hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Rust: Add some sinks.

Browse Source
This commit is contained in:
Geoffrey White
2025-01-21 18:11:53 +00:00
parent 4297d05c05
commit 1d2950c70c
3 changed files with 282 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
rust/ql/lib/codeql/rust/frameworks/log.model.yml Normal file
View File

@@ -0,0 +1,10 @@
extensions:
- addsTo:
pack: codeql/rust-all
extensible: sinkModel
data:
- ["repo:https://github.com/rust-lang/log:log", "crate::__private_api::log", "Argument[0]", "log-injection", "manual"]
- ["lang:std", "crate::io::stdio::_print", "Argument[0]", "log-injection", "manual"]
- ["lang:std", "crate::io::stdio::_eprint", "Argument[0]", "log-injection", "manual"]
- ["lang:core", "crate::panicking::panic_fmt", "Argument[0]", "log-injection", "manual"]
- ["lang:core", "<crate::option::Option>::expect", "Argument[0]", "log-injection", "manual"]

236
rust/ql/test/query-tests/security/CWE-312/CleartextLogging.expected
View File

@@ -1,4 +1,240 @@
#select
| test_logging.rs:42:5:42:36 | ...::log | test_logging.rs:42:28:42:35 | password | test_logging.rs:42:5:42:36 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:42:28:42:35 | password | password |
| test_logging.rs:43:5:43:36 | ...::log | test_logging.rs:43:28:43:35 | password | test_logging.rs:43:5:43:36 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:43:28:43:35 | password | password |
| test_logging.rs:44:5:44:35 | ...::log | test_logging.rs:44:27:44:34 | password | test_logging.rs:44:5:44:35 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:44:27:44:34 | password | password |
| test_logging.rs:45:5:45:36 | ...::log | test_logging.rs:45:28:45:35 | password | test_logging.rs:45:5:45:36 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:45:28:45:35 | password | password |
| test_logging.rs:46:5:46:35 | ...::log | test_logging.rs:46:27:46:34 | password | test_logging.rs:46:5:46:35 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:46:27:46:34 | password | password |
| test_logging.rs:47:5:47:48 | ...::log | test_logging.rs:47:40:47:47 | password | test_logging.rs:47:5:47:48 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:47:40:47:47 | password | password |
| test_logging.rs:52:5:52:36 | ...::log | test_logging.rs:52:28:52:35 | password | test_logging.rs:52:5:52:36 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:52:28:52:35 | password | password |
| test_logging.rs:54:5:54:49 | ...::log | test_logging.rs:54:41:54:48 | password | test_logging.rs:54:5:54:49 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:54:41:54:48 | password | password |
| test_logging.rs:56:5:56:47 | ...::log | test_logging.rs:56:39:56:46 | password | test_logging.rs:56:5:56:47 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:56:39:56:46 | password | password |
| test_logging.rs:57:5:57:34 | ...::log | test_logging.rs:57:24:57:31 | password | test_logging.rs:57:5:57:34 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:57:24:57:31 | password | password |
| test_logging.rs:58:5:58:36 | ...::log | test_logging.rs:58:24:58:31 | password | test_logging.rs:58:5:58:36 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:58:24:58:31 | password | password |
| test_logging.rs:60:5:60:54 | ...::log | test_logging.rs:60:46:60:53 | password | test_logging.rs:60:5:60:54 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:60:46:60:53 | password | password |
| test_logging.rs:65:5:65:48 | ...::log | test_logging.rs:65:40:65:47 | password | test_logging.rs:65:5:65:48 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:65:40:65:47 | password | password |
| test_logging.rs:67:5:67:66 | ...::log | test_logging.rs:67:58:67:65 | password | test_logging.rs:67:5:67:66 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:67:58:67:65 | password | password |
| test_logging.rs:72:5:72:47 | ...::log::<...> | test_logging.rs:72:39:72:46 | password | test_logging.rs:72:5:72:47 | ...::log::<...> | This operation writes '...::log::<...>' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:72:39:72:46 | password | password |
| test_logging.rs:74:5:74:65 | ...::log::<...> | test_logging.rs:74:57:74:64 | password | test_logging.rs:74:5:74:65 | ...::log::<...> | This operation writes '...::log::<...>' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:74:57:74:64 | password | password |
