Rust: Add XSS query

Author: paldepind

rust/ql/lib/codeql/rust/security/XssExtensions.qll

@@ -0,0 +1,62 @@
+/**
+ * Provides classes and predicates for reasoning about cross-site scripting (XSS)
+ * vulnerabilities.
+ */
+
+import rust
+private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowSink
+private import codeql.rust.Concepts
+private import codeql.util.Unit
+private import codeql.rust.security.Barriers as Barriers
+
+/**
+ * Provides default sources, sinks and barriers for detecting XSS
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+module Xss {
+  /**
+   * A data flow source for XSS vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for XSS vulnerabilities.
+   */
+  abstract class Sink extends QuerySink::Range {
+    override string getSinkType() { result = "Xss" }
+  }
+
+  /**
+   * A barrier for XSS vulnerabilities.
+   */
+  abstract class Barrier extends DataFlow::Node { }
+
+  /**
+   * An active threat-model source, considered as a flow source.
+   */
+  private class ActiveThreatModelSourceAsSource extends Source, ActiveThreatModelSource { }
+
+  /**
+   * A sink for XSS from model data.
+   */
+  private class ModelsAsDataSink extends Sink {
+    ModelsAsDataSink() { sinkNode(this, "html-injection") }
+  }
+
+  /**
+   * A barrier for XSS vulnerabilities for nodes whose type is a
+   * numeric or boolean type, which is unlikely to expose any vulnerability.
+   */
+  private class NumericTypeBarrier extends Barrier instanceof Barriers::NumericTypeBarrier { }
+
+  /** A call to a function with "escape" or "encode" in its name. */
+  private class HeuristicHtmlEncodingBarrier extends Barrier {
+    HeuristicHtmlEncodingBarrier() {
+      exists(Call fc |
+        fc.getStaticTarget().(Function).getName().getText().regexpMatch(".*(escape|encode).*") and
+        fc.getArgument(_) = this.asExpr()
+      )
+    }
+  }
+}

rust/ql/src/queries/security/CWE-079/XSS.ql

@@ -0,0 +1,42 @@
+/**
+ * @name Cross-site scripting
+ * @description Writing user input directly to a web page
+ *              allows for a cross-site scripting vulnerability.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 6.1
+ * @precision high
+ * @id rust/xss
+ * @tags security
+ *       external/cwe/cwe-079
+ *       external/cwe/cwe-116
+ */
+
+import rust
+import codeql.rust.dataflow.DataFlow
+import codeql.rust.dataflow.TaintTracking
+import codeql.rust.security.XssExtensions
+
+/**
+ * A taint configuration for tainted data that reaches an XSS sink.
+ */
+module XssConfig implements DataFlow::ConfigSig {
+  import Xss
+
+  predicate isSource(DataFlow::Node node) { node instanceof Source }
+
+  predicate isSink(DataFlow::Node node) { node instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof Barrier }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+}
+
+module XssFlow = TaintTracking::Global<XssConfig>;
+
+import XssFlow::PathGraph
+
+from XssFlow::PathNode sourceNode, XssFlow::PathNode sinkNode
+where XssFlow::flowPath(sourceNode, sinkNode)
+select sinkNode.getNode(), sourceNode, sinkNode, "Cross-site scripting vulnerability due to a $@.",
+  sourceNode.getNode(), "user-provided value"

rust/ql/test/query-tests/security/CWE-079/actix/XSS.expected

@@ -0,0 +1,4 @@
+#select
+edges
+nodes
+subpaths

rust/ql/test/query-tests/security/CWE-079/actix/XSS.qlref

@@ -0,0 +1,4 @@
+query: queries/security/CWE-079/XSS.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql

rust/ql/test/query-tests/security/CWE-079/axum/XSS.expected

@@ -0,0 +1,4 @@
+#select
+edges
+nodes
+subpaths

rust/ql/test/query-tests/security/CWE-079/axum/XSS.qlref

@@ -0,0 +1,4 @@
+query: queries/security/CWE-079/XSS.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql

rust/ql/test/query-tests/security/CWE-079/warp/XSS.expected

@@ -0,0 +1,4 @@
+#select
+edges
+nodes
+subpaths

rust/ql/test/query-tests/security/CWE-079/warp/XSS.qlref

@@ -0,0 +1,4 @@
+query: queries/security/CWE-079/XSS.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql