Rust: Models-as-data for flow summaries

Author: hvitved

rust/ql/lib/codeql/rust/dataflow/FlowSummary.qll

@@ -7,17 +7,7 @@ private import codeql.rust.elements.internal.CallExprBaseImpl::Impl as CallExprB
 // import all instances below
 private module Summaries {
   private import codeql.rust.Frameworks
-
-  // TODO: Use models-as-data when it's available
-  private class UnwrapSummary extends SummarizedCallable::Range {
-    UnwrapSummary() { this = "lang:core::_::<crate::option::Option>::unwrap" }
-
-    override predicate propagatesFlow(string input, string output, boolean preservesValue) {
-      input = "Argument[self].Variant[crate::option::Option::Some(0)]" and
-      output = "ReturnValue" and
-      preservesValue = true
-    }
-  }
+  private import codeql.rust.dataflow.internal.ModelsAsData
 }
 
 /** Provides the `Range` class used to define the extent of `LibraryCallable`. */

rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll

@@ -0,0 +1,93 @@
+/**
+ * Defines extensible predicates for contributing library models from data extensions.
+ */
+
+private import rust
+private import codeql.rust.dataflow.FlowSummary
+
+/**
+ * Holds if in a call to the function with canonical path `path`, defined in the
+ * crate `crate`, the value referred to by `output` is a flow source of the given
+ * `kind`.
+ *
+ * `output = "ReturnValue"` simply means the result of the call itself.
+ *
+ * The following kinds are supported:
+ *
+ * - `remote`: a general remote flow source.
+ */
+extensible predicate sourceModel(
+  string crate, string path, string output, string kind, string provenance,
+  QlBuiltins::ExtensionId madId
+);
+
+/**
+ * Holds if in a call to the function with canonical path `path`, defined in the
+ * crate `crate`, the value referred to by `input` is a flow sink of the given
+ * `kind`.
+ *
+ * For example, `input = Argument[0]` means the first argument of the call.
+ *
+ * The following kinds are supported:
+ *
+ * - `sql-injection`: a flow sink for SQL injection.
+ */
+extensible predicate sinkModel(
+  string crate, string path, string input, string kind, string provenance,
+  QlBuiltins::ExtensionId madId
+);
+
+/**
+ * Holds if in a call to the function with canonical path `path`, defined in the
+ * crate `crate`, the value referred to by `input` can flow to the value referred
+ * to by `output`.
+ *
+ * `kind` should be either `value` or `taint`, for value-preserving or taint-preserving
+ * steps, respectively.
+ */
+extensible predicate summaryModel(
+  string crate, string path, string input, string output, string kind, string provenance,
+  QlBuiltins::ExtensionId madId
+);
+
+/**
+ * Holds if the given extension tuple `madId` should pretty-print as `model`.
+ *
+ * This predicate should only be used in tests.
+ */
+predicate interpretModelForTest(QlBuiltins::ExtensionId madId, string model) {
+  exists(string crate, string path, string output, string kind |
+    sourceModel(crate, path, kind, output, _, madId) and
+    model = "Source: " + crate + "; " + path + "; " + output + "; " + kind
+  )
+  or
+  exists(string crate, string path, string input, string kind |
+    sinkModel(crate, path, kind, input, _, madId) and
+    model = "Sink: " + crate + "; " + path + "; " + input + "; " + kind
+  )
+  or
+  exists(string type, string path, string input, string output, string kind |
+    summaryModel(type, path, input, output, kind, _, madId) and
+    model = "Summary: " + type + "; " + path + "; " + input + "; " + output + "; " + kind
+  )
+}
+
+private class SummarizedCallableFromModel extends SummarizedCallable::Range {
+  private string crate;
+  private string path;
+
+  SummarizedCallableFromModel() {
+    summaryModel(crate, path, _, _, _, _, _) and
+    this = crate + "::_::" + path
+  }
+
+  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
+    exists(string kind | summaryModel(crate, path, input, output, kind, _, _) |
+      kind = "value" and
+      preservesValue = true
+      or
+      kind = "taint" and
+      preservesValue = false
+    )
+  }
+}

rust/ql/lib/codeql/rust/dataflow/internal/empty.model.yml

@@ -0,0 +1,17 @@
+extensions:
+  # Make sure that the extensible model predicates have at least one definition
+  # to avoid errors about undefined extensionals.
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: sourceModel
+    data: []
+
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: sinkModel
+    data: []
+
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: summaryModel
+    data: []

rust/ql/lib/codeql/rust/frameworks/stdlib/lang-core.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: summaryModel
+    data:
+      - ["lang:core", "<crate::option::Option>::unwrap", "Argument[self].Variant[crate::option::Option::Some(0)]", "ReturnValue", "value", "manual"]

rust/ql/lib/qlpack.yml

@@ -13,4 +13,6 @@ dependencies:
   codeql/ssa: ${workspace}
   codeql/tutorial: ${workspace}
   codeql/util: ${workspace}
+dataExtensions:
+  - /**/*.model.yml
 warnOnImplicitThis: true