| test_logging.rs:76:5:76:47 | ...::log::<...> | test_logging.rs:76:39:76:46 | password | test_logging.rs:76:5:76:47 | ...::log::<...> | This operation writes '...::log::<...>' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:76:39:76:46 | password | password |
| test_logging.rs:82:5:82:44 | ...::log::<...> | test_logging.rs:82:36:82:43 | password | test_logging.rs:82:5:82:44 | ...::log::<...> | This operation writes '...::log::<...>' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:82:36:82:43 | password | password |
| test_logging.rs:84:5:84:62 | ...::log::<...> | test_logging.rs:84:54:84:61 | password | test_logging.rs:84:5:84:62 | ...::log::<...> | This operation writes '...::log::<...>' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:84:54:84:61 | password | password |
| test_logging.rs:86:5:86:44 | ...::log::<...> | test_logging.rs:86:36:86:43 | password | test_logging.rs:86:5:86:44 | ...::log::<...> | This operation writes '...::log::<...>' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:86:36:86:43 | password | password |
| test_logging.rs:100:5:100:19 | ...::log | test_logging.rs:99:38:99:45 | password | test_logging.rs:100:5:100:19 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:99:38:99:45 | password | password |
| test_logging.rs:118:5:118:42 | ...::log | test_logging.rs:118:28:118:41 | get_password(...) | test_logging.rs:118:5:118:42 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:118:28:118:41 | get_password(...) | get_password(...) |
| test_logging.rs:131:5:131:32 | ...::log | test_logging.rs:129:25:129:32 | password | test_logging.rs:131:5:131:32 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:129:25:129:32 | password | password |
| test_logging.rs:152:5:152:36 | ...::_print | test_logging.rs:152:28:152:35 | password | test_logging.rs:152:5:152:36 | ...::_print | This operation writes '...::_print' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:152:28:152:35 | password | password |
| test_logging.rs:153:5:153:38 | ...::_print | test_logging.rs:153:30:153:37 | password | test_logging.rs:153:5:153:38 | ...::_print | This operation writes '...::_print' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:153:30:153:37 | password | password |
| test_logging.rs:154:5:154:37 | ...::_eprint | test_logging.rs:154:29:154:36 | password | test_logging.rs:154:5:154:37 | ...::_eprint | This operation writes '...::_eprint' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:154:29:154:36 | password | password |
| test_logging.rs:155:5:155:39 | ...::_eprint | test_logging.rs:155:31:155:38 | password | test_logging.rs:155:5:155:39 | ...::_eprint | This operation writes '...::_eprint' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:155:31:155:38 | password | password |
| test_logging.rs:158:16:158:47 | ...::panic_fmt | test_logging.rs:158:39:158:46 | password | test_logging.rs:158:16:158:47 | ...::panic_fmt | This operation writes '...::panic_fmt' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:158:39:158:46 | password | password |
| test_logging.rs:159:16:159:46 | ...::panic_fmt | test_logging.rs:159:38:159:45 | password | test_logging.rs:159:16:159:46 | ...::panic_fmt | This operation writes '...::panic_fmt' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:159:38:159:45 | password | password |
| test_logging.rs:160:16:160:55 | ...::panic_fmt | test_logging.rs:160:47:160:54 | password | test_logging.rs:160:16:160:55 | ...::panic_fmt | This operation writes '...::panic_fmt' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:160:47:160:54 | password | password |
| test_logging.rs:161:16:161:53 | ...::panic_fmt | test_logging.rs:161:45:161:52 | password | test_logging.rs:161:16:161:53 | ...::panic_fmt | This operation writes '...::panic_fmt' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:161:45:161:52 | password | password |
| test_logging.rs:162:16:162:55 | ...::panic_fmt | test_logging.rs:162:47:162:54 | password | test_logging.rs:162:16:162:55 | ...::panic_fmt | This operation writes '...::panic_fmt' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:162:47:162:54 | password | password |
| test_logging.rs:165:16:165:61 | ...::panic_fmt | test_logging.rs:165:53:165:60 | password | test_logging.rs:165:16:165:61 | ...::panic_fmt | This operation writes '...::panic_fmt' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:165:53:165:60 | password | password |
| test_logging.rs:168:27:168:32 | expect | test_logging.rs:168:58:168:65 | password | test_logging.rs:168:27:168:32 | expect | This operation writes 'expect' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:168:58:168:65 | password | password |
