github · geoffw0 · Mar 3, 2025 · Mar 5, 2025 · Mar 3, 2025 · Mar 4, 2025
@@ -14,7 +14,7 @@
 | Macro calls - resolved | 2 |
 | Macro calls - total | 2 |
 | Macro calls - unresolved | 0 |
-| Taint edges - number of edges | 1670 |
+| Taint edges - number of edges | 1674 |
 | Taint reach - nodes tainted | 0 |
 | Taint reach - per million nodes | 0 |
 | Taint sinks - cryptographic operations | 0 |

@@ -14,7 +14,7 @@
 | Macro calls - resolved | 2 |
 | Macro calls - total | 2 |
 | Macro calls - unresolved | 0 |
-| Taint edges - number of edges | 1670 |
+| Taint edges - number of edges | 1674 |
 | Taint reach - nodes tainted | 0 |
 | Taint reach - per million nodes | 0 |
 | Taint sinks - cryptographic operations | 0 |

@@ -14,7 +14,7 @@
 | Macro calls - resolved | 2 |
 | Macro calls - total | 2 |
 | Macro calls - unresolved | 0 |
-| Taint edges - number of edges | 1670 |
+| Taint edges - number of edges | 1674 |
 | Taint reach - nodes tainted | 0 |
 | Taint reach - per million nodes | 0 |
 | Taint sinks - cryptographic operations | 0 |

@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: summaryModel
+    data:
+      - ["repo:https://github.com/fizyk20/generic-array.git:generic-array", "<crate::GenericArray>::from_slice", "Argument[0].Reference", "ReturnValue.Reference", "value", "manual"]
+      - ["repo:https://github.com/fizyk20/generic-array.git:generic-array", "<crate::GenericArray>::from_mut_slice", "Argument[0].Reference", "ReturnValue.Reference", "value", "manual"]
+      - ["repo:https://github.com/fizyk20/generic-array.git:generic-array", "<crate::GenericArray>::try_from_slice", "Argument[0].Reference", "ReturnValue.Field[crate::result::Result::Ok(0)].Reference", "value", "manual"]
+      - ["repo:https://github.com/fizyk20/generic-array.git:generic-array", "<crate::GenericArray>::try_from_mut_slice", "Argument[0].Reference", "ReturnValue.Field[crate::result::Result::Ok(0)].Reference", "value", "manual"]
@@ -8,3 +8,40 @@ extensions:
      - ["repo:https://github.com/RustCrypto/traits:digest", "<_ as crate::digest::Digest>::chain_update", "Argument[0]", "hasher-input", "manual"]
      - ["repo:https://github.com/RustCrypto/traits:digest", "<_ as crate::digest::Digest>::digest", "Argument[0]", "hasher-input", "manual"]
      - ["repo:https://github.com/stainless-steel/md5:md5", "crate::compute", "Argument[0]", "hasher-input", "manual"]
+      - ["repo:https://github.com/RustCrypto/traits:cipher", "<crate::stream_wrapper::StreamCipherCoreWrapper as crate::KeyInit>::new", "Argument[0]", "credentials-key", "manual"]
+      - ["repo:https://github.com/RustCrypto/traits:cipher", "<crate::stream_wrapper::StreamCipherCoreWrapper as crate::KeyInit>::new", "Argument[1]", "credentials-iv", "manual"]
+      - ["repo:https://github.com/RustCrypto/traits:cipher", "<crate::stream_wrapper::StreamCipherCoreWrapper as crate::KeyInit>::new_from_slice", "Argument[0]", "credentials-key", "manual"]
+      - ["repo:https://github.com/RustCrypto/traits:cipher", "<crate::stream_wrapper::StreamCipherCoreWrapper as crate::KeyIvInit>::new", "Argument[0]", "credentials-key", "manual"]
+      - ["repo:https://github.com/RustCrypto/traits:cipher", "<crate::stream_wrapper::StreamCipherCoreWrapper as crate::KeyIvInit>::new", "Argument[1]", "credentials-iv", "manual"]
+      - ["repo:https://github.com/RustCrypto/traits:cipher", "<crate::stream_wrapper::StreamCipherCoreWrapper as crate::KeyIvInit>::new_from_slice", "Argument[0]", "credentials-key", "manual"]
+      - ["repo:https://github.com/RustCrypto/traits:cipher", "<crate::stream_wrapper::StreamCipherCoreWrapper as crate::KeyIvInit>::new_from_slice", "Argument[1]", "credentials-iv", "manual"]
+      - ["repo:https://github.com/RustCrypto/block-ciphers:aes", "<crate::soft::Aes128 as crate::KeyInit>::new", "Argument[0]", "credentials-key", "manual"]
+      - ["repo:https://github.com/RustCrypto/block-ciphers:aes", "<crate::soft::Aes128 as crate::KeyInit>::new_from_slice", "Argument[0]", "credentials-key", "manual"]
+      - ["repo:https://github.com/RustCrypto/block-ciphers:aes", "<crate::soft::Aes128Enc as crate::KeyInit>::new", "Argument[0]", "credentials-key", "manual"]
+      - ["repo:https://github.com/RustCrypto/block-ciphers:aes", "<crate::soft::Aes128Enc as crate::KeyInit>::new_from_slice", "Argument[0]", "credentials-key", "manual"]
+      - ["repo:https://github.com/RustCrypto/block-ciphers:aes", "<crate::soft::Aes128Dec as crate::KeyInit>::new", "Argument[0]", "credentials-key", "manual"]
+      - ["repo:https://github.com/RustCrypto/block-ciphers:aes", "<crate::soft::Aes128Dec as crate::KeyInit>::new_from_slice", "Argument[0]", "credentials-key", "manual"]
+      - ["repo:https://github.com/RustCrypto/block-ciphers:aes", "<crate::soft::Aes192 as crate::KeyInit>::new", "Argument[0]", "credentials-key", "manual"]
+      - ["repo:https://github.com/RustCrypto/block-ciphers:aes", "<crate::soft::Aes192 as crate::KeyInit>::new_from_slice", "Argument[0]", "credentials-key", "manual"]
+      - ["repo:https://github.com/RustCrypto/block-ciphers:aes", "<crate::soft::Aes192Enc as crate::KeyInit>::new", "Argument[0]", "credentials-key", "manual"]
+      - ["repo:https://github.com/RustCrypto/block-ciphers:aes", "<crate::soft::Aes192Enc as crate::KeyInit>::new_from_slice", "Argument[0]", "credentials-key", "manual"]
+      - ["repo:https://github.com/RustCrypto/block-ciphers:aes", "<crate::soft::Aes192Dec as crate::KeyInit>::new", "Argument[0]", "credentials-key", "manual"]
+      - ["repo:https://github.com/RustCrypto/block-ciphers:aes", "<crate::soft::Aes192Dec as crate::KeyInit>::new_from_slice", "Argument[0]", "credentials-key", "manual"]
+      - ["repo:https://github.com/RustCrypto/block-ciphers:aes", "<crate::soft::Aes256 as crate::KeyInit>::new", "Argument[0]", "credentials-key", "manual"]
+      - ["repo:https://github.com/RustCrypto/block-ciphers:aes", "<crate::soft::Aes256 as crate::KeyInit>::new_from_slice", "Argument[0]", "credentials-key", "manual"]
+      - ["repo:https://github.com/RustCrypto/block-ciphers:aes", "<crate::autodetect::Aes256 as crate::KeyInit>::new", "Argument[0]", "credentials-key", "manual"]
+      - ["repo:https://github.com/RustCrypto/block-ciphers:aes", "<crate::autodetect::Aes256 as crate::KeyInit>::new_from_slice", "Argument[0]", "credentials-key", "manual"]
+      - ["repo:https://github.com/RustCrypto/block-ciphers:aes", "<crate::soft::Aes256Enc as crate::KeyInit>::new", "Argument[0]", "credentials-key", "manual"]
+      - ["repo:https://github.com/RustCrypto/block-ciphers:aes", "<crate::soft::Aes256Enc as crate::KeyInit>::new_from_slice", "Argument[0]", "credentials-key", "manual"]
+      - ["repo:https://github.com/RustCrypto/block-ciphers:aes", "<crate::soft::Aes256Dec as crate::KeyInit>::new", "Argument[0]", "credentials-key", "manual"]
+      - ["repo:https://github.com/RustCrypto/block-ciphers:aes", "<crate::soft::Aes256Dec as crate::KeyInit>::new_from_slice", "Argument[0]", "credentials-key", "manual"]
+      - ["repo:https://github.com/RustCrypto/traits:crypto-common", "crate::KeyInit::new", "Argument[0]", "credentials-key", "manual"]
+      - ["repo:https://github.com/RustCrypto/traits:crypto-common", "crate::KeyInit::new", "Argument[1]", "credentials-iv", "manual"]
+      - ["repo:https://github.com/RustCrypto/traits:crypto-common", "crate::KeyInit::new_from_slice", "Argument[0]", "credentials-key", "manual"]
+      - ["repo:https://github.com/RustCrypto/traits:crypto-common", "crate::KeyInit::new_from_slice", "Argument[1]", "credentials-iv", "manual"]
+      - ["repo:https://github.com/RustCrypto/traits:crypto-common", "<_ as crate::KeyIvInit>::new", "Argument[0]", "credentials-key", "manual"]
+      - ["repo:https://github.com/RustCrypto/traits:crypto-common", "<_ as crate::KeyIvInit>::new", "Argument[1]", "credentials-iv", "manual"]
+      - ["repo:https://github.com/RustCrypto/traits:crypto-common", "<_ as crate::KeyIvInit>::new_from_slices", "Argument[0]", "credentials-key", "manual"]
+      - ["repo:https://github.com/RustCrypto/traits:crypto-common", "<_ as crate::KeyIvInit>::new_from_slices", "Argument[1]", "credentials-iv", "manual"]
+      - ["repo:https://github.com/RustCrypto/AEADs:aes-gcm", "<crate::AesGcm as crate::KeyInit>::new", "Argument[0]", "credentials-key", "manual"]
+      - ["repo:https://github.com/RustCrypto/traits:aead", "<_ as crate::Aead>::encrypt", "Argument[0]", "credentials-nonce", "manual"]
@@ -1,8 +1,17 @@
 extensions:
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: sourceModel
+    data:
+      - ["lang:core", "crate::mem::zeroed", "ReturnValue.Element", "constant-source", "manual"]
  - addsTo:
      pack: codeql/rust-all
      extensible: summaryModel
    data:
+      # Conversions
+      - ["lang:core", "<_ as crate::convert::Into>::into", "Argument[self].Element", "ReturnValue.Element", "taint", "manual"]
+      - ["lang:core", "<_ as crate::convert::Into>::into", "Argument[self].Reference.Element", "ReturnValue.Element", "taint", "manual"]
+      - ["lang:core", "<[_]>::align_to", "Argument[self].Element", "ReturnValue.Field[0,1,2].Reference.Element", "taint", "manual"]
      # Fmt
      - ["lang:alloc", "crate::fmt::format", "Argument[0]", "ReturnValue", "taint", "manual"]
      # Iterator

