Merge pull request #18946 from paldepind/rust-regex-injection

Rust: Add regular expression injection query

Author: paldepind

rust/ql/integration-tests/hello-project/summary.expected

@@ -14,7 +14,7 @@
 | Macro calls - resolved | 2 |
 | Macro calls - total | 2 |
 | Macro calls - unresolved | 0 |
-| Taint edges - number of edges | 1670 |
+| Taint edges - number of edges | 1671 |
 | Taint reach - nodes tainted | 0 |
 | Taint reach - per million nodes | 0 |
 | Taint sinks - cryptographic operations | 0 |

rust/ql/integration-tests/hello-workspace/summary.cargo.expected

@@ -14,7 +14,7 @@
 | Macro calls - resolved | 2 |
 | Macro calls - total | 2 |
 | Macro calls - unresolved | 0 |
-| Taint edges - number of edges | 1670 |
+| Taint edges - number of edges | 1671 |
 | Taint reach - nodes tainted | 0 |
 | Taint reach - per million nodes | 0 |
 | Taint sinks - cryptographic operations | 0 |

rust/ql/integration-tests/hello-workspace/summary.rust-project.expected

@@ -14,7 +14,7 @@
 | Macro calls - resolved | 2 |
 | Macro calls - total | 2 |
 | Macro calls - unresolved | 0 |
-| Taint edges - number of edges | 1670 |
+| Taint edges - number of edges | 1671 |
 | Taint reach - nodes tainted | 0 |
 | Taint reach - per million nodes | 0 |
 | Taint sinks - cryptographic operations | 0 |

rust/ql/lib/codeql/rust/frameworks/regex.model.yml

@@ -0,0 +1,7 @@
+# Models for the `regex` crate.
+extensions:
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: summaryModel
+    data:
+      - ["repo:https://github.com/rust-lang/regex:regex", "crate::escape", "Argument[0].Reference", "ReturnValue", "taint", "manual"]

rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll

@@ -0,0 +1,67 @@
+/**
+ * Provides classes and predicates to reason about regular expression injection
+ * vulnerabilities.
+ */
+
+private import codeql.util.Unit
+private import rust
+private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.controlflow.CfgNodes
+private import codeql.rust.dataflow.FlowSink
+
+/**
+ * A data flow sink for regular expression injection vulnerabilities.
+ */
+abstract class RegexInjectionSink extends DataFlow::Node { }
+
+/**
+ * A barrier for regular expression injection vulnerabilities.
+ */
+abstract class RegexInjectionBarrier extends DataFlow::Node { }
+
+/** A sink for `a` in `Regex::new(a)` when `a` is not a literal. */
+private class NewRegexInjectionSink extends RegexInjectionSink {
+  NewRegexInjectionSink() {
+    exists(CallExprCfgNode call, PathExpr path |
+      path = call.getFunction().getExpr() and
+      path.getResolvedCrateOrigin() = "repo:https://github.com/rust-lang/regex:regex" and
+      path.getResolvedPath() = "<crate::regex::string::Regex>::new" and
+      this.asExpr() = call.getArgument(0) and
+      not this.asExpr() instanceof LiteralExprCfgNode
+    )
+  }
+}
+
+private class MadRegexInjectionSink extends RegexInjectionSink {
+  MadRegexInjectionSink() { sinkNode(this, "regex-use") }
+}
+
+/**
+ * A unit class for adding additional flow steps.
+ */
+class RegexInjectionAdditionalFlowStep extends Unit {
+  /**
+   * Holds if the step from `node1` to `node2` should be considered a flow
+   * step for paths related to regular expression injection vulnerabilities.
+   */
+  abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
+}
+
+/**
+ * An escape barrier for regular expression injection vulnerabilities.
+ */
+private class RegexInjectionDefaultBarrier extends RegexInjectionBarrier {
+  RegexInjectionDefaultBarrier() {
+    // A barrier is any call to a function named `escape`, in particular this
+    // makes calls to `regex::escape` a barrier.
+    this.asExpr()
+        .getExpr()
+        .(CallExpr)
+        .getFunction()
+        .(PathExpr)
+        .getPath()
+        .getPart()
+        .getNameRef()
+        .getText() = "escape"
+  }
+}

