WIP barrier guards

Author: owen-mc

rust/ql/lib/codeql/rust/dataflow/FlowBarrier.qll

@@ -51,4 +51,27 @@ module FlowBarrier {
 
 final class FlowBarrier = FlowBarrier::Range;
 
+/** Provides the `Range` class used to define the extent of `FlowBarrierGuard`. */
+module FlowBarrierGuard {
+  /** A flow barrier guard. */
+  abstract class Range extends Impl::Public::BarrierGuardElement {
+    bindingset[this]
+    Range() { any() }
+
+    override predicate isBarrierGuard(
+      string input, string branch, string kind, Impl::Public::Provenance provenance, string model
+    ) {
+      this.isBarrierGuard(input, branch, kind) and provenance = "manual" and model = ""
+    }
+
+    /**
+     * Holds if this element is a flow barrier guard of kind `kind`, for data
+     * flowing in as described by `input`, when `this` evaluates to `branch`.
+     */
+    predicate isBarrierGuard(string input, string branch, string kind) { none() }
+  }
+}
+
+final class FlowBarrierGuard = FlowBarrierGuard::Range;
+
 predicate barrierNode = DataFlowImpl::barrierNode/2;

shared/dataflow/codeql/dataflow/internal/FlowSummaryImpl.qll

@@ -381,6 +381,21 @@ module Make<
       abstract predicate isBarrier(string output, string kind, Provenance provenance, string model);
     }
 
+    /** A barrier guard element. */
+    abstract class BarrierGuardElement extends SinkBaseFinal {
+      bindingset[this]
+      BarrierGuardElement() { any() }
+
+      /**
+       * Holds if this element is a flow barrier guard of kind `kind`, for data
+       * flowing in as described by `input`, when `this` evaluates to `branch`.
+       */
+      pragma[nomagic]
+      abstract predicate isBarrierGuard(
+        string input, string branch, string kind, Provenance provenance, string model
+      );
+    }
+
     private signature predicate hasKindSig(string kind);
 
     signature class NeutralCallableSig extends SummarizedCallableBaseFinal {
@@ -748,6 +763,19 @@ module Make<
       )
     }
 
+    private predicate isRelevantBarrierGuard(
+      BarrierGuardElement e, string input, string branch, string kind, Provenance provenance,
+      string model
+    ) {
+      e.isBarrierGuard(input, branch, kind, provenance, model) and
+      (
+        provenance.isManual()
+        or
+        provenance.isGenerated() and
+        not exists(Provenance p | p.isManual() and e.isBarrierGuard(_, _, kind, p, _))
+      )
+    }
+
     private predicate flowSpec(string spec) {
       exists(SummarizedCallable c |
         c.propagatesFlow(spec, _, _, _, _, _)
@@ -759,6 +787,8 @@ module Make<
       or
       isRelevantBarrier(_, spec, _, _, _)
       or
+      isRelevantBarrierGuard(_, spec, _, _, _, _)
+      or
       isRelevantSink(_, spec, _, _, _)
     }
 
@@ -1554,6 +1584,19 @@ module Make<
       )
     }
 
+    /**
+     * Holds if `barrierGuard` is a relevant barrier guard element with input specification `inSpec`.
+     */
+    predicate barrierSpec(
+      BarrierGuardElement barrierGuard, SummaryComponentStack inSpec, string branch, string kind,
+      string model
+    ) {
+      exists(string input |
+        isRelevantBarrierGuard(barrierGuard, input, branch, kind, _, model) and
+        External::interpretSpec(input, inSpec)
+      )
+    }
+
     signature module TypesInputSig {
       /** Gets the type of content `c`. */
       DataFlowType getContentType(ContentSet c);