-
Notifications
You must be signed in to change notification settings - Fork 1.8k
Rust: new query rust/hardcoded-crytographic-value #18943
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from 12 commits
Commits
Show all changes
39 commits
Select commit
Hold shift + click to select a range
9a35feb
Rust: Query framework and basic tests.
geoffw0 bd75f01
Rust: More test cases.
geoffw0 9fb00da
Rust: Implement the query (with one source, one sink model).
geoffw0 a6e106e
Rust: Model more sinks + flows.
geoffw0 aacbfc0
Rust: Improve alert messages.
geoffw0 055baf2
Rust: Improve results on arrays (less duplication).
geoffw0 ac94ac6
Rust: Model even more sinks + flows.
geoffw0 b4a6063
Rust: Add std::mem::zeroed as a source.
geoffw0 95be12e
Rust: Add qhelp and examples.
geoffw0 e564c41
Rust: Compute security-severity tag.
geoffw0 952e417
Rust: Tweak some wording.
geoffw0 9af2d02
Rust: Add the new sinks to stats.
geoffw0 42e7d1e
Rust: Fix typo.
geoffw0 b6c9be2
Merge branch 'main' into constcrypto
geoffw0 19416a9
Rust: Correct test results.
geoffw0 c63c1be
Rust: Accept integration test .expected changes.
geoffw0 3dc35f1
Rust: Accept more test changes.
geoffw0 fdb4362
Merge remote-tracking branch 'upstream/main' into constcrypto
geoffw0 b4e710f
Rust: Add missing models (for some platforms???).
geoffw0 e84a98b
Apply suggestions from code review
geoffw0 a34f9be
Rust: Add a test case for getrandom.
geoffw0 9e54d53
Rust: Add barrier.
geoffw0 1ca5c59
Rust: Replace imports of internal.DataFlowImpl where possible.
geoffw0 e3beacb
Rust: Print models (temporary, to see how this differs on CI).
geoffw0 a0f4fa2
Rust: hardcoded -> hard-coded.
geoffw0 704b385
Rust: Fix a mistake in the test.
geoffw0 81edb47
Merge branch 'main' into constcrypto
geoffw0 f5daec9
Rust: Fix after merge.
geoffw0 07011f7
Rust: Fix more after merge.
geoffw0 898c569
Rust: Change note.
geoffw0 c2ddf25
Merge branch 'main' into constcrypto
geoffw0 0ec10e5
Rust: Corrections after the merge.
geoffw0 fc8a662
Rust: Update the models.
geoffw0 796cb19
Rust: Accept test regressions with new format MaD.
geoffw0 ec3ad85
Rust: Add another test case for barriers (that still functions).
geoffw0 d53dada
Rust: Update barrier logic to use getCanonicalPath.
geoffw0 43ac82f
Rust: Update consistency check .expected files.
geoffw0 1945fb8
Rust: Accept changes to query suites.
geoffw0 f7d822b
Rust: Remove empty file.
geoffw0 File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| extensions: | ||
| - addsTo: | ||
| pack: codeql/rust-all | ||
| extensible: summaryModel | ||
| data: | ||
| - ["repo:https://github.com/fizyk20/generic-array.git:generic-array", "<crate::GenericArray>::from_slice", "Argument[0].Reference", "ReturnValue.Reference", "value", "manual"] | ||
| - ["repo:https://github.com/fizyk20/generic-array.git:generic-array", "<crate::GenericArray>::from_mut_slice", "Argument[0].Reference", "ReturnValue.Reference", "value", "manual"] | ||
| - ["repo:https://github.com/fizyk20/generic-array.git:generic-array", "<crate::GenericArray>::try_from_slice", "Argument[0].Reference", "ReturnValue.Field[crate::result::Result::Ok(0)].Reference", "value", "manual"] | ||
| - ["repo:https://github.com/fizyk20/generic-array.git:generic-array", "<crate::GenericArray>::try_from_mut_slice", "Argument[0].Reference", "ReturnValue.Field[crate::result::Result::Ok(0)].Reference", "value", "manual"] | ||
geoffw0 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
9 changes: 9 additions & 0 deletions
9
rust/ql/lib/codeql/rust/frameworks/stdlib/lang-core.model.yml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
92 changes: 92 additions & 0 deletions
92
rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,92 @@ | ||
| /** | ||
| * Provides classes and predicates for reasoning about hardcoded cryptographic value | ||
| * vulnerabilities. | ||
| */ | ||
|
|
||
| import rust | ||
| private import codeql.rust.dataflow.DataFlow | ||
| private import codeql.rust.dataflow.internal.DataFlowImpl | ||
geoffw0 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| private import codeql.rust.security.SensitiveData | ||
|
|
||
| /** | ||
| * A kind of cryptographic value. | ||
| */ | ||
| class CryptographicValueKind extends string { | ||
| CryptographicValueKind() { this = ["password", "key", "iv", "nonce", "salt"] } | ||
|
|
||
| /** | ||