@@ -0,0 +1,92 @@
+/**
+ * Provides classes and predicates for reasoning about hardcoded cryptographic value
+ * vulnerabilities.
+ */
+
+import rust
+private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.internal.DataFlowImpl
+private import codeql.rust.security.SensitiveData
+
+/**
+ * A kind of cryptographic value.
+ */
+class CryptographicValueKind extends string {
+  CryptographicValueKind() { this = ["password", "key", "iv", "nonce", "salt"] }
+
+  /**
+   * Gets a description of this value kind for user-facing messages.
+   */
+  string getDescription() {
+    this = "password" and result = "a password"
+    or
+    this = "key" and result = "a key"
+    or
+    this = "iv" and result = "an initialization vector"
+    or
+    this = "nonce" and result = "a nonce"
+    or
+    this = "salt" and result = "a salt"
+  }
+}
+
+/**
+ * Provides default sources, sinks and barriers for detecting hardcoded cryptographic
+ * value vulnerabilities, as well as extension points for adding your own.
+ */
+module HardcodedCryptographicValue {
+  /**
+   * A data flow source for hardcoded cryptographic value vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for hardcoded cryptographic value vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node {
+    /**
+     * Gets the kind of credential this sink is interpreted as.
+     */
+    abstract CryptographicValueKind getKind();
+  }
+
+  /**
+   * A barrier for hardcoded cryptographic value vulnerabilities.
+   */
+  abstract class Barrier extends DataFlow::Node { }
+
+  /**
+   * A literal, considered as a flow source.
+   */
+  private class LiteralSource extends Source {
+    LiteralSource() { this.asExpr().getExpr() instanceof LiteralExpr }
+  }
+
+  /**
+   * An array initialized from a list of literals, considered as a single flow source. For example:
+   * ```
+   * `[0, 0, 0, 0]`
+   * ```
+   */
+  private class ArrayListSource extends Source {
+    ArrayListSource() { this.asExpr().getExpr().(ArrayListExpr).getExpr(_) instanceof LiteralExpr }
+  }
+
+  /**
+   * An externally modeled source for constant values.
+   */
+  private class ModeledSource extends Source {
+    ModeledSource() { sourceNode(this, "constant-source") }
+  }
+
+  /**
+   * An externally modeled sink for hardcoded cryptographic value vulnerabilities.
+   */
+  private class ModelsAsDataSinks extends Sink {
+    CryptographicValueKind kind;
+
+    ModelsAsDataSinks() { sinkNode(this, "credentials-" + kind) }
+
+    override CryptographicValueKind getKind() { result = kind }
+  }
+}
@@ -0,0 +1,58 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Hardcoded passwords, keys, initialization vectors and salts should not be used for cryptographic operations.
+</p>
+<ul>
+  <li>
+    Attackers can easily recover hardcoded values if they have access to the source code or compiled executable.
+  </li>
+  <li>
+    Some hardcoded values are easily guessable.
+  </li>
+  <li>
+    Use of hardcoded values may leave cryptographic operations vulnerable to dictionary attacks, rainbow tables, and other forms of cryptanalysis.
+  </li>
+</ul>
+
+</overview>
+<recommendation>
+
+<p>
+Use randomly generated key material, initialization vectors and salts. Use strong passwords that are not hardcoded.
+</p>
+
+</recommendation>
+<example>
+
+<p>
+The following example shows instantiating a cipher with hardcoded key material, making the encrypted data vulnerable to recovery.
