hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 10:15:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Rust: Remove taint steps

Browse Source
This commit is contained in:
Simon Friis Vindum
2024-12-18 11:22:56 +01:00
parent c1e21974c6
commit 049fab4c72
9 changed files with 17 additions and 143 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll
View File

@@ -46,8 +46,6 @@ module RustTaintTracking implements InputSig<Location, RustDataFlow> {
RustDataFlow::readStep(pred, cs, succ) and
cs.getContent() instanceof ArrayElementContent
)
or
pred.asExpr() = succ.asExpr().(RefExprCfgNode).getExpr()
)
or
FlowSummaryImpl::Private::Steps::summaryLocalStep(pred.(Node::FlowSummaryNode).getSummaryNode(),

3
rust/ql/lib/codeql/rust/frameworks/stdlib/lang-core.model.yml
View File

@@ -5,14 +5,11 @@ extensions:
data:
# Option
- ["lang:core", "<crate::option::Option>::unwrap", "Argument[self].Variant[crate::option::Option::Some(0)]", "ReturnValue", "value", "manual"]
- ["lang:core", "<crate::option::Option>::unwrap", "Argument[self]", "ReturnValue", "taint", "manual"]
- ["lang:core", "<crate::option::Option>::unwrap_or", "Argument[self].Variant[crate::option::Option::Some(0)]", "ReturnValue", "value", "manual"]
- ["lang:core", "<crate::option::Option>::unwrap_or", "Argument[0]", "ReturnValue", "value", "manual"]
# Result
- ["lang:core", "<crate::result::Result>::unwrap", "Argument[self].Variant[crate::result::Result::Ok(0)]", "ReturnValue", "value", "manual"]
- ["lang:core", "<crate::result::Result>::unwrap", "Argument[self]", "ReturnValue", "taint", "manual"]
- ["lang:core", "<crate::result::Result>::unwrap_or", "Argument[self].Variant[crate::result::Result::Ok(0)]", "ReturnValue", "value", "manual"]
- ["lang:core", "<crate::result::Result>::unwrap_or", "Argument[0]", "ReturnValue", "value", "manual"]
- ["lang:core", "<crate::result::Result>::unwrap_or", "Argument[self]", "ReturnValue", "taint", "manual"]
# String
- ["lang:alloc", "<crate::string::String>::as_str", "Argument[self]", "ReturnValue", "taint", "manual"]

4
rust/ql/test/library-tests/dataflow/sources/test.rs
View File

@@ -12,7 +12,7 @@ fn test_env_vars() {
let var2 = std::env::var_os("PATH").unwrap(); // $ Alert[rust/summary/taint-sources]
sink(var1); // $ MISSING: hasTaintFlow
sink(var2); // $ hasTaintFlow
sink(var2); // $ MISSING: hasTaintFlow
for (key, value) in std::env::vars() { // $ Alert[rust/summary/taint-sources]
sink(key); // $ MISSING: hasTaintFlow
@@ -61,7 +61,7 @@ async fn test_reqwest() -> Result<(), reqwest::Error> {
sink(remote_string1); // $ MISSING: hasTaintFlow
let remote_string2 = reqwest::blocking::get("http://example.com/").unwrap().text().unwrap(); // $ Alert[rust/summary/taint-sources]
sink(remote_string2); // $ hasTaintFlow
sink(remote_string2); // $ MISSING: hasTaintFlow
let remote_string3 = reqwest::get("http://example.com/").await?.text().await?; // $ Alert[rust/summary/taint-sources]
sink(remote_string3); // $ MISSING: hasTaintFlow

9
rust/ql/test/library-tests/dataflow/strings/inline-taint-flow.expected
View File