| * Gets a description of this value kind for user-facing messages. | ||
| */ | ||
| string getDescription() { | ||
| this = "password" and result = "a password" | ||
| or | ||
| this = "key" and result = "a key" | ||
| or | ||
| this = "iv" and result = "an initialization vector" | ||
| or | ||
| this = "nonce" and result = "a nonce" | ||
| or | ||
| this = "salt" and result = "a salt" | ||
| } | ||
| } | ||
|
|
||
| /** | ||
| * Provides default sources, sinks and barriers for detecting hardcoded cryptographic | ||
| * value vulnerabilities, as well as extension points for adding your own. | ||
| */ | ||
| module HardcodedCryptographicValue { | ||
| /** | ||
| * A data flow source for hardcoded cryptographic value vulnerabilities. | ||
| */ | ||
| abstract class Source extends DataFlow::Node { } | ||
|
|
||
| /** | ||
| * A data flow sink for hardcoded cryptographic value vulnerabilities. | ||
| */ | ||
| abstract class Sink extends DataFlow::Node { | ||
| /** | ||
| * Gets the kind of credential this sink is interpreted as. | ||
| */ | ||
| abstract CryptographicValueKind getKind(); | ||
| } | ||
|
|
||
| /** | ||
| * A barrier for hardcoded cryptographic value vulnerabilities. | ||
| */ | ||
| abstract class Barrier extends DataFlow::Node { } | ||
|
|
||
| /** | ||
| * A literal, considered as a flow source. | ||
| */ | ||
| private class LiteralSource extends Source { | ||
| LiteralSource() { this.asExpr().getExpr() instanceof LiteralExpr } | ||
| } | ||
|
|
||
| /** | ||
| * An array initialized from a list of literals, considered as a single flow source. For example: | ||
| * ``` | ||
| * `[0, 0, 0, 0]` | ||
| * ``` | ||
| */ | ||
| private class ArrayListSource extends Source { | ||
| ArrayListSource() { this.asExpr().getExpr().(ArrayListExpr).getExpr(_) instanceof LiteralExpr } | ||
| } | ||
|
|
||
| /** | ||
| * An externally modeled source for constant values. | ||
| */ | ||
| private class ModeledSource extends Source { | ||
| ModeledSource() { sourceNode(this, "constant-source") } | ||
| } | ||
|
|
||
| /** | ||
| * An externally modeled sink for hardcoded cryptographic value vulnerabilities. | ||
| */ | ||
| private class ModelsAsDataSinks extends Sink { | ||
| CryptographicValueKind kind; | ||
|
|
||
| ModelsAsDataSinks() { sinkNode(this, "credentials-" + kind) } | ||
|
|
||
| override CryptographicValueKind getKind() { result = kind } | ||
| } | ||
| } | ||
58 changes: 58 additions & 0 deletions
58
rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.qhelp
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,58 @@ | ||
| <!DOCTYPE qhelp PUBLIC | ||
| "-//Semmle//qhelp//EN" | ||
| "qhelp.dtd"> | ||
| <qhelp> | ||
|
|
||
| <overview> | ||
| <p> | ||
| Hardcoded passwords, keys, initialization vectors and salts should not be used for cryptographic operations. | ||
geoffw0 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| </p> | ||
| <ul> | ||
| <li> | ||
| Attackers can easily recover hardcoded values if they have access to the source code or compiled executable. | ||
| </li> | ||
| <li> | ||
| Some hardcoded values are easily guessable. | ||
| </li> | ||
| <li> | ||
| Use of hardcoded values may leave cryptographic operations vulnerable to dictionary attacks, rainbow tables, and other forms of cryptanalysis. | ||
| </li> | ||
| </ul> | ||
|
|
||
| </overview> | ||
| <recommendation> | ||
|
|
||
| <p> | ||
| Use randomly generated key material, initialization vectors and salts. Use strong passwords that are not hardcoded. | ||
geoffw0 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| </p> | ||
|
|
||
| </recommendation> | ||
| <example> | ||
|
|
||
| <p> | ||
| The following example shows instantiating a cipher with hardcoded key material, making the encrypted data vulnerable to recovery. | ||
| </p> | ||
|
|
||
| <sample src="HardcodedCryptographicValueBad.rs" /> | ||
|
|
||
| <p> | ||
| In the fixed code below, the key material is randomly generated and not hardcoded, which protects the encrypted data against recovery. A real application would also need a strategy for secure key management after the key has been generated. | ||
| </p> | ||
|
|
||
| <sample src="HardcodedCryptographicValueGood.rs" /> | ||
|
|
||
| </example> | ||
| <references> | ||
|
|
||
| <li> | ||
| OWASP: <a href="https://www.owasp.org/index.php/Use_of_hard-coded_password">Use of hard-coded password</a>. | ||
