WIP

Author: paldepind

rust/ql/lib/codeql/rust/frameworks/reqwest.model.yml

@@ -9,8 +9,8 @@ extensions:
       pack: codeql/rust-all
       extensible: sinkModel
     data:
-      - ["<reqwest::async_impl::client::Client>::request", "Argument[1]", "transmission", "manual"]
-      - ["<reqwest::blocking::client::Client>::request", "Argument[1]", "transmission", "manual"]
+      - ["<reqwest::async_impl::client::Client>::request", "Argument[1]", "request-url", "manual"]
+      - ["<reqwest::blocking::client::Client>::request", "Argument[1]", "request-url", "manual"]
   - addsTo:
       pack: codeql/rust-all
       extensible: summaryModel

rust/ql/lib/codeql/rust/security/CleartextTransmissionExtensions.qll

@@ -53,6 +53,6 @@ module CleartextTransmission {
    * A sink defined through MaD.
    */
   private class ModelsAsDataSink extends Sink {
-    ModelsAsDataSink() { sinkNode(this, "transmission") }
+    ModelsAsDataSink() { sinkNode(this, ["transmission", "request-url"]) }
   }
 }

rust/ql/lib/codeql/rust/security/RequestForgeryExtensions.qll

@@ -0,0 +1,52 @@
+/**
+ * Provides classes and predicates for reasoning about request forgery
+ * vulnerabilities.
+ */
+
+import rust
+private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowSink
+private import codeql.rust.dataflow.FlowSource
+private import codeql.rust.Concepts
+private import codeql.rust.security.CleartextTransmissionExtensions
+
+/**
+ * Provides default sources, sinks and barriers for detecting request forgery
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+module RequestForgery {
+  /**
+   * A data flow source for request forgery vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for request forgery vulnerabilities.
+   */
+  abstract class Sink extends QuerySink::Range {
+    /**
+     * Gets the name of a part of the request that may be tainted by this sink,
+     * such as the URL or the host.
+     */
+    override string getSinkType() { result = "RequestForgery" }
+  }
+
+  /**
+   * A barrier for request forgery vulnerabilities.
+   */
+  abstract class Barrier extends DataFlow::Node { }
+
+  /**
+   * An active threat-model source, considered as a flow source.
+   */
+  private class ActiveThreatModelSourceAsSource extends Source, ActiveThreatModelSource { }
+
+  // TODO: Do this in a cleaner way
+  //   private class ClearTextTransmissionSink extends Sink instanceof CleartextTransmission::Sink { }
+  /**
+   * A sink for request forgery from model data.
+   */
+  private class ModelsAsDataSink extends Sink {
+    ModelsAsDataSink() { sinkNode(this, "request-url") }
+  }
+}