+</p>
+
+<sample src="HardcodedCryptographicValueBad.rs" />
+
+<p>
+In the fixed code below, the key material is randomly generated and not hardcoded, which protects the encrypted data against recovery. A real application would also need a strategy for secure key management after the key has been generated.
+</p>
+
+<sample src="HardcodedCryptographicValueGood.rs" />
+
+</example>
+<references>
+
+<li>
+OWASP: <a href="https://www.owasp.org/index.php/Use_of_hard-coded_password">Use of hard-coded password</a>.
+</li>
+<li>
+OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html">Key Management Cheat Sheet</a>.
+</li>
+<li>
+O'Reilly: <a href="https://www.oreilly.com/library/view/secure-programming-cookbook/0596003943/ch04s09.html">Using Salts, Nonces, and Initialization Vectors</a>.
+</li>
+
+</references>
+</qhelp>
@@ -0,0 +1,57 @@
+/**
+ * @name Hard-coded cryptographic value
+ * @description Using hardcoded keys, passwords, salts or initialization
+ *              vectors is not secure.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 9.8
+ * @precision high
+ * @id rust/hardcoded-cryptographic-value
+ * @tags security
+ *       external/cwe/cwe-259
+ *       external/cwe/cwe-321
+ *       external/cwe/cwe-798
+ *       external/cwe/cwe-1204
+ */
+
+import rust
+import codeql.rust.security.HardcodedCryptographicValueExtensions
+import codeql.rust.dataflow.DataFlow
+import codeql.rust.dataflow.TaintTracking
+import codeql.rust.dataflow.internal.DataFlowImpl
+
+/**
+ * A taint-tracking configuration for hardcoded cryptographic value vulnerabilities.
+ */
+module HardcodedCryptographicValueConfig implements DataFlow::ConfigSig {
+  import HardcodedCryptographicValue
+
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof Barrier }
+
+  predicate isBarrierIn(DataFlow::Node node) {
+    // make sources barriers so that we only report the closest instance
+    // (this combined with sources for `ArrayListExpr` means we only get one source in
+    //  case like `[0, 0, 0, 0]`)
+    isSource(node)
+  }
+
+  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+    // flow out from reference content at sinks.
+    isSink(node) and
+    c.getAReadContent() instanceof ReferenceContent
+  }
+}
+
+module HardcodedCryptographicValueFlow = TaintTracking::Global<HardcodedCryptographicValueConfig>;
+
+import HardcodedCryptographicValueFlow::PathGraph
+
+from
+  HardcodedCryptographicValueFlow::PathNode source, HardcodedCryptographicValueFlow::PathNode sink
+where HardcodedCryptographicValueFlow::flowPath(source, sink)
+select source.getNode(), source, sink, "This hard-coded value is used as $@.", sink,
+  sink.getNode().(HardcodedCryptographicValueConfig::Sink).getKind().getDescription()
@@ -0,0 +1,2 @@
+let key: [u8;32] = [0;32]; // BAD: Using hardcoded keys for encryption
+let cipher = Aes256Gcm::new(&key.into());
@@ -0,0 +1,2 @@
+let key = Aes256Gcm::generate_key(aes_gcm::aead::OsRng); // GOOD: Using randomly generated keys for encryption
+let cipher = Aes256Gcm::new(&key);
@@ -11,6 +11,7 @@ private import codeql.rust.controlflow.internal.CfgConsistency as CfgConsistency
 private import codeql.rust.dataflow.internal.DataFlowConsistency as DataFlowConsistency
 private import codeql.rust.security.SqlInjectionExtensions
 private import codeql.rust.security.CleartextLoggingExtensions
+private import codeql.rust.security.HardcodedCryptographicValueExtensions

