Merge pull request #19280 from github/redsun82/rust-doc

Rust: update docs for public preview

Author: redsun82

docs/codeql/codeql-language-guides/analyzing-data-flow-in-rust.rst

@@ -0,0 +1,242 @@
+.. _analyzing-data-flow-in-rust:
+
+Analyzing data flow in Rust
+=============================
+
+You can use CodeQL to track the flow of data through a Rust program to places where the data is used.
+
+About this article
+------------------
+
+This article describes how data flow analysis is implemented in the CodeQL libraries for Rust and includes examples to help you write your own data flow queries.
+The following sections describe how to use the libraries for local data flow, global data flow, and taint tracking.
+For a more general introduction to modeling data flow, see ":ref:`About data flow analysis <about-data-flow-analysis>`."
+
+.. include:: ../reusables/new-data-flow-api.rst
+
+Local data flow
+---------------
+
+Local data flow tracks the flow of data within a single method or callable. Local data flow is easier, faster, and more precise than global data flow. Before using more complex tracking, consider local tracking, as it is sufficient for many queries.
+
+Using local data flow
+~~~~~~~~~~~~~~~~~~~~~
+
+You can use the local data flow library by importing the ``codeql.rust.dataflow.DataFlow`` module. The library uses the class ``Node`` to represent any element through which data can flow.
+Common ``Node`` types include expression nodes (``ExprNode``) and parameter nodes (``ParameterNode``).
+You can use the ``asExpr`` member predicate to map a data flow ``ExprNode`` to its corresponding ``ExprCfgNode`` in the control-flow library.
+Similarly, you can map a data flow ``ParameterNode`` to its corresponding ``Parameter`` AST node using the ``asParameter`` member predicate.
+
+.. code-block:: ql
+
+    class Node {
+      /**
+       * Gets the expression corresponding to this node, if any.
+       */
+      CfgNodes::ExprCfgNode asExpr() { ... }
+
+      /**
+       * Gets the parameter corresponding to this node, if any.
+       */
+      Parameter asParameter() { ... }
+
+      ...
+    }
+
+Note that because ``asExpr`` maps from data-flow to control-flow nodes, you need to call the ``getExpr`` member predicate on the control-flow node to map to the corresponding AST node. For example, you can write ``node.asExpr().getExpr()``.
+A control-flow graph considers every way control can flow through code, consequently, there can be multiple data-flow and control-flow nodes associated with a single expression node in the AST.
+
+The predicate ``localFlowStep(Node nodeFrom, Node nodeTo)`` holds if there is an immediate data flow edge from the node ``nodeFrom`` to the node ``nodeTo``.
+You can apply the predicate recursively by using the ``+`` and ``*`` operators, or you can use the predefined recursive predicate ``localFlow``.
+
+For example, you can find flow from an expression ``source`` to an expression ``sink`` in zero or more local steps:
+
+.. code-block:: ql
+
+     DataFlow::localFlow(source, sink)
+
+Using local taint tracking
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Local taint tracking extends local data flow to include flow steps where values are not preserved, for example, string manipulation.
+For example:
+
+.. code-block:: rust
+
+     let y: String = "Hello ".to_owned() + x
+
+If ``x`` is a tainted string then ``y`` is also tainted.
+
+The local taint tracking library is in the module ``TaintTracking``.
+Like local data flow, a predicate ``localTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo)`` holds if there is an immediate taint propagation edge from the node ``nodeFrom`` to the node ``nodeTo``.
+You can apply the predicate recursively by using the ``+`` and ``*`` operators, or you can use the predefined recursive predicate ``localTaint``.
+
+For example, you can find taint propagation from an expression ``source`` to an expression ``sink`` in zero or more local steps:
+
+.. code-block:: ql
+
+     TaintTracking::localTaint(source, sink)
+
+
+Using local sources
+~~~~~~~~~~~~~~~~~~~
+
+When exploring local data flow or taint propagation between two expressions, such as in the previous example, you typically constrain the expressions to those relevant to your investigation.
+The next section provides concrete examples, but first introduces the concept of a local source.
+
+A local source is a data-flow node with no local data flow into it.
+It is a local origin of data flow, a place where a new value is created.
+This includes parameters (which only receive values from global data flow) and most expressions (because they are not value-preserving).
+The class ``LocalSourceNode`` represents data-flow nodes that are also local sources.
+It includes a useful member predicate ``flowsTo(DataFlow::Node node)``, which holds if there is local data flow from the local source to ``node``.
+
+Examples of local data flow
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This query finds the argument passed in each call to ``File::create``:
+
+.. code-block:: ql
+
+    import rust
+
+    from CallExpr call
+    where call.getStaticTarget().(Function).getCanonicalPath() = "<std::fs::File>::create"
+    select call.getArg(0)
+
+Unfortunately, this only returns the expression used as the argument, not the possible values that could be passed to it. To address this, you can use local data flow to find all expressions that flow into the argument.
+
+.. code-block:: ql
+
+    import rust
+    import codeql.rust.dataflow.DataFlow
+
+    from CallExpr call, DataFlow::ExprNode source, DataFlow::ExprNode sink
+    where
+      call.getStaticTarget().(Function).getCanonicalPath() = "<std::fs::File>::create" and
+      sink.asExpr().getExpr() = call.getArg(0) and
+      DataFlow::localFlow(source, sink)
+    select source, sink
+
+You can vary the source by making the source the parameter of a function instead of an expression. The following query finds where a parameter is used in file creation:
+
+.. code-block:: ql
+
+    import rust
+    import codeql.rust.dataflow.DataFlow
+
+    from CallExpr call, DataFlow::ParameterNode source, DataFlow::ExprNode sink
+    where
+      call.getStaticTarget().(Function).getCanonicalPath() = "<std::fs::File>::create" and
+      sink.asExpr().getExpr() = call.getArg(0) and
+      DataFlow::localFlow(source, sink)
+    select source, sink
+
+Global data flow
+----------------
+
+Global data flow tracks data flow throughout the entire program, and is therefore more powerful than local data flow.
+However, global data flow is less precise than local data flow, and the analysis typically requires significantly more time and memory to perform.
+
+.. pull-quote:: Note
+
+   .. include:: ../reusables/path-problem.rst
+
+Using global data flow
+~~~~~~~~~~~~~~~~~~~~~~
+
+We can use the global data flow library by implementing the signature ``DataFlow::ConfigSig`` and applying the module ``DataFlow::Global<ConfigSig>``:
+
+.. code-block:: ql
+
+   import codeql.rust.dataflow.DataFlow
+
+   module MyDataFlowConfiguration implements DataFlow::ConfigSig {
+     predicate isSource(DataFlow::Node source) {
+       ...
+     }
+
+     predicate isSink(DataFlow::Node sink) {
+       ...
+     }
+   }
+
+   module MyDataFlow = DataFlow::Global<MyDataFlowConfiguration>;
+
+These predicates are defined in the configuration:
+
+-  ``isSource`` - defines where data may flow from.
+-  ``isSink`` - defines where data may flow to.
+-  ``isBarrier`` - optional, defines where data flow is blocked.
+-  ``isAdditionalFlowStep`` - optional, adds additional flow steps.
+
+The last line (``module MyDataFlow = ...``) instantiates the parameterized module for data flow analysis by passing the configuration to the parameterized module. Data flow analysis can then be performed using ``MyDataFlow::flow(DataFlow::Node source, DataFlow::Node sink)``:
+
+.. code-block:: ql
+
+   from DataFlow::Node source, DataFlow::Node sink
+   where MyDataFlow::flow(source, sink)
+   select source, "Dataflow to $@.", sink, sink.toString()
+
+Using global taint tracking
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Global taint tracking relates to global data flow in the same way that local taint tracking relates to local data flow.
+In other words, global taint tracking extends global data flow with additional non-value-preserving steps.
+The global taint tracking library uses the same configuration module as the global data flow library. You can perform taint flow analysis using ``TaintTracking::Global``:
+
+.. code-block:: ql
+
+   module MyTaintFlow = TaintTracking::Global<MyDataFlowConfiguration>;
+
+   from DataFlow::Node source, DataFlow::Node sink
+   where MyTaintFlow::flow(source, sink)
+   select source, "Taint flow to $@.", sink, sink.toString()
+
+Predefined sources
+~~~~~~~~~~~~~~~~~~
+
+The library module ``codeql.rust.Concepts`` contains a number of predefined sources and sinks that you can use to write security queries to track data flow and taint flow.
+
+Examples of global data flow
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The following global taint-tracking query finds places where a string literal is used in a function call argument named "password".
+  - Since this is a taint-tracking query, the ``TaintTracking::Global`` module is used.
+  - The ``isSource`` predicate defines sources as any ``StringLiteralExpr``.
+  - The ``isSink`` predicate defines sinks as arguments to a ``CallExpr`` called "password".
+  - The sources and sinks may need to be adjusted for a particular use. For example, passwords might be represented by a type other than ``String`` or passed in arguments with a different name than "password".
+
+.. code-block:: ql
+
+    import rust
+    import codeql.rust.dataflow.DataFlow
+    import codeql.rust.dataflow.TaintTracking
+
+    module ConstantPasswordConfig implements DataFlow::ConfigSig {
+      predicate isSource(DataFlow::Node node) { node.asExpr().getExpr() instanceof StringLiteralExpr }
+
+      predicate isSink(DataFlow::Node node) {
+        // any argument going to a parameter called `password`
+        exists(Function f, CallExpr call, int index |
+          call.getArg(index) = node.asExpr().getExpr() and
+          call.getStaticTarget() = f and
+          f.getParam(index).getPat().(IdentPat).getName().getText() = "password"
+        )
+      }
+    }
+
+    module ConstantPasswordFlow = TaintTracking::Global<ConstantPasswordConfig>;
+
+    from DataFlow::Node sourceNode, DataFlow::Node sinkNode
+    where ConstantPasswordFlow::flow(sourceNode, sinkNode)
+    select sinkNode, "The value $@ is used as a constant password.", sourceNode, sourceNode.toString()
+
+
+Further reading
+---------------
+
+- `Exploring data flow with path queries  <https://docs.github.com/en/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/exploring-data-flow-with-path-queries>`__ in the GitHub documentation.
+
+
+.. include:: ../reusables/rust-further-reading.rst
+.. include:: ../reusables/codeql-ref-tools-further-reading.rst