@@ -1,25 +1,20 @@
models
| 1 | Summary: lang:alloc; <crate::string::String>::as_str; Argument[self]; ReturnValue; taint |
edges
| main.rs:20:9:20:9 | s | main.rs:21:9:21:14 | sliced | provenance | |
| main.rs:20:9:20:9 | s | main.rs:21:19:21:25 | s[...] | provenance | |
| main.rs:20:13:20:22 | source(...) | main.rs:20:9:20:9 | s | provenance | |
| main.rs:21:9:21:14 | sliced | main.rs:22:16:22:21 | sliced | provenance | |
| main.rs:21:9:21:14 | sliced [&ref] | main.rs:22:16:22:21 | sliced | provenance | |
| main.rs:21:18:21:25 | &... [&ref] | main.rs:21:9:21:14 | sliced [&ref] | provenance | |
| main.rs:21:19:21:25 | s[...] | main.rs:21:18:21:25 | &... [&ref] | provenance | |
| main.rs:26:9:26:10 | s1 | main.rs:29:9:29:10 | s4 | provenance | |
| main.rs:26:14:26:23 | source(...) | main.rs:26:9:26:10 | s1 | provenance | |
| main.rs:29:9:29:10 | s4 | main.rs:32:10:32:11 | s4 | provenance | |
| main.rs:37:9:37:10 | s1 | main.rs:40:10:40:35 | ... + ... | provenance | |
| main.rs:37:14:37:23 | source(...) | main.rs:37:9:37:10 | s1 | provenance | |
| main.rs:57:9:57:9 | s | main.rs:58:16:58:16 | s | provenance | |
| main.rs:57:13:57:22 | source(...) | main.rs:57:9:57:9 | s | provenance | |
| main.rs:58:16:58:16 | s | main.rs:58:16:58:25 | s.as_str(...) | provenance | MaD:1 |
nodes
| main.rs:20:9:20:9 | s | semmle.label | s |
| main.rs:20:13:20:22 | source(...) | semmle.label | source(...) |
| main.rs:21:9:21:14 | sliced | semmle.label | sliced |
| main.rs:21:9:21:14 | sliced [&ref] | semmle.label | sliced [&ref] |
| main.rs:21:18:21:25 | &... [&ref] | semmle.label | &... [&ref] |
| main.rs:21:19:21:25 | s[...] | semmle.label | s[...] |
@@ -28,9 +23,6 @@ nodes
| main.rs:26:14:26:23 | source(...) | semmle.label | source(...) |
| main.rs:29:9:29:10 | s4 | semmle.label | s4 |
| main.rs:32:10:32:11 | s4 | semmle.label | s4 |
| main.rs:37:9:37:10 | s1 | semmle.label | s1 |
| main.rs:37:14:37:23 | source(...) | semmle.label | source(...) |
| main.rs:40:10:40:35 | ... + ... | semmle.label | ... + ... |
| main.rs:57:9:57:9 | s | semmle.label | s |
| main.rs:57:13:57:22 | source(...) | semmle.label | source(...) |
| main.rs:58:16:58:16 | s | semmle.label | s |
@@ -40,5 +32,4 @@ testFailures
#select
| main.rs:22:16:22:21 | sliced | main.rs:20:13:20:22 | source(...) | main.rs:22:16:22:21 | sliced | $@ | main.rs:20:13:20:22 | source(...) | source(...) |
| main.rs:32:10:32:11 | s4 | main.rs:26:14:26:23 | source(...) | main.rs:32:10:32:11 | s4 | $@ | main.rs:26:14:26:23 | source(...) | source(...) |
| main.rs:40:10:40:35 | ... + ... | main.rs:37:14:37:23 | source(...) | main.rs:40:10:40:35 | ... + ... | $@ | main.rs:37:14:37:23 | source(...) | source(...) |
| main.rs:58:16:58:25 | s.as_str(...) | main.rs:57:13:57:22 | source(...) | main.rs:58:16:58:25 | s.as_str(...) | $@ | main.rs:57:13:57:22 | source(...) | source(...) |

2
rust/ql/test/library-tests/dataflow/strings/main.rs
View File

@@ -37,7 +37,7 @@ fn string_add_reference() {
let s1 = source(37);
let s2 = "1".to_string();
sink("Hello ".to_string() + &s1); // $ hasTaintFlow=37
sink("Hello ".to_string() + &s1); // $ MISSING: hasTaintFlow=37
sink("Hello ".to_string() + &s2);
}

6
rust/ql/test/library-tests/dataflow/taint/TaintFlowStep.expected
View File

@@ -1,7 +1,4 @@
| file://:0:0:0:0 | [summary param] self in lang:alloc::_::<crate::string::String>::as_str | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:alloc::_::<crate::string::String>::as_str | MaD:10 |
| file://:0:0:0:0 | [summary param] self in lang:core::_::<crate::option::Option>::unwrap | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<crate::option::Option>::unwrap | MaD:2 |
| file://:0:0:0:0 | [summary param] self in lang:core::_::<crate::result::Result>::unwrap | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<crate::result::Result>::unwrap | MaD:6 |
| file://:0:0:0:0 | [summary param] self in lang:core::_::<crate::result::Result>::unwrap_or | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<crate::result::Result>::unwrap_or | MaD:9 |
| file://:0:0:0:0 | [summary param] self in lang:alloc::_::<crate::string::String>::as_str | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:alloc::_::<crate::string::String>::as_str | MaD:7 |
| file://:0:0:0:0 | [summary param] self in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::text | file://:0:0:0:0 | [summary] to write: ReturnValue.Variant[crate::result::Result::Ok(0)] in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::text | MaD:0 |
| main.rs:4:5:4:8 | 1000 | main.rs:4:5:4:12 | ... + ... | |
| main.rs:4:12:4:12 | i | main.rs:4:5:4:12 | ... + ... | |
@@ -11,7 +8,6 @@
| main.rs:23:13:23:13 | a | main.rs:23:13:23:19 | a as u8 | |
| main.rs:24:10:24:10 | b | main.rs:24:10:24:17 | b as i64 | |
| main.rs:38:23:38:23 | s | main.rs:38:23:38:29 | s[...] | |
| main.rs:38:23:38:29 | s[...] | main.rs:38:22:38:29 | &... | |
| main.rs:54:14:54:16 | arr | main.rs:54:14:54:19 | arr[1] | |
| main.rs:64:24:64:24 | s | main.rs:64:24:64:27 | s[1] | |
| main.rs:69:9:69:12 | arr2 | main.rs:69:9:69:15 | arr2[1] | |

