Rust: Add very basic query prototype.

2026-04-26 17:25:19 +02:00 · 2025-09-11 11:17:05 +01:00
parent 513ae2ab54
commit 7e75c1d242
4 changed files with 59 additions and 1 deletions
--- a/rust/ql/src/queries/security/CWE-614/InsecureCookie.ql
+++ b/rust/ql/src/queries/security/CWE-614/InsecureCookie.ql
@@ -0,0 +1,48 @@
+/**
+ * @name 'Secure' attribute is not set to true
+ * @description Omitting the 'Secure' attribute allows data to be transmitted insecurely
+ *              using HTTP. Always set 'Secure' to 'true' to ensure that HTTPS
+ *              is used at all times.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id rust/insecure-cookie
+ * @tags security
+ *       external/cwe/cwe-319
+ *       external/cwe/cwe-614
+ */
+
+import rust
+import codeql.rust.dataflow.DataFlow
+import codeql.rust.dataflow.TaintTracking
+import InsecureCookieFlow::PathGraph
+
+/**
+ * A data flow configuration for tracking values representing cookies without the
+ * 'secure' flag set.
+ */
+module InsecureCookieConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) {
+    // creation of a cookie with default settings (insecure)
+    exists(CallExprBase ce |
+      ce.getStaticTarget().getCanonicalPath() = "<cookie::Cookie>::build" and
+      node.asExpr().getExpr() = ce
+    )
+  }
+
+  predicate isSink(DataFlow::Node node) {
+    // qualifier of a call to `.build`.
+    exists(MethodCallExpr ce |
+      ce.getStaticTarget().getCanonicalPath() = "<cookie::builder::CookieBuilder>::build" and
+      node.asExpr().getExpr() = ce.getReceiver()
+    )
+  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+}
+
+module InsecureCookieFlow = TaintTracking::Global<InsecureCookieConfig>;
+
+from InsecureCookieFlow::PathNode sourceNode, InsecureCookieFlow::PathNode sinkNode
+where InsecureCookieFlow::flowPath(sourceNode, sinkNode)
+select sinkNode.getNode(), sourceNode, sinkNode, "Cookie attribute 'Secure' is not set to true."
--- a/rust/ql/test/query-tests/security/CWE-614/InsecureCookie.expected
+++ b/rust/ql/test/query-tests/security/CWE-614/InsecureCookie.expected
@@ -0,0 +1,6 @@
+#select
+| main.rs:16:19:16:50 | ...::build(...) | main.rs:16:19:16:50 | ...::build(...) | main.rs:16:19:16:50 | ...::build(...) | Cookie attribute 'Secure' is not set to true. |
+edges
+nodes
+| main.rs:16:19:16:50 | ...::build(...) | semmle.label | ...::build(...) |
+subpaths
--- a/rust/ql/test/query-tests/security/CWE-614/InsecureCookie.qlref
+++ b/rust/ql/test/query-tests/security/CWE-614/InsecureCookie.qlref
@@ -0,0 +1,4 @@
+query: queries/security/CWE-614/InsecureCookie.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
--- a/rust/ql/test/query-tests/security/CWE-614/main.rs
+++ b/rust/ql/test/query-tests/security/CWE-614/main.rs
@@ -13,7 +13,7 @@ fn test_cookie(sometimes: bool) {
    println!("cookie2 = '{}'", cookie2.to_string());

    // secure left as default (which is `None`, equivalent here to `false`)
-    let cookie3 = Cookie::build(("name", "value")).build(); // $ MISSING: Alert[rust/insecure-cookie]
+    let cookie3 = Cookie::build(("name", "value")).build(); // $ Alert[rust/insecure-cookie]
    println!("cookie3 = '{}'", cookie3.to_string());

    // secure setting varies (may be false)