rust/ql/lib/ext/generated/reqwest.model.yml

@@ -424,21 +424,21 @@ extensions:
       pack: codeql/rust-all
       extensible: sinkModel
     data:
-      - ["<reqwest::async_impl::client::Client>::delete", "Argument[0]", "transmission", "df-generated"]
-      - ["<reqwest::async_impl::client::Client>::get", "Argument[0]", "transmission", "df-generated"]
-      - ["<reqwest::async_impl::client::Client>::head", "Argument[0]", "transmission", "df-generated"]
-      - ["<reqwest::async_impl::client::Client>::patch", "Argument[0]", "transmission", "df-generated"]
-      - ["<reqwest::async_impl::client::Client>::post", "Argument[0]", "transmission", "df-generated"]
-      - ["<reqwest::async_impl::client::Client>::put", "Argument[0]", "transmission", "df-generated"]
+      - ["<reqwest::async_impl::client::Client>::delete", "Argument[0]", "request-url", "df-generated"]
+      - ["<reqwest::async_impl::client::Client>::get", "Argument[0]", "request-url", "df-generated"]
+      - ["<reqwest::async_impl::client::Client>::head", "Argument[0]", "request-url", "df-generated"]
+      - ["<reqwest::async_impl::client::Client>::patch", "Argument[0]", "request-url", "df-generated"]
+      - ["<reqwest::async_impl::client::Client>::post", "Argument[0]", "request-url", "df-generated"]
+      - ["<reqwest::async_impl::client::Client>::put", "Argument[0]", "request-url", "df-generated"]
       - ["<reqwest::async_impl::multipart::Form>::into_stream", "Argument[self]", "log-injection", "df-generated"]
       - ["<reqwest::async_impl::multipart::Form>::stream", "Argument[self]", "log-injection", "df-generated"]
       - ["<reqwest::async_impl::request::RequestBuilder>::multipart", "Argument[0]", "log-injection", "df-generated"]
-      - ["<reqwest::blocking::client::Client>::delete", "Argument[0]", "transmission", "df-generated"]
-      - ["<reqwest::blocking::client::Client>::get", "Argument[0]", "transmission", "df-generated"]
-      - ["<reqwest::blocking::client::Client>::head", "Argument[0]", "transmission", "df-generated"]
-      - ["<reqwest::blocking::client::Client>::patch", "Argument[0]", "transmission", "df-generated"]
-      - ["<reqwest::blocking::client::Client>::post", "Argument[0]", "transmission", "df-generated"]
-      - ["<reqwest::blocking::client::Client>::put", "Argument[0]", "transmission", "df-generated"]
+      - ["<reqwest::blocking::client::Client>::delete", "Argument[0]", "request-url", "df-generated"]
+      - ["<reqwest::blocking::client::Client>::get", "Argument[0]", "request-url", "df-generated"]
+      - ["<reqwest::blocking::client::Client>::head", "Argument[0]", "request-url", "df-generated"]
+      - ["<reqwest::blocking::client::Client>::patch", "Argument[0]", "request-url", "df-generated"]
+      - ["<reqwest::blocking::client::Client>::post", "Argument[0]", "request-url", "df-generated"]
+      - ["<reqwest::blocking::client::Client>::put", "Argument[0]", "request-url", "df-generated"]
       - ["<reqwest::blocking::multipart::Form>::into_reader", "Argument[self]", "log-injection", "df-generated"]
       - ["<reqwest::blocking::multipart::Form>::reader", "Argument[self]", "log-injection", "df-generated"]
       - ["<reqwest::blocking::multipart::Reader as std::io::Read>::read", "Argument[self]", "log-injection", "df-generated"]
@@ -450,9 +450,9 @@ extensions:
       - ["<reqwest::blocking::response::Response>::text_with_charset", "Argument[self]", "pointer-access", "df-generated"]
       - ["<reqwest::connect::ConnectorService as tower_service::Service>::call", "Argument[0]", "log-injection", "df-generated"]
       - ["<reqwest::error::Error>::new", "Argument[1]", "pointer-access", "df-generated"]
-      - ["reqwest::blocking::get", "Argument[0]", "transmission", "df-generated"]
+      - ["reqwest::blocking::get", "Argument[0]", "request-url", "df-generated"]
       - ["reqwest::blocking::wait::timeout", "Argument[1]", "pointer-access", "df-generated"]
-      - ["reqwest::get", "Argument[0]", "transmission", "df-generated"]
+      - ["reqwest::get", "Argument[0]", "request-url", "df-generated"]
   - addsTo:
       pack: codeql/rust-all
       extensible: sourceModel