3
rust/ql/test/library-tests/dataflow/taint/inline-taint-flow.expected
View File

@@ -7,10 +7,8 @@ edges
| main.rs:22:9:22:9 | a | main.rs:23:9:23:9 | b | provenance | |
| main.rs:22:13:22:22 | source(...) | main.rs:22:9:22:9 | a | provenance | |
| main.rs:23:9:23:9 | b | main.rs:24:10:24:17 | b as i64 | provenance | |
| main.rs:37:13:37:13 | s | main.rs:38:13:38:18 | sliced | provenance | |
| main.rs:37:13:37:13 | s | main.rs:38:23:38:29 | s[...] | provenance | |
| main.rs:37:17:37:26 | source(...) | main.rs:37:13:37:13 | s | provenance | |
| main.rs:38:13:38:18 | sliced | main.rs:39:14:39:19 | sliced | provenance | |
| main.rs:38:13:38:18 | sliced [&ref] | main.rs:39:14:39:19 | sliced | provenance | |
| main.rs:38:22:38:29 | &... [&ref] | main.rs:38:13:38:18 | sliced [&ref] | provenance | |
| main.rs:38:23:38:29 | s[...] | main.rs:38:22:38:29 | &... [&ref] | provenance | |
@@ -31,7 +29,6 @@ nodes
| main.rs:24:10:24:17 | b as i64 | semmle.label | b as i64 |
| main.rs:37:13:37:13 | s | semmle.label | s |
| main.rs:37:17:37:26 | source(...) | semmle.label | source(...) |
| main.rs:38:13:38:18 | sliced | semmle.label | sliced |
| main.rs:38:13:38:18 | sliced [&ref] | semmle.label | sliced [&ref] |
| main.rs:38:22:38:29 | &... [&ref] | semmle.label | &... [&ref] |
| main.rs:38:23:38:29 | s[...] | semmle.label | s[...] |

