Rust: Add examples to tests.

Geoffrey White
2025-07-30 17:09:16 +01:00
parent b6e60e4087
commit 42ced8aa3d
4 changed files with 258 additions and 83 deletions


@@ -2,6 +2,41 @@
# It is not intended for manual editing.
version = 4
[[package]]
name = "aead"
version = "0.5.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d122413f284cf2d62fb1b7db97e02edb8cda96d769b16e443a4f6195e35662b0"
dependencies = [
"crypto-common",
"generic-array",
]
[[package]]
name = "aes"
version = "0.8.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b169f7a6d4742236a0a00c541b845991d0ac43e546831af1249753ab4c3aa3a0"
dependencies = [
"cfg-if",
"cipher",
"cpufeatures",
]
[[package]]
name = "aes-gcm"
version = "0.10.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "831010a0f742e1209b3bcea8fab6a8e149051ba6099432c8cb2cc117dec3ead1"
dependencies = [
"aead",
"aes",
"cipher",
"ctr",
"ghash",
"subtle",
]
[[package]]
name = "allocator-api2"
version = "0.2.21"
@@ -253,6 +288,16 @@ version = "1.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9555578bc9e57714c812a1f84e4fc5b4d21fcb063490c624de019f7464c91268"
[[package]]
name = "cipher"
version = "0.4.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "773f3b9af64447d2ce9850330c473515014aa235e6a783b02db81ff39e4a3dad"
dependencies = [
"crypto-common",
"inout",
]
[[package]]
name = "colored"
version = "2.2.0"
@@ -340,9 +385,19 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3"
dependencies = [
"generic-array",
"rand_core",
"typenum",
]
[[package]]
name = "ctr"
version = "0.9.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0369ee1ad671834580515889b80f2ea915f23b8be8d0daa4bbaf2ac5c7590835"
dependencies = [
"cipher",
]
[[package]]
name = "der"
version = "0.7.10"
@@ -414,7 +469,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "778e2ac28f6c47af28e4907f13ffd1e1ddbd400980a9abd7c8df189bf578a5ad"
dependencies = [
"libc",
"windows-sys 0.59.0",
"windows-sys 0.60.2",
]
[[package]]
@@ -672,6 +727,16 @@ dependencies = [
"wasi 0.14.2+wasi-0.2.4",
]
[[package]]
name = "ghash"
version = "0.5.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f0d8a4362ccb29cb0b265253fb0a2728f592895ee6854fd9bc13f2ffda266ff1"
dependencies = [
"opaque-debug",
"polyval",
]
[[package]]
name = "gloo-timers"
version = "0.3.0"
@@ -872,6 +937,15 @@ dependencies = [
"hashbrown",
]
[[package]]
name = "inout"
version = "0.1.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "879f10e63c20629ecabbb64a8010319738c66a5cd0c29b02d63d272b03751d01"
dependencies = [
"generic-array",
]
[[package]]
name = "instant"
version = "0.1.13"
@@ -1096,6 +1170,12 @@ version = "1.21.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d"
[[package]]
name = "opaque-debug"
version = "0.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381"
[[package]]
name = "openssl"
version = "0.10.73"
@@ -1264,6 +1344,18 @@ dependencies = [
"windows-sys 0.60.2",
]
[[package]]
name = "polyval"
version = "0.6.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9d1fe60d06143b2430aa532c94cfe9e29783047f06c0d7fd359a9a51b729fa25"
dependencies = [
"cfg-if",
"cpufeatures",
"opaque-debug",
"universal-hash",
]
[[package]]
name = "potential_utf"
version = "0.1.2"
@@ -1395,7 +1487,7 @@ dependencies = [
"errno",
"libc",
"linux-raw-sys 0.9.4",
"windows-sys 0.59.0",
"windows-sys 0.60.2",
]
[[package]]
@@ -1837,6 +1929,9 @@ dependencies = [
name = "test"
version = "0.0.1"
dependencies = [
"aes",
"aes-gcm",
"base64",
"futures",
"log",
"log_err",
@@ -1987,6 +2082,16 @@ version = "0.1.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e70f2a8b45122e719eb623c01822704c4e0907e7e426a05927e1a1cfff5b75d0"
[[package]]
name = "universal-hash"
version = "0.5.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fc1de2c688dc15305988b563c3854064043356019f97a4b46276fe734c4f07ea"
dependencies = [
"crypto-common",
"subtle",
]
[[package]]
name = "url"
version = "2.5.4"


@@ -1,61 +1,61 @@
#select
| test_storage.rs:62:13:62:23 | ...::query | test_storage.rs:33:97:33:114 | get_phone_number(...) | test_storage.rs:62:13:62:23 | ...::query | This database operation may read or write unencrypted sensitive data from $@. | test_storage.rs:33:97:33:114 | get_phone_number(...) | get_phone_number(...) |
| test_storage.rs:77:13:77:25 | ...::raw_sql | test_storage.rs:33:97:33:114 | get_phone_number(...) | test_storage.rs:77:13:77:25 | ...::raw_sql | This database operation may read or write unencrypted sensitive data from $@. | test_storage.rs:33:97:33:114 | get_phone_number(...) | get_phone_number(...) |
| test_storage.rs:81:13:81:23 | ...::query | test_storage.rs:33:97:33:114 | get_phone_number(...) | test_storage.rs:81:13:81:23 | ...::query | This database operation may read or write unencrypted sensitive data from $@. | test_storage.rs:33:97:33:114 | get_phone_number(...) | get_phone_number(...) |
| test_storage.rs:87:13:87:23 | ...::query | test_storage.rs:33:97:33:114 | get_phone_number(...) | test_storage.rs:87:13:87:23 | ...::query | This database operation may read or write unencrypted sensitive data from $@. | test_storage.rs:33:97:33:114 | get_phone_number(...) | get_phone_number(...) |
| test_storage.rs:101:13:101:23 | ...::query | test_storage.rs:33:97:33:114 | get_phone_number(...) | test_storage.rs:101:13:101:23 | ...::query | This database operation may read or write unencrypted sensitive data from $@. | test_storage.rs:33:97:33:114 | get_phone_number(...) | get_phone_number(...) |
| test_storage.rs:99:13:99:23 | ...::query | test_storage.rs:70:97:70:114 | get_phone_number(...) | test_storage.rs:99:13:99:23 | ...::query | This database operation may read or write unencrypted sensitive data from $@. | test_storage.rs:70:97:70:114 | get_phone_number(...) | get_phone_number(...) |
| test_storage.rs:114:13:114:25 | ...::raw_sql | test_storage.rs:70:97:70:114 | get_phone_number(...) | test_storage.rs:114:13:114:25 | ...::raw_sql | This database operation may read or write unencrypted sensitive data from $@. | test_storage.rs:70:97:70:114 | get_phone_number(...) | get_phone_number(...) |
| test_storage.rs:118:13:118:23 | ...::query | test_storage.rs:70:97:70:114 | get_phone_number(...) | test_storage.rs:118:13:118:23 | ...::query | This database operation may read or write unencrypted sensitive data from $@. | test_storage.rs:70:97:70:114 | get_phone_number(...) | get_phone_number(...) |
| test_storage.rs:124:13:124:23 | ...::query | test_storage.rs:70:97:70:114 | get_phone_number(...) | test_storage.rs:124:13:124:23 | ...::query | This database operation may read or write unencrypted sensitive data from $@. | test_storage.rs:70:97:70:114 | get_phone_number(...) | get_phone_number(...) |
| test_storage.rs:138:13:138:23 | ...::query | test_storage.rs:70:97:70:114 | get_phone_number(...) | test_storage.rs:138:13:138:23 | ...::query | This database operation may read or write unencrypted sensitive data from $@. | test_storage.rs:70:97:70:114 | get_phone_number(...) | get_phone_number(...) |
edges
| test_storage.rs:33:9:33:21 | insert_query2 | test_storage.rs:62:25:62:37 | insert_query2 | provenance | |
| test_storage.rs:33:9:33:21 | insert_query2 | test_storage.rs:62:25:62:46 | insert_query2.as_str() | provenance | MaD:5 |
| test_storage.rs:33:9:33:21 | insert_query2 | test_storage.rs:62:25:62:46 | insert_query2.as_str() | provenance | MaD:4 |
| test_storage.rs:33:9:33:21 | insert_query2 | test_storage.rs:62:25:62:46 | insert_query2.as_str() | provenance | MaD:5 |
| test_storage.rs:33:9:33:21 | insert_query2 | test_storage.rs:77:27:77:39 | insert_query2 | provenance | |
| test_storage.rs:33:9:33:21 | insert_query2 | test_storage.rs:77:27:77:48 | insert_query2.as_str() | provenance | MaD:5 |
| test_storage.rs:33:9:33:21 | insert_query2 | test_storage.rs:77:27:77:48 | insert_query2.as_str() | provenance | MaD:4 |
| test_storage.rs:33:9:33:21 | insert_query2 | test_storage.rs:77:27:77:48 | insert_query2.as_str() | provenance | MaD:5 |
| test_storage.rs:33:9:33:21 | insert_query2 | test_storage.rs:81:25:81:37 | insert_query2 | provenance | |
| test_storage.rs:33:9:33:21 | insert_query2 | test_storage.rs:81:25:81:46 | insert_query2.as_str() | provenance | MaD:5 |
| test_storage.rs:33:9:33:21 | insert_query2 | test_storage.rs:81:25:81:46 | insert_query2.as_str() | provenance | MaD:4 |
| test_storage.rs:33:9:33:21 | insert_query2 | test_storage.rs:81:25:81:46 | insert_query2.as_str() | provenance | MaD:5 |
| test_storage.rs:33:9:33:21 | insert_query2 | test_storage.rs:87:25:87:37 | insert_query2 | provenance | |
| test_storage.rs:33:9:33:21 | insert_query2 | test_storage.rs:87:25:87:46 | insert_query2.as_str() | provenance | MaD:5 |
| test_storage.rs:33:9:33:21 | insert_query2 | test_storage.rs:87:25:87:46 | insert_query2.as_str() | provenance | MaD:4 |
| test_storage.rs:33:9:33:21 | insert_query2 | test_storage.rs:87:25:87:46 | insert_query2.as_str() | provenance | MaD:5 |
| test_storage.rs:33:9:33:21 | insert_query2 | test_storage.rs:101:25:101:37 | insert_query2 | provenance | |
| test_storage.rs:33:9:33:21 | insert_query2 | test_storage.rs:101:25:101:46 | insert_query2.as_str() | provenance | MaD:5 |
| test_storage.rs:33:9:33:21 | insert_query2 | test_storage.rs:101:25:101:46 | insert_query2.as_str() | provenance | MaD:4 |
| test_storage.rs:33:9:33:21 | insert_query2 | test_storage.rs:101:25:101:46 | insert_query2.as_str() | provenance | MaD:5 |
| test_storage.rs:33:25:33:114 | ... + ... | test_storage.rs:33:9:33:21 | insert_query2 | provenance | |
| test_storage.rs:33:25:33:114 | ... + ... | test_storage.rs:33:25:33:121 | ... + ... | provenance | MaD:3 |
| test_storage.rs:33:25:33:121 | ... + ... | test_storage.rs:33:9:33:21 | insert_query2 | provenance | |
| test_storage.rs:33:96:33:114 | &... | test_storage.rs:33:9:33:21 | insert_query2 | provenance | |
| test_storage.rs:33:96:33:114 | &... | test_storage.rs:33:25:33:114 | ... + ... | provenance | |
| test_storage.rs:33:97:33:114 | get_phone_number(...) | test_storage.rs:33:96:33:114 | &... | provenance | Config |
| test_storage.rs:62:25:62:37 | insert_query2 | test_storage.rs:62:25:62:46 | insert_query2.as_str() [&ref] | provenance | MaD:5 |
| test_storage.rs:62:25:62:37 | insert_query2 | test_storage.rs:62:25:62:46 | insert_query2.as_str() [&ref] | provenance | MaD:4 |
| test_storage.rs:62:25:62:37 | insert_query2 | test_storage.rs:62:25:62:46 | insert_query2.as_str() [&ref] | provenance | MaD:5 |
| test_storage.rs:62:25:62:46 | insert_query2.as_str() | test_storage.rs:62:13:62:23 | ...::query | provenance | MaD:1 Sink:MaD:1 |
| test_storage.rs:62:25:62:46 | insert_query2.as_str() [&ref] | test_storage.rs:62:13:62:23 | ...::query | provenance | MaD:1 Sink:MaD:1 |
| test_storage.rs:77:27:77:39 | insert_query2 | test_storage.rs:77:27:77:48 | insert_query2.as_str() [&ref] | provenance | MaD:5 |
| test_storage.rs:77:27:77:39 | insert_query2 | test_storage.rs:77:27:77:48 | insert_query2.as_str() [&ref] | provenance | MaD:4 |
| test_storage.rs:77:27:77:39 | insert_query2 | test_storage.rs:77:27:77:48 | insert_query2.as_str() [&ref] | provenance | MaD:5 |
| test_storage.rs:77:27:77:48 | insert_query2.as_str() | test_storage.rs:77:13:77:25 | ...::raw_sql | provenance | MaD:2 Sink:MaD:2 |
| test_storage.rs:77:27:77:48 | insert_query2.as_str() [&ref] | test_storage.rs:77:13:77:25 | ...::raw_sql | provenance | MaD:2 Sink:MaD:2 |
| test_storage.rs:81:25:81:37 | insert_query2 | test_storage.rs:81:25:81:46 | insert_query2.as_str() [&ref] | provenance | MaD:5 |
| test_storage.rs:81:25:81:37 | insert_query2 | test_storage.rs:81:25:81:46 | insert_query2.as_str() [&ref] | provenance | MaD:4 |
| test_storage.rs:81:25:81:37 | insert_query2 | test_storage.rs:81:25:81:46 | insert_query2.as_str() [&ref] | provenance | MaD:5 |
| test_storage.rs:81:25:81:46 | insert_query2.as_str() | test_storage.rs:81:13:81:23 | ...::query | provenance | MaD:1 Sink:MaD:1 |
| test_storage.rs:81:25:81:46 | insert_query2.as_str() [&ref] | test_storage.rs:81:13:81:23 | ...::query | provenance | MaD:1 Sink:MaD:1 |
| test_storage.rs:87:25:87:37 | insert_query2 | test_storage.rs:87:25:87:46 | insert_query2.as_str() [&ref] | provenance | MaD:5 |
| test_storage.rs:87:25:87:37 | insert_query2 | test_storage.rs:87:25:87:46 | insert_query2.as_str() [&ref] | provenance | MaD:4 |
| test_storage.rs:87:25:87:37 | insert_query2 | test_storage.rs:87:25:87:46 | insert_query2.as_str() [&ref] | provenance | MaD:5 |
| test_storage.rs:87:25:87:46 | insert_query2.as_str() | test_storage.rs:87:13:87:23 | ...::query | provenance | MaD:1 Sink:MaD:1 |
| test_storage.rs:87:25:87:46 | insert_query2.as_str() [&ref] | test_storage.rs:87:13:87:23 | ...::query | provenance | MaD:1 Sink:MaD:1 |
| test_storage.rs:101:25:101:37 | insert_query2 | test_storage.rs:101:25:101:46 | insert_query2.as_str() [&ref] | provenance | MaD:5 |
| test_storage.rs:101:25:101:37 | insert_query2 | test_storage.rs:101:25:101:46 | insert_query2.as_str() [&ref] | provenance | MaD:4 |
| test_storage.rs:101:25:101:37 | insert_query2 | test_storage.rs:101:25:101:46 | insert_query2.as_str() [&ref] | provenance | MaD:5 |
| test_storage.rs:101:25:101:46 | insert_query2.as_str() | test_storage.rs:101:13:101:23 | ...::query | provenance | MaD:1 Sink:MaD:1 |
| test_storage.rs:101:25:101:46 | insert_query2.as_str() [&ref] | test_storage.rs:101:13:101:23 | ...::query | provenance | MaD:1 Sink:MaD:1 |
| test_storage.rs:70:9:70:21 | insert_query2 | test_storage.rs:99:25:99:37 | insert_query2 | provenance | |
| test_storage.rs:70:9:70:21 | insert_query2 | test_storage.rs:99:25:99:46 | insert_query2.as_str() | provenance | MaD:5 |
| test_storage.rs:70:9:70:21 | insert_query2 | test_storage.rs:99:25:99:46 | insert_query2.as_str() | provenance | MaD:4 |
| test_storage.rs:70:9:70:21 | insert_query2 | test_storage.rs:99:25:99:46 | insert_query2.as_str() | provenance | MaD:5 |
| test_storage.rs:70:9:70:21 | insert_query2 | test_storage.rs:114:27:114:39 | insert_query2 | provenance | |
| test_storage.rs:70:9:70:21 | insert_query2 | test_storage.rs:114:27:114:48 | insert_query2.as_str() | provenance | MaD:5 |
| test_storage.rs:70:9:70:21 | insert_query2 | test_storage.rs:114:27:114:48 | insert_query2.as_str() | provenance | MaD:4 |
| test_storage.rs:70:9:70:21 | insert_query2 | test_storage.rs:114:27:114:48 | insert_query2.as_str() | provenance | MaD:5 |
| test_storage.rs:70:9:70:21 | insert_query2 | test_storage.rs:118:25:118:37 | insert_query2 | provenance | |
| test_storage.rs:70:9:70:21 | insert_query2 | test_storage.rs:118:25:118:46 | insert_query2.as_str() | provenance | MaD:5 |
| test_storage.rs:70:9:70:21 | insert_query2 | test_storage.rs:118:25:118:46 | insert_query2.as_str() | provenance | MaD:4 |
| test_storage.rs:70:9:70:21 | insert_query2 | test_storage.rs:118:25:118:46 | insert_query2.as_str() | provenance | MaD:5 |
| test_storage.rs:70:9:70:21 | insert_query2 | test_storage.rs:124:25:124:37 | insert_query2 | provenance | |
| test_storage.rs:70:9:70:21 | insert_query2 | test_storage.rs:124:25:124:46 | insert_query2.as_str() | provenance | MaD:5 |
| test_storage.rs:70:9:70:21 | insert_query2 | test_storage.rs:124:25:124:46 | insert_query2.as_str() | provenance | MaD:4 |
| test_storage.rs:70:9:70:21 | insert_query2 | test_storage.rs:124:25:124:46 | insert_query2.as_str() | provenance | MaD:5 |
| test_storage.rs:70:9:70:21 | insert_query2 | test_storage.rs:138:25:138:37 | insert_query2 | provenance | |
| test_storage.rs:70:9:70:21 | insert_query2 | test_storage.rs:138:25:138:46 | insert_query2.as_str() | provenance | MaD:5 |
| test_storage.rs:70:9:70:21 | insert_query2 | test_storage.rs:138:25:138:46 | insert_query2.as_str() | provenance | MaD:4 |
| test_storage.rs:70:9:70:21 | insert_query2 | test_storage.rs:138:25:138:46 | insert_query2.as_str() | provenance | MaD:5 |
| test_storage.rs:70:25:70:114 | ... + ... | test_storage.rs:70:9:70:21 | insert_query2 | provenance | |
| test_storage.rs:70:25:70:114 | ... + ... | test_storage.rs:70:25:70:121 | ... + ... | provenance | MaD:3 |
| test_storage.rs:70:25:70:121 | ... + ... | test_storage.rs:70:9:70:21 | insert_query2 | provenance | |
| test_storage.rs:70:96:70:114 | &... | test_storage.rs:70:9:70:21 | insert_query2 | provenance | |
| test_storage.rs:70:96:70:114 | &... | test_storage.rs:70:25:70:114 | ... + ... | provenance | |
| test_storage.rs:70:97:70:114 | get_phone_number(...) | test_storage.rs:70:96:70:114 | &... | provenance | Config |
| test_storage.rs:99:25:99:37 | insert_query2 | test_storage.rs:99:25:99:46 | insert_query2.as_str() [&ref] | provenance | MaD:5 |
| test_storage.rs:99:25:99:37 | insert_query2 | test_storage.rs:99:25:99:46 | insert_query2.as_str() [&ref] | provenance | MaD:4 |
| test_storage.rs:99:25:99:37 | insert_query2 | test_storage.rs:99:25:99:46 | insert_query2.as_str() [&ref] | provenance | MaD:5 |
| test_storage.rs:99:25:99:46 | insert_query2.as_str() | test_storage.rs:99:13:99:23 | ...::query | provenance | MaD:1 Sink:MaD:1 |
| test_storage.rs:99:25:99:46 | insert_query2.as_str() [&ref] | test_storage.rs:99:13:99:23 | ...::query | provenance | MaD:1 Sink:MaD:1 |
| test_storage.rs:114:27:114:39 | insert_query2 | test_storage.rs:114:27:114:48 | insert_query2.as_str() [&ref] | provenance | MaD:5 |
| test_storage.rs:114:27:114:39 | insert_query2 | test_storage.rs:114:27:114:48 | insert_query2.as_str() [&ref] | provenance | MaD:4 |
| test_storage.rs:114:27:114:39 | insert_query2 | test_storage.rs:114:27:114:48 | insert_query2.as_str() [&ref] | provenance | MaD:5 |
| test_storage.rs:114:27:114:48 | insert_query2.as_str() | test_storage.rs:114:13:114:25 | ...::raw_sql | provenance | MaD:2 Sink:MaD:2 |
| test_storage.rs:114:27:114:48 | insert_query2.as_str() [&ref] | test_storage.rs:114:13:114:25 | ...::raw_sql | provenance | MaD:2 Sink:MaD:2 |
| test_storage.rs:118:25:118:37 | insert_query2 | test_storage.rs:118:25:118:46 | insert_query2.as_str() [&ref] | provenance | MaD:5 |
| test_storage.rs:118:25:118:37 | insert_query2 | test_storage.rs:118:25:118:46 | insert_query2.as_str() [&ref] | provenance | MaD:4 |
| test_storage.rs:118:25:118:37 | insert_query2 | test_storage.rs:118:25:118:46 | insert_query2.as_str() [&ref] | provenance | MaD:5 |
| test_storage.rs:118:25:118:46 | insert_query2.as_str() | test_storage.rs:118:13:118:23 | ...::query | provenance | MaD:1 Sink:MaD:1 |
| test_storage.rs:118:25:118:46 | insert_query2.as_str() [&ref] | test_storage.rs:118:13:118:23 | ...::query | provenance | MaD:1 Sink:MaD:1 |
| test_storage.rs:124:25:124:37 | insert_query2 | test_storage.rs:124:25:124:46 | insert_query2.as_str() [&ref] | provenance | MaD:5 |
| test_storage.rs:124:25:124:37 | insert_query2 | test_storage.rs:124:25:124:46 | insert_query2.as_str() [&ref] | provenance | MaD:4 |
| test_storage.rs:124:25:124:37 | insert_query2 | test_storage.rs:124:25:124:46 | insert_query2.as_str() [&ref] | provenance | MaD:5 |
| test_storage.rs:124:25:124:46 | insert_query2.as_str() | test_storage.rs:124:13:124:23 | ...::query | provenance | MaD:1 Sink:MaD:1 |
| test_storage.rs:124:25:124:46 | insert_query2.as_str() [&ref] | test_storage.rs:124:13:124:23 | ...::query | provenance | MaD:1 Sink:MaD:1 |
| test_storage.rs:138:25:138:37 | insert_query2 | test_storage.rs:138:25:138:46 | insert_query2.as_str() [&ref] | provenance | MaD:5 |
| test_storage.rs:138:25:138:37 | insert_query2 | test_storage.rs:138:25:138:46 | insert_query2.as_str() [&ref] | provenance | MaD:4 |
| test_storage.rs:138:25:138:37 | insert_query2 | test_storage.rs:138:25:138:46 | insert_query2.as_str() [&ref] | provenance | MaD:5 |
| test_storage.rs:138:25:138:46 | insert_query2.as_str() | test_storage.rs:138:13:138:23 | ...::query | provenance | MaD:1 Sink:MaD:1 |
| test_storage.rs:138:25:138:46 | insert_query2.as_str() [&ref] | test_storage.rs:138:13:138:23 | ...::query | provenance | MaD:1 Sink:MaD:1 |
models
| 1 | Sink: sqlx_core::query::query; Argument[0]; database-store |
| 2 | Sink: sqlx_core::raw_sql::raw_sql; Argument[0]; database-store |
@@ -63,29 +63,29 @@ models
| 4 | Summary: <alloc::string::String>::as_str; Argument[self]; ReturnValue; value |
| 5 | Summary: <core::str>::as_str; Argument[self]; ReturnValue; value |
nodes
| test_storage.rs:33:9:33:21 | insert_query2 | semmle.label | insert_query2 |
| test_storage.rs:33:25:33:114 | ... + ... | semmle.label | ... + ... |
| test_storage.rs:33:25:33:121 | ... + ... | semmle.label | ... + ... |
| test_storage.rs:33:96:33:114 | &... | semmle.label | &... |
| test_storage.rs:33:97:33:114 | get_phone_number(...) | semmle.label | get_phone_number(...) |
| test_storage.rs:62:13:62:23 | ...::query | semmle.label | ...::query |
| test_storage.rs:62:25:62:37 | insert_query2 | semmle.label | insert_query2 |
| test_storage.rs:62:25:62:46 | insert_query2.as_str() | semmle.label | insert_query2.as_str() |
| test_storage.rs:62:25:62:46 | insert_query2.as_str() [&ref] | semmle.label | insert_query2.as_str() [&ref] |
| test_storage.rs:77:13:77:25 | ...::raw_sql | semmle.label | ...::raw_sql |
| test_storage.rs:77:27:77:39 | insert_query2 | semmle.label | insert_query2 |
| test_storage.rs:77:27:77:48 | insert_query2.as_str() | semmle.label | insert_query2.as_str() |
| test_storage.rs:77:27:77:48 | insert_query2.as_str() [&ref] | semmle.label | insert_query2.as_str() [&ref] |
| test_storage.rs:81:13:81:23 | ...::query | semmle.label | ...::query |
| test_storage.rs:81:25:81:37 | insert_query2 | semmle.label | insert_query2 |
| test_storage.rs:81:25:81:46 | insert_query2.as_str() | semmle.label | insert_query2.as_str() |
| test_storage.rs:81:25:81:46 | insert_query2.as_str() [&ref] | semmle.label | insert_query2.as_str() [&ref] |
| test_storage.rs:87:13:87:23 | ...::query | semmle.label | ...::query |
| test_storage.rs:87:25:87:37 | insert_query2 | semmle.label | insert_query2 |
| test_storage.rs:87:25:87:46 | insert_query2.as_str() | semmle.label | insert_query2.as_str() |
| test_storage.rs:87:25:87:46 | insert_query2.as_str() [&ref] | semmle.label | insert_query2.as_str() [&ref] |
| test_storage.rs:101:13:101:23 | ...::query | semmle.label | ...::query |
| test_storage.rs:101:25:101:37 | insert_query2 | semmle.label | insert_query2 |
| test_storage.rs:101:25:101:46 | insert_query2.as_str() | semmle.label | insert_query2.as_str() |
| test_storage.rs:101:25:101:46 | insert_query2.as_str() [&ref] | semmle.label | insert_query2.as_str() [&ref] |
| test_storage.rs:70:9:70:21 | insert_query2 | semmle.label | insert_query2 |
| test_storage.rs:70:25:70:114 | ... + ... | semmle.label | ... + ... |
| test_storage.rs:70:25:70:121 | ... + ... | semmle.label | ... + ... |
| test_storage.rs:70:96:70:114 | &... | semmle.label | &... |
| test_storage.rs:70:97:70:114 | get_phone_number(...) | semmle.label | get_phone_number(...) |
| test_storage.rs:99:13:99:23 | ...::query | semmle.label | ...::query |
| test_storage.rs:99:25:99:37 | insert_query2 | semmle.label | insert_query2 |
| test_storage.rs:99:25:99:46 | insert_query2.as_str() | semmle.label | insert_query2.as_str() |
| test_storage.rs:99:25:99:46 | insert_query2.as_str() [&ref] | semmle.label | insert_query2.as_str() [&ref] |
| test_storage.rs:114:13:114:25 | ...::raw_sql | semmle.label | ...::raw_sql |
| test_storage.rs:114:27:114:39 | insert_query2 | semmle.label | insert_query2 |
| test_storage.rs:114:27:114:48 | insert_query2.as_str() | semmle.label | insert_query2.as_str() |
| test_storage.rs:114:27:114:48 | insert_query2.as_str() [&ref] | semmle.label | insert_query2.as_str() [&ref] |
| test_storage.rs:118:13:118:23 | ...::query | semmle.label | ...::query |
| test_storage.rs:118:25:118:37 | insert_query2 | semmle.label | insert_query2 |
| test_storage.rs:118:25:118:46 | insert_query2.as_str() | semmle.label | insert_query2.as_str() |
| test_storage.rs:118:25:118:46 | insert_query2.as_str() [&ref] | semmle.label | insert_query2.as_str() [&ref] |
| test_storage.rs:124:13:124:23 | ...::query | semmle.label | ...::query |
| test_storage.rs:124:25:124:37 | insert_query2 | semmle.label | insert_query2 |
| test_storage.rs:124:25:124:46 | insert_query2.as_str() | semmle.label | insert_query2.as_str() |
| test_storage.rs:124:25:124:46 | insert_query2.as_str() [&ref] | semmle.label | insert_query2.as_str() [&ref] |
| test_storage.rs:138:13:138:23 | ...::query | semmle.label | ...::query |
| test_storage.rs:138:25:138:37 | insert_query2 | semmle.label | insert_query2 |
| test_storage.rs:138:25:138:46 | insert_query2.as_str() | semmle.label | insert_query2.as_str() |
| test_storage.rs:138:25:138:46 | insert_query2.as_str() [&ref] | semmle.label | insert_query2.as_str() [&ref] |
subpaths


@@ -5,3 +5,6 @@ qltest_dependencies:
- log_err = { version = "1.1.1" }
- sqlx = { version = "0.8", features = ["mysql", "sqlite", "postgres", "runtime-async-std", "tls-native-tls"] }
- futures = { version = "0.3" }
- aes = { version = "0.8.4" }
- aes-gcm = { version = "0.10.3" }
- base64 = { version = "0.22.1" }


@@ -1,4 +1,8 @@
use aes_gcm::aead::{Aead, AeadCore, OsRng};
use aes_gcm::aes::cipher::Unsigned;
use aes_gcm::{Aes256Gcm, KeyInit};
use base64::prelude::*;
use sqlx::Connection;
use sqlx::Executor;
@@ -20,6 +24,39 @@ fn get_email() -> String {
return String::from("a@b.com");
}
fn get_ccn() -> String {
return String::from("1234567890");
}
fn encrypt(text: String, encryption_key: &aes_gcm::Key<Aes256Gcm>) -> String {
// encrypt text -> ciphertext
let cipher = Aes256Gcm::new(&encryption_key);
let nonce = Aes256Gcm::generate_nonce(&mut OsRng);
let ciphertext = cipher.encrypt(&nonce, text.as_ref()).unwrap();
// append (nonce, ciphertext)
let mut combined = nonce.to_vec();
combined.extend(ciphertext);
// encode to base64 string
BASE64_STANDARD.encode(combined)
}
fn decrypt(data: String, encryption_key: &aes_gcm::Key<Aes256Gcm>) -> String {
let cipher = Aes256Gcm::new(&encryption_key);
// decode base64 string
let decoded = BASE64_STANDARD.decode(data).unwrap();
// split into (nonce, ciphertext)
let nonce_size = <Aes256Gcm as AeadCore>::NonceSize::to_usize();
let (nonce, ciphertext) = decoded.split_at(nonce_size);
// decrypt ciphertext -> plaintext
let plaintext = cipher.decrypt(nonce.into(), ciphertext).unwrap();
String::from_utf8(plaintext).unwrap()
}
async fn test_storage_sql_command(url: &str) -> Result<(), sqlx::Error> {
// connect through a MySQL connection pool
let pool1 = sqlx::mysql::MySqlPool::connect(url).await?;
@@ -102,6 +139,36 @@ async fn test_storage_sql_command(url: &str) -> Result<(), sqlx::Error> {
let _ = sqlx::query(prepared_query.as_str()).bind(get_harmless()).bind(id).execute(&pool3).await?;
let _ = sqlx::query(prepared_query.as_str()).bind(get_social_security_number()).bind(id).execute(&pool3).await?; // $ MISSING: Alert[rust/cleartext-storage-database]
// "bad" example
{
let pool = &pool1;
let credit_card_number = get_ccn();
let query = "INSERT INTO PAYMENTDETAILS(ID, CARDNUM) VALUES(?, ?)";
let result = sqlx::query(query)
.bind(id)
.bind(credit_card_number) // $ MISSING: Alert[rust/cleartext-storage-database]
.execute(pool)
.await?;
}
// "good" example
{
let pool = &pool1;
let credit_card_number = get_ccn();
let encryption_key = Aes256Gcm::generate_key(OsRng);
// ...
let query = "INSERT INTO PAYMENTDETAILS(ID, CARDNUM) VALUES(?, ?)";
let result = sqlx::query(query)
.bind(id)
.bind(encrypt(credit_card_number, &encryption_key))
.execute(pool)
.await?;
}
Ok(())
}
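Review bot: `decrypt` panics on any stored value that is malformed or has been altered, because `BASE64_STANDARD.decode(data).unwrap()`, `decoded.split_at(nonce_size)` (which panics when fewer than `nonce_size` bytes were decoded) and `cipher.decrypt(...).unwrap()` all abort instead of reporting failure. A failed GCM tag check is the expected signal that a record was tampered with or that the wrong key was used, so it should reach the caller as an error value rather than take the process down. The version below returns `Option<String>` and checks the length before splitting. No caller of `decrypt` is visible in this section, so the signature change looks safe, but confirm against the rest of the file.

```rust
fn decrypt(data: String, encryption_key: &aes_gcm::Key<Aes256Gcm>) -> Option<String> {
    let cipher = Aes256Gcm::new(encryption_key);
    // reject input that is not valid base64 instead of panicking
    let decoded = BASE64_STANDARD.decode(data).ok()?;
    let nonce_size = <Aes256Gcm as AeadCore>::NonceSize::to_usize();
    // a record shorter than the nonce cannot be split; treat it as malformed
    if decoded.len() < nonce_size {
        return None;
    }
    let (nonce, ciphertext) = decoded.split_at(nonce_size);
    // a failed tag check means the record was altered or the key is wrong
    let plaintext = cipher.decrypt(nonce.into(), ciphertext).ok()?;
    String::from_utf8(plaintext).ok()
}
```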