edges
| test_logging.rs:42:12:42:35 | MacroExpr | test_logging.rs:42:5:42:36 | ...::log | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:42:28:42:35 | password | test_logging.rs:42:12:42:35 | MacroExpr | provenance | |
| test_logging.rs:43:12:43:35 | MacroExpr | test_logging.rs:43:5:43:36 | ...::log | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:43:28:43:35 | password | test_logging.rs:43:12:43:35 | MacroExpr | provenance | |
| test_logging.rs:44:11:44:34 | MacroExpr | test_logging.rs:44:5:44:35 | ...::log | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:44:27:44:34 | password | test_logging.rs:44:11:44:34 | MacroExpr | provenance | |
| test_logging.rs:45:12:45:35 | MacroExpr | test_logging.rs:45:5:45:36 | ...::log | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:45:28:45:35 | password | test_logging.rs:45:12:45:35 | MacroExpr | provenance | |
| test_logging.rs:46:11:46:34 | MacroExpr | test_logging.rs:46:5:46:35 | ...::log | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:46:27:46:34 | password | test_logging.rs:46:11:46:34 | MacroExpr | provenance | |
| test_logging.rs:47:24:47:47 | MacroExpr | test_logging.rs:47:5:47:48 | ...::log | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:47:40:47:47 | password | test_logging.rs:47:24:47:47 | MacroExpr | provenance | |
| test_logging.rs:52:12:52:35 | MacroExpr | test_logging.rs:52:5:52:36 | ...::log | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:52:28:52:35 | password | test_logging.rs:52:12:52:35 | MacroExpr | provenance | |
| test_logging.rs:54:12:54:48 | MacroExpr | test_logging.rs:54:5:54:49 | ...::log | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:54:41:54:48 | password | test_logging.rs:54:12:54:48 | MacroExpr | provenance | |
| test_logging.rs:56:12:56:46 | MacroExpr | test_logging.rs:56:5:56:47 | ...::log | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:56:39:56:46 | password | test_logging.rs:56:12:56:46 | MacroExpr | provenance | |
| test_logging.rs:57:12:57:33 | MacroExpr | test_logging.rs:57:5:57:34 | ...::log | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:57:24:57:31 | password | test_logging.rs:57:12:57:33 | MacroExpr | provenance | |
| test_logging.rs:58:12:58:35 | MacroExpr | test_logging.rs:58:5:58:36 | ...::log | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:58:24:58:31 | password | test_logging.rs:58:12:58:35 | MacroExpr | provenance | |
| test_logging.rs:60:30:60:53 | MacroExpr | test_logging.rs:60:5:60:54 | ...::log | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:60:46:60:53 | password | test_logging.rs:60:30:60:53 | MacroExpr | provenance | |
| test_logging.rs:65:24:65:47 | MacroExpr | test_logging.rs:65:5:65:48 | ...::log | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:65:40:65:47 | password | test_logging.rs:65:24:65:47 | MacroExpr | provenance | |
| test_logging.rs:67:42:67:65 | MacroExpr | test_logging.rs:67:5:67:66 | ...::log | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:67:58:67:65 | password | test_logging.rs:67:42:67:65 | MacroExpr | provenance | |
| test_logging.rs:72:23:72:46 | MacroExpr | test_logging.rs:72:5:72:47 | ...::log::<...> | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:72:39:72:46 | password | test_logging.rs:72:23:72:46 | MacroExpr | provenance | |
| test_logging.rs:74:41:74:64 | MacroExpr | test_logging.rs:74:5:74:65 | ...::log::<...> | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:74:57:74:64 | password | test_logging.rs:74:41:74:64 | MacroExpr | provenance | |
| test_logging.rs:76:23:76:46 | MacroExpr | test_logging.rs:76:5:76:47 | ...::log::<...> | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:76:39:76:46 | password | test_logging.rs:76:23:76:46 | MacroExpr | provenance | |
| test_logging.rs:82:20:82:43 | MacroExpr | test_logging.rs:82:5:82:44 | ...::log::<...> | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:82:36:82:43 | password | test_logging.rs:82:20:82:43 | MacroExpr | provenance | |
| test_logging.rs:84:38:84:61 | MacroExpr | test_logging.rs:84:5:84:62 | ...::log::<...> | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:84:54:84:61 | password | test_logging.rs:84:38:84:61 | MacroExpr | provenance | |
| test_logging.rs:86:20:86:43 | MacroExpr | test_logging.rs:86:5:86:44 | ...::log::<...> | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:86:36:86:43 | password | test_logging.rs:86:20:86:43 | MacroExpr | provenance | |
