Rust: Add source models for fs.

2026-04-23 07:45:17 +02:00 · 2025-04-11 16:18:37 +01:00
parent 258c1afe27
commit 4f9f550ba6
4 changed files with 60 additions and 18 deletions
--- a/rust/ql/lib/codeql/rust/Concepts.qll
+++ b/rust/ql/lib/codeql/rust/Concepts.qll
@@ -102,6 +102,32 @@ class ModeledEnvironmentSource extends EnvironmentSource::Range {
  ModeledEnvironmentSource() { sourceNode(this, "environment-source") }
 }

+/**
+ * A data flow source corresponding to a file access.
+ */
+final class FileSource = FileSource::Range;
+
+/**
+ * An externally modeled source for data from a file access.
+ */
+class ModeledFileSource extends FileSource::Range {
+  ModeledFileSource() { sourceNode(this, "file") }
+}
+
+/**
+ * Provides a class for modeling new sources for file accesses.
+ */
+module FileSource {
+  /**
+   * A data flow source corresponding to a file access.
+   */
+  abstract class Range extends ThreatModelSource::Range {
+    override string getThreatModel() { result = "file" }
+
+    override string getSourceType() { result = "FileSource" }
+  }
+}
+
 /**
 * A data flow source corresponding to the program's database reads.
 */
--- a/rust/ql/lib/codeql/rust/frameworks/stdlib/fs.model.yml
+++ b/rust/ql/lib/codeql/rust/frameworks/stdlib/fs.model.yml
@@ -2,7 +2,14 @@ extensions:
  - addsTo:
      pack: codeql/rust-all
      extensible: sourceModel
-    data: []
+    data:
+      - ["lang:std", "crate::fs::read", "ReturnValue.Field[crate::result::Result::Ok(0)]", "file", "manual"]
+      - ["lang:std", "crate::fs::read_to_string", "ReturnValue.Field[crate::result::Result::Ok(0)]", "file", "manual"]
+      - ["lang:std", "crate::fs::read_link", "ReturnValue.Field[crate::result::Result::Ok(0)]", "file", "manual"]
+      - ["lang:std", "<crate::fs::DirEntry>::path", "ReturnValue", "file", "manual"]
+      - ["lang:std", "<crate::fs::DirEntry>::file_name", "ReturnValue", "file", "manual"]
+      - ["lang:std", "<crate::fs::File>::open", "ReturnValue.Field[crate::result::Result::Ok(0)]", "file", "manual"]
+      - ["lang:std", "<crate::fs::File>::open_buffered", "ReturnValue.Field[crate::result::Result::Ok(0)]", "file", "manual"]
  - addsTo:
      pack: codeql/rust-all
      extensible: sinkModel
@@ -34,7 +41,6 @@ extensions:
      - ["lang:std", "<crate::fs::File>::create_new", "Argument[0]", "path-injection", "manual"]
      - ["lang:std", "<crate::fs::File>::open", "Argument[0]", "path-injection", "manual"]
      - ["lang:std", "<crate::fs::File>::open_buffered", "Argument[0]", "path-injection", "manual"]
-
  - addsTo:
      pack: codeql/rust-all
      extensible: summaryModel
--- a/rust/ql/test/library-tests/dataflow/sources/TaintSources.expected
+++ b/rust/ql/test/library-tests/dataflow/sources/TaintSources.expected
@@ -22,4 +22,14 @@
 | test.rs:80:24:80:35 | ...::get | Flow source 'RemoteSource' of type remote (DEFAULT). |
 | test.rs:112:35:112:46 | send_request | Flow source 'RemoteSource' of type remote (DEFAULT). |
 | test.rs:119:31:119:42 | send_request | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:205:31:205:43 | ...::read | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:210:31:210:38 | ...::read | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:215:22:215:39 | ...::read_to_string | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:221:22:221:25 | path | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:222:27:222:35 | file_name | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:228:22:228:34 | ...::read_link | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:271:20:271:38 | ...::open | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:360:25:360:43 | ...::open | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:361:25:361:43 | ...::open | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:369:25:369:43 | ...::open | Flow source 'FileSource' of type file (DEFAULT). |
 | test.rs:386:16:386:29 | ...::args | Flow source 'CommandLineArgs' of type commandargs (DEFAULT). |
--- a/rust/ql/test/library-tests/dataflow/sources/test.rs
+++ b/rust/ql/test/library-tests/dataflow/sources/test.rs
@@ -202,31 +202,31 @@ use std::fs;