rust/ql/test/library-tests/dataflow/models/models.ext.yml

@@ -0,0 +1,11 @@
+extensions:
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: summaryModel
+    data:
+      - ["repo::test", "crate::identity", "Argument[0]", "ReturnValue", "value", "manual"]
+      - ["repo::test", "crate::coerce", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["repo::test", "crate::get_var_pos", "Argument[0].Variant[crate::MyPosEnum::A(0)]", "ReturnValue", "value", "manual"]
+      - ["repo::test", "crate::set_var_pos", "Argument[0]", "ReturnValue.Variant[crate::MyPosEnum::B(0)]", "value", "manual"]
+      - ["repo::test", "crate::get_var_field", "Argument[0].Variant[crate::MyFieldEnum::C::field_c]", "ReturnValue", "value", "manual"]
+      - ["repo::test", "crate::set_var_field", "Argument[0]", "ReturnValue.Variant[crate::MyFieldEnum::D::field_d]", "value", "manual"]

rust/ql/test/library-tests/dataflow/models/models.ql

@@ -15,66 +15,6 @@ query predicate invalidSpecComponent(SummarizedCallable sc, string s, string c)
   Private::External::invalidSpecComponent(s, c)
 }
 
-private class SummarizedCallableIdentity extends SummarizedCallable::Range {
-  SummarizedCallableIdentity() { this = "repo::test::_::crate::identity" }
-
-  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
-    input = "Argument[0]" and
-    output = "ReturnValue" and
-    preservesValue = true
-  }
-}
-
-private class SummarizedCallableCoerce extends SummarizedCallable::Range {
-  SummarizedCallableCoerce() { this = "repo::test::_::crate::coerce" }
-
-  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
-    input = "Argument[0]" and
-    output = "ReturnValue" and
-    preservesValue = false
-  }
-}
-
-private class SummarizedCallableGetVarPos extends SummarizedCallable::Range {
-  SummarizedCallableGetVarPos() { this = "repo::test::_::crate::get_var_pos" }
-
-  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
-    input = "Argument[0].Variant[crate::MyPosEnum::A(0)]" and
-    output = "ReturnValue" and
-    preservesValue = true
-  }
-}
-
-private class SummarizedCallableSetVarPos extends SummarizedCallable::Range {
-  SummarizedCallableSetVarPos() { this = "repo::test::_::crate::set_var_pos" }
-
-  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
-    input = "Argument[0]" and
-    output = "ReturnValue.Variant[crate::MyPosEnum::B(0)]" and
-    preservesValue = true
-  }
-}
-
-private class SummarizedCallableGetVarField extends SummarizedCallable::Range {
-  SummarizedCallableGetVarField() { this = "repo::test::_::crate::get_var_field" }
-
-  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
-    input = "Argument[0].Variant[crate::MyFieldEnum::C::field_c]" and
-    output = "ReturnValue" and
-    preservesValue = true
-  }
-}
-
-private class SummarizedCallableSetVarField extends SummarizedCallable::Range {
-  SummarizedCallableSetVarField() { this = "repo::test::_::crate::set_var_field" }
-
-  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
-    input = "Argument[0]" and
-    output = "ReturnValue.Variant[crate::MyFieldEnum::D::field_d]" and
-    preservesValue = true
-  }
-}
-
 module CustomConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { DefaultFlowConfig::isSource(source) }
 

rust/ql/test/query-tests/security/CWE-089/SqlInjection.qlref

@@ -1,2 +1,4 @@
 query: queries/security/CWE-089/SqlInjection.ql
-postprocess: utils/InlineExpectationsTestQuery.ql
+postprocess:
+ - utils/PrettyPrintModels.ql
+ - utils/InlineExpectationsTestQuery.ql

rust/ql/test/utils/InlineFlowTest.qll

@@ -9,6 +9,7 @@ private import codeql.rust.controlflow.CfgNodes
 private import codeql.rust.dataflow.DataFlow
 private import codeql.rust.dataflow.internal.DataFlowImpl
 private import codeql.rust.dataflow.internal.TaintTrackingImpl
+private import codeql.rust.dataflow.internal.ModelsAsData as MaD
 private import internal.InlineExpectationsTestImpl as InlineExpectationsTestImpl
 
 // Holds if the target expression of `call` is a path and the string representation of the path is `name`.
@@ -38,7 +39,7 @@ private module FlowTestImpl implements InputSig<Location, RustDataFlow> {
     exists(sink)
   }
 
-  predicate interpretModelForTest(QlBuiltins::ExtensionId madId, string model) { none() }
+  predicate interpretModelForTest = MaD::interpretModelForTest/2;
 }
 
 import InlineFlowTestMake<Location, RustDataFlow, RustTaintTracking, InlineExpectationsTestImpl::Impl, FlowTestImpl>

rust/ql/test/utils/PrettyPrintModels.ql

@@ -0,0 +1,7 @@
+/**
+ * @kind test-postprocess
+ */
+
+import codeql.rust.dataflow.internal.ModelsAsData
+import codeql.dataflow.test.ProvenancePathGraph
+import codeql.dataflow.test.ProvenancePathGraph::TestPostProcessing::TranslateProvenanceResults<interpretModelForTest/2>