| test_logging.rs:99:9:99:10 | m3 | test_logging.rs:100:11:100:18 | MacroExpr | provenance | |
| test_logging.rs:99:14:99:46 | res | test_logging.rs:99:22:99:45 | { ... } | provenance | |
| test_logging.rs:99:22:99:45 | ...::format(...) | test_logging.rs:99:14:99:46 | res | provenance | |
| test_logging.rs:99:22:99:45 | ...::must_use(...) | test_logging.rs:99:9:99:10 | m3 | provenance | |
| test_logging.rs:99:22:99:45 | MacroExpr | test_logging.rs:99:22:99:45 | ...::format(...) | provenance | MaD:19 |
| test_logging.rs:99:22:99:45 | { ... } | test_logging.rs:99:22:99:45 | ...::must_use(...) | provenance | MaD:18 |
| test_logging.rs:99:38:99:45 | password | test_logging.rs:99:22:99:45 | MacroExpr | provenance | |
| test_logging.rs:100:11:100:18 | MacroExpr | test_logging.rs:100:5:100:19 | ...::log | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:118:12:118:41 | MacroExpr | test_logging.rs:118:5:118:42 | ...::log | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:118:28:118:41 | get_password(...) | test_logging.rs:118:12:118:41 | MacroExpr | provenance | |
| test_logging.rs:129:9:129:10 | t1 [tuple.1] | test_logging.rs:131:28:131:29 | t1 [tuple.1] | provenance | |
| test_logging.rs:129:14:129:33 | TupleExpr [tuple.1] | test_logging.rs:129:9:129:10 | t1 [tuple.1] | provenance | |
| test_logging.rs:129:25:129:32 | password | test_logging.rs:129:14:129:33 | TupleExpr [tuple.1] | provenance | |
| test_logging.rs:131:12:131:31 | MacroExpr | test_logging.rs:131:5:131:32 | ...::log | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:131:28:131:29 | t1 [tuple.1] | test_logging.rs:131:28:131:31 | t1.1 | provenance | |
| test_logging.rs:131:28:131:31 | t1.1 | test_logging.rs:131:12:131:31 | MacroExpr | provenance | |
| test_logging.rs:152:12:152:35 | MacroExpr | test_logging.rs:152:5:152:36 | ...::_print | provenance | MaD:1 Sink:MaD:1 |
| test_logging.rs:152:28:152:35 | password | test_logging.rs:152:12:152:35 | MacroExpr | provenance | |
| test_logging.rs:153:14:153:37 | MacroExpr | test_logging.rs:153:5:153:38 | ...::_print | provenance | MaD:1 Sink:MaD:1 |
| test_logging.rs:153:30:153:37 | password | test_logging.rs:153:14:153:37 | MacroExpr | provenance | |
| test_logging.rs:154:13:154:36 | MacroExpr | test_logging.rs:154:5:154:37 | ...::_eprint | provenance | MaD:2 Sink:MaD:2 |
| test_logging.rs:154:29:154:36 | password | test_logging.rs:154:13:154:36 | MacroExpr | provenance | |
| test_logging.rs:155:15:155:38 | MacroExpr | test_logging.rs:155:5:155:39 | ...::_eprint | provenance | MaD:2 Sink:MaD:2 |
| test_logging.rs:155:31:155:38 | password | test_logging.rs:155:15:155:38 | MacroExpr | provenance | |
| test_logging.rs:158:23:158:46 | MacroExpr | test_logging.rs:158:16:158:47 | ...::panic_fmt | provenance | MaD:3 Sink:MaD:3 |
| test_logging.rs:158:39:158:46 | password | test_logging.rs:158:23:158:46 | MacroExpr | provenance | |
| test_logging.rs:159:22:159:45 | MacroExpr | test_logging.rs:159:16:159:46 | ...::panic_fmt | provenance | MaD:3 Sink:MaD:3 |
| test_logging.rs:159:38:159:45 | password | test_logging.rs:159:22:159:45 | MacroExpr | provenance | |
| test_logging.rs:160:31:160:54 | MacroExpr | test_logging.rs:160:16:160:55 | ...::panic_fmt | provenance | MaD:3 Sink:MaD:3 |
| test_logging.rs:160:47:160:54 | password | test_logging.rs:160:31:160:54 | MacroExpr | provenance | |
| test_logging.rs:161:29:161:52 | MacroExpr | test_logging.rs:161:16:161:53 | ...::panic_fmt | provenance | MaD:3 Sink:MaD:3 |
| test_logging.rs:161:45:161:52 | password | test_logging.rs:161:29:161:52 | MacroExpr | provenance | |
| test_logging.rs:162:31:162:54 | MacroExpr | test_logging.rs:162:16:162:55 | ...::panic_fmt | provenance | MaD:3 Sink:MaD:3 |
| test_logging.rs:162:47:162:54 | password | test_logging.rs:162:31:162:54 | MacroExpr | provenance | |
| test_logging.rs:165:37:165:60 | MacroExpr | test_logging.rs:165:16:165:61 | ...::panic_fmt | provenance | MaD:3 Sink:MaD:3 |
| test_logging.rs:165:53:165:60 | password | test_logging.rs:165:37:165:60 | MacroExpr | provenance | |
| test_logging.rs:168:34:168:66 | MacroExpr | test_logging.rs:168:34:168:75 | ... .as_str(...) | provenance | MaD:17 |
| test_logging.rs:168:34:168:66 | res | test_logging.rs:168:42:168:65 | { ... } | provenance | |
| test_logging.rs:168:34:168:75 | ... .as_str(...) | test_logging.rs:168:27:168:32 | expect | provenance | MaD:4 Sink:MaD:4 |
| test_logging.rs:168:42:168:65 | ...::format(...) | test_logging.rs:168:34:168:66 | res | provenance | |