| </li> | ||
| <li> | ||
| OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html">Key Management Cheat Sheet</a>. | ||
| </li> | ||
| <li> | ||
| O'Reilly: <a href="https://www.oreilly.com/library/view/secure-programming-cookbook/0596003943/ch04s09.html">Using Salts, Nonces, and Initialization Vectors</a>. | ||
| </li> | ||
|
|
||
| </references> | ||
| </qhelp> | ||
57 changes: 57 additions & 0 deletions
57
rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.ql
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,57 @@ | ||
| /** | ||
| * @name Hard-coded cryptographic value | ||
| * @description Using hardcoded keys, passwords, salts or initialization | ||
geoffw0 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| * vectors is not secure. | ||
| * @kind path-problem | ||
| * @problem.severity warning | ||
| * @security-severity 9.8 | ||
| * @precision high | ||
| * @id rust/hardcoded-crytographic-value | ||
| * @tags security | ||
| * external/cwe/cwe-259 | ||
| * external/cwe/cwe-321 | ||
| * external/cwe/cwe-798 | ||
| * external/cwe/cwe-1204 | ||
| */ | ||
|
|
||
| import rust | ||
| import codeql.rust.security.HardcodedCryptographicValueExtensions | ||
| import codeql.rust.dataflow.DataFlow | ||
| import codeql.rust.dataflow.TaintTracking | ||
| import codeql.rust.dataflow.internal.DataFlowImpl | ||
|
|
||
| /** | ||
| * A taint-tracking configuration for hardcoded cryptographic value vulnerabilities. | ||
| */ | ||
| module HardcodedCryptographicValueConfig implements DataFlow::ConfigSig { | ||
| import HardcodedCryptographicValue | ||
|
|
||
| predicate isSource(DataFlow::Node source) { source instanceof Source } | ||
|
|
||
| predicate isSink(DataFlow::Node sink) { sink instanceof Sink } | ||
|
|
||
| predicate isBarrier(DataFlow::Node barrier) { barrier instanceof Barrier } | ||
|
|
||
| predicate isBarrierIn(DataFlow::Node node) { | ||
| // make sources barriers so that we only report the closest instance | ||
| // (this combined with sources for `ArrayListExpr` means we only get one source in | ||
| // case like `[0, 0, 0, 0]`) | ||
| isSource(node) | ||
| } | ||
|
|
||
| predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) { | ||
| // flow out from reference content at sinks. | ||
| isSink(node) and | ||
| c.getAReadContent() instanceof ReferenceContent | ||
| } | ||
| } | ||
|
|
||
| module HardcodedCryptographicValueFlow = TaintTracking::Global<HardcodedCryptographicValueConfig>; | ||
|
|
||
| import HardcodedCryptographicValueFlow::PathGraph | ||
|
|
||
| from | ||
| HardcodedCryptographicValueFlow::PathNode source, HardcodedCryptographicValueFlow::PathNode sink | ||
| where HardcodedCryptographicValueFlow::flowPath(source, sink) | ||
| select source.getNode(), source, sink, "This hard-coded value is used as $@.", sink, | ||
| sink.getNode().(HardcodedCryptographicValueConfig::Sink).getKind().getDescription() | ||
2 changes: 2 additions & 0 deletions
2
rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValueBad.rs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| let key: [u8;32] = [0;32]; // BAD: Using hardcoded keys for encryption | ||
| let cipher = Aes256Gcm::new(&key.into()); |
2 changes: 2 additions & 0 deletions
2
rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValueGood.rs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| let key = Aes256Gcm::generate_key(aes_gcm::aead::OsRng); // GOOD: Using randomly generated keys for encryption | ||
| let cipher = Aes256Gcm::new(&key); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could consider adding a
WithReferencetoken, which would allow us to simplify the above slightly asThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure I see what's special about
WithReferenceoverWithElementor any of a hundred other shortcuts we could potentially create. But if you've had good experiences with this syntactic sugar in other languages, I will defer to your experience.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
WithElementmostly makes a difference when you are tracking precise array indicies, like we do in Ruby, where you would otherwise have to write an "infinite" number of MaD rows (one for index0, one for index1, ...).WithElementgenerates a somewhat simpler synthetic function, which does not consist of a read step followed by a store step.