105
rust/ql/test/query-tests/security/CWE-089/SqlInjection.expected
View File

@@ -1,109 +1,4 @@
#select
| sqlx.rs:65:30:65:52 | unsafe_query_2.as_str(...) | sqlx.rs:48:25:48:69 | ...::get(...) | sqlx.rs:65:30:65:52 | unsafe_query_2.as_str(...) | This query depends on a $@. | sqlx.rs:48:25:48:69 | ...::get(...) | user-provided value |
| sqlx.rs:66:30:66:52 | unsafe_query_3.as_str(...) | sqlx.rs:48:25:48:69 | ...::get(...) | sqlx.rs:66:30:66:52 | unsafe_query_3.as_str(...) | This query depends on a $@. | sqlx.rs:48:25:48:69 | ...::get(...) | user-provided value |
| sqlx.rs:76:29:76:51 | unsafe_query_2.as_str(...) | sqlx.rs:48:25:48:69 | ...::get(...) | sqlx.rs:76:29:76:51 | unsafe_query_2.as_str(...) | This query depends on a $@. | sqlx.rs:48:25:48:69 | ...::get(...) | user-provided value |
| sqlx.rs:77:29:77:51 | unsafe_query_3.as_str(...) | sqlx.rs:48:25:48:69 | ...::get(...) | sqlx.rs:77:29:77:51 | unsafe_query_3.as_str(...) | This query depends on a $@. | sqlx.rs:48:25:48:69 | ...::get(...) | user-provided value |
| sqlx.rs:104:30:104:52 | unsafe_query_1.as_str(...) | sqlx.rs:96:25:96:69 | ...::get(...) | sqlx.rs:104:30:104:52 | unsafe_query_1.as_str(...) | This query depends on a $@. | sqlx.rs:96:25:96:69 | ...::get(...) | user-provided value |
| sqlx.rs:109:31:109:53 | unsafe_query_1.as_str(...) | sqlx.rs:96:25:96:69 | ...::get(...) | sqlx.rs:109:31:109:53 | unsafe_query_1.as_str(...) | This query depends on a $@. | sqlx.rs:96:25:96:69 | ...::get(...) | user-provided value |
| sqlx.rs:116:29:116:51 | unsafe_query_1.as_str(...) | sqlx.rs:96:25:96:69 | ...::get(...) | sqlx.rs:116:29:116:51 | unsafe_query_1.as_str(...) | This query depends on a $@. | sqlx.rs:96:25:96:69 | ...::get(...) | user-provided value |
| sqlx.rs:123:29:123:51 | unsafe_query_1.as_str(...) | sqlx.rs:96:25:96:69 | ...::get(...) | sqlx.rs:123:29:123:51 | unsafe_query_1.as_str(...) | This query depends on a $@. | sqlx.rs:96:25:96:69 | ...::get(...) | user-provided value |
| sqlx.rs:132:55:132:77 | unsafe_query_1.as_str(...) | sqlx.rs:96:25:96:69 | ...::get(...) | sqlx.rs:132:55:132:77 | unsafe_query_1.as_str(...) | This query depends on a $@. | sqlx.rs:96:25:96:69 | ...::get(...) | user-provided value |
| sqlx.rs:141:55:141:77 | unsafe_query_1.as_str(...) | sqlx.rs:96:25:96:69 | ...::get(...) | sqlx.rs:141:55:141:77 | unsafe_query_1.as_str(...) | This query depends on a $@. | sqlx.rs:96:25:96:69 | ...::get(...) | user-provided value |
| sqlx.rs:149:29:149:51 | unsafe_query_1.as_str(...) | sqlx.rs:96:25:96:69 | ...::get(...) | sqlx.rs:149:29:149:51 | unsafe_query_1.as_str(...) | This query depends on a $@. | sqlx.rs:96:25:96:69 | ...::get(...) | user-provided value |
| sqlx.rs:177:30:177:52 | unsafe_query_1.as_str(...) | sqlx.rs:169:25:169:69 | ...::get(...) | sqlx.rs:177:30:177:52 | unsafe_query_1.as_str(...) | This query depends on a $@. | sqlx.rs:169:25:169:69 | ...::get(...) | user-provided value |
| sqlx.rs:184:29:184:51 | unsafe_query_1.as_str(...) | sqlx.rs:169:25:169:69 | ...::get(...) | sqlx.rs:184:29:184:51 | unsafe_query_1.as_str(...) | This query depends on a $@. | sqlx.rs:169:25:169:69 | ...::get(...) | user-provided value |
edges
| sqlx.rs:48:9:48:21 | remote_string | sqlx.rs:54:9:54:22 | unsafe_query_2 | provenance | |
| sqlx.rs:48:9:48:21 | remote_string | sqlx.rs:55:9:55:22 | unsafe_query_3 | provenance | |
| sqlx.rs:48:25:48:69 | ...::get(...) | sqlx.rs:48:25:48:78 | ... .unwrap(...) | provenance | MaD:2 |
| sqlx.rs:48:25:48:78 | ... .unwrap(...) | sqlx.rs:48:25:48:85 | ... .text(...) [Ok] | provenance | MaD:4 |
| sqlx.rs:48:25:48:85 | ... .text(...) [Ok] | sqlx.rs:48:25:48:118 | ... .unwrap_or(...) | provenance | MaD:3 |
| sqlx.rs:48:25:48:118 | ... .unwrap_or(...) | sqlx.rs:48:9:48:21 | remote_string | provenance | |
| sqlx.rs:54:9:54:22 | unsafe_query_2 | sqlx.rs:65:30:65:43 | unsafe_query_2 | provenance | |
| sqlx.rs:54:9:54:22 | unsafe_query_2 | sqlx.rs:76:29:76:42 | unsafe_query_2 | provenance | |
