-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathConcepts.qll
More file actions
355 lines (305 loc) · 10 KB
/
Concepts.qll
File metadata and controls
355 lines (305 loc) · 10 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
/**
* Provides abstract classes representing generic concepts such as file system
* access or system command execution, for which individual framework libraries
* provide concrete subclasses.
*/
private import codeql.rust.dataflow.DataFlow
private import codeql.threatmodels.ThreatModels
private import codeql.rust.Frameworks
private import codeql.rust.dataflow.FlowSource
private import codeql.rust.controlflow.ControlFlowGraph as Cfg
private import codeql.rust.controlflow.CfgNodes as CfgNodes
/**
* A data flow source for a specific threat-model.
*
* Extend this class to refine existing API models. If you want to model new APIs,
* extend `ThreatModelSource::Range` instead.
*/
final class ThreatModelSource = ThreatModelSource::Range;
/**
* Provides a class for modeling new sources for specific threat-models.
*/
module ThreatModelSource {
/**
* A data flow source, for a specific threat-model.
*/
abstract class Range extends DataFlow::Node {
/**
* Gets a string that represents the source kind with respect to threat modeling.
*
* See
* - https://github.com/github/codeql/blob/main/docs/codeql/reusables/threat-model-description.rst
* - https://github.com/github/codeql/blob/main/shared/threat-models/ext/threat-model-grouping.model.yml
*/
abstract string getThreatModel();
/**
* Gets a string that describes the type of this threat-model source.
*/
abstract string getSourceType();
}
}
/**
* A data flow source that is enabled in the current threat model configuration.
*/
class ActiveThreatModelSource extends ThreatModelSource {
ActiveThreatModelSource() { currentThreatModel(this.getThreatModel()) }
}
/**
* A data flow source corresponding to the program's command line arguments or path.
*/
final class CommandLineArgsSource = CommandLineArgsSource::Range;
/**
* Provides a class for modeling new sources for the program's command line arguments or path.
*/
module CommandLineArgsSource {
/**
* A data flow source corresponding to the program's command line arguments or path.
*/
abstract class Range extends ThreatModelSource::Range {
override string getThreatModel() { result = "commandargs" }
override string getSourceType() { result = "CommandLineArgs" }
}
}
/**
* An externally modeled source for command line arguments.
*/
class ModeledCommandLineArgsSource extends CommandLineArgsSource::Range {
ModeledCommandLineArgsSource() { sourceNode(this, "commandargs") }
}
/**
* A data flow source corresponding to the program's environment.
*/
final class EnvironmentSource = EnvironmentSource::Range;
/**
* Provides a class for modeling new sources for the program's environment.
*/
module EnvironmentSource {
/**
* A data flow source corresponding to the program's environment.
*/
abstract class Range extends ThreatModelSource::Range {
override string getThreatModel() { result = "environment" }
override string getSourceType() { result = "EnvironmentSource" }
}
}
/**
* An externally modeled source for data from the program's environment.
*/
class ModeledEnvironmentSource extends EnvironmentSource::Range {
ModeledEnvironmentSource() { sourceNode(this, "environment") }
}
/**
* A data flow source corresponding to a file access.
*/
final class FileSource = FileSource::Range;
/**
* An externally modeled source for data from a file access.
*/
class ModeledFileSource extends FileSource::Range {
ModeledFileSource() { sourceNode(this, "file") }
}
/**
* Provides a class for modeling new sources for file accesses.
*/
module FileSource {
/**
* A data flow source corresponding to a file access.
*/
abstract class Range extends ThreatModelSource::Range {
override string getThreatModel() { result = "file" }
override string getSourceType() { result = "FileSource" }
}
}
/**
* A data flow source corresponding to standard input.
*/
final class StdInSource = StdInSource::Range;
/**
* An externally modeled source for data from standard input.
*/
class ModeledStdInSourceSource extends StdInSource::Range {
ModeledStdInSourceSource() { sourceNode(this, "stdin") }
}
/**
* Provides a class for modeling new sources for standard input.
*/
module StdInSource {
/**
* A data flow source corresponding to standard input.
*/
abstract class Range extends ThreatModelSource::Range {
override string getThreatModel() { result = "stdin" }
override string getSourceType() { result = "StdInSource" }
}
}
/**
* A data flow source corresponding to the program's database reads.
*/
final class DatabaseSource = DatabaseSource::Range;
/**
* Provides a class for modeling new sources for the program's database reads.
*/
module DatabaseSource {
/**
* A data flow source corresponding to the program's database reads.
*/
abstract class Range extends ThreatModelSource::Range {
override string getThreatModel() { result = "database" }
override string getSourceType() { result = "DatabaseSource" }
}
}
/**
* An externally modeled source for data from the program's database.
