ExtensionId madId |
-      summaryModel(crate, path, input, output, kind, _, madId) and
+      summaryModelDeprecated(crate, path, input, output, kind, _, madId) and
       model = "MaD:" + madId.toString()
     |
       kind = "value" and
@@ -145,35 +203,91 @@ private class SummarizedCallableFromModel extends SummarizedCallable::Range {
   }
 }
 
-private class FlowSourceFromModel extends FlowSource::Range {
+private class SummarizedCallableFromModel extends SummarizedCallable::Range {
+  private string path;
+
+  SummarizedCallableFromModel() {
+    summaryModel(path, _, _, _, _, _) and
+    this.getCanonicalPath() = path
+  }
+
+  override predicate propagatesFlow(
+    string input, string output, boolean preservesValue, string model
+  ) {
+    exists(string kind, QlBuiltins::ExtensionId madId |
+      summaryModel(path, input, output, kind, _, madId) and
+      model = "MaD:" + madId.toString()
+    |
+      kind = "value" and
+      preservesValue = true
+      or
+      kind = "taint" and
+      preservesValue = false
+    )
+  }
+}
+
+private class FlowSourceFromModelDeprecated extends FlowSource::Range {
   private string crate;
   private string path;
 
-  FlowSourceFromModel() {
-    sourceModel(crate, path, _, _, _, _) and
+  FlowSourceFromModelDeprecated() {
+    sourceModelDeprecated(crate, path, _, _, _, _) and
     this.callResolvesTo(crate, path)
   }
 
   override predicate isSource(string output, string kind, Provenance provenance, string model) {
     exists(QlBuiltins::ExtensionId madId |
-      sourceModel(crate, path, output, kind, provenance, madId) and
+      sourceModelDeprecated(crate, path, output, kind, provenance, madId) and
       model = "MaD:" + madId.toString()
     )
   }
 }
 
-private class FlowSinkFromModel extends FlowSink::Range {
+private class FlowSourceFromModel extends FlowSource::Range {
+  private string path;
+
+  FlowSourceFromModel() {
+    sourceModel(path, _, _, _, _) and
+    this.callResolvesTo(path)
+  }
+
+  override predicate isSource(string output, string kind, Provenance provenance, string model) {
+    exists(QlBuiltins::ExtensionId madId |
+      sourceModel(path, output, kind, provenance, madId) and
+      model = "MaD:" + madId.toString()
+    )
+  }
+}
+
+private class FlowSinkFromModelDeprecated extends FlowSink::Range {
   private string crate;
   private string path;
 
-  FlowSinkFromModel() {
-    sinkModel(crate, path, _, _, _, _) and
+  FlowSinkFromModelDeprecated() {
+    sinkModelDeprecated(crate, path, _, _, _, _) and
     this.callResolvesTo(crate, path)
   }
 
   override predicate isSink(string input, string kind, Provenance provenance, string model) {
     exists(QlBuiltins::ExtensionId madId |
-      sinkModel(crate, path, input, kind, provenance, madId) and
+      sinkModelDeprecated(crate, path, input, kind, provenance, madId) and
+      model = "MaD:" + madId.toString()
+    )
+  }
+}
+
+private class FlowSinkFromModel extends FlowSink::Range {
+  private string path;
+
+  FlowSinkFromModel() {
+    sinkModel(path, _, _, _, _) and
+    this.callResolvesTo(path)
+  }
+
+  override predicate isSink(string input, string kind, Provenance provenance, string model) {
+    exists(QlBuiltins::ExtensionId madId |
+      sinkModel(path, input, kind, provenance, madId) and
       model = "MaD:" + madId.toString()
     )
   }

rust/ql/lib/codeql/rust/dataflow/internal/empty.model.yml

@@ -1,16 +1,28 @@
 extensions:
   # Make sure that the extensible model predicates have at least one definition
   # to avoid errors about undefined extensionals.
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: sourceModelDeprecated
+    data: []
   - addsTo:
       pack: codeql/rust-all
       extensible: sourceModel
     data: []
 
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: sinkModelDeprecated
+    data: []
   - addsTo:
       pack: codeql/rust-all
       extensible: sinkModel
     data: []
 
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: summaryModelDeprecated
+    data: []
   - addsTo:
       pack: codeql/rust-all
       extensible: summaryModel

rust/ql/lib/codeql/rust/frameworks/async-rs.model.yml

@@ -1,6 +1,6 @@
 extensions:
   - addsTo:
       pack: codeql/rust-all
-      extensible: sourceModel
+      extensible: sourceModelDeprecated
     data:
       - ["repo:https://github.com/async-rs/async-std:async-std", "<crate::net::tcp::stream::TcpStream>::connect", "ReturnValue.Future.Field[core::result::Result::Ok(0)]", "remote", "manual"]

rust/ql/lib/codeql/rust/frameworks/futures.model.yml

@@ -1,7 +1,7 @@
 extensions:
   - addsTo:
       pack: codeql/rust-all
-      extensible: summaryModel
+      extensible: summaryModelDeprecated
     data:
       - ["repo:https://github.com/rust-lang/futures-rs:futures-executor", "crate::local_pool::block_on", "Argument[0]", "ReturnValue", "value", "manual"]
       - ["repo:https://github.com/rust-lang/futures-rs:futures-util", "<crate::io::buf_reader::BufReader>::new", "Argument[0]", "ReturnValue", "taint", "manual"]

rust/ql/lib/codeql/rust/frameworks/http.model.yml

@@ -1,7 +1,7 @@
 extensions:
   - addsTo:
       pack: codeql/rust-all
-      extensible: sourceModel
+      extensible: sourceModelDeprecated
     data:
       - ["repo:https://github.com/hyperium/hyper:hyper", "<crate::client::conn::http1::SendRequest>::send_request", "ReturnValue.Future.Field[core::result::Result::Ok(0)]", "remote", "manual"]
       - ["repo:https://github.com/hyperium/hyper:hyper", "<crate::client::conn::http2::SendRequest>::send_request", "ReturnValue.Future.Field[core::result::Result::Ok(0)]", "remote", "manual"]