From 14c0bbf531a78f5429610c364e5f52130e4bd78f Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Mon, 2 Dec 2024 09:34:47 +0000 Subject: [PATCH 1/7] Rust: Add another test case, fix an annotation. --- .../security/CWE-696/BadCTorInitialization.expected | 4 ++-- rust/ql/test/query-tests/security/CWE-696/test.rs | 9 +++++++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/rust/ql/test/query-tests/security/CWE-696/BadCTorInitialization.expected b/rust/ql/test/query-tests/security/CWE-696/BadCTorInitialization.expected index 508a359b0c0b..b52516ce9a3d 100644 --- a/rust/ql/test/query-tests/security/CWE-696/BadCTorInitialization.expected +++ b/rust/ql/test/query-tests/security/CWE-696/BadCTorInitialization.expected @@ -8,7 +8,7 @@ | test.rs:69:9:69:24 | ...::stdin(...) | test.rs:66:1:66:7 | Attr | test.rs:69:9:69:24 | ...::stdin(...) | Call to ...::stdin(...) in a function with the ctor attribute. | | test.rs:90:5:90:35 | ...::sleep(...) | test.rs:88:1:88:7 | Attr | test.rs:90:5:90:35 | ...::sleep(...) | Call to ...::sleep(...) in a function with the ctor attribute. | | test.rs:97:5:97:23 | ...::exit(...) | test.rs:95:1:95:7 | Attr | test.rs:97:5:97:23 | ...::exit(...) | Call to ...::exit(...) in a function with the ctor attribute. | -| test.rs:166:5:166:15 | ...::stdout(...) | test.rs:164:1:164:7 | Attr | test.rs:166:5:166:15 | ...::stdout(...) | Call to ...::stdout(...) in a function with the ctor attribute. | +| test.rs:171:5:171:15 | ...::stdout(...) | test.rs:169:1:169:7 | Attr | test.rs:171:5:171:15 | ...::stdout(...) | Call to ...::stdout(...) in a function with the ctor attribute. | edges | test.rs:29:1:29:13 | Attr | test.rs:31:9:31:25 | ...::stdout(...) | | test.rs:34:1:34:13 | Attr | test.rs:36:9:36:25 | ...::stdout(...) | 
@@ -19,4 +19,4 @@ edges | test.rs:66:1:66:7 | Attr | test.rs:69:9:69:24 | ...::stdin(...) | | test.rs:88:1:88:7 | Attr | test.rs:90:5:90:35 | ...::sleep(...) | | test.rs:95:1:95:7 | Attr | test.rs:97:5:97:23 | ...::exit(...) | -| test.rs:164:1:164:7 | Attr | test.rs:166:5:166:15 | ...::stdout(...) | +| test.rs:169:1:169:7 | Attr | test.rs:171:5:171:15 | ...::stdout(...) | diff --git a/rust/ql/test/query-tests/security/CWE-696/test.rs b/rust/ql/test/query-tests/security/CWE-696/test.rs index 87f544be85c1..69eb68e868af 100644 --- a/rust/ql/test/query-tests/security/CWE-696/test.rs +++ b/rust/ql/test/query-tests/security/CWE-696/test.rs @@ -137,12 +137,12 @@ fn call_target3_2() { } } -#[ctor] // $ MISSING: Source=source3_2 +#[ctor] fn harmless3_2() { call_target3_2(); } -#[ctor] +#[ctor] // $ MISSING: Source=source3_3 fn bad3_3() { call_target3_1(); call_target3_2(); @@ -153,6 +153,11 @@ fn bad3_4() { bad3_3(); } +fn harmless3_5() { + call_target3_1(); + call_target3_2(); +} + // --- macros --- macro_rules! macro4_1 { From 4d0c53d493fe2cc359add1b0f8474b5d2c1f9950 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Mon, 2 Dec 2024 09:30:19 +0000 Subject: [PATCH 2/7] Rust: Add support for transitive results via calls in the ctor query. --- .../security/CWE-696/BadCtorInitialization.ql | 11 +++--- .../CWE-696/BadCTorInitialization.expected | 34 +++++++++++++++++++ .../test/query-tests/security/CWE-696/test.rs | 6 ++-- 3 files changed, 44 insertions(+), 7 deletions(-) diff --git a/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql b/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql index 22ea6514e02e..32f0e9731cc6 100644 --- a/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql +++ b/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql 
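Review bot: The added `harmless3_5` has no comment saying why it must stay silent, so the purpose of the case has to be guessed from the name. It is the only function in this hunk that calls `call_target3_1` without a `#[ctor]` attribute, meaning it must never start a path. A one-line comment above it would record that, for example `// not a ctor/dtor: calls made from here must not produce edges or alerts`. The hunk opens inside `call_target3_2` and runs on into the macros section, both of which continue outside it.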
@@ -41,15 +41,18 @@ class PathElement = AstNode; query predicate edges(PathElement pred, PathElement succ) { // starting edge - exists(CtorAttr ctor, Function f, StdCall call | + exists(CtorAttr ctor, Function f, CallExprBase call | f.getAnAttr() = ctor and call.getEnclosingCallable() = f and pred = ctor and // source - succ = call // sink + succ = call // flow or sink node ) - // or + or // transitive edge - // TODO + exists(Function f | + pred.(CallExprBase).getStaticTarget() = f and + succ.(CallExprBase).getEnclosingCallable() = f + ) } from CtorAttr ctor, StdCall call diff --git a/rust/ql/test/query-tests/security/CWE-696/BadCTorInitialization.expected b/rust/ql/test/query-tests/security/CWE-696/BadCTorInitialization.expected index b52516ce9a3d..c85aabe1fb91 100644 --- a/rust/ql/test/query-tests/security/CWE-696/BadCTorInitialization.expected +++ b/rust/ql/test/query-tests/security/CWE-696/BadCTorInitialization.expected 
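Review bot: The new transitive edge follows only `getStaticTarget()`, so a call whose target is not resolved statically ends the path, and a `#[ctor]` function that reaches the standard library through it produces no alert. The test file in this same patch still marks `Alert=source3_4` as MISSING, which may be an instance of this and is worth confirming. For a security query that false-negative class should be written next to the predicate, for example `// only statically resolved call targets are followed; unresolved calls end the path`. The `edges` predicate is fully visible in the hunk, but the `select` clause that consumes it is not.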
@@ -8,15 +8,49 @@ | test.rs:69:9:69:24 | ...::stdin(...) | test.rs:66:1:66:7 | Attr | test.rs:69:9:69:24 | ...::stdin(...) | Call to ...::stdin(...) in a function with the ctor attribute. | | test.rs:90:5:90:35 | ...::sleep(...) | test.rs:88:1:88:7 | Attr | test.rs:90:5:90:35 | ...::sleep(...) | Call to ...::sleep(...) in a function with the ctor attribute. | | test.rs:97:5:97:23 | ...::exit(...) | test.rs:95:1:95:7 | Attr | test.rs:97:5:97:23 | ...::exit(...) | Call to ...::exit(...) in a function with the ctor attribute. | +| test.rs:126:9:126:16 | stderr(...) | test.rs:129:1:129:7 | Attr | test.rs:126:9:126:16 | stderr(...) | Call to stderr(...) in a function with the ctor attribute. | +| test.rs:126:9:126:16 | stderr(...) | test.rs:145:1:145:7 | Attr | test.rs:126:9:126:16 | stderr(...) | Call to stderr(...) in a function with the ctor attribute. | +| test.rs:126:9:126:44 | ... .write_all(...) | test.rs:129:1:129:7 | Attr | test.rs:126:9:126:44 | ... .write_all(...) | Call to ... .write_all(...) in a function with the ctor attribute. | +| test.rs:126:9:126:44 | ... .write_all(...) | test.rs:145:1:145:7 | Attr | test.rs:126:9:126:44 | ... .write_all(...) | Call to ... .write_all(...) in a function with the ctor attribute. | | test.rs:171:5:171:15 | ...::stdout(...) | test.rs:169:1:169:7 | Attr | test.rs:171:5:171:15 | ...::stdout(...) | Call to ...::stdout(...) in a function with the ctor attribute. | edges | test.rs:29:1:29:13 | Attr | test.rs:31:9:31:25 | ...::stdout(...) | +| test.rs:29:1:29:13 | Attr | test.rs:31:9:31:49 | ... .write(...) | | test.rs:34:1:34:13 | Attr | test.rs:36:9:36:25 | ...::stdout(...) | +| test.rs:34:1:34:13 | Attr | test.rs:36:9:36:49 | ... .write(...) | | test.rs:40:1:40:13 | Attr | test.rs:43:9:43:25 | ...::stdout(...) | +| test.rs:40:1:40:13 | Attr | test.rs:43:9:43:49 | ... .write(...) | | test.rs:51:1:51:7 | Attr | test.rs:53:9:53:16 | stdout(...) | +| test.rs:51:1:51:7 | Attr | test.rs:53:9:53:40 | ... .write(...) 
| | test.rs:56:1:56:7 | Attr | test.rs:58:9:58:16 | stderr(...) | +| test.rs:56:1:56:7 | Attr | test.rs:58:9:58:44 | ... .write_all(...) | | test.rs:61:1:61:7 | Attr | test.rs:63:14:63:28 | ...::_print(...) | +| test.rs:66:1:66:7 | Attr | test.rs:68:20:68:32 | ...::new(...) | | test.rs:66:1:66:7 | Attr | test.rs:69:9:69:24 | ...::stdin(...) | +| test.rs:66:1:66:7 | Attr | test.rs:69:9:69:45 | ... .read_line(...) | +| test.rs:74:1:74:7 | Attr | test.rs:76:17:76:45 | ...::create(...) | +| test.rs:74:1:74:7 | Attr | test.rs:76:17:76:54 | ... .unwrap(...) | +| test.rs:79:1:79:7 | Attr | test.rs:81:14:81:38 | ...::now(...) | | test.rs:88:1:88:7 | Attr | test.rs:90:5:90:35 | ...::sleep(...) | | test.rs:95:1:95:7 | Attr | test.rs:97:5:97:23 | ...::exit(...) | +| test.rs:100:1:100:13 | Attr | test.rs:102:5:102:46 | ... .write_nl(...) | +| test.rs:100:1:100:13 | Attr | test.rs:102:5:102:46 | ...::new(...) | +| test.rs:100:1:100:13 | Attr | test.rs:102:31:102:45 | ... .write_fmt(...) | +| test.rs:105:1:105:13 | Attr | test.rs:107:5:107:23 | panic_cold_explicit(...) | +| test.rs:113:1:113:13 | Attr | test.rs:115:18:115:37 | ...::new::<...>(...) | +| test.rs:113:1:113:13 | Attr | test.rs:116:15:116:27 | alloc(...) | +| test.rs:113:1:113:13 | Attr | test.rs:118:9:118:21 | ... .is_null(...) | +| test.rs:113:1:113:13 | Attr | test.rs:119:9:119:28 | dealloc(...) | +| test.rs:129:1:129:7 | Attr | test.rs:131:5:131:20 | call_target3_1(...) | +| test.rs:131:5:131:20 | call_target3_1(...) | test.rs:126:9:126:16 | stderr(...) | +| test.rs:131:5:131:20 | call_target3_1(...) | test.rs:126:9:126:44 | ... .write_all(...) | +| test.rs:140:1:140:7 | Attr | test.rs:142:5:142:20 | call_target3_2(...) | +| test.rs:145:1:145:7 | Attr | test.rs:147:5:147:20 | call_target3_1(...) | +| test.rs:145:1:145:7 | Attr | test.rs:148:5:148:20 | call_target3_2(...) | +| test.rs:147:5:147:20 | call_target3_1(...) | test.rs:126:9:126:16 | stderr(...) | +| test.rs:147:5:147:20 | call_target3_1(...) 
| test.rs:126:9:126:44 | ... .write_all(...) | +| test.rs:151:1:151:7 | Attr | test.rs:153:5:153:12 | bad3_3(...) | +| test.rs:157:5:157:20 | call_target3_1(...) | test.rs:126:9:126:16 | stderr(...) | +| test.rs:157:5:157:20 | call_target3_1(...) | test.rs:126:9:126:44 | ... .write_all(...) | +| test.rs:169:1:169:7 | Attr | test.rs:171:5:171:15 | ... .write(...) | | test.rs:169:1:169:7 | Attr | test.rs:171:5:171:15 | ...::stdout(...) | diff --git a/rust/ql/test/query-tests/security/CWE-696/test.rs b/rust/ql/test/query-tests/security/CWE-696/test.rs index 69eb68e868af..5cd7f451f2cb 100644 --- a/rust/ql/test/query-tests/security/CWE-696/test.rs +++ b/rust/ql/test/query-tests/security/CWE-696/test.rs @@ -123,10 +123,10 @@ unsafe fn harmless2_11() { // --- transitive cases --- fn call_target3_1() { - _ = stderr().write_all(b"Hello, world!"); // $ MISSING: Alert=source3_1 Alert=source3_3 Alert=source3_4 + _ = stderr().write_all(b"Hello, world!"); // $ Alert=source3_1 Alert=source3_3 MISSING: Alert=source3_4 } -#[ctor] // $ MISSING: Source=source3_1 +#[ctor] // $ Source=source3_1 fn bad3_1() { call_target3_1(); } @@ -142,7 +142,7 @@ fn harmless3_2() { call_target3_2(); } -#[ctor] // $ MISSING: Source=source3_3 +#[ctor] // $ Source=source3_3 fn bad3_3() { call_target3_1(); call_target3_2(); From 3e0e374783bb0a78d2c721c0a88586fe3986d0da Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Mon, 2 Dec 2024 09:32:35 +0000 Subject: [PATCH 3/7] Rust: Remove unnecessary edges. --- .../queries/security/CWE-696/BadCtorInitialization.ql | 9 +++++---- .../security/CWE-696/BadCTorInitialization.expected | 2 -- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql b/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql index 32f0e9731cc6..da65c16159b6 100644 --- a/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql 
+++ b/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql @@ -40,16 +40,17 @@ class StdCall extends Expr { class PathElement = AstNode; query predicate edges(PathElement pred, PathElement succ) { - // starting edge + // starting edge (`#[ctor]` / `#[dtor]` attribute to call) exists(CtorAttr ctor, Function f, CallExprBase call | f.getAnAttr() = ctor and call.getEnclosingCallable() = f and - pred = ctor and // source - succ = call // flow or sink node + pred = ctor and + succ = call ) or - // transitive edge + // transitive edge (call to call) exists(Function f | + edges(_, pred) and pred.(CallExprBase).getStaticTarget() = f and succ.(CallExprBase).getEnclosingCallable() = f ) diff --git a/rust/ql/test/query-tests/security/CWE-696/BadCTorInitialization.expected b/rust/ql/test/query-tests/security/CWE-696/BadCTorInitialization.expected index c85aabe1fb91..8805f214b658 100644 --- a/rust/ql/test/query-tests/security/CWE-696/BadCTorInitialization.expected +++ b/rust/ql/test/query-tests/security/CWE-696/BadCTorInitialization.expected @@ -50,7 +50,5 @@ edges | test.rs:147:5:147:20 | call_target3_1(...) | test.rs:126:9:126:16 | stderr(...) | | test.rs:147:5:147:20 | call_target3_1(...) | test.rs:126:9:126:44 | ... .write_all(...) | | test.rs:151:1:151:7 | Attr | test.rs:153:5:153:12 | bad3_3(...) | -| test.rs:157:5:157:20 | call_target3_1(...) | test.rs:126:9:126:16 | stderr(...) | -| test.rs:157:5:157:20 | call_target3_1(...) | test.rs:126:9:126:44 | ... .write_all(...) | | test.rs:169:1:169:7 | Attr | test.rs:171:5:171:15 | ... .write(...) | | test.rs:169:1:169:7 | Attr | test.rs:171:5:171:15 | ...::stdout(...) | From 4f08fdd23241d5f214dd3560ec85d048ae32dbc2 Mon Sep 17 00:00:00 2001 
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Mon, 2 Dec 2024 09:56:32 +0000 Subject: [PATCH 4/7] Rust: Make the two cases read more similarly. --- .../ql/src/queries/security/CWE-696/BadCtorInitialization.ql | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql b/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql index da65c16159b6..cb1c1f31a8b8 100644 --- a/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql +++ b/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql @@ -41,11 +41,10 @@ class PathElement = AstNode; query predicate edges(PathElement pred, PathElement succ) { // starting edge (`#[ctor]` / `#[dtor]` attribute to call) - exists(CtorAttr ctor, Function f, CallExprBase call | + exists(CtorAttr ctor, Function f | f.getAnAttr() = ctor and - call.getEnclosingCallable() = f and pred = ctor and - succ = call + succ.(CallExprBase).getEnclosingCallable() = f ) or // transitive edge (call to call) From 1e656a49b08b5ec43b8f999e4c32d75e5695f7f7 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Mon, 2 Dec 2024 13:21:34 +0000 Subject: [PATCH 5/7] Rust: Rewrite the query to (1) include functions and (2) minimize output. --- .../security/CWE-696/BadCtorInitialization.ql | 51 +++++++++----- .../CWE-696/BadCTorInitialization.expected | 66 ++++++++----------- 2 files changed, 61 insertions(+), 56 deletions(-) diff --git a/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql b/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql index cb1c1f31a8b8..e8f9c28b3872 100644 --- a/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql +++ b/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql 
@@ -14,7 +14,7 @@ import rust /** - * A `#[ctor]` or `#[dtor]` attribute. + * A `#[ctor]` or `#[dtor]` attribute, that is, a source for this query. */ class CtorAttr extends Attr { string whichAttr; @@ -28,7 +28,7 @@ class CtorAttr extends Attr { } /** - * A call into the Rust standard library. + * A call into the Rust standard library, that is, a sink for this query. */ class StdCall extends Expr { StdCall() { 
@@ -39,23 +39,38 @@ class StdCall extends Expr { class PathElement = AstNode; -query predicate edges(PathElement pred, PathElement succ) { - // starting edge (`#[ctor]` / `#[dtor]` attribute to call) - exists(CtorAttr ctor, Function f | - f.getAnAttr() = ctor and - pred = ctor and - succ.(CallExprBase).getEnclosingCallable() = f - ) +/** + * A candidate edge for the query that is reachable from + * a source. + */ +predicate edgesFwd(PathElement pred, PathElement succ) { + // attribute (source) -> callable + pred.(CtorAttr) = succ.(Callable).getAnAttr() + or + // [forwards reachable] callable -> enclosed call + edgesFwd(_, pred) and + pred = succ.(CallExprBase).getEnclosingCallable() or - // transitive edge (call to call) - exists(Function f | - edges(_, pred) and - pred.(CallExprBase).getStaticTarget() = f and - succ.(CallExprBase).getEnclosingCallable() = f + // [forwards reachable] call -> target callable + edgesFwd(_, pred) and + pred.(CallExprBase).getStaticTarget() = succ +} + +/** + * An edge for the query that is reachable from a source and backwards + * reachable from a sink (adding the backwards reachability constraint + * reduces the amount of output data produced). + */ +query predicate edges(PathElement pred, PathElement succ) { + edgesFwd(pred, succ) and + ( + succ instanceof StdCall // sink + or + edges(succ, _) // backwards reachable from a sink ) } -from CtorAttr ctor, StdCall call -where edges*(ctor, call) -select call, ctor, call, - "Call to " + call.toString() + " in a function with the " + ctor.getWhichAttr() + " attribute." +from CtorAttr source, StdCall sink +where edges*(source, sink) +select sink, source, sink, + "Call to " + sink.toString() + " in a function with the " + source.getWhichAttr() + " attribute." diff --git a/rust/ql/test/query-tests/security/CWE-696/BadCTorInitialization.expected b/rust/ql/test/query-tests/security/CWE-696/BadCTorInitialization.expected index 8805f214b658..311e1828f535 100644 
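Review bot: The message in the rewritten `select` still says the call is "in a function with the ... attribute", which is no longer true for results reached through the call -> target step of `edgesFwd`. The expected output already reports `stderr(...)` at test.rs:126, inside `call_target3_1`, against the attributes at lines 129 and 145, so someone triaging the alert is pointed at a function that has no attribute. The text should describe reachability instead, for example `"Call to " + sink.toString() + " is reachable from a function with the " + source.getWhichAttr() + " attribute."`. The alert rows in the `.expected` file would need regenerating to match.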
--- a/rust/ql/test/query-tests/security/CWE-696/BadCTorInitialization.expected
+++ b/rust/ql/test/query-tests/security/CWE-696/BadCTorInitialization.expected
@@ -14,41 +14,31 @@ | test.rs:126:9:126:44 | ... .write_all(...) | test.rs:145:1:145:7 | Attr | test.rs:126:9:126:44 | ... .write_all(...) | Call to ... .write_all(...) in a function with the ctor attribute. | | test.rs:171:5:171:15 | ...::stdout(...) | test.rs:169:1:169:7 | Attr | test.rs:171:5:171:15 | ...::stdout(...) | Call to ...::stdout(...) in a function with the ctor attribute. | edges -| test.rs:29:1:29:13 | Attr | test.rs:31:9:31:25 | ...::stdout(...) | -| test.rs:29:1:29:13 | Attr | test.rs:31:9:31:49 | ... .write(...) | -| test.rs:34:1:34:13 | Attr | test.rs:36:9:36:25 | ...::stdout(...) | -| test.rs:34:1:34:13 | Attr | test.rs:36:9:36:49 | ... .write(...) | -| test.rs:40:1:40:13 | Attr | test.rs:43:9:43:25 | ...::stdout(...) | -| test.rs:40:1:40:13 | Attr | test.rs:43:9:43:49 | ... .write(...) | -| test.rs:51:1:51:7 | Attr | test.rs:53:9:53:16 | stdout(...) | -| test.rs:51:1:51:7 | Attr | test.rs:53:9:53:40 | ... .write(...) | -| test.rs:56:1:56:7 | Attr | test.rs:58:9:58:16 | stderr(...) | -| test.rs:56:1:56:7 | Attr | test.rs:58:9:58:44 | ... .write_all(...) | -| test.rs:61:1:61:7 | Attr | test.rs:63:14:63:28 | ...::_print(...) | -| test.rs:66:1:66:7 | Attr | test.rs:68:20:68:32 | ...::new(...) | -| test.rs:66:1:66:7 | Attr | test.rs:69:9:69:24 | ...::stdin(...) | -| test.rs:66:1:66:7 | Attr | test.rs:69:9:69:45 | ... .read_line(...) | -| test.rs:74:1:74:7 | Attr | test.rs:76:17:76:45 | ...::create(...) | -| test.rs:74:1:74:7 | Attr | test.rs:76:17:76:54 | ... .unwrap(...) | -| test.rs:79:1:79:7 | Attr | test.rs:81:14:81:38 | ...::now(...) | -| test.rs:88:1:88:7 | Attr | test.rs:90:5:90:35 | ...::sleep(...) | -| test.rs:95:1:95:7 | Attr | test.rs:97:5:97:23 | ...::exit(...) | -| test.rs:100:1:100:13 | Attr | test.rs:102:5:102:46 | ... .write_nl(...) | -| test.rs:100:1:100:13 | Attr | test.rs:102:5:102:46 | ...::new(...) | -| test.rs:100:1:100:13 | Attr | test.rs:102:31:102:45 | ... .write_fmt(...) 
| -| test.rs:105:1:105:13 | Attr | test.rs:107:5:107:23 | panic_cold_explicit(...) | -| test.rs:113:1:113:13 | Attr | test.rs:115:18:115:37 | ...::new::<...>(...) | -| test.rs:113:1:113:13 | Attr | test.rs:116:15:116:27 | alloc(...) | -| test.rs:113:1:113:13 | Attr | test.rs:118:9:118:21 | ... .is_null(...) | -| test.rs:113:1:113:13 | Attr | test.rs:119:9:119:28 | dealloc(...) | -| test.rs:129:1:129:7 | Attr | test.rs:131:5:131:20 | call_target3_1(...) | -| test.rs:131:5:131:20 | call_target3_1(...) | test.rs:126:9:126:16 | stderr(...) | -| test.rs:131:5:131:20 | call_target3_1(...) | test.rs:126:9:126:44 | ... .write_all(...) | -| test.rs:140:1:140:7 | Attr | test.rs:142:5:142:20 | call_target3_2(...) | -| test.rs:145:1:145:7 | Attr | test.rs:147:5:147:20 | call_target3_1(...) | -| test.rs:145:1:145:7 | Attr | test.rs:148:5:148:20 | call_target3_2(...) | -| test.rs:147:5:147:20 | call_target3_1(...) | test.rs:126:9:126:16 | stderr(...) | -| test.rs:147:5:147:20 | call_target3_1(...) | test.rs:126:9:126:44 | ... .write_all(...) | -| test.rs:151:1:151:7 | Attr | test.rs:153:5:153:12 | bad3_3(...) | -| test.rs:169:1:169:7 | Attr | test.rs:171:5:171:15 | ... .write(...) | -| test.rs:169:1:169:7 | Attr | test.rs:171:5:171:15 | ...::stdout(...) | +| test.rs:29:1:29:13 | Attr | test.rs:29:1:32:1 | fn bad1_1 | +| test.rs:29:1:32:1 | fn bad1_1 | test.rs:31:9:31:25 | ...::stdout(...) | +| test.rs:34:1:34:13 | Attr | test.rs:34:1:37:1 | fn bad1_2 | +| test.rs:34:1:37:1 | fn bad1_2 | test.rs:36:9:36:25 | ...::stdout(...) | +| test.rs:39:1:44:1 | fn bad1_3 | test.rs:43:9:43:25 | ...::stdout(...) | +| test.rs:40:1:40:13 | Attr | test.rs:39:1:44:1 | fn bad1_3 | +| test.rs:51:1:51:7 | Attr | test.rs:51:1:54:1 | fn bad2_1 | +| test.rs:51:1:54:1 | fn bad2_1 | test.rs:53:9:53:16 | stdout(...) | +| test.rs:56:1:56:7 | Attr | test.rs:56:1:59:1 | fn bad2_2 | +| test.rs:56:1:59:1 | fn bad2_2 | test.rs:58:9:58:16 | stderr(...) 
| +| test.rs:61:1:61:7 | Attr | test.rs:61:1:64:1 | fn bad2_3 | +| test.rs:61:1:64:1 | fn bad2_3 | test.rs:63:14:63:28 | ...::_print(...) | +| test.rs:66:1:66:7 | Attr | test.rs:66:1:70:1 | fn bad2_4 | +| test.rs:66:1:70:1 | fn bad2_4 | test.rs:69:9:69:24 | ...::stdin(...) | +| test.rs:88:1:88:7 | Attr | test.rs:88:1:91:1 | fn bad2_7 | +| test.rs:88:1:91:1 | fn bad2_7 | test.rs:90:5:90:35 | ...::sleep(...) | +| test.rs:95:1:95:7 | Attr | test.rs:95:1:98:1 | fn bad2_8 | +| test.rs:95:1:98:1 | fn bad2_8 | test.rs:97:5:97:23 | ...::exit(...) | +| test.rs:125:1:127:1 | fn call_target3_1 | test.rs:126:9:126:16 | stderr(...) | +| test.rs:125:1:127:1 | fn call_target3_1 | test.rs:126:9:126:44 | ... .write_all(...) | +| test.rs:129:1:129:7 | Attr | test.rs:129:1:132:1 | fn bad3_1 | +| test.rs:129:1:132:1 | fn bad3_1 | test.rs:131:5:131:20 | call_target3_1(...) | +| test.rs:131:5:131:20 | call_target3_1(...) | test.rs:125:1:127:1 | fn call_target3_1 | +| test.rs:145:1:145:7 | Attr | test.rs:145:1:149:1 | fn bad3_3 | +| test.rs:145:1:149:1 | fn bad3_3 | test.rs:147:5:147:20 | call_target3_1(...) | +| test.rs:147:5:147:20 | call_target3_1(...) | test.rs:125:1:127:1 | fn call_target3_1 | +| test.rs:169:1:169:7 | Attr | test.rs:169:1:172:1 | fn bad4_1 | +| test.rs:169:1:172:1 | fn bad4_1 | test.rs:171:5:171:15 | ...::stdout(...) | From ed22f49cddde7a36039c508e1d0a186ea754cd54 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Mon, 2 Dec 2024 13:58:06 +0000 Subject: [PATCH 6/7] Rust: Make ql-for-ql happy. --- .../queries/security/CWE-696/BadCtorInitialization.ql | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql b/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql index e8f9c28b3872..1d1ffe529b1d 100644 --- a/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql +++ b/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql 
@@ -40,8 +40,8 @@ class StdCall extends Expr { class PathElement = AstNode; /** - * A candidate edge for the query that is reachable from - * a source. + * Holds if (`pred`, `succ`) represents a candidate edge for the query that is + * reachable from a source. */ predicate edgesFwd(PathElement pred, PathElement succ) { // attribute (source) -> callable @@ -57,9 +57,9 @@ predicate edgesFwd(PathElement pred, PathElement succ) { } /** - * An edge for the query that is reachable from a source and backwards - * reachable from a sink (adding the backwards reachability constraint - * reduces the amount of output data produced). + * Holds if (`pred`, `succ`) represents an edge for the query that is reachable + * from a source and backwards reachable from a sink (adding the backwards + * reachability constraint reduces the amount of output data produced). */ query predicate edges(PathElement pred, PathElement succ) { edgesFwd(pred, succ) and From 0865397e29b9c1dc374a8fb11faebe4c8bd7b6c4 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Mon, 2 Dec 2024 14:05:42 +0000 Subject: [PATCH 7/7] Rust: Address nit. --- rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql b/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql index 1d1ffe529b1d..c7a3e0d1cdad 100644 --- a/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql +++ b/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql @@ -71,6 +71,6 @@ query predicate edges(PathElement pred, PathElement succ) { } from CtorAttr source, StdCall sink -where edges*(source, sink) +where edges+(source, sink) select sink, source, sink, "Call to " + sink.toString() + " in a function with the " + source.getWhichAttr() + " attribute."