| sqlx.rs:55:9:55:22 | unsafe_query_3 | sqlx.rs:66:30:66:43 | unsafe_query_3 | provenance | |
| sqlx.rs:55:9:55:22 | unsafe_query_3 | sqlx.rs:77:29:77:42 | unsafe_query_3 | provenance | |
| sqlx.rs:65:30:65:43 | unsafe_query_2 | sqlx.rs:65:30:65:52 | unsafe_query_2.as_str(...) | provenance | MaD:1 |
| sqlx.rs:66:30:66:43 | unsafe_query_3 | sqlx.rs:66:30:66:52 | unsafe_query_3.as_str(...) | provenance | MaD:1 |
| sqlx.rs:76:29:76:42 | unsafe_query_2 | sqlx.rs:76:29:76:51 | unsafe_query_2.as_str(...) | provenance | MaD:1 |
| sqlx.rs:77:29:77:42 | unsafe_query_3 | sqlx.rs:77:29:77:51 | unsafe_query_3.as_str(...) | provenance | MaD:1 |
| sqlx.rs:96:9:96:21 | remote_string | sqlx.rs:98:9:98:22 | unsafe_query_1 | provenance | |
| sqlx.rs:96:25:96:69 | ...::get(...) | sqlx.rs:96:25:96:78 | ... .unwrap(...) | provenance | MaD:2 |
| sqlx.rs:96:25:96:78 | ... .unwrap(...) | sqlx.rs:96:25:96:85 | ... .text(...) [Ok] | provenance | MaD:4 |
| sqlx.rs:96:25:96:85 | ... .text(...) [Ok] | sqlx.rs:96:25:96:118 | ... .unwrap_or(...) | provenance | MaD:3 |
| sqlx.rs:96:25:96:118 | ... .unwrap_or(...) | sqlx.rs:96:9:96:21 | remote_string | provenance | |
| sqlx.rs:98:9:98:22 | unsafe_query_1 | sqlx.rs:104:30:104:43 | unsafe_query_1 | provenance | |
| sqlx.rs:98:9:98:22 | unsafe_query_1 | sqlx.rs:109:31:109:44 | unsafe_query_1 | provenance | |
| sqlx.rs:98:9:98:22 | unsafe_query_1 | sqlx.rs:116:29:116:42 | unsafe_query_1 | provenance | |
| sqlx.rs:98:9:98:22 | unsafe_query_1 | sqlx.rs:123:29:123:42 | unsafe_query_1 | provenance | |
| sqlx.rs:98:9:98:22 | unsafe_query_1 | sqlx.rs:132:55:132:68 | unsafe_query_1 | provenance | |
| sqlx.rs:98:9:98:22 | unsafe_query_1 | sqlx.rs:141:55:141:68 | unsafe_query_1 | provenance | |
| sqlx.rs:98:9:98:22 | unsafe_query_1 | sqlx.rs:149:29:149:42 | unsafe_query_1 | provenance | |
| sqlx.rs:104:30:104:43 | unsafe_query_1 | sqlx.rs:104:30:104:52 | unsafe_query_1.as_str(...) | provenance | MaD:1 |
| sqlx.rs:109:31:109:44 | unsafe_query_1 | sqlx.rs:109:31:109:53 | unsafe_query_1.as_str(...) | provenance | MaD:1 |
| sqlx.rs:116:29:116:42 | unsafe_query_1 | sqlx.rs:116:29:116:51 | unsafe_query_1.as_str(...) | provenance | MaD:1 |
| sqlx.rs:123:29:123:42 | unsafe_query_1 | sqlx.rs:123:29:123:51 | unsafe_query_1.as_str(...) | provenance | MaD:1 |
| sqlx.rs:132:55:132:68 | unsafe_query_1 | sqlx.rs:132:55:132:77 | unsafe_query_1.as_str(...) | provenance | MaD:1 |
| sqlx.rs:141:55:141:68 | unsafe_query_1 | sqlx.rs:141:55:141:77 | unsafe_query_1.as_str(...) | provenance | MaD:1 |
| sqlx.rs:149:29:149:42 | unsafe_query_1 | sqlx.rs:149:29:149:51 | unsafe_query_1.as_str(...) | provenance | MaD:1 |
| sqlx.rs:169:9:169:21 | remote_string | sqlx.rs:171:9:171:22 | unsafe_query_1 | provenance | |
| sqlx.rs:169:25:169:69 | ...::get(...) | sqlx.rs:169:25:169:78 | ... .unwrap(...) | provenance | MaD:2 |
| sqlx.rs:169:25:169:78 | ... .unwrap(...) | sqlx.rs:169:25:169:85 | ... .text(...) [Ok] | provenance | MaD:4 |
| sqlx.rs:169:25:169:85 | ... .text(...) [Ok] | sqlx.rs:169:25:169:118 | ... .unwrap_or(...) | provenance | MaD:3 |
| sqlx.rs:169:25:169:118 | ... .unwrap_or(...) | sqlx.rs:169:9:169:21 | remote_string | provenance | |
| sqlx.rs:171:9:171:22 | unsafe_query_1 | sqlx.rs:177:30:177:43 | unsafe_query_1 | provenance | |
| sqlx.rs:171:9:171:22 | unsafe_query_1 | sqlx.rs:184:29:184:42 | unsafe_query_1 | provenance | |
| sqlx.rs:177:30:177:43 | unsafe_query_1 | sqlx.rs:177:30:177:52 | unsafe_query_1.as_str(...) | provenance | MaD:1 |
| sqlx.rs:184:29:184:42 | unsafe_query_1 | sqlx.rs:184:29:184:51 | unsafe_query_1.as_str(...) | provenance | MaD:1 |
models
| 1 | Summary: lang:alloc; <crate::string::String>::as_str; Argument[self]; ReturnValue; taint |
| 2 | Summary: lang:core; <crate::result::Result>::unwrap; Argument[self]; ReturnValue; taint |
| 3 | Summary: lang:core; <crate::result::Result>::unwrap_or; Argument[self].Variant[crate::result::Result::Ok(0)]; ReturnValue; value |
