Rust: Add support for MaD sources and sinks with access paths

Author: hvitved

rust/ql/lib/codeql/rust/dataflow/FlowSource.qll

@@ -0,0 +1,36 @@
+/** Provides classes and predicates for defining flow sources. */
+
+private import rust
+private import internal.FlowSummaryImpl as Impl
+private import internal.DataFlowImpl as DataFlowImpl
+
+// import all instances below
+private module Sources {
+  private import codeql.rust.Frameworks
+  private import codeql.rust.dataflow.internal.ModelsAsData
+}
+
+/** Provides the `Range` class used to define the extent of `FlowSource`. */
+module FlowSource {
+  /** A flow source. */
+  abstract class Range extends Impl::Public::SourceNode {
+    bindingset[this]
+    Range() { any() }
+
+    override predicate isSource(
+      string output, string kind, Impl::Public::Provenance provenance, string model
+    ) {
+      this.isSource(output, kind) and provenance = "manual" and model = ""
+    }
+
+    /**
+     * Holds is this element is a flow source of kind `kind`, where data
+     * flows out as described by `output`.
+     */
+    predicate isSource(string output, string kind) { none() }
+  }
+}
+
+final class FlowSource = FlowSource::Range;
+
+predicate sourceNode = DataFlowImpl::sourceNode/2;

rust/ql/lib/codeql/rust/dataflow/FlowSummary.qll

@@ -57,3 +57,5 @@ module SummarizedCallable {
 }
 
 final class SummarizedCallable = SummarizedCallable::Range;
+
+final class Provenance = Impl::Public::Provenance;

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll

@@ -186,18 +186,37 @@ module Node {
   class FlowSummaryNode extends Node, TFlowSummaryNode {
     FlowSummaryImpl::Private::SummaryNode getSummaryNode() { this = TFlowSummaryNode(result) }
 
-    /** Gets the summarized callable that this node belongs to. */
+    /** Gets the summarized callable that this node belongs to, if any. */
     FlowSummaryImpl::Public::SummarizedCallable getSummarizedCallable() {
       result = this.getSummaryNode().getSummarizedCallable()
     }
 
-    override CfgScope getCfgScope() { none() }
+    /** Gets the source node that this node belongs to, if any */
+    FlowSummaryImpl::Public::SourceNode getSourceNode() {
+      result = this.getSummaryNode().getSourceNode()
+    }
+
+    /** Holds is this node is a source node of kind `kind`. */
+    predicate isSource(string kind) {
+      this.getSummaryNode().(FlowSummaryImpl::Private::SourceOutputNode).isEntry(kind)
+    }
+
+    override CfgScope getCfgScope() {
+      result = this.getSummaryNode().getSourceNode().getEnclosingCfgScope()
+    }
 
     override DataFlowCallable getEnclosingCallable() {
       result.asLibraryCallable() = this.getSummarizedCallable()
+      or
+      result.asCfgScope() = this.getSummaryNode().getSourceNode().getEnclosingCfgScope()
     }
 
-    override EmptyLocation getLocation() { any() }
+    override Location getLocation() {
+      exists(this.getSummarizedCallable()) and
+      result instanceof EmptyLocation
+      or
+      result = this.getSourceNode().getLocation()
+    }
 
     override string toString() { result = this.getSummaryNode().toString() }
   }
@@ -526,13 +545,14 @@ private ExprCfgNode getALastEvalNode(ExprCfgNode e) {
 }
 
 module LocalFlow {
-  predicate flowSummaryLocalStep(
-    Node::FlowSummaryNode nodeFrom, Node::FlowSummaryNode nodeTo,
-    FlowSummaryImpl::Public::SummarizedCallable c, string model
-  ) {
-    FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom.getSummaryNode(),
-      nodeTo.getSummaryNode(), true, model) and
-    c = nodeFrom.getSummarizedCallable()
+  predicate flowSummaryLocalStep(Node::FlowSummaryNode nodeFrom, Node nodeTo, string model) {
+    exists(FlowSummaryImpl::Public::SummarizedCallable c |
+      FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom.getSummaryNode(),
+        nodeTo.(Node::FlowSummaryNode).getSummaryNode(), true, model) and
+      c = nodeFrom.getSummarizedCallable()
+    )
+    or
+    FlowSummaryImpl::Private::localSourceNodeStep(nodeFrom, nodeTo, model)
   }
 
   pragma[nomagic]
@@ -848,7 +868,7 @@ module RustDataFlow implements InputSig<Location> {
   predicate nodeIsHidden(Node node) {
     node instanceof Node::SsaNode
     or
-    node instanceof Node::FlowSummaryNode
+    node.(Node::FlowSummaryNode).getSummaryNode().isHidden()
     or
     node instanceof Node::CaptureNode
     or
@@ -864,6 +884,8 @@ module RustDataFlow implements InputSig<Location> {
       node.asExpr() = match.getScrutinee() or
       node.asExpr() = match.getArmPat(_)
     )
+    or
+    FlowSummaryImpl::Private::localSourceNodeStep(_, node, _)
   }
 
   class DataFlowExpr = ExprCfgNode;
@@ -944,7 +966,7 @@ module RustDataFlow implements InputSig<Location> {
     ) and
     model = ""
     or
-    LocalFlow::flowSummaryLocalStep(nodeFrom, nodeTo, _, model)
+    LocalFlow::flowSummaryLocalStep(nodeFrom, nodeTo, model)
   }
 
   /**
@@ -1499,6 +1521,10 @@ private module Cached {
 
   cached
   newtype TContentSet = TSingletonContentSet(Content c)
+
+  /** Holds if `n` is a flow source of kind `kind`. */
+  cached
+  predicate sourceNode(Node n, string kind) { n.(Node::FlowSummaryNode).isSource(kind) }
 }
 
 import Cached

rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll

@@ -11,6 +11,26 @@ private import codeql.rust.dataflow.FlowSummary
 module Input implements InputSig<Location, RustDataFlow> {
   class SummarizedCallableBase = string;
 
+  abstract class SourceBase extends Expr {
+    abstract CallExprBase getCall();
+  }
+
+  private class CallExprSource extends SourceBase {
+    private CallExpr call;
+
+    CallExprSource() { this = call.getFunction() }
+
+    override CallExpr getCall() { result = call }
+  }
+
+  private class MethodCallExprSource extends SourceBase {
+    private MethodCallExpr call;
+
+    MethodCallExprSource() { this = call }
+
+    override MethodCallExpr getCall() { result = call }
+  }
+
   RustDataFlow::ArgumentPosition callbackSelfParameterPosition() { none() }
 
   ReturnKind getStandardReturnValueKind() { result = TNormalReturnKind() }
@@ -92,6 +112,16 @@ module Private {
   import Impl::Private
 
   module Steps = Impl::Private::Steps<StepsInput>;
+
+  private import codeql.rust.dataflow.FlowSource
+
+  predicate localSourceNodeStep(Node::FlowSummaryNode nodeFrom, Node::ExprNode nodeTo, string model) {
+    exists(SummaryComponent sc, FlowSource source |
+      nodeFrom.getSummaryNode().(SourceOutputNode).isExit(source, sc, model) and
+      sc = SummaryComponent::return(_) and
+      nodeTo.asExpr().getExpr() = source.getCall()
+    )
+  }
 }
 
 module Public = Impl::Public;

rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll

@@ -47,6 +47,8 @@
 
 private import rust
 private import codeql.rust.dataflow.FlowSummary
+private import codeql.rust.dataflow.FlowSource
+private import codeql.rust.elements.internal.CallExprBaseImpl::Impl as CallExprBaseImpl
 
 /**
  * Holds if in a call to the function with canonical path `path`, defined in the
@@ -138,3 +140,28 @@ private class SummarizedCallableFromModel extends SummarizedCallable::Range {
     )
   }
 }
+
+private class FlowSourceFromModel extends FlowSource::Range {
+  private string crate;
+  private string path;
+
+  FlowSourceFromModel() {
+    sourceModel(crate, path, _, _, _, _) and
+    exists(Resolvable r |
+      r = CallExprBaseImpl::getCallResolvable(this.getCall()) and
+      path = r.getResolvedPath()
+    |
+      crate = r.getResolvedCrateOrigin()
+      or
+      not r.hasResolvedCrateOrigin() and
+      crate = ""
+    )
+  }
+
+  override predicate isSource(string output, string kind, Provenance provenance, string model) {
+    exists(QlBuiltins::ExtensionId madId |
+      sourceModel(crate, path, output, kind, provenance, madId) and
+      model = "MaD:" + madId.toString()
+    )
+  }
+}

rust/ql/lib/utils/test/InlineFlowTest.qll

@@ -27,6 +27,12 @@ private module FlowTestImpl implements InputSig<Location, RustDataFlow> {
   private string getSourceArgString(DataFlow::Node src) {
     defaultSource(src) and
     result = src.asExpr().(CallExprCfgNode).getArgument(0).toString()
+    or
+    sourceNode(src, _) and
+    exists(CallExpr call |
+      call = src.(Node::FlowSummaryNode).getSourceNode().getCall() and
+      result = call.getArgList().getArg(0).toString()
+    )
   }
 
   bindingset[src, sink]

rust/ql/test/library-tests/dataflow/models/main.rs

@@ -175,6 +175,19 @@ fn test_set_tuple_element() {
     sink(t.1); // $ hasValueFlow=11
 }
 
+// has a source model
+fn enum_source(i: i64) -> MyFieldEnum {
+    MyFieldEnum::C { field_c: 0 }
+}
+
+fn test_enum_source() {
+    let s = enum_source(12);
+    match s {
+        MyFieldEnum::C { field_c: i } => sink(i),
+        MyFieldEnum::D { field_d: i } => sink(i), // $ hasValueFlow=12
+    }
+}
+
 fn main() {
     test_identify();
     test_get_var_pos();
@@ -187,5 +200,6 @@ fn main() {
     test_set_array_element();
     test_get_tuple_element();
     test_set_tuple_element();
+    test_enum_source();
     let dummy = Some(0); // ensure that the the `lang:core` crate is extracted
 }