docs/codeql/codeql-language-guides/codeql-for-rust.rst

@@ -0,0 +1,16 @@
+
+.. _codeql-for-rust:
+
+CodeQL for Rust
+=========================
+
+Experiment and learn how to write effective and efficient queries for CodeQL databases generated from Rust code.
+
+.. toctree::
+   :hidden:
+
+   codeql-library-for-rust
+   analyzing-data-flow-in-rust
+
+-  :doc:`CodeQL library for Rust <codeql-library-for-rust>`: When analyzing Rust code, you can make use of the large collection of classes in the CodeQL library for Rust.
+-  :doc:`Analyzing data flow in Rust <analyzing-data-flow-in-rust>`: You can use CodeQL to track the flow of data through a Rust program to places where the data is used.

docs/codeql/codeql-language-guides/codeql-library-for-rust.rst

@@ -0,0 +1,61 @@
+.. _codeql-library-for-rust:
+
+CodeQL library for Rust
+=================================
+
+When analyzing Rust code, you can make use of the large collection of classes in the CodeQL library for Rust.
+
+Overview
+--------
+
+CodeQL ships with a library for analyzing Rust code. The classes in this library present the data from a CodeQL database in an object-oriented form and provide
+abstractions and predicates to help you with common analysis tasks.
+
+The library is implemented as a set of CodeQL modules, which are files with the extension ``.qll``. The
+module `rust.qll <https://github.com/github/codeql/blob/main/rust/ql/lib/rust.qll>`__ imports most other standard library modules, so you can include them
+by beginning your query with:
+
+.. code-block:: ql
+
+   import rust
+
+The CodeQL libraries model various aspects of Rust code. The above import includes the abstract syntax tree (AST) library, which is used for locating program elements
+to match syntactic elements in the source code. This can be used to find values, patterns, and structures.
+
+The control flow graph (CFG) is imported using:
+
+.. code-block:: ql
+
+   import codeql.rust.controlflow.ControlFlowGraph
+
+The CFG models the control flow between statements and expressions. For example, it can determine whether one expression can
+be evaluated before another expression, or whether an expression "dominates" another one, meaning that all paths to an
+expression must flow through another expression first.
+
+The data flow library is imported using:
+
+.. code-block:: ql
+
+   import codeql.rust.dataflow.DataFlow
+
+Data flow tracks the flow of data through the program, including across function calls (interprocedural data flow) and between steps in a job or workflow.
+Data flow is particularly useful for security queries, where untrusted data flows to vulnerable parts of the program. The taint-tracking library is related to data flow, 
+and helps you find how data can *influence* other values in a program, even when it is not copied exactly.
+
+To summarize, the main Rust library modules are:
+
+.. list-table:: Main Rust library modules
+   :header-rows: 1
+
+   * - Import
+     - Description
+   * - ``rust``
+     - The standard Rust library
+   * - ``codeql.rust.elements``
+     - The abstract syntax tree library (also imported by `rust.qll`)
+   * - ``codeql.rust.controlflow.ControlFlowGraph``
+     - The control flow graph library
+   * - ``codeql.rust.dataflow.DataFlow``
+     - The data flow library
+   * - ``codeql.rust.dataflow.TaintTracking``
+     - The taint tracking library