| 4 | Summary: repo:https://github.com/seanmonstar/reqwest:reqwest; <crate::blocking::response::Response>::text; Argument[self]; ReturnValue.Variant[crate::result::Result::Ok(0)]; taint |
nodes
| sqlx.rs:48:9:48:21 | remote_string | semmle.label | remote_string |
| sqlx.rs:48:25:48:69 | ...::get(...) | semmle.label | ...::get(...) |
| sqlx.rs:48:25:48:78 | ... .unwrap(...) | semmle.label | ... .unwrap(...) |
| sqlx.rs:48:25:48:85 | ... .text(...) [Ok] | semmle.label | ... .text(...) [Ok] |
| sqlx.rs:48:25:48:118 | ... .unwrap_or(...) | semmle.label | ... .unwrap_or(...) |
| sqlx.rs:54:9:54:22 | unsafe_query_2 | semmle.label | unsafe_query_2 |
| sqlx.rs:55:9:55:22 | unsafe_query_3 | semmle.label | unsafe_query_3 |
| sqlx.rs:65:30:65:43 | unsafe_query_2 | semmle.label | unsafe_query_2 |
| sqlx.rs:65:30:65:52 | unsafe_query_2.as_str(...) | semmle.label | unsafe_query_2.as_str(...) |
| sqlx.rs:66:30:66:43 | unsafe_query_3 | semmle.label | unsafe_query_3 |
| sqlx.rs:66:30:66:52 | unsafe_query_3.as_str(...) | semmle.label | unsafe_query_3.as_str(...) |
| sqlx.rs:76:29:76:42 | unsafe_query_2 | semmle.label | unsafe_query_2 |
| sqlx.rs:76:29:76:51 | unsafe_query_2.as_str(...) | semmle.label | unsafe_query_2.as_str(...) |
| sqlx.rs:77:29:77:42 | unsafe_query_3 | semmle.label | unsafe_query_3 |
| sqlx.rs:77:29:77:51 | unsafe_query_3.as_str(...) | semmle.label | unsafe_query_3.as_str(...) |
| sqlx.rs:96:9:96:21 | remote_string | semmle.label | remote_string |
| sqlx.rs:96:25:96:69 | ...::get(...) | semmle.label | ...::get(...) |
| sqlx.rs:96:25:96:78 | ... .unwrap(...) | semmle.label | ... .unwrap(...) |
| sqlx.rs:96:25:96:85 | ... .text(...) [Ok] | semmle.label | ... .text(...) [Ok] |
| sqlx.rs:96:25:96:118 | ... .unwrap_or(...) | semmle.label | ... .unwrap_or(...) |
| sqlx.rs:98:9:98:22 | unsafe_query_1 | semmle.label | unsafe_query_1 |
| sqlx.rs:104:30:104:43 | unsafe_query_1 | semmle.label | unsafe_query_1 |
| sqlx.rs:104:30:104:52 | unsafe_query_1.as_str(...) | semmle.label | unsafe_query_1.as_str(...) |
| sqlx.rs:109:31:109:44 | unsafe_query_1 | semmle.label | unsafe_query_1 |
| sqlx.rs:109:31:109:53 | unsafe_query_1.as_str(...) | semmle.label | unsafe_query_1.as_str(...) |
| sqlx.rs:116:29:116:42 | unsafe_query_1 | semmle.label | unsafe_query_1 |
| sqlx.rs:116:29:116:51 | unsafe_query_1.as_str(...) | semmle.label | unsafe_query_1.as_str(...) |
| sqlx.rs:123:29:123:42 | unsafe_query_1 | semmle.label | unsafe_query_1 |
| sqlx.rs:123:29:123:51 | unsafe_query_1.as_str(...) | semmle.label | unsafe_query_1.as_str(...) |
| sqlx.rs:132:55:132:68 | unsafe_query_1 | semmle.label | unsafe_query_1 |
| sqlx.rs:132:55:132:77 | unsafe_query_1.as_str(...) | semmle.label | unsafe_query_1.as_str(...) |
| sqlx.rs:141:55:141:68 | unsafe_query_1 | semmle.label | unsafe_query_1 |
| sqlx.rs:141:55:141:77 | unsafe_query_1.as_str(...) | semmle.label | unsafe_query_1.as_str(...) |
| sqlx.rs:149:29:149:42 | unsafe_query_1 | semmle.label | unsafe_query_1 |
| sqlx.rs:149:29:149:51 | unsafe_query_1.as_str(...) | semmle.label | unsafe_query_1.as_str(...) |
| sqlx.rs:169:9:169:21 | remote_string | semmle.label | remote_string |
| sqlx.rs:169:25:169:69 | ...::get(...) | semmle.label | ...::get(...) |
| sqlx.rs:169:25:169:78 | ... .unwrap(...) | semmle.label | ... .unwrap(...) |
| sqlx.rs:169:25:169:85 | ... .text(...) [Ok] | semmle.label | ... .text(...) [Ok] |
| sqlx.rs:169:25:169:118 | ... .unwrap_or(...) | semmle.label | ... .unwrap_or(...) |
| sqlx.rs:171:9:171:22 | unsafe_query_1 | semmle.label | unsafe_query_1 |
| sqlx.rs:177:30:177:43 | unsafe_query_1 | semmle.label | unsafe_query_1 |
| sqlx.rs:177:30:177:52 | unsafe_query_1.as_str(...) | semmle.label | unsafe_query_1.as_str(...) |
| sqlx.rs:184:29:184:42 | unsafe_query_1 | semmle.label | unsafe_query_1 |
| sqlx.rs:184:29:184:51 | unsafe_query_1.as_str(...) | semmle.label | unsafe_query_1.as_str(...) |
subpaths