| test_logging.rs:168:42:168:65 | ...::must_use(...) | test_logging.rs:168:34:168:66 | MacroExpr | provenance | |
| test_logging.rs:168:42:168:65 | MacroExpr | test_logging.rs:168:42:168:65 | ...::format(...) | provenance | MaD:19 |
| test_logging.rs:168:42:168:65 | { ... } | test_logging.rs:168:42:168:65 | ...::must_use(...) | provenance | MaD:18 |
| test_logging.rs:168:58:168:65 | password | test_logging.rs:168:42:168:65 | MacroExpr | provenance | |
nodes
| test_logging.rs:42:5:42:36 | ...::log | semmle.label | ...::log |
| test_logging.rs:42:12:42:35 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:42:28:42:35 | password | semmle.label | password |
| test_logging.rs:43:5:43:36 | ...::log | semmle.label | ...::log |
| test_logging.rs:43:12:43:35 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:43:28:43:35 | password | semmle.label | password |
| test_logging.rs:44:5:44:35 | ...::log | semmle.label | ...::log |
| test_logging.rs:44:11:44:34 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:44:27:44:34 | password | semmle.label | password |
| test_logging.rs:45:5:45:36 | ...::log | semmle.label | ...::log |
| test_logging.rs:45:12:45:35 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:45:28:45:35 | password | semmle.label | password |
| test_logging.rs:46:5:46:35 | ...::log | semmle.label | ...::log |
| test_logging.rs:46:11:46:34 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:46:27:46:34 | password | semmle.label | password |
| test_logging.rs:47:5:47:48 | ...::log | semmle.label | ...::log |
| test_logging.rs:47:24:47:47 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:47:40:47:47 | password | semmle.label | password |
| test_logging.rs:52:5:52:36 | ...::log | semmle.label | ...::log |
| test_logging.rs:52:12:52:35 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:52:28:52:35 | password | semmle.label | password |
| test_logging.rs:54:5:54:49 | ...::log | semmle.label | ...::log |
| test_logging.rs:54:12:54:48 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:54:41:54:48 | password | semmle.label | password |
| test_logging.rs:56:5:56:47 | ...::log | semmle.label | ...::log |
| test_logging.rs:56:12:56:46 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:56:39:56:46 | password | semmle.label | password |
| test_logging.rs:57:5:57:34 | ...::log | semmle.label | ...::log |
| test_logging.rs:57:12:57:33 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:57:24:57:31 | password | semmle.label | password |
| test_logging.rs:58:5:58:36 | ...::log | semmle.label | ...::log |
| test_logging.rs:58:12:58:35 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:58:24:58:31 | password | semmle.label | password |
| test_logging.rs:60:5:60:54 | ...::log | semmle.label | ...::log |
| test_logging.rs:60:30:60:53 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:60:46:60:53 | password | semmle.label | password |
| test_logging.rs:65:5:65:48 | ...::log | semmle.label | ...::log |
| test_logging.rs:65:24:65:47 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:65:40:65:47 | password | semmle.label | password |
| test_logging.rs:67:5:67:66 | ...::log | semmle.label | ...::log |
| test_logging.rs:67:42:67:65 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:67:58:67:65 | password | semmle.label | password |
| test_logging.rs:72:5:72:47 | ...::log::<...> | semmle.label | ...::log::<...> |
| test_logging.rs:72:23:72:46 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:72:39:72:46 | password | semmle.label | password |
| test_logging.rs:74:5:74:65 | ...::log::<...> | semmle.label | ...::log::<...> |
| test_logging.rs:74:41:74:64 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:74:57:74:64 | password | semmle.label | password |
| test_logging.rs:76:5:76:47 | ...::log::<...> | semmle.label | ...::log::<...> |
| test_logging.rs:76:23:76:46 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:76:39:76:46 | password | semmle.label | password |
| test_logging.rs:82:5:82:44 | ...::log::<...> | semmle.label | ...::log::<...> |
| test_logging.rs:82:20:82:43 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:82:36:82:43 | password | semmle.label | password |
| test_logging.rs:84:5:84:62 | ...::log::<...> | semmle.label | ...::log::<...> |
| test_logging.rs:84:38:84:61 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:84:54:84:61 | password | semmle.label | password |
| test_logging.rs:86:5:86:44 | ...::log::<...> | semmle.label | ...::log::<...> |