rust/ql/src/queries/security/CWE-918/RequestForgery.qhelp

@@ -0,0 +1,54 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Directly incorporating user input into an HTTP request without validating the
+input can facilitate server-side request forgery (SSRF) attacks. In these
+attacks, the server may be tricked into making a request to an unintended API
+endpoint or resource.
+
+If the server performing the request is connected to an internal network, this
+can give an attacker the means to bypass the network boundary and make requests
+against internal services.
+
+A forged request may perform an unintended action on behalf of the attacker, or
+cause information leak if redirected to an external server or if the request
+response is fed back to the user. It may also compromise the server making the
+request, if the request response is handled in an unsafe way.
+</p>
+</overview>
+
+<recommendation>
+<p>
+To guard against SSRF attacks you should avoid putting user-provided input
+directly into a request URL. Instead, maintain a list of authorized URLs on the
+server; then choose from that list based on the input provided. Alternatively,
+ensure requests constructed from user input are limited to a particular host or
+more restrictive URL prefix.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example shows an HTTP request parameter being used directly to
+form a new request without validating the input, which facilitates SSRF attacks.
+It also shows how to remedy the problem by validating the user input against a
+known fixed string.
+</p>
+
+<sample src="RequestForgery.rs" />
+</example>
+
+<references>
+  <li>
+    <a href="https://owasp.org/www-community/attacks/Server_Side_Request_Forgery">OWASP SSRF</a>
+  </li>
+  <li>
+    <a href="https://cwe.mitre.org/data/definitions/918.html">CWE-918: Server-Side Request Forgery (SSRF)</a>
+  </li>
+</references>
+
+</qhelp>

rust/ql/src/queries/security/CWE-918/RequestForgery.ql

@@ -0,0 +1,42 @@
+/**
+ * @name Server-side request forgery
+ * @description Making a network request with user-controlled data in the URL allows for request forgery attacks.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9.1
+ * @precision high
+ * @id rust/request-forgery
+ * @tags security
+ *       external/cwe/cwe-918
+ */
+
+import rust
+import codeql.rust.dataflow.DataFlow
+import codeql.rust.dataflow.TaintTracking
+private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowSink
+private import codeql.rust.Concepts
+private import codeql.rust.security.CleartextTransmissionExtensions
+private import codeql.rust.security.RequestForgeryExtensions
+
+/**
+ * A taint-tracking configuration for detecting request forgery vulnerabilities.
+ */
+module RequestForgeryConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RequestForgery::Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgery::Sink }
+
+  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof RequestForgery::Barrier }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+}
+
+module RequestForgeryFlow = TaintTracking::Global<RequestForgeryConfig>;
+
+import RequestForgeryFlow::PathGraph
+
+from RequestForgeryFlow::PathNode source, RequestForgeryFlow::PathNode sink
+where RequestForgeryFlow::flowPath(source, sink)
+select sink.getNode(), source, sink, "The $@ of this request depends on a $@.", sink, "URL",
+  source.getNode(), "user-provided value"

rust/ql/src/queries/security/CWE-918/RequestForgery.rs

@@ -0,0 +1,39 @@
+// BAD: Endpoint handler that makes requests based on user input
+async fn vulnerable_endpoint_handler(req: Request) -> Result<Response> {
+    // This request is vulnerable to SSRF attacks as the user controls the
+    // entire URL
+    let response = reqwest::get(&req.user_url).await;
+    
+    match response {
+        Ok(resp) => {
+            let body = resp.text().await.unwrap_or_default();
+            Ok(Response {
+                message: "Success".to_string(),
+                data: body,
+            })
+        }
+        Err(_) => Err("Request failed")
+    }
+}
+
+// GOOD: Validate user input against an allowlist
+async fn secure_endpoint_handler(req: Request) -> Result<Response> {
+    // Allow list of specific, known-safe URLs
+    let allowed_hosts = ["api.example.com", "trusted-service.com"];
+    
+    if !allowed_hosts.contains(&req.user_url) {
+        return Err("Untrusted domain");
+    }
+    // This request is safe as the user input has been validated
+    let response = reqwest::get(&req.user_url).await;
+    match response {
+        Ok(resp) => {
+            let body = resp.text().await.unwrap_or_default();
+            Ok(Response {
+                message: "Success".to_string(),
+                data: body,
+            })
+        }
+        Err(_) => Err("Request failed")
+    }
+}