 fn test_fs() -> Result<(), Box<dyn std::error::Error>> {
    {
-        let buffer: Vec<u8> = std::fs::read("file.bin")?; // $ MISSING: Alert[rust/summary/taint-sources]
-        sink(buffer); // $ MISSING: hasTaintFlow
+        let buffer: Vec<u8> = std::fs::read("file.bin")?; // $ Alert[rust/summary/taint-sources]
+        sink(buffer); // $ hasTaintFlow="file.bin"
    }

    {
-        let buffer: Vec<u8> = fs::read("file.bin")?; // $ MISSING: Alert[rust/summary/taint-sources]
-        sink(buffer); // $ MISSING: hasTaintFlow
+        let buffer: Vec<u8> = fs::read("file.bin")?; // $ Alert[rust/summary/taint-sources]
+        sink(buffer); // $ hasTaintFlow="file.bin"
    }

    {
-        let buffer = fs::read_to_string("file.txt")?; // $ MISSING: Alert[rust/summary/taint-sources]
-        sink(buffer); // $ MISSING: hasTaintFlow
+        let buffer = fs::read_to_string("file.txt")?; // $ Alert[rust/summary/taint-sources]
+        sink(buffer); // $ hasTaintFlow="file.txt"
    }

    for entry in fs::read_dir("directory")? {
        let e = entry?;
-        let path = e.path(); // $ MISSING: Alert[rust/summary/taint-sources]
-        let file_name = e.file_name(); // $ MISSING: Alert[rust/summary/taint-sources]
-        sink(path); // $ MISSING: hasTaintFlow
-        sink(file_name); // $ MISSING: hasTaintFlow
+        let path = e.path(); // $ Alert[rust/summary/taint-sources]
+        let file_name = e.file_name(); // $ Alert[rust/summary/taint-sources]
+        sink(path); // $ hasTaintFlow
+        sink(file_name); // $ hasTaintFlow
    }

    {
-        let target = fs::read_link("symlink.txt")?; // $ MISSING: Alert[rust/summary/taint-sources]
-        sink(target); // $ MISSING: hasTaintFlow
+        let target = fs::read_link("symlink.txt")?; // $ Alert[rust/summary/taint-sources]
+        sink(target); // $ hasTaintFlow="symlink.txt"
    }

    Ok(())
@@ -268,7 +268,7 @@ fn test_io_fs() -> std::io::Result<()> {

    // --- file ---

-    let mut file = std::fs::File::open("file.txt")?; // $ MISSING: Alert[rust/summary/taint-sources]
+    let mut file = std::fs::File::open("file.txt")?; // $ Alert[rust/summary/taint-sources]

    {
        let mut buffer = [0u8; 100];
@@ -357,8 +357,8 @@ fn test_io_fs() -> std::io::Result<()> {

    {
        let mut buffer = String::new();
-        let mut file1 = std::fs::File::open("file.txt")?; // $ MISSING: Alert[rust/summary/taint-sources]
-        let mut file2 = std::fs::File::open("another_file.txt")?; // $ MISSING: Alert[rust/summary/taint-sources]
+        let mut file1 = std::fs::File::open("file.txt")?; // $ Alert[rust/summary/taint-sources]
+        let mut file2 = std::fs::File::open("another_file.txt")?; // $ Alert[rust/summary/taint-sources]
        let mut reader = file1.chain(file2);
        reader.read_to_string(&mut buffer)?;
        sink(&buffer); // $ MISSING: hasTaintFlow
@@ -366,7 +366,7 @@ fn test_io_fs() -> std::io::Result<()> {

    {
        let mut buffer = String::new();
-        let mut file1 = std::fs::File::open("file.txt")?; // $ MISSING: Alert[rust/summary/taint-sources]
+        let mut file1 = std::fs::File::open("file.txt")?; // $ Alert[rust/summary/taint-sources]
        let mut reader = file1.take(100);
        reader.read_to_string(&mut buffer)?;
        sink(&buffer); // $ MISSING: hasTaintFlow