| test_logging.rs:86:20:86:43 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:86:36:86:43 | password | semmle.label | password |
| test_logging.rs:99:9:99:10 | m3 | semmle.label | m3 |
| test_logging.rs:99:14:99:46 | res | semmle.label | res |
| test_logging.rs:99:22:99:45 | ...::format(...) | semmle.label | ...::format(...) |
| test_logging.rs:99:22:99:45 | ...::must_use(...) | semmle.label | ...::must_use(...) |
| test_logging.rs:99:22:99:45 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:99:22:99:45 | { ... } | semmle.label | { ... } |
| test_logging.rs:99:38:99:45 | password | semmle.label | password |
| test_logging.rs:100:5:100:19 | ...::log | semmle.label | ...::log |
| test_logging.rs:100:11:100:18 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:118:5:118:42 | ...::log | semmle.label | ...::log |
| test_logging.rs:118:12:118:41 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:118:28:118:41 | get_password(...) | semmle.label | get_password(...) |
| test_logging.rs:129:9:129:10 | t1 [tuple.1] | semmle.label | t1 [tuple.1] |
| test_logging.rs:129:14:129:33 | TupleExpr [tuple.1] | semmle.label | TupleExpr [tuple.1] |
| test_logging.rs:129:25:129:32 | password | semmle.label | password |
| test_logging.rs:131:5:131:32 | ...::log | semmle.label | ...::log |
| test_logging.rs:131:12:131:31 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:131:28:131:29 | t1 [tuple.1] | semmle.label | t1 [tuple.1] |
| test_logging.rs:131:28:131:31 | t1.1 | semmle.label | t1.1 |
| test_logging.rs:152:5:152:36 | ...::_print | semmle.label | ...::_print |
| test_logging.rs:152:12:152:35 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:152:28:152:35 | password | semmle.label | password |
| test_logging.rs:153:5:153:38 | ...::_print | semmle.label | ...::_print |
| test_logging.rs:153:14:153:37 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:153:30:153:37 | password | semmle.label | password |
| test_logging.rs:154:5:154:37 | ...::_eprint | semmle.label | ...::_eprint |
| test_logging.rs:154:13:154:36 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:154:29:154:36 | password | semmle.label | password |
| test_logging.rs:155:5:155:39 | ...::_eprint | semmle.label | ...::_eprint |
| test_logging.rs:155:15:155:38 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:155:31:155:38 | password | semmle.label | password |
| test_logging.rs:158:16:158:47 | ...::panic_fmt | semmle.label | ...::panic_fmt |
| test_logging.rs:158:23:158:46 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:158:39:158:46 | password | semmle.label | password |
| test_logging.rs:159:16:159:46 | ...::panic_fmt | semmle.label | ...::panic_fmt |
| test_logging.rs:159:22:159:45 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:159:38:159:45 | password | semmle.label | password |
| test_logging.rs:160:16:160:55 | ...::panic_fmt | semmle.label | ...::panic_fmt |
| test_logging.rs:160:31:160:54 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:160:47:160:54 | password | semmle.label | password |
| test_logging.rs:161:16:161:53 | ...::panic_fmt | semmle.label | ...::panic_fmt |
| test_logging.rs:161:29:161:52 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:161:45:161:52 | password | semmle.label | password |
| test_logging.rs:162:16:162:55 | ...::panic_fmt | semmle.label | ...::panic_fmt |
| test_logging.rs:162:31:162:54 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:162:47:162:54 | password | semmle.label | password |
| test_logging.rs:165:16:165:61 | ...::panic_fmt | semmle.label | ...::panic_fmt |
| test_logging.rs:165:37:165:60 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:165:53:165:60 | password | semmle.label | password |
| test_logging.rs:168:27:168:32 | expect | semmle.label | expect |
| test_logging.rs:168:34:168:66 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:168:34:168:66 | res | semmle.label | res |
| test_logging.rs:168:34:168:75 | ... .as_str(...) | semmle.label | ... .as_str(...) |
| test_logging.rs:168:42:168:65 | ...::format(...) | semmle.label | ...::format(...) |
| test_logging.rs:168:42:168:65 | ...::must_use(...) | semmle.label | ...::must_use(...) |
| test_logging.rs:168:42:168:65 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:168:42:168:65 | { ... } | semmle.label | { ... } |
| test_logging.rs:168:58:168:65 | password | semmle.label | password |
subpaths

72
rust/ql/test/query-tests/security/CWE-312/test_logging.rs