*/
class ModeledDatabaseSource extends DatabaseSource::Range {
ModeledDatabaseSource() { sourceNode(this, "database") }
}
/**
* A data flow source for remote (network) data.
*/
final class RemoteSource = RemoteSource::Range;
/**
* Provides a class for modeling new sources of remote (network) data.
*/
module RemoteSource {
/**
* A data flow source for remote (network) data.
*/
abstract class Range extends ThreatModelSource::Range {
override string getThreatModel() { result = "remote" }
override string getSourceType() { result = "RemoteSource" }
}
}
/**
* An externally modeled source for remote (network) data.
*/
class ModeledRemoteSource extends RemoteSource::Range {
ModeledRemoteSource() { sourceNode(this, "remote") }
}
/**
* A data flow sink that is used in a query.
*
* Extend this class to refine existing API models. If you want to model new APIs,
* extend `QuerySink::Range` instead.
*/
final class QuerySink = QuerySink::Range;
/**
* Provides a class for modeling new query sinks.
*/
module QuerySink {
/**
* A data flow sink that is used in a query.
*/
abstract class Range extends DataFlow::Node {
/**
* Gets a string that describes the type of this sink (usually the query it applies to).
*/
abstract string getSinkType();
}
}
/**
* A data flow node that constructs a SQL statement (for later execution).
*
* Often, it is worthy of an alert if a SQL statement is constructed such that
* executing it would be a security risk.
*
* If it is important that the SQL statement is executed, use `SqlExecution`.
*
* Extend this class to refine existing API models. If you want to model new APIs,
* extend `SqlConstruction::Range` instead.
*/
final class SqlConstruction = SqlConstruction::Range;
/**
* Provides a class for modeling new SQL execution APIs.
*/
module SqlConstruction {
/**
* A data flow node that constructs a SQL statement.
*/
abstract class Range extends DataFlow::Node {
/**
* Gets the argument that specifies the SQL statements to be constructed.
*/
abstract DataFlow::Node getSql();
}
}
/**
* A data flow node that constructs and executes SQL statements.
*
* If the context of interest is such that merely constructing a SQL statement
* would be valuable to report, consider also using `SqlConstruction`.
*
* Extend this class to refine existing API models. If you want to model new APIs,
* extend `SqlExecution::Range` instead.
*/
final class SqlExecution = SqlExecution::Range;
/**
* Provides a class for modeling new SQL execution APIs.
*/
module SqlExecution {
/**
* A data flow node that executes SQL statements.
*/
abstract class Range extends DataFlow::Node {
/**
* Gets the argument that specifies the SQL statements to be executed.
*/
abstract DataFlow::Node getSql();
}
}
/**
* A data flow node that performs SQL sanitization.
*/
final class SqlSanitization = SqlSanitization::Range;
/**
* Provides a class for modeling new SQL sanitization APIs.
*/
module SqlSanitization {
/**
* A data flow node that performs SQL sanitization.
*/
abstract class Range extends DataFlow::Node { }
}
/**
* Provides models for cryptographic things.
*/
module Cryptography {
private import codeql.rust.internal.ConceptsShared::Cryptography as SC
final class CryptographicOperation = SC::CryptographicOperation;
class EncryptionAlgorithm = SC::EncryptionAlgorithm;
class HashingAlgorithm = SC::HashingAlgorithm;
class PasswordHashingAlgorithm = SC::PasswordHashingAlgorithm;
module CryptographicOperation = SC::CryptographicOperation;
class BlockMode = SC::BlockMode;
class CryptographicAlgorithm = SC::CryptographicAlgorithm;
}
/** Provides classes for modeling path-related APIs. */
module Path {
final class PathNormalization = PathNormalization::Range;
/** Provides a class for modeling new path normalization APIs. */
module PathNormalization {
/**
* A data-flow node that performs path normalization. This is often needed in order
* to safely access paths.
*/
abstract class Range extends DataFlow::Node {
/** Gets an argument to this path normalization that is interpreted as a path. */
abstract DataFlow::Node getPathArg();
}
}
/** A data-flow node that checks that a path is safe to access in some way, for example by having a controlled prefix. */
class SafeAccessCheck extends DataFlow::ExprNode {
SafeAccessCheck() { this = DataFlow::BarrierGuard<safeAccessCheck/3>::getABarrierNode() }
}
private predicate safeAccessCheck(CfgNodes::AstCfgNode g, Cfg::CfgNode node, boolean branch) {
g.(SafeAccessCheck::Range).checks(node, branch)
}
/** Provides a class for modeling new path safety checks. */
module SafeAccessCheck {
/** A data-flow node that checks that a path is safe to access in some way, for example by having a controlled prefix. */
abstract class Range extends CfgNodes::AstCfgNode {
/** Holds if this guard validates `node` upon evaluating to `branch`. */
abstract predicate checks(Cfg::CfgNode node, boolean branch);
}
}
}