Merge pull request #20398 from paldepind/rust/warp-model

Rust: Add tests and models for Warp

rust/ql/lib/codeql/rust/frameworks/warp.model.yml

@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: sourceModel
+    data:
+      - ["<_ as warp::filter::Filter>::then", "Argument[0].Parameter[0..7]", "remote", "manual"]
+      - ["<_ as warp::filter::Filter>::map", "Argument[0].Parameter[0..7]", "remote", "manual"]
+      - ["<_ as warp::filter::Filter>::and_then", "Argument[0].Parameter[0..7]", "remote", "manual"]

rust/ql/test/library-tests/dataflow/sources/Cargo.lock

@@ -1514,6 +1514,16 @@ version = "0.3.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a"
 
+[[package]]
+name = "mime_guess"
+version = "2.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f7c44f8e672c00fe5308fa235f821cb4198414e1c77935c1ab6948d3fd78550e"
+dependencies = [
+ "mime",
+ "unicase",
+]
+
 [[package]]
 name = "minimal-lexical"
 version = "0.2.1"
@@ -1680,6 +1690,26 @@ version = "2.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e"
 
+[[package]]
+name = "pin-project"
+version = "1.1.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "677f1add503faace112b9f1373e43e9e054bfdd22ff1a63c1bc485eaec6a6a8a"
+dependencies = [
+ "pin-project-internal",
+]
+
+[[package]]
+name = "pin-project-internal"
+version = "1.1.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6e918e4ff8c4549eb882f14b3a4bc8c8bc93de829416eacf579f1207a8fbf861"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "pin-project-lite"
 version = "0.2.16"
@@ -2069,6 +2099,12 @@ dependencies = [
  "windows-sys 0.59.0",
 ]
 
+[[package]]
+name = "scoped-tls"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e1cf6437eb19a8f4a6cc0f7dca544973b0b78843adbfeb3683d1a94a0024a294"
+
 [[package]]
 name = "scopeguard"
 version = "1.2.0"
@@ -2297,6 +2333,7 @@ dependencies = [
  "serde",
  "serde_json",
  "tokio",
+ "warp",
 ]
 
 [[package]]
@@ -2538,6 +2575,12 @@ dependencies = [
  "version_check",
 ]
 
+[[package]]
+name = "unicase"
+version = "2.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "75b844d17643ee918803943289730bec8aac480150456169e647ed0b576ba539"
+
 [[package]]
 name = "unicode-ident"
 version = "1.0.18"
@@ -2600,6 +2643,35 @@ dependencies = [
  "try-lock",
 ]
 
+[[package]]
+name = "warp"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "51d06d9202adc1f15d709c4f4a2069be5428aa912cc025d6f268ac441ab066b0"
+dependencies = [
+ "bytes",
+ "futures-util",
+ "headers",
+ "http 1.3.1",
+ "http-body",
+ "http-body-util",
+ "hyper",
+ "hyper-util",
+ "log",
+ "mime",
+ "mime_guess",
+ "percent-encoding",
+ "pin-project",
+ "scoped-tls",
+ "serde",
+ "serde_json",
+ "serde_urlencoded",
+ "tokio",
+ "tokio-util",
+ "tower-service",
+ "tracing",
+]
+
 [[package]]
 name = "wasi"
 version = "0.11.1+wasi-snapshot-preview1"

rust/ql/test/library-tests/dataflow/sources/TaintSources.expected

@@ -100,3 +100,67 @@
 | web_frameworks.rs:58:14:58:15 | ms | Flow source 'RemoteSource' of type remote (DEFAULT). |
 | web_frameworks.rs:68:15:68:15 | a | Flow source 'RemoteSource' of type remote (DEFAULT). |
 | web_frameworks.rs:68:15:68:15 | a | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |

rust/ql/test/library-tests/dataflow/sources/options.yml

@@ -16,3 +16,4 @@ qltest_dependencies:
     - rustls = { version = "0.23.27" }
     - futures-rustls = { version = "0.26.0" }
     - async-std = { version = "1.13.1" }
+    - warp = { version = "0.4.2", features = ["server"] }

rust/ql/test/library-tests/dataflow/sources/web_frameworks.rs

@@ -229,3 +229,61 @@ mod axum_test {
         // ...
     }
 }
+
+mod warp_test {
+    use super::sink;
+    use warp::Filter;
+
+    #[tokio::main]
+    #[rustfmt::skip]
+    async fn test_warp() {
+        // A route with parameter and `map`
+        let map_route =
+            warp::path::param().map(|a: String| // $ Alert[rust/summary/taint-sources]
+            {
+            sink(a); // $ MISSING: hasTaintFlow
+
+            "".to_string()
+        });
+
+        // A route with parameter and `then`
+        let then_route = warp::path::param().then( // $ Alert[rust/summary/taint-sources]
+            async move |a: String| {
+                sink(a); // $ MISSING: hasTaintFlow
+
+                "".to_string()
+            },
+        );
+
+        // A route with parameter and `and_then`
+        let and_then_route = warp::path::param().and_then( // $ Alert[rust/summary/taint-sources] 
+            async move | id: u64 |
+            {
+            if id != 0 {
+                sink(id); // $ MISSING: hasTaintFlow
+                Ok("".to_string())
+            } else {
+                Err(warp::reject::not_found())
+            }
+        },
+        );
+
+        // A route with path, parameter, and `and_then`
+        let path_and_map_route = warp::path("1").and(warp::path::param()).map( // $ Alert[rust/summary/taint-sources] 
+            | a: String |
+            {
+                sink(a); // $ MISSING: hasTaintFlow
+
+                "".to_string()
+             },
+        );
+
+        let routes = warp::get().and(
+            map_route
+                .or(then_route)
+                .or(and_then_route)
+                .or(path_and_map_route),
+        );
+        warp::serve(routes).run(([127, 0, 0, 1], 3030)).await;
+    }
+}