docs/codeql/codeql-language-guides/index.rst

@@ -15,4 +15,5 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat
    codeql-for-javascript
    codeql-for-python
    codeql-for-ruby
+   codeql-for-rust
    codeql-for-swift

docs/codeql/codeql-overview/codeql-tools.rst

@@ -39,6 +39,8 @@ maintained by GitHub are:
 - ``codeql/python-all`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/python/ql/lib/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/python/ql/lib>`__)
 - ``codeql/ruby-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/ruby/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/ruby/ql/src>`__)
 - ``codeql/ruby-all`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/ruby/ql/lib/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/ruby/ql/lib>`__)
+- ``codeql/rust-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/rust/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/rust/ql/src>`__)
+- ``codeql/rust-all`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/rust/ql/lib/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/rust/ql/lib>`__)
 - ``codeql/swift-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/swift/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/swift/ql/src>`__)
 - ``codeql/swift-all`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/swift/ql/lib/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/swift/ql/lib>`__)
 

docs/codeql/query-help/codeql-cwe-coverage.rst

@@ -35,5 +35,5 @@ Note that the CWE coverage includes both "`supported queries <https://github.com
    javascript-cwe
    python-cwe
    ruby-cwe
+   rust-cwe
    swift-cwe
-

docs/codeql/query-help/index.rst

@@ -11,6 +11,7 @@ View the query help for the queries included in the ``default``, ``security-exte
 - :doc:`CodeQL query help for JavaScript and TypeScript <javascript>`
 - :doc:`CodeQL query help for Python <python>`
 - :doc:`CodeQL query help for Ruby <ruby>`
+- :doc:`CodeQL query help for Rust <rust>`
 - :doc:`CodeQL query help for Swift <swift>`
 
 .. pull-quote:: Information
@@ -37,5 +38,6 @@ For a full list of the CWEs covered by these queries, see ":doc:`CodeQL CWE cove
    javascript
    python
    ruby
+   rust
    swift
    codeql-cwe-coverage

docs/codeql/query-help/rust-cwe.md

@@ -0,0 +1,7 @@
+# CWE coverage for Rust
+
+An overview of CWE coverage for Rust in the latest release of CodeQL.
+
+## Overview
+
+<!-- autogenerated CWE coverage table will be added below -->

docs/codeql/query-help/rust.rst

@@ -0,0 +1,8 @@
+CodeQL query help for Rust
+============================
+
+.. include:: ../reusables/query-help-overview.rst
+
+These queries are published in the CodeQL query pack ``codeql/rust-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/rust/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/rust/ql/src>`__).
+
+.. include:: toc-rust.rst

docs/codeql/reusables/extractors.rst

@@ -6,9 +6,9 @@
      - Identifier
    * - GitHub Actions
      - ``actions``
-   * - C/C++ 
+   * - C/C++
      - ``cpp``
-   * - C# 
+   * - C#
      - ``csharp``
    * - Go
      - ``go``
@@ -20,5 +20,7 @@
      - ``python``
    * - Ruby
      - ``ruby``
+     - Rust
+     - ``rust``
    * - Swift
-     - ``swift``
+     - ``swift``