feat(dataflow): Add Taint Tracking

GeekMasher · GeekMasher · commit 614d6e35fda9 · 2025-06-17T21:02:41.000+01:00
diff --git a/ql/lib/codeql/bicep/dataflow/TaintTracking.qll b/ql/lib/codeql/bicep/dataflow/TaintTracking.qll
@@ -0,0 +1,18 @@
+/**
+ * Provides the module `TaintTracking`.
+ */
+
+private import bicep
+
+/**
+ * Provides a library for performing local (intra-procedural) and global
+ * (inter-procedural) taint-tracking analyses.
+ */
+module TaintTracking {
+  import codeql.bicep.dataflow.internal.TaintTrackingImpl::Public
+  private import codeql.bicep.dataflow.internal.DataFlowImplSpecific
+  private import codeql.bicep.dataflow.internal.TaintTrackingImplSpecific
+  private import codeql.dataflow.TaintTracking
+  private import bicep
+  import TaintFlowMake<Location, BicepDataFlow, BicepTaintTracking>
+}
diff --git a/ql/lib/codeql/bicep/dataflow/internal/TaintTrackingImpl.qll b/ql/lib/codeql/bicep/dataflow/internal/TaintTrackingImpl.qll
@@ -0,0 +1,7 @@
+import codeql.bicep.dataflow.internal.TaintTrackingPublic as Public
+
+module Private {
+  import codeql.bicep.dataflow.DataFlow::DataFlow as DataFlow
+  import codeql.bicep.dataflow.internal.DataFlowImpl as DataFlowInternal
+  import codeql.bicep.dataflow.internal.TaintTrackingPrivate
+}
diff --git a/ql/lib/codeql/bicep/dataflow/internal/TaintTrackingImplSpecific.qll b/ql/lib/codeql/bicep/dataflow/internal/TaintTrackingImplSpecific.qll
@@ -0,0 +1,11 @@
+/**
+ * Provides bicep-specific definitions for use in the taint tracking library.
+ */
+
+private import codeql.Locations
+private import codeql.dataflow.TaintTracking
+private import DataFlowImplSpecific
+
+module BicepTaintTracking implements InputSig<Location, BicepDataFlow> {
+  import TaintTrackingPrivate
+}
diff --git a/ql/lib/codeql/bicep/dataflow/internal/TaintTrackingPrivate.qll b/ql/lib/codeql/bicep/dataflow/internal/TaintTrackingPrivate.qll
@@ -45,3 +45,16 @@ private module Cached {
 }
 
 import Cached
+
+import SpeculativeTaintFlow
+
+private module SpeculativeTaintFlow {
+  private import codeql.bicep.dataflow.internal.DataFlowDispatch as DataFlowDispatch
+  private import codeql.bicep.dataflow.internal.DataFlowPublic as DataFlowPublic
+
+  /**
+   * Holds if the additional step from `src` to `sink` should be considered in
+   * speculative taint flow exploration.
+   */
+  predicate speculativeTaintStep(DataFlow::Node src, DataFlow::Node sink) { none() }
+}
