Rust: Implement the query.

rust/ql/src/queries/security/CWE-312/CleartextLogging.ql

@@ -14,7 +14,35 @@
  */
 
 import rust
+import codeql.rust.security.CleartextLoggingExtensions
+import codeql.rust.dataflow.DataFlow
+import codeql.rust.dataflow.TaintTracking
 
-from Element e
-where none()
-select e, ""
+/**
+ * A taint-tracking configuration for cleartext logging vulnerabilities.
+ */
+module CleartextLoggingConfig implements DataFlow::ConfigSig {
+  import CleartextLogging
+
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof Barrier }
+
+  predicate isBarrierIn(DataFlow::Node node) {
+    // make sources barriers so that we only report the closest instance
+    isSource(node)
+  }
+}
+
+module CleartextLoggingFlow = TaintTracking::Global<CleartextLoggingConfig>;
+
+import CleartextLoggingFlow::PathGraph
+
+from CleartextLoggingFlow::PathNode source, CleartextLoggingFlow::PathNode sink
+where CleartextLoggingFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+  "This operation writes '" + sink.toString() +
+    "' to a log file. It may contain unencrypted sensitive data from $@.", source,
+  source.getNode().toString()