Rust: Fix some shortcomings in our models of Reqwest.

2026-04-22 15:25:18 +02:00 · 2025-04-24 18:23:42 +01:00
parent f4ae211019
commit 3104dba09e
2 changed files with 12 additions and 9 deletions
--- a/rust/ql/lib/codeql/rust/frameworks/reqwest.model.yml
+++ b/rust/ql/lib/codeql/rust/frameworks/reqwest.model.yml
@@ -3,7 +3,7 @@ extensions:
      pack: codeql/rust-all
      extensible: sourceModel
    data:
-      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "crate::get", "ReturnValue.Field[crate::result::Result::Ok(0)]", "remote", "manual"]
+      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "crate::get", "ReturnValue.Future.Field[crate::result::Result::Ok(0)]", "remote", "manual"]
      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "crate::blocking::get", "ReturnValue.Field[crate::result::Result::Ok(0)]", "remote", "manual"]
  - addsTo:
      pack: codeql/rust-all
@@ -15,10 +15,13 @@ extensions:
      pack: codeql/rust-all
      extensible: summaryModel
    data:
-      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::response::Response>::text", "Argument[self]", "ReturnValue.Field[crate::result::Result::Ok(0)]", "taint", "manual"]
-      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::response::Response>::text_with_charset", "Argument[self]", "ReturnValue.Field[crate::result::Result::Ok(0)]", "taint", "manual"]
-      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::response::Response>::bytes", "Argument[self]", "ReturnValue.Field[crate::result::Result::Ok(0)]", "taint", "manual"]
-      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::response::Response>::chunk", "Argument[self]", "ReturnValue.Field[crate::result::Result::Ok(0)].Field[crate::option::Option::Some(0)]", "taint", "manual"]
+      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::response::Response>::text", "Argument[self]", "ReturnValue.Future.Field[crate::result::Result::Ok(0)]", "taint", "manual"]
+      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::response::Response>::text_with_charset", "Argument[self]", "ReturnValue.Future.Field[crate::result::Result::Ok(0)]", "taint", "manual"]
+      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::response::Response>::bytes", "Argument[self]", "ReturnValue.Future.Field[crate::result::Result::Ok(0)]", "taint", "manual"]
+      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::response::Response>::chunk", "Argument[self]", "ReturnValue.Future.Field[crate::result::Result::Ok(0)].Field[crate::option::Option::Some(0)]", "taint", "manual"]
      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::blocking::response::Response>::text", "Argument[self]", "ReturnValue.Field[crate::result::Result::Ok(0)]", "taint", "manual"]
      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::blocking::response::Response>::text_with_charset", "Argument[self]", "ReturnValue.Field[crate::result::Result::Ok(0)]", "taint", "manual"]
      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::blocking::response::Response>::bytes", "Argument[self]", "ReturnValue.Field[crate::result::Result::Ok(0)]", "taint", "manual"]
+      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::async_impl::response::Response>::text", "Argument[self]", "ReturnValue.Future.Field[crate::result::Result::Ok(0)]", "taint", "manual"]
+      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::async_impl::response::Response>::bytes", "Argument[self]", "ReturnValue.Future.Field[crate::result::Result::Ok(0)]", "taint", "manual"]
+      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::async_impl::response::Response>::chunk", "Argument[self]", "ReturnValue.Future.Field[crate::result::Result::Ok(0)].Field[crate::option::Option::Some(0)]", "taint", "manual"]
--- a/rust/ql/test/library-tests/dataflow/sources/test.rs
+++ b/rust/ql/test/library-tests/dataflow/sources/test.rs
@@ -72,15 +72,15 @@ async fn test_reqwest() -> Result<(), reqwest::Error> {
    sink(remote_string4); // $ hasTaintFlow="example.com"

    let remote_string5 = reqwest::get("example.com").await?.text().await?; // $ Alert[rust/summary/taint-sources]
-    sink(remote_string5); // $ MISSING: hasTaintFlow
+    sink(remote_string5); // $ hasTaintFlow="example.com"

    let remote_string6 = reqwest::get("example.com").await?.bytes().await?; // $ Alert[rust/summary/taint-sources]
-    sink(remote_string6); // $ MISSING: hasTaintFlow
+    sink(remote_string6); // $ hasTaintFlow="example.com"

    let mut request1 = reqwest::get("example.com").await?; // $ Alert[rust/summary/taint-sources]
-    sink(request1.chunk().await?.unwrap()); // $ MISSING: hasTaintFlow
+    sink(request1.chunk().await?.unwrap()); // $ hasTaintFlow="example.com"
    while let Some(chunk) = request1.chunk().await? {
-        sink(chunk); // $ MISSING: hasTaintFlow
+        sink(chunk); // $ MISSING: hasTaintFlow="example.com"
    }

    Ok(())