WIP 1 - starting to make BarrierElement in shared dataflow lib

Author: owen-mc

rust/ql/lib/codeql/rust/dataflow/FlowBarrier.qll

@@ -0,0 +1,54 @@
+/**
+ * Provides classes and predicates for defining barriers and barrier guards.
+ *
+ * Flow sinks defined here feed into data flow configurations as follows:
+ *
+ * ```text
+ * data from *.model.yml | QL extensions of FlowSink::Range
+ *  v                       v
+ * FlowSink (associated with a models-as-data kind string)
+ *  v
+ * sinkNode predicate | other QL defined sinks, for example using concepts
+ *  v                    v
+ * various Sink classes for specific data flow configurations <- extending QuerySink
+ * ```
+ *
+ * New sinks should be defined using models-as-data, QL extensions of
+ * `FlowSink::Range`, or concepts. Data flow configurations should use the
+ * `sinkNode` predicate and/or concepts to define their sinks.
+ */
+
+private import rust
+private import internal.FlowSummaryImpl as Impl
+private import internal.DataFlowImpl as DataFlowImpl
+
+// import all instances below
+private module Barriers {
+  private import codeql.rust.Frameworks
+  private import codeql.rust.dataflow.internal.ModelsAsData
+}
+
+/** Provides the `Range` class used to define the extent of `FlowBarrier`. */
+module FlowBarrier {
+  /** A flow sink. */
+  abstract class Range extends Impl::Public::BarrierElement {
+    bindingset[this]
+    Range() { any() }
+
+    override predicate isBarrier(
+      string output, string kind, Impl::Public::Provenance provenance, string model
+    ) {
+      this.isBarrier(output, kind) and provenance = "manual" and model = ""
+    }
+
+    /**
+     * Holds is this element is a flow barrier of kind `kind`, where data
+     * flows out as described by `output`.
+     */
+    predicate isBarrier(string output, string kind) { none() }
+  }
+}
+
+final class FlowBarrier = FlowBarrier::Range;
+
+predicate barrierNode = DataFlowImpl::barrierNode/2;

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll

@@ -1157,6 +1157,10 @@ private module Cached {
   cached
   predicate sinkNode(Node n, string kind) { n.(FlowSummaryNode).isSink(kind, _) }
 
+  /** Holds if `n` is a flow barrier of kind `kind`. */
+  cached
+  predicate barrierNode(Node n, string kind) { n.(FlowSummaryNode).isBarrier(kind, _) }
+
   /**
    * A step in a flow summary defined using `OptionalStep[name]`. An `OptionalStep` is "opt-in", which means
    * that by default the step is not present in the flow summary and needs to be explicitly enabled by defining

rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll

@@ -44,6 +44,7 @@
  */
 
 private import rust
+private import codeql.rust.dataflow.FlowBarrier
 private import codeql.rust.dataflow.FlowSummary
 private import codeql.rust.dataflow.FlowSource
 private import codeql.rust.dataflow.FlowSink
@@ -239,6 +240,23 @@ private class FlowSinkFromModel extends FlowSink::Range {
   }
 }
 
+private class BarrierFromModel extends FlowBarrier::Range {
+  private string path;
+
+  BarrierFromModel() {
+    barrierModel(path, _, _, _, _) and
+    this.callResolvesTo(path)
+    // path = this.getCall().getResolvedTarget().getCanonicalPath()
+  }
+
+  override predicate isBarrier(string output, string kind, Provenance provenance, string model) {
+    exists(QlBuiltins::ExtensionId madId |
+      barrierModel(path, output, kind, provenance, madId) and
+      model = "MaD:" + madId.toString()
+    )
+  }
+}
+
 private module Debug {
   private import FlowSummaryImpl
   private import Private

rust/ql/lib/codeql/rust/dataflow/internal/Node.qll

@@ -82,12 +82,12 @@ class FlowSummaryNode extends Node, TFlowSummaryNode {
     result = this.getSummaryNode().getSinkElement()
   }
 
-  /** Holds is this node is a source node of kind `kind`. */
+  /** Holds if this node is a source node of kind `kind`. */
   predicate isSource(string kind, string model) {
     this.getSummaryNode().(FlowSummaryImpl::Private::SourceOutputNode).isEntry(kind, model)
   }
 
-  /** Holds is this node is a sink node of kind `kind`. */
+  /** Holds if this node is a sink node of kind `kind`. */
   predicate isSink(string kind, string model) {
     this.getSummaryNode().(FlowSummaryImpl::Private::SinkInputNode).isExit(kind, model)
   }

rust/ql/test/library-tests/dataflow/barrier/inline-flow.ext.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: barrierModel
+    data:
+      - ["main::sanitize", "ReturnValue", "test", "manual"]

rust/ql/test/library-tests/dataflow/barrier/inline-flow.ql

@@ -3,10 +3,21 @@
  */
 
 import rust
+import codeql.rust.dataflow.DataFlow
+import codeql.rust.dataflow.FlowBarrier
 import utils.test.InlineFlowTest
-import DefaultFlowTest
-import TaintFlow::PathGraph
+import PathGraph
 
-from TaintFlow::PathNode source, TaintFlow::PathNode sink
-where TaintFlow::flowPath(source, sink)
+module CustomConfig implements DataFlow::ConfigSig {
+  predicate isSource = DefaultFlowConfig::isSource/1;
+
+  predicate isSink = DefaultFlowConfig::isSink/1;
+
+  predicate isBarrier(DataFlow::Node n) { barrierNode(n, "test") }
+}
+
+import FlowTest<CustomConfig, CustomConfig>
+
+from PathNode source, PathNode sink
+where flowPath(source, sink)
 select sink, source, sink, "$@", source, source.toString()

shared/dataflow/codeql/dataflow/internal/FlowSummaryImpl.qll

@@ -368,6 +368,19 @@ module Make<
       abstract predicate isSink(string input, string kind, Provenance provenance, string model);
     }
 
+    /** A barrier element. */
+    abstract class BarrierElement extends SourceBaseFinal {
+      bindingset[this]
+      BarrierElement() { any() }
+
+      /**
+       * Holds if this element is a flow barrier of kind `kind`, where data
+       * flows out as described by `output`.
+       */
+      pragma[nomagic]
+      abstract predicate isBarrier(string output, string kind, Provenance provenance, string model);
+    }
+
     private signature predicate hasKindSig(string kind);
 
     signature class NeutralCallableSig extends SummarizedCallableBaseFinal {