feat(rust): Add ReSQLite source support

2026-04-24 00:05:14 +02:00 · 2025-02-10 11:11:01 +00:00
parent 6e5899b4ff
commit 3e38867cb2
3 changed files with 24 additions and 7 deletions
--- a/rust/ql/lib/codeql/rust/frameworks/rusqlite.model.yml
+++ b/rust/ql/lib/codeql/rust/frameworks/rusqlite.model.yml
@@ -9,3 +9,12 @@ extensions:
      - ["repo:https://github.com/rusqlite/rusqlite:rusqlite", "<crate::Connection>::prepare_with_flags", "Argument[0]", "sql-injection", "manual"]
      - ["repo:https://github.com/rusqlite/rusqlite:rusqlite", "<crate::Connection>::query_row", "Argument[0]", "sql-injection", "manual"]
      - ["repo:https://github.com/rusqlite/rusqlite:rusqlite", "<crate::Connection>::query_row_and_then", "Argument[0]", "sql-injection", "manual"]
+
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: sourceModel
+    data:
+      - ["repo:https://github.com/rusqlite/rusqlite:rusqlite", "<crate::row::Row>::get", "ReturnValue.Variant[crate::result::Result::Ok(0)]", "database", "manual"]
+      - ["repo:https://github.com/rusqlite/rusqlite:rusqlite", "<crate::row::Row>::get_unwrap", "ReturnValue", "database", "manual"]
+      - ["repo:https://github.com/rusqlite/rusqlite:rusqlite", "<crate::row::Row>::get_ref", "ReturnValue.Variant[crate::result::Result::Ok(0)]", "database", "manual"]
+      - ["repo:https://github.com/rusqlite/rusqlite:rusqlite", "<crate::row::Row>::get_ref_unwrap", "ReturnValue", "database", "manual"]
--- a/rust/ql/test/library-tests/frameworks/rusqlite/Rusqlite.ql
+++ b/rust/ql/test/library-tests/frameworks/rusqlite/Rusqlite.ql
@@ -4,7 +4,7 @@ import codeql.rust.Concepts
 import utils.test.InlineExpectationsTest

 module RusqliteTest implements TestSig {
-  string getARelevantTag() { result = ["sql-sink"] }
+  string getARelevantTag() { result = ["sql-sink", "database-read"] }

  predicate hasActualResult(Location location, string element, string tag, string value) {
    exists(SqlInjection::Sink sink |
@@ -14,6 +14,14 @@ module RusqliteTest implements TestSig {
      tag = "sql-sink" and
      value = ""
    )
+    or
+    exists(ModeledDatabaseSource sink |
+      location = sink.getLocation() and
+      location.getFile().getBaseName() != "" and
+      element = sink.toString() and
+      tag = "database-read" and
+      value = ""
+    )
  }
 }

--- a/rust/ql/test/library-tests/frameworks/rusqlite/main.rs
+++ b/rust/ql/test/library-tests/frameworks/rusqlite/main.rs
@@ -31,18 +31,18 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {

    let person = connection.query_row(&query, (), |row| {    // $ sql-sink
        Ok(Person {
-            id: row.get(0)?,
-            name: row.get(1)?,
-            age: row.get(2)?,
+            id: row.get(0)?,        // $ database-read
+            name: row.get(1)?,      // $ database-read
+            age: row.get(2)?,       // $ database-read
        })
    })?;

    let mut stmt = connection.prepare("SELECT id, name, age FROM person")?;      // $ sql-sink
    let people = stmt.query_map([], |row| {
        Ok(Person {
-            id: row.get(0)?,
-            name: row.get(1)?,
-            age: row.get(2)?,
+            id: row.get_unwrap(0),      // $ database-read
+            name: row.get_unwrap(1),    // $ database-read
+            age: row.get_unwrap(2),     // $ database-read
        })
    })?;