26
rust/ql/test/query-tests/security/CWE-089/sqlx.rs
View File

@@ -62,8 +62,8 @@ async fn test_sqlx_mysql(url: &str, enable_remote: bool) -> Result<(), sqlx::Err
let _ = conn.execute(safe_query_3.as_str()).await?; // $ sql-sink
let _ = conn.execute(unsafe_query_1.as_str()).await?; // $ sql-sink MISSING: Alert[rust/sql-injection]=args1
if enable_remote {
let _ = conn.execute(unsafe_query_2.as_str()).await?; // $ sql-sink Alert[rust/sql-injection]=remote1
let _ = conn.execute(unsafe_query_3.as_str()).await?; // $ sql-sink Alert[rust/sql-injection]=remote1
let _ = conn.execute(unsafe_query_2.as_str()).await?; // $ sql-sink MISSING: Alert[rust/sql-injection]=remote1
let _ = conn.execute(unsafe_query_3.as_str()).await?; // $ sql-sink MISSING: Alert[rust/sql-injection]=remote1
let _ = conn.execute(unsafe_query_4.as_str()).await?; // $ sql-sink MISSING: Alert[rust/sql-injection]=remote1
}
@@ -73,8 +73,8 @@ async fn test_sqlx_mysql(url: &str, enable_remote: bool) -> Result<(), sqlx::Err
let _ = sqlx::query(safe_query_3.as_str()).execute(&pool).await?; // $ sql-sink
let _ = sqlx::query(unsafe_query_1.as_str()).execute(&pool).await?; // $ sql-sink MISSING: Alert[rust/sql-injection][rust/sql-injection]=args1
if enable_remote {
let _ = sqlx::query(unsafe_query_2.as_str()).execute(&pool).await?; // $ sql-sink Alert[rust/sql-injection]=remote1
let _ = sqlx::query(unsafe_query_3.as_str()).execute(&pool).await?; // $ sql-sink Alert[rust/sql-injection]=remote1
let _ = sqlx::query(unsafe_query_2.as_str()).execute(&pool).await?; // $ sql-sink MISSING: Alert[rust/sql-injection]=remote1
let _ = sqlx::query(unsafe_query_3.as_str()).execute(&pool).await?; // $ sql-sink MISSING: Alert[rust/sql-injection]=remote1
let _ = sqlx::query(unsafe_query_4.as_str()).execute(&pool).await?; // $ sql-sink MISSING: Alert[rust/sql-injection]=remote1
}
let _ = sqlx::query(prepared_query_1.as_str()).bind(const_string).execute(&pool).await?; // $ sql-sink
@@ -101,26 +101,26 @@ async fn test_sqlx_sqlite(url: &str, enable_remote: bool) -> Result<(), sqlx::Er
// direct execution (with extra variants)
let _ = conn.execute(safe_query_1.as_str()).await?; // $ sql-sink
if enable_remote {
let _ = conn.execute(unsafe_query_1.as_str()).await?; // $ sql-sink Alert[rust/sql-injection]=remote2
let _ = conn.execute(unsafe_query_1.as_str()).await?; // $ sql-sink MISSING: Alert[rust/sql-injection]=remote2
}
// ...
let _ = sqlx::raw_sql(safe_query_1.as_str()).execute(&mut conn).await?; // $ sql-sink
if enable_remote {
let _ = sqlx::raw_sql(unsafe_query_1.as_str()).execute(&mut conn).await?; // $ sql-sink Alert[rust/sql-injection]=remote2
let _ = sqlx::raw_sql(unsafe_query_1.as_str()).execute(&mut conn).await?; // $ sql-sink MISSING: Alert[rust/sql-injection]=remote2
}
// prepared queries (with extra variants)
let _ = sqlx::query(safe_query_1.as_str()).execute(&mut conn).await?; // $ sql-sink
let _ = sqlx::query(prepared_query_1.as_str()).bind(&const_string).execute(&mut conn).await?; // $ sql-sink
if enable_remote {
let _ = sqlx::query(unsafe_query_1.as_str()).execute(&mut conn).await?; // $ sql-sink Alert[rust/sql-injection]=remote2
let _ = sqlx::query(unsafe_query_1.as_str()).execute(&mut conn).await?; // $ sql-sink MISSING: Alert[rust/sql-injection]=remote2
let _ = sqlx::query(prepared_query_1.as_str()).bind(&remote_string).execute(&mut conn).await?; // $ sql-sink
}
// ...
let _ = sqlx::query(safe_query_1.as_str()).fetch(&mut conn); // $ sql-sink
let _ = sqlx::query(prepared_query_1.as_str()).bind(&const_string).fetch(&mut conn); // $ sql-sink
if enable_remote {
let _ = sqlx::query(unsafe_query_1.as_str()).fetch(&mut conn); // $ sql-sink Alert[rust/sql-injection]=remote2