View File

@@ -39,51 +39,51 @@ impl std::fmt::Display for MyStruct2 {
fn test_log(harmless: String, password: String, encrypted_password: String) {
// logging macros
debug!("message = {}", password); // $ MISSING: Alert[rust/cleartext-logging]
error!("message = {}", password); // $ MISSING: Alert[rust/cleartext-logging]
info!("message = {}", password); // $ MISSING: Alert[rust/cleartext-logging]
trace!("message = {}", password); // $ MISSING: Alert[rust/cleartext-logging]
warn!("message = {}", password); // $ MISSING: Alert[rust/cleartext-logging]
log!(Level::Error, "message = {}", password); // $ MISSING: Alert[rust/cleartext-logging]
debug!("message = {}", password); // $ Source Alert[rust/cleartext-logging]
error!("message = {}", password); // $ Source Alert[rust/cleartext-logging]
info!("message = {}", password); // $ Source Alert[rust/cleartext-logging]
trace!("message = {}", password); // $ Source Alert[rust/cleartext-logging]
warn!("message = {}", password); // $ Source Alert[rust/cleartext-logging]
log!(Level::Error, "message = {}", password); // $ Source Alert[rust/cleartext-logging]
// debug! macro, various formatting
debug!("message");
debug!("message = {}", harmless);
debug!("message = {}", password); // $ MISSING: Alert[rust/cleartext-logging]
debug!("message = {}", password); // $ Source Alert[rust/cleartext-logging]
debug!("message = {}", encrypted_password);
debug!("message = {} {}", harmless, password); // $ MISSING: Alert[rust/cleartext-logging]
debug!("message = {} {}", harmless, password); // $ Source Alert[rust/cleartext-logging]
debug!("message = {harmless}");
debug!("message = {harmless} {}", password); // $ MISSING: Alert[rust/cleartext-logging]
debug!("message = {password}"); // $ MISSING: Alert[rust/cleartext-logging]
debug!("message = {password:?}"); // $ MISSING: Alert[rust/cleartext-logging]
debug!("message = {harmless} {}", password); // $ Source Alert[rust/cleartext-logging]
debug!("message = {password}"); // $ Source Alert[rust/cleartext-logging]
debug!("message = {password:?}"); // $ Source Alert[rust/cleartext-logging]
debug!(target: "target", "message = {}", harmless);
debug!(target: "target", "message = {}", password); // $ MISSING: Alert[rust/cleartext-logging]
debug!(target: "target", "message = {}", password); // $ Source Alert[rust/cleartext-logging]
debug!(target: &password, "message = {}", harmless); // $ MISSING: Alert[rust/cleartext-logging]
// log! macro, various formatting
log!(Level::Error, "message = {}", harmless);
log!(Level::Error, "message = {}", password); // $ MISSING: Alert[rust/cleartext-logging]
log!(Level::Error, "message = {}", password); // $ Source Alert[rust/cleartext-logging]
log!(target: "target", Level::Error, "message = {}", harmless);
log!(target: "target", Level::Error, "message = {}", password); // $ MISSING: Alert[rust/cleartext-logging]
log!(target: "target", Level::Error, "message = {}", password); // $ Source Alert[rust/cleartext-logging]
log!(target: &password, Level::Error, "message = {}", harmless); // $ MISSING: Alert[rust/cleartext-logging]
// structured logging
error!(value = 1; "message = {}", harmless);
error!(value = 1; "message = {}", password); // $ MISSING: Alert[rust/cleartext-logging]
error!(value = 1; "message = {}", password); // $ Source Alert[rust/cleartext-logging]
error!(target: "target", value = 1; "message");
error!(target: "target", value = 1; "message = {}", password); // $ MISSING: Alert[rust/cleartext-logging]
error!(target: "target", value = 1; "message = {}", password); // $ Source Alert[rust/cleartext-logging]
error!(target: &password, value = 1; "message"); // $ MISSING: Alert[rust/cleartext-logging]
error!(value = 1; "message = {}", password); // $ MISSING: Alert[rust/cleartext-logging]
error!(value = 1; "message = {}", password); // $ Source Alert[rust/cleartext-logging]
error!(value = password.as_str(); "message"); // $ MISSING: Alert[rust/cleartext-logging]
error!(value:? = password.as_str(); "message"); // $ MISSING: Alert[rust/cleartext-logging]
let value1 = 1;
error!(value1; "message = {}", harmless);
error!(value1; "message = {}", password); // $ MISSING: Alert[rust/cleartext-logging]
error!(value1; "message = {}", password); // $ Source Alert[rust/cleartext-logging]
error!(target: "target", value1; "message");
error!(target: "target", value1; "message = {}", password); // $ MISSING: Alert[rust/cleartext-logging]
error!(target: "target", value1; "message = {}", password); // $ Source Alert[rust/cleartext-logging]
