Rust: fix CleartextLogging query

This commit is contained in:
Arthur Baars
2025-03-27 18:04:18 +00:00
parent 6dff6826f0
commit 7fc7b7cc04
3 changed files with 39 additions and 37 deletions


@@ -3,9 +3,11 @@ extensions:
pack: codeql/rust-all
extensible: sinkModel
data:
- ["repo:https://github.com/rust-lang/log:log", "crate::__private_api::log", "Argument[0]", "log-injection", "manual"] # args
- ["repo:https://github.com/rust-lang/log:log", "crate::__private_api::log", "Argument[2]", "log-injection", "manual"] # target
- ["repo:https://github.com/rust-lang/log:log", "crate::__private_api::log", "Argument[3]", "log-injection", "manual"] # key value
- ["repo:https://github.com/rust-lang/log:log", "crate::__private_api::log", "Argument[0]", "log-injection", "manual"] # logger / args (pre v0.4.27)
- ["repo:https://github.com/rust-lang/log:log", "crate::__private_api::log", "Argument[1]", "log-injection", "manual"] # args / level (pre v0.4.27)
- ["repo:https://github.com/rust-lang/log:log", "crate::__private_api::log", "Argument[2]", "log-injection", "manual"] # level / target (pre v0.4.27)
- ["repo:https://github.com/rust-lang/log:log", "crate::__private_api::log", "Argument[3]", "log-injection", "manual"] # target / key value (pre v0.4.27)
- ["repo:https://github.com/rust-lang/log:log", "crate::__private_api::log", "Argument[4]", "log-injection", "manual"] # key value
- ["lang:std", "crate::io::stdio::_print", "Argument[0]", "log-injection", "manual"]
- ["lang:std", "crate::io::stdio::_eprint", "Argument[0]", "log-injection", "manual"]
- ["lang:std", "<crate::io::stdio::StdoutLock as crate::io::Write>::write", "Argument[0]", "log-injection", "manual"]
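Review bot: The five rows at Argument[0] through Argument[4] are the union of the pre-0.4.27 and 0.4.27+ parameter layouts of `crate::__private_api::log`, so for any single crate version some modeled positions hold the logger or level rather than logged data (per the inline comments: Argument[0] and Argument[2] on 0.4.27+, Argument[1] on older versions). Those positions presumably receive a `Level` or logger handle rather than a string, so extra findings seem unlikely in practice, but the reason for modeling both layouts is visible only through the terse per-row comments; a comment above the rows stating that the model deliberately covers both layouts because the rows are not keyed by crate version would make the intent explicit to the next person who sees `level` marked as a log-injection sink. The Argument[4] comment `# key value` also drops the version qualifier the other rows use; `# key value (v0.4.27+)` keeps the convention consistent. The renumbered models in the third file section (`MaD:9` now Argument[1], `MaD:10` now Argument[3]) are consistent with this change.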


@@ -2,15 +2,15 @@
| main.rs:6:25:6:30 | &regex | main.rs:4:20:4:32 | ...::var | main.rs:6:25:6:30 | &regex | This regular expression is constructed from a $@. | main.rs:4:20:4:32 | ...::var | user-provided value |
edges
| main.rs:4:9:4:16 | username | main.rs:5:25:5:44 | MacroExpr | provenance | |
| main.rs:4:20:4:32 | ...::var | main.rs:4:20:4:40 | ...::var(...) [Ok] | provenance | Src:MaD:62 |
| main.rs:4:20:4:40 | ...::var(...) [Ok] | main.rs:4:20:4:66 | ... .unwrap_or(...) | provenance | MaD:1625 |
| main.rs:4:20:4:32 | ...::var | main.rs:4:20:4:40 | ...::var(...) [Ok] | provenance | Src:MaD:64 |
| main.rs:4:20:4:40 | ...::var(...) [Ok] | main.rs:4:20:4:66 | ... .unwrap_or(...) | provenance | MaD:1627 |
| main.rs:4:20:4:66 | ... .unwrap_or(...) | main.rs:4:9:4:16 | username | provenance | |
| main.rs:5:9:5:13 | regex | main.rs:6:26:6:30 | regex | provenance | |
| main.rs:5:17:5:45 | res | main.rs:5:25:5:44 | { ... } | provenance | |
| main.rs:5:25:5:44 | ...::format(...) | main.rs:5:17:5:45 | res | provenance | |
| main.rs:5:25:5:44 | ...::must_use(...) | main.rs:5:9:5:13 | regex | provenance | |
| main.rs:5:25:5:44 | MacroExpr | main.rs:5:25:5:44 | ...::format(...) | provenance | MaD:98 |
| main.rs:5:25:5:44 | { ... } | main.rs:5:25:5:44 | ...::must_use(...) | provenance | MaD:3048 |
| main.rs:5:25:5:44 | MacroExpr | main.rs:5:25:5:44 | ...::format(...) | provenance | MaD:100 |
| main.rs:5:25:5:44 | { ... } | main.rs:5:25:5:44 | ...::must_use(...) | provenance | MaD:3050 |
| main.rs:6:26:6:30 | regex | main.rs:6:25:6:30 | &regex | provenance | |
nodes
| main.rs:4:9:4:16 | username | semmle.label | username |


@@ -15,14 +15,14 @@
| test_logging.rs:65:5:65:48 | ...::log | test_logging.rs:65:40:65:47 | password | test_logging.rs:65:5:65:48 | ...::log | This operation writes $@ to a log file. | test_logging.rs:65:40:65:47 | password | password |
| test_logging.rs:67:5:67:66 | ...::log | test_logging.rs:67:58:67:65 | password | test_logging.rs:67:5:67:66 | ...::log | This operation writes $@ to a log file. | test_logging.rs:67:58:67:65 | password | password |
| test_logging.rs:68:5:68:67 | ...::log | test_logging.rs:68:19:68:26 | password | test_logging.rs:68:5:68:67 | ...::log | This operation writes $@ to a log file. | test_logging.rs:68:19:68:26 | password | password |
| test_logging.rs:72:5:72:47 | ...::log::<...> | test_logging.rs:72:39:72:46 | password | test_logging.rs:72:5:72:47 | ...::log::<...> | This operation writes $@ to a log file. | test_logging.rs:72:39:72:46 | password | password |
| test_logging.rs:74:5:74:65 | ...::log::<...> | test_logging.rs:74:57:74:64 | password | test_logging.rs:74:5:74:65 | ...::log::<...> | This operation writes $@ to a log file. | test_logging.rs:74:57:74:64 | password | password |
| test_logging.rs:75:5:75:51 | ...::log::<...> | test_logging.rs:75:21:75:28 | password | test_logging.rs:75:5:75:51 | ...::log::<...> | This operation writes $@ to a log file. | test_logging.rs:75:21:75:28 | password | password |
| test_logging.rs:76:5:76:47 | ...::log::<...> | test_logging.rs:76:39:76:46 | password | test_logging.rs:76:5:76:47 | ...::log::<...> | This operation writes $@ to a log file. | test_logging.rs:76:39:76:46 | password | password |
| test_logging.rs:82:5:82:44 | ...::log::<...> | test_logging.rs:82:36:82:43 | password | test_logging.rs:82:5:82:44 | ...::log::<...> | This operation writes $@ to a log file. | test_logging.rs:82:36:82:43 | password | password |
| test_logging.rs:84:5:84:62 | ...::log::<...> | test_logging.rs:84:54:84:61 | password | test_logging.rs:84:5:84:62 | ...::log::<...> | This operation writes $@ to a log file. | test_logging.rs:84:54:84:61 | password | password |
| test_logging.rs:85:5:85:48 | ...::log::<...> | test_logging.rs:85:21:85:28 | password | test_logging.rs:85:5:85:48 | ...::log::<...> | This operation writes $@ to a log file. | test_logging.rs:85:21:85:28 | password | password |
| test_logging.rs:86:5:86:44 | ...::log::<...> | test_logging.rs:86:36:86:43 | password | test_logging.rs:86:5:86:44 | ...::log::<...> | This operation writes $@ to a log file. | test_logging.rs:86:36:86:43 | password | password |
| test_logging.rs:72:5:72:47 | ...::log | test_logging.rs:72:39:72:46 | password | test_logging.rs:72:5:72:47 | ...::log | This operation writes $@ to a log file. | test_logging.rs:72:39:72:46 | password | password |
| test_logging.rs:74:5:74:65 | ...::log | test_logging.rs:74:57:74:64 | password | test_logging.rs:74:5:74:65 | ...::log | This operation writes $@ to a log file. | test_logging.rs:74:57:74:64 | password | password |
| test_logging.rs:75:5:75:51 | ...::log | test_logging.rs:75:21:75:28 | password | test_logging.rs:75:5:75:51 | ...::log | This operation writes $@ to a log file. | test_logging.rs:75:21:75:28 | password | password |
| test_logging.rs:76:5:76:47 | ...::log | test_logging.rs:76:39:76:46 | password | test_logging.rs:76:5:76:47 | ...::log | This operation writes $@ to a log file. | test_logging.rs:76:39:76:46 | password | password |
| test_logging.rs:82:5:82:44 | ...::log | test_logging.rs:82:36:82:43 | password | test_logging.rs:82:5:82:44 | ...::log | This operation writes $@ to a log file. | test_logging.rs:82:36:82:43 | password | password |
| test_logging.rs:84:5:84:62 | ...::log | test_logging.rs:84:54:84:61 | password | test_logging.rs:84:5:84:62 | ...::log | This operation writes $@ to a log file. | test_logging.rs:84:54:84:61 | password | password |
| test_logging.rs:85:5:85:48 | ...::log | test_logging.rs:85:21:85:28 | password | test_logging.rs:85:5:85:48 | ...::log | This operation writes $@ to a log file. | test_logging.rs:85:21:85:28 | password | password |
| test_logging.rs:86:5:86:44 | ...::log | test_logging.rs:86:36:86:43 | password | test_logging.rs:86:5:86:44 | ...::log | This operation writes $@ to a log file. | test_logging.rs:86:36:86:43 | password | password |
| test_logging.rs:94:5:94:29 | ...::log | test_logging.rs:93:15:93:22 | password | test_logging.rs:94:5:94:29 | ...::log | This operation writes $@ to a log file. | test_logging.rs:93:15:93:22 | password | password |
| test_logging.rs:97:5:97:19 | ...::log | test_logging.rs:96:42:96:49 | password | test_logging.rs:97:5:97:19 | ...::log | This operation writes $@ to a log file. | test_logging.rs:96:42:96:49 | password | password |
| test_logging.rs:100:5:100:19 | ...::log | test_logging.rs:99:38:99:45 | password | test_logging.rs:100:5:100:19 | ...::log | This operation writes $@ to a log file. | test_logging.rs:99:38:99:45 | password | password |
@@ -94,35 +94,35 @@ edges
| test_logging.rs:68:18:68:26 | TupleExpr [tuple.0] | test_logging.rs:68:18:68:26 | &... [&ref, tuple.0] | provenance | |
| test_logging.rs:68:19:68:26 | password | test_logging.rs:68:18:68:26 | &password | provenance | Config |
| test_logging.rs:68:19:68:26 | password | test_logging.rs:68:18:68:26 | &password [&ref] | provenance | |
| test_logging.rs:72:23:72:46 | MacroExpr | test_logging.rs:72:5:72:47 | ...::log::<...> | provenance | MaD:9 Sink:MaD:9 |
| test_logging.rs:72:23:72:46 | MacroExpr | test_logging.rs:72:5:72:47 | ...::log | provenance | MaD:9 Sink:MaD:9 |
| test_logging.rs:72:39:72:46 | password | test_logging.rs:72:23:72:46 | MacroExpr | provenance | |
| test_logging.rs:74:41:74:64 | MacroExpr | test_logging.rs:74:5:74:65 | ...::log::<...> | provenance | MaD:9 Sink:MaD:9 |
| test_logging.rs:74:41:74:64 | MacroExpr | test_logging.rs:74:5:74:65 | ...::log | provenance | MaD:9 Sink:MaD:9 |
| test_logging.rs:74:57:74:64 | password | test_logging.rs:74:41:74:64 | MacroExpr | provenance | |
| test_logging.rs:75:20:75:28 | &... [&ref, tuple.0, &ref] | test_logging.rs:75:5:75:51 | ...::log::<...> | provenance | MaD:10 Sink:MaD:10 Sink:MaD:10 |
| test_logging.rs:75:20:75:28 | &... [&ref, tuple.0, &ref] | test_logging.rs:75:5:75:51 | ...::log::<...> | provenance | MaD:10 Sink:MaD:10 Sink:MaD:10 Sink:MaD:10 |
| test_logging.rs:75:20:75:28 | &... [&ref, tuple.0] | test_logging.rs:75:5:75:51 | ...::log::<...> | provenance | MaD:10 Sink:MaD:10 Sink:MaD:10 |
| test_logging.rs:75:20:75:28 | &... [&ref, tuple.0, &ref] | test_logging.rs:75:5:75:51 | ...::log | provenance | MaD:10 Sink:MaD:10 Sink:MaD:10 |
| test_logging.rs:75:20:75:28 | &... [&ref, tuple.0, &ref] | test_logging.rs:75:5:75:51 | ...::log | provenance | MaD:10 Sink:MaD:10 Sink:MaD:10 Sink:MaD:10 |
| test_logging.rs:75:20:75:28 | &... [&ref, tuple.0] | test_logging.rs:75:5:75:51 | ...::log | provenance | MaD:10 Sink:MaD:10 Sink:MaD:10 |
| test_logging.rs:75:20:75:28 | &password | test_logging.rs:75:20:75:28 | TupleExpr [tuple.0] | provenance | |
| test_logging.rs:75:20:75:28 | &password [&ref] | test_logging.rs:75:20:75:28 | TupleExpr [tuple.0, &ref] | provenance | |
| test_logging.rs:75:20:75:28 | TupleExpr [tuple.0, &ref] | test_logging.rs:75:20:75:28 | &... [&ref, tuple.0, &ref] | provenance | |
| test_logging.rs:75:20:75:28 | TupleExpr [tuple.0] | test_logging.rs:75:20:75:28 | &... [&ref, tuple.0] | provenance | |
| test_logging.rs:75:21:75:28 | password | test_logging.rs:75:20:75:28 | &password | provenance | Config |
| test_logging.rs:75:21:75:28 | password | test_logging.rs:75:20:75:28 | &password [&ref] | provenance | |
| test_logging.rs:76:23:76:46 | MacroExpr | test_logging.rs:76:5:76:47 | ...::log::<...> | provenance | MaD:9 Sink:MaD:9 |
| test_logging.rs:76:23:76:46 | MacroExpr | test_logging.rs:76:5:76:47 | ...::log | provenance | MaD:9 Sink:MaD:9 |
| test_logging.rs:76:39:76:46 | password | test_logging.rs:76:23:76:46 | MacroExpr | provenance | |
| test_logging.rs:82:20:82:43 | MacroExpr | test_logging.rs:82:5:82:44 | ...::log::<...> | provenance | MaD:9 Sink:MaD:9 |
| test_logging.rs:82:20:82:43 | MacroExpr | test_logging.rs:82:5:82:44 | ...::log | provenance | MaD:9 Sink:MaD:9 |
| test_logging.rs:82:36:82:43 | password | test_logging.rs:82:20:82:43 | MacroExpr | provenance | |
| test_logging.rs:84:38:84:61 | MacroExpr | test_logging.rs:84:5:84:62 | ...::log::<...> | provenance | MaD:9 Sink:MaD:9 |
| test_logging.rs:84:38:84:61 | MacroExpr | test_logging.rs:84:5:84:62 | ...::log | provenance | MaD:9 Sink:MaD:9 |
| test_logging.rs:84:54:84:61 | password | test_logging.rs:84:38:84:61 | MacroExpr | provenance | |
| test_logging.rs:85:20:85:28 | &... [&ref, tuple.0, &ref] | test_logging.rs:85:5:85:48 | ...::log::<...> | provenance | MaD:10 Sink:MaD:10 Sink:MaD:10 |
| test_logging.rs:85:20:85:28 | &... [&ref, tuple.0, &ref] | test_logging.rs:85:5:85:48 | ...::log::<...> | provenance | MaD:10 Sink:MaD:10 Sink:MaD:10 Sink:MaD:10 |
| test_logging.rs:85:20:85:28 | &... [&ref, tuple.0] | test_logging.rs:85:5:85:48 | ...::log::<...> | provenance | MaD:10 Sink:MaD:10 Sink:MaD:10 |
| test_logging.rs:85:20:85:28 | &... [&ref, tuple.0, &ref] | test_logging.rs:85:5:85:48 | ...::log | provenance | MaD:10 Sink:MaD:10 Sink:MaD:10 |
| test_logging.rs:85:20:85:28 | &... [&ref, tuple.0, &ref] | test_logging.rs:85:5:85:48 | ...::log | provenance | MaD:10 Sink:MaD:10 Sink:MaD:10 Sink:MaD:10 |
| test_logging.rs:85:20:85:28 | &... [&ref, tuple.0] | test_logging.rs:85:5:85:48 | ...::log | provenance | MaD:10 Sink:MaD:10 Sink:MaD:10 |
| test_logging.rs:85:20:85:28 | &password | test_logging.rs:85:20:85:28 | TupleExpr [tuple.0] | provenance | |
| test_logging.rs:85:20:85:28 | &password [&ref] | test_logging.rs:85:20:85:28 | TupleExpr [tuple.0, &ref] | provenance | |
| test_logging.rs:85:20:85:28 | TupleExpr [tuple.0, &ref] | test_logging.rs:85:20:85:28 | &... [&ref, tuple.0, &ref] | provenance | |
| test_logging.rs:85:20:85:28 | TupleExpr [tuple.0] | test_logging.rs:85:20:85:28 | &... [&ref, tuple.0] | provenance | |
| test_logging.rs:85:21:85:28 | password | test_logging.rs:85:20:85:28 | &password | provenance | Config |
| test_logging.rs:85:21:85:28 | password | test_logging.rs:85:20:85:28 | &password [&ref] | provenance | |
| test_logging.rs:86:20:86:43 | MacroExpr | test_logging.rs:86:5:86:44 | ...::log::<...> | provenance | MaD:9 Sink:MaD:9 |
| test_logging.rs:86:20:86:43 | MacroExpr | test_logging.rs:86:5:86:44 | ...::log | provenance | MaD:9 Sink:MaD:9 |
| test_logging.rs:86:36:86:43 | password | test_logging.rs:86:20:86:43 | MacroExpr | provenance | |
| test_logging.rs:93:9:93:10 | m1 | test_logging.rs:94:11:94:28 | MacroExpr | provenance | |
| test_logging.rs:93:14:93:22 | &password | test_logging.rs:93:9:93:10 | m1 | provenance | |
@@ -224,8 +224,8 @@ models
| 6 | Sink: lang:std; <crate::io::stdio::StdoutLock as crate::io::Write>::write_all; log-injection; Argument[0] |
| 7 | Sink: lang:std; crate::io::stdio::_eprint; log-injection; Argument[0] |
| 8 | Sink: lang:std; crate::io::stdio::_print; log-injection; Argument[0] |
| 9 | Sink: repo:https://github.com/rust-lang/log:log; crate::__private_api::log; log-injection; Argument[0] |
| 10 | Sink: repo:https://github.com/rust-lang/log:log; crate::__private_api::log; log-injection; Argument[2] |
| 9 | Sink: repo:https://github.com/rust-lang/log:log; crate::__private_api::log; log-injection; Argument[1] |
| 10 | Sink: repo:https://github.com/rust-lang/log:log; crate::__private_api::log; log-injection; Argument[3] |
| 11 | Summary: lang:alloc; <crate::string::String>::as_bytes; Argument[self]; ReturnValue; taint |
| 12 | Summary: lang:alloc; <crate::string::String>::as_str; Argument[self]; ReturnValue; taint |
| 13 | Summary: lang:alloc; crate::fmt::format; Argument[0]; ReturnValue; taint |
@@ -289,13 +289,13 @@ nodes
| test_logging.rs:68:18:68:26 | TupleExpr [tuple.0, &ref] | semmle.label | TupleExpr [tuple.0, &ref] |
| test_logging.rs:68:18:68:26 | TupleExpr [tuple.0] | semmle.label | TupleExpr [tuple.0] |
| test_logging.rs:68:19:68:26 | password | semmle.label | password |
| test_logging.rs:72:5:72:47 | ...::log::<...> | semmle.label | ...::log::<...> |
| test_logging.rs:72:5:72:47 | ...::log | semmle.label | ...::log |
| test_logging.rs:72:23:72:46 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:72:39:72:46 | password | semmle.label | password |
| test_logging.rs:74:5:74:65 | ...::log::<...> | semmle.label | ...::log::<...> |
| test_logging.rs:74:5:74:65 | ...::log | semmle.label | ...::log |
| test_logging.rs:74:41:74:64 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:74:57:74:64 | password | semmle.label | password |
| test_logging.rs:75:5:75:51 | ...::log::<...> | semmle.label | ...::log::<...> |
| test_logging.rs:75:5:75:51 | ...::log | semmle.label | ...::log |
| test_logging.rs:75:20:75:28 | &... [&ref, tuple.0, &ref] | semmle.label | &... [&ref, tuple.0, &ref] |
| test_logging.rs:75:20:75:28 | &... [&ref, tuple.0] | semmle.label | &... [&ref, tuple.0] |
| test_logging.rs:75:20:75:28 | &password | semmle.label | &password |
@@ -303,16 +303,16 @@ nodes
| test_logging.rs:75:20:75:28 | TupleExpr [tuple.0, &ref] | semmle.label | TupleExpr [tuple.0, &ref] |
| test_logging.rs:75:20:75:28 | TupleExpr [tuple.0] | semmle.label | TupleExpr [tuple.0] |
| test_logging.rs:75:21:75:28 | password | semmle.label | password |
| test_logging.rs:76:5:76:47 | ...::log::<...> | semmle.label | ...::log::<...> |
| test_logging.rs:76:5:76:47 | ...::log | semmle.label | ...::log |
| test_logging.rs:76:23:76:46 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:76:39:76:46 | password | semmle.label | password |
| test_logging.rs:82:5:82:44 | ...::log::<...> | semmle.label | ...::log::<...> |
| test_logging.rs:82:5:82:44 | ...::log | semmle.label | ...::log |
| test_logging.rs:82:20:82:43 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:82:36:82:43 | password | semmle.label | password |
| test_logging.rs:84:5:84:62 | ...::log::<...> | semmle.label | ...::log::<...> |
| test_logging.rs:84:5:84:62 | ...::log | semmle.label | ...::log |
| test_logging.rs:84:38:84:61 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:84:54:84:61 | password | semmle.label | password |
| test_logging.rs:85:5:85:48 | ...::log::<...> | semmle.label | ...::log::<...> |
| test_logging.rs:85:5:85:48 | ...::log | semmle.label | ...::log |
| test_logging.rs:85:20:85:28 | &... [&ref, tuple.0, &ref] | semmle.label | &... [&ref, tuple.0, &ref] |
| test_logging.rs:85:20:85:28 | &... [&ref, tuple.0] | semmle.label | &... [&ref, tuple.0] |
| test_logging.rs:85:20:85:28 | &password | semmle.label | &password |
@@ -320,7 +320,7 @@ nodes
| test_logging.rs:85:20:85:28 | TupleExpr [tuple.0, &ref] | semmle.label | TupleExpr [tuple.0, &ref] |
| test_logging.rs:85:20:85:28 | TupleExpr [tuple.0] | semmle.label | TupleExpr [tuple.0] |
| test_logging.rs:85:21:85:28 | password | semmle.label | password |
| test_logging.rs:86:5:86:44 | ...::log::<...> | semmle.label | ...::log::<...> |
| test_logging.rs:86:5:86:44 | ...::log | semmle.label | ...::log |
| test_logging.rs:86:20:86:43 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:86:36:86:43 | password | semmle.label | password |
| test_logging.rs:93:9:93:10 | m1 | semmle.label | m1 |