rust/ql/src/queries/security/CWE-020/RegexInjection.qhelp

@@ -0,0 +1,56 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Constructing a regular expression with unsanitized user input can be dangerous.
+A malicious user may be able to modify the meaning of the expression, causing it
+to match unexpected strings and construct large regular expressions by using
+counted repetitions.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Before embedding user input into a regular expression, escape the input string
+using a function such as <a
+href="https://docs.rs/regex/latest/regex/fn.escape.html">regex::escape</a> to
+escape meta-characters that have special meaning.
+</p>
+<p>
+If purposefully supporting user supplied regular expressions, then use <a
+href="https://docs.rs/regex/latest/regex/struct.RegexBuilder.html#method.size_limit">RegexBuilder::size_limit</a>
+to limit the pattern size so that it is no larger than necessary.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example constructs a regular expressions from the user input
+<code>key</code> without escaping it first.
+</p>
+
+<sample src="RegexInjectionBad.rs" />
+
+<p>
+The regular expression is intended to match strings starting with
+<code>"property"</code> such as <code>"property:foo=bar"</code>. However, a
+malicious user might inject the regular expression <code>".*^|key"</code> and
+unexpectedly cause strings such as <code>"key=secret"</code> to match.
+</p>
+<p>
+If user input is used to construct a regular expression, it should be escaped
+first. This ensures that malicious users cannot insert characters that have special
+meanings in regular expressions.
+</p>
+<sample src="RegexInjectionGood.rs" />
+</example>
+
+<references>
+<li>
+  <code>regex</code> crate documentation: <a href="https://docs.rs/regex/latest/regex/index.html#untrusted-patterns">Untrusted patterns</a>.
+</li>
+</references>
+</qhelp>

rust/ql/src/queries/security/CWE-020/RegexInjection.ql

@@ -0,0 +1,48 @@
+/**
+ * @name Regular expression injection
+ * @description User input should not be used in regular expressions without first being
+ *              escaped, otherwise a malicious user may be able to inject an expression that
+ *              could modify the meaning of the expression, causing it to match unexpected
+ *              strings.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 7.8
+ * @precision high
+ * @id rust/regex-injection
+ * @tags security
+ *       external/cwe/cwe-020
+ *       external/cwe/cwe-074
+ */
+
+private import rust
+private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.TaintTracking
+private import codeql.rust.Concepts
+private import codeql.rust.security.regex.RegexInjectionExtensions
+
+/**
+ * A taint configuration for detecting regular expression injection vulnerabilities.
+ */
+module RegexInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof RegexInjectionSink }
+
+  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof RegexInjectionBarrier }
+
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    any(RegexInjectionAdditionalFlowStep s).step(nodeFrom, nodeTo)
+  }
+}
+
+/**
+ * Detect taint flow of tainted data that reaches a regular expression sink.
+ */
+module RegexInjectionFlow = TaintTracking::Global<RegexInjectionConfig>;
+
+private import RegexInjectionFlow::PathGraph
+
+from RegexInjectionFlow::PathNode sourceNode, RegexInjectionFlow::PathNode sinkNode
+where RegexInjectionFlow::flowPath(sourceNode, sinkNode)
+select sinkNode.getNode(), sourceNode, sinkNode,
+  "This regular expression is constructed from a $@.", sourceNode.getNode(), "user-provided value"

rust/ql/src/queries/security/CWE-020/RegexInjectionBad.rs

@@ -0,0 +1,8 @@
+use regex::Regex;
+
+fn get_value<'h>(key: &str, property: &'h str) -> Option<&'h str> {
+    // BAD: User provided `key` is interpolated into the regular expression.
+    let pattern = format!(r"^property:{key}=(.*)$");
+    let re = Regex::new(&pattern).unwrap();
+    re.captures(property)?.get(1).map(|m| m.as_str())
+}

rust/ql/src/queries/security/CWE-020/RegexInjectionGood.rs

@@ -0,0 +1,9 @@
+use regex::{escape, Regex};
+
+fn get_value<'h>(key: &str, property: &'h str) -> option<&'h str> {
+    // GOOD: User input is escaped before being used in the regular expression.
+    let escaped_key = escape(key);
+    let pattern = format!(r"^property:{escaped_key}=(.*)$");
+    let re = regex::new(&pattern).unwrap();
+    re.captures(property)?.get(1).map(|m| m.as_str())
+}

rust/ql/test/default-threat-models.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]