 /**
 * Gets a count of the total number of lines of code in the database.
@@ -62,6 +63,8 @@ string getAQuerySinkKind(DataFlow::Node n) {
  n instanceof SqlInjection::Sink and result = "SqlInjection"
  or
  n instanceof CleartextLogging::Sink and result = "CleartextLogging"
+  or
+  n instanceof HardcodedCryptographicValue::Sink and result = "HardcodedCryptographicValue"
 }

 /**
-Original file line number
+Diff line change
@@ -0,0 +1,9 @@
+    extensions:
+      - addsTo:
+          pack: codeql/rust-all
+          extensible: summaryModel
+        data:
+          - ["repo:https://github.com/fizyk20/generic-array.git:generic-array", "<crate::GenericArray>::from_slice", "Argument[0].Reference", "ReturnValue.Reference", "value", "manual"]
             Copy link

  
      
    
  

  
      

  
    Contributor


      

  

  
    
      

      
            hvitved
  

      

      

      


        Mar 10, 2025


      
    

  


        
      
  
  
  
    

    There was a problem hiding this comment.


  

 
  
    

    Choose a reason for hiding this comment

    
      The reason will be displayed to describe this comment to others. Learn more.
    

    
      
      


  


  
    
      We could consider adding a WithReference token, which would allow us to simplify the above slightly as
["repo:https://github.com/fizyk20/generic-array.git:generic-array", "<crate::GenericArray>::from_slice", "Argument[0].WithReference", "ReturnValue", "value", "manual"]

    
  
  


    

        
      
  
  
    
  
  
  
    
    Sorry, something went wrong.
  

  
    
  
    
      

              Uh oh!

              
There was an error while loading. Please reload this page.


  
  


          
      
  
    
    
      
        
            
    All reactions
  


          
          
        
      
    

    



  
        
  
    
        
    
  


      
          
  
      
            Copy link

  
      
    
  

  
      

  
    Contributor


      

  Author


  

  
    
      

      
            geoffw0
  

      

      

      


        Mar 10, 2025


      
    

  


        
      
  
  
  
    

    There was a problem hiding this comment.


  

 
  
    

    Choose a reason for hiding this comment

    
      The reason will be displayed to describe this comment to others. Learn more.
    

    
      
      


  


  
    
      I'm not sure I see what's special about WithReference over WithElement or any of a hundred other shortcuts we could potentially create.  But if you've had good experiences with this syntactic sugar in other languages, I will defer to your experience.
    
  
  


    

        
      
  
  
    
  
  
  
    
    Sorry, something went wrong.
  

  
    
  
    
      

              Uh oh!

              
There was an error while loading. Please reload this page.


  
  


          
      
  
    
    
      
        
            
    All reactions
  


          
          
        
      
    

    



  
        
  
    
        
    
  


      
          
  
      
            Copy link

  
      
    
  

  
      

  
    Contributor


      

  

  
    
      

      
            hvitved
  

      

      

      


        Mar 11, 2025


      
    

  


        
      
  
  
  
    

    There was a problem hiding this comment.


  

 
  
    

    Choose a reason for hiding this comment

    
      The reason will be displayed to describe this comment to others. Learn more.
    

    
      
      


  


  
    
      WithElement mostly makes a difference when you are tracking precise array indicies, like we do in Ruby, where you would otherwise have to write an "infinite" number of MaD rows (one for index 0, one for index 1, ...). WithElement generates a somewhat simpler synthetic function, which does not consist of a read step followed by a store step.
    
  
  


    

        
      
  
  
    
  
  
  
    
    Sorry, something went wrong.
  

  
    
  
    
      

              Uh oh!

              
There was an error while loading. Please reload this page.


  
  


          
      
  
    
    
      
        
            
    All reactions
+          - ["repo:https://github.com/fizyk20/generic-array.git:generic-array", "<crate::GenericArray>::from_mut_slice", "Argument[0].Reference", "ReturnValue.Reference", "value", "manual"]
+          - ["repo:https://github.com/fizyk20/generic-array.git:generic-array", "<crate::GenericArray>::try_from_slice", "Argument[0].Reference", "ReturnValue.Field[crate::result::Result::Ok(0)].Reference", "value", "manual"]
+          - ["repo:https://github.com/fizyk20/generic-array.git:generic-array", "<crate::GenericArray>::try_from_mut_slice", "Argument[0].Reference", "ReturnValue.Field[crate::result::Result::Ok(0)].Reference", "value", "manual"]
                   geoffw0 marked this conversation as resolved.
              

          
            Show resolved
            Hide resolved
        

                
  
            
  

  
    
  
    
      

              Uh oh!

              
There was an error while loading. Please reload this page.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		let key: [u8;32] = [0;32]; // BAD: Using hardcoded keys for encryption
		let cipher = Aes256Gcm::new(&key.into());
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		let key = Aes256Gcm::generate_key(aes_gcm::aead::OsRng); // GOOD: Using randomly generated keys for encryption
		let cipher = Aes256Gcm::new(&key);