error!(target: &password, value1; "message"); // $ MISSING: Alert[rust/cleartext-logging]
error!(value1; "message = {}", password); // $ MISSING: Alert[rust/cleartext-logging]
error!(value1; "message = {}", password); // $ Source Alert[rust/cleartext-logging]
let value2 = password.as_str();
error!(value2; "message"); // $ MISSING: Alert[rust/cleartext-logging]
@@ -96,8 +96,8 @@ fn test_log(harmless: String, password: String, encrypted_password: String) {
let m2 = "message = ".to_string() + &password; // $ MISSING: Source=m2
info!("{}", m2); // $ MISSING: Alert[rust/cleartext-logging]=m2
let m3 = format!("message = {}", password); // $ MISSING:=m3
info!("{}", m3); // $ MISSING: Alert[rust/cleartext-logging]=m3
let m3 = format!("message = {}", password); // $ Source=m3
info!("{}", m3); // $ Alert[rust/cleartext-logging]=m3
let mut m4 = String::new();
write!(&mut m4, "message = {}", password); // $ MISSING: Source=m4
@@ -115,7 +115,7 @@ fn test_log(harmless: String, password: String, encrypted_password: String) {
}
// logging with a call
trace!("message = {}", get_password()); // $ MISSING: Alert[rust/cleartext-logging]
trace!("message = {}", get_password()); // $ Source Alert[rust/cleartext-logging]
let str1 = "123456".to_string();
trace!("message = {}", &str1); // $ MISSING: Alert[rust/cleartext-logging]
@@ -126,9 +126,9 @@ fn test_log(harmless: String, password: String, encrypted_password: String) {
trace!("message = {}", &str2);
// logging from a tuple
let t1 = (harmless, password); // $ MISSING:=t1
let t1 = (harmless, password); // $ Source=t1
trace!("message = {}", t1.0);
trace!("message = {}", t1.1); // $ MISSING: Alert[rust/cleartext-logging]=t1
trace!("message = {}", t1.1); // $ Alert[rust/cleartext-logging]=t1
trace!("message = {:?}", t1); // $ MISSING: Alert[rust/cleartext-logging]=t1
trace!("message = {:#?}", t1); // $ MISSING: Alert[rust/cleartext-logging]=t1
@@ -149,23 +149,23 @@ fn test_log(harmless: String, password: String, encrypted_password: String) {
}
fn test_std(password: String, i: i32, opt_i: Option<i32>) {
print!("message = {}", password); // $ MISSING: Alert[rust/cleartext-logging]
println!("message = {}", password); // $ MISSING: Alert[rust/cleartext-logging]
eprint!("message = {}", password); // $ MISSING: Alert[rust/cleartext-logging]
eprintln!("message = {}", password); // $ MISSING: Alert[rust/cleartext-logging]
print!("message = {}", password); // $ Source Alert[rust/cleartext-logging]
println!("message = {}", password); // $ Source Alert[rust/cleartext-logging]
eprint!("message = {}", password); // $ Source Alert[rust/cleartext-logging]
eprintln!("message = {}", password); // $ Source Alert[rust/cleartext-logging]
match i {
1 => { panic!("message = {}", password); } // $ MISSING: Alert[rust/cleartext-logging]
2 => { todo!("message = {}", password); } // $ MISSING: Alert[rust/cleartext-logging]
3 => { unimplemented!("message = {}", password); } // $ MISSING: Alert[rust/cleartext-logging]
4 => { unreachable!("message = {}", password); } // $ MISSING: Alert[rust/cleartext-logging]
5 => { assert!(false, "message = {}", password); } // $ MISSING: Alert[rust/cleartext-logging]
1 => { panic!("message = {}", password); } // $ Source Alert[rust/cleartext-logging]
2 => { todo!("message = {}", password); } // $ Source Alert[rust/cleartext-logging]
3 => { unimplemented!("message = {}", password); } // $ Source Alert[rust/cleartext-logging]
4 => { unreachable!("message = {}", password); } // $ Source Alert[rust/cleartext-logging]
5 => { assert!(false, "message = {}", password); } // $ Source Alert[rust/cleartext-logging]
6 => { assert_eq!(1, 2, "message = {}", password); } // $ MISSING: Alert[rust/cleartext-logging]
7 => { assert_ne!(1, 1, "message = {}", password); } // $ MISSING: Alert[rust/cleartext-logging]
8 => { debug_assert!(false, "message = {}", password); } // $ MISSING: Alert[rust/cleartext-logging]
8 => { debug_assert!(false, "message = {}", password); } // $ Source Alert[rust/cleartext-logging]
9 => { debug_assert_eq!(1, 2, "message = {}", password); } // $ MISSING: Alert[rust/cleartext-logging]
10 => { debug_assert_ne!(1, 1, "message = {}", password); } // $ MISSING: Alert[rust/cleartext-logging]
11 => { _ = opt_i.expect(format!("message = {}", password).as_str()); } // $ MISSING: Alert[rust/cleartext-logging]
11 => { _ = opt_i.expect(format!("message = {}", password).as_str()); } // $ Source Alert[rust/cleartext-logging]
_ => {}
}