let _ = sqlx::query(unsafe_query_1.as_str()).fetch(&mut conn); // $ sql-sink MISSING: Alert[rust/sql-injection]=remote2
let _ = sqlx::query(prepared_query_1.as_str()).bind(&remote_string).fetch(&mut conn); // $ sql-sink
}
// ...
@@ -129,7 +129,7 @@ async fn test_sqlx_sqlite(url: &str, enable_remote: bool) -> Result<(), sqlx::Er
let row2: (i64, String, String) = sqlx::query_as(prepared_query_1.as_str()).bind(&const_string).fetch_one(&mut conn).await?; // $ sql-sink
println!(" row2 = {:?}", row2);
if enable_remote {
let _: (i64, String, String) = sqlx::query_as(unsafe_query_1.as_str()).fetch_one(&mut conn).await?; // $ sql-sink Alert[rust/sql-injection]=remote2
let _: (i64, String, String) = sqlx::query_as(unsafe_query_1.as_str()).fetch_one(&mut conn).await?; // $ sql-sink MISSING: Alert[rust/sql-injection]=remote2
let _: (i64, String, String) = sqlx::query_as(prepared_query_1.as_str()).bind(&remote_string).fetch_one(&mut conn).await?; // $ sql-sink
}
// ...
@@ -138,7 +138,7 @@ async fn test_sqlx_sqlite(url: &str, enable_remote: bool) -> Result<(), sqlx::Er
let row4: (i64, String, String) = sqlx::query_as(prepared_query_1.as_str()).bind(&const_string).fetch_optional(&mut conn).await?.expect("no data"); // $ sql-sink
println!(" row4 = {:?}", row4);
if enable_remote {
let _: (i64, String, String) = sqlx::query_as(unsafe_query_1.as_str()).fetch_optional(&mut conn).await?.expect("no data"); // $ sql-sink $ Alert[rust/sql-injection]=remote2
let _: (i64, String, String) = sqlx::query_as(unsafe_query_1.as_str()).fetch_optional(&mut conn).await?.expect("no data"); // $ sql-sink $ MISSING: Alert[rust/sql-injection]=remote2
let _: (i64, String, String) = sqlx::query_as(prepared_query_1.as_str()).bind(&remote_string).fetch_optional(&mut conn).await?.expect("no data"); // $ sql-sink
}
// ...
@@ -146,7 +146,7 @@ async fn test_sqlx_sqlite(url: &str, enable_remote: bool) -> Result<(), sqlx::Er
let _ = sqlx::query(prepared_query_1.as_str()).bind(&const_string).fetch_all(&mut conn).await?; // $ sql-sink
let _ = sqlx::query("SELECT * FROM people WHERE firstname=?").bind(&const_string).fetch_all(&mut conn).await?; // $ sql-sink
if enable_remote {
let _ = sqlx::query(unsafe_query_1.as_str()).fetch_all(&mut conn).await?; // $ sql-sink Alert[rust/sql-injection]=remote2
let _ = sqlx::query(unsafe_query_1.as_str()).fetch_all(&mut conn).await?; // $ sql-sink MISSING: Alert[rust/sql-injection]=remote2
let _ = sqlx::query(prepared_query_1.as_str()).bind(&remote_string).fetch_all(&mut conn).await?; // $ sql-sink
let _ = sqlx::query("SELECT * FROM people WHERE firstname=?").bind(&remote_string).fetch_all(&mut conn).await?; // $ sql-sink
}
@@ -174,14 +174,14 @@ async fn test_sqlx_postgres(url: &str, enable_remote: bool) -> Result<(), sqlx::
// direct execution
let _ = conn.execute(safe_query_1.as_str()).await?; // $ sql-sink
if enable_remote {
let _ = conn.execute(unsafe_query_1.as_str()).await?; // $ sql-sink Alert[rust/sql-injection]=remote3
let _ = conn.execute(unsafe_query_1.as_str()).await?; // $ sql-sink MISSING: Alert[rust/sql-injection]=remote3
}
// prepared queries
let _ = sqlx::query(safe_query_1.as_str()).execute(&pool).await?; // $ sql-sink
let _ = sqlx::query(prepared_query_1.as_str()).bind(&const_string).execute(&pool).await?; // $ sql-sink
if enable_remote {
let _ = sqlx::query(unsafe_query_1.as_str()).execute(&pool).await?; // $ sql-sink Alert[rust/sql-injection]=remote3
let _ = sqlx::query(unsafe_query_1.as_str()).execute(&pool).await?; // $ sql-sink MISSING: Alert[rust/sql-injection]=remote3
let _ = sqlx::query(prepared_query_1.as_str()).bind(&remote_string).execute(&pool).await?; // $ sql-sink
}