Rust: Allow rows to be direct sources of taint as well.

2025-12-17 01:03:14 +01:00 · 2025-10-13 15:49:22 +01:00
parent f310d535ae
commit 8f7d3798ad
5 changed files with 628 additions and 509 deletions
--- a/rust/ql/lib/codeql/rust/frameworks/mysql-async.model.yml
+++ b/rust/ql/lib/codeql/rust/frameworks/mysql-async.model.yml
@@ -21,10 +21,16 @@ extensions:
      - ["<_ as mysql_async::queryable::Queryable>::exec_first", "ReturnValue.Future.Field[core::result::Result::Ok(0)].Field[core::option::Option::Some(0)]", "database", "manual"]
      - ["<_ as mysql_async::queryable::Queryable>::query_fold", "Argument[2].Parameter[1]", "database", "manual"]
      - ["<_ as mysql_async::queryable::Queryable>::exec_fold", "Argument[3].Parameter[1]", "database", "manual"]
-      - ["<mysql_async::conn::Conn as mysql_async::queryable::Queryable>::query_iter", "ReturnValue.Future.Field[core::result::Result::Ok(0)]", "database", "manual"]
-      - ["<mysql_async::conn::Conn as mysql_async::queryable::Queryable>::exec_iter", "ReturnValue.Future.Field[core::result::Result::Ok(0)]", "database", "manual"]
+      - ["<mysql_async::conn::Conn as mysql_async::queryable::Queryable>::query_iter", "ReturnValue.Future.Field[core::result::Result::Ok(0)].Element", "database", "manual"]
+      - ["<mysql_async::conn::Conn as mysql_async::queryable::Queryable>::exec_iter", "ReturnValue.Future.Field[core::result::Result::Ok(0)].Element", "database", "manual"]
      - ["<_ as mysql_async::queryable::Queryable>::query_map", "Argument[1].Parameter[0]", "database", "manual"]
      - ["<_ as mysql_async::queryable::Queryable>::exec_map", "Argument[2].Parameter[0]", "database", "manual"]
+      - ["<mysql_common::row::Row>::get", "ReturnValue.Field[core::option::Option::Some(0)]", "database", "manual"]
+      - ["<mysql_common::row::Row>::get_opt", "ReturnValue.Field[core::option::Option::Some(0)].Field[core::result::Result::Ok(0)]", "database", "manual"]
+      - ["<mysql_common::row::Row>::take", "ReturnValue.Field[core::option::Option::Some(0)]", "database", "manual"]
+      - ["<mysql_common::row::Row>::take_opt", "ReturnValue.Field[core::option::Option::Some(0)].Field[core::result::Result::Ok(0)]", "database", "manual"]
+      - ["<mysql_common::row::Row>::as_ref", "ReturnValue.Field[core::option::Option::Some(0)].Reference", "database", "manual"]
+      - ["<mysql_common::row::Row>::unwrap", "ReturnValue.Element", "database", "manual"]
  - addsTo:
      pack: codeql/rust-all
      extensible: summaryModel
--- a/rust/ql/lib/codeql/rust/frameworks/mysql.model.yml
+++ b/rust/ql/lib/codeql/rust/frameworks/mysql.model.yml
@@ -30,8 +30,8 @@ extensions:
      - ["<_ as mysql::conn::queryable::Queryable>::exec_fold", "Argument[3].Parameter[1]", "database", "manual"]
      - ["<_ as mysql::conn::queryable::Queryable>::query_fold_opt", "Argument[2].Parameter[1].Field[core::result::Result::Ok(0)]", "database", "manual"]
      - ["<_ as mysql::conn::queryable::Queryable>::exec_fold_opt", "Argument[3].Parameter[1].Field[core::result::Result::Ok(0)]", "database", "manual"]
-      - ["<mysql::conn::pool::PooledConn as mysql::conn::queryable::Queryable>::query_iter", "ReturnValue.Field[core::result::Result::Ok(0)]", "database", "manual"]
-      - ["<mysql::conn::pool::PooledConn as mysql::conn::queryable::Queryable>::exec_iter", "ReturnValue.Field[core::result::Result::Ok(0)]", "database", "manual"]
+      - ["<mysql::conn::pool::PooledConn as mysql::conn::queryable::Queryable>::query_iter", "ReturnValue.Field[core::result::Result::Ok(0)].Element", "database", "manual"]
+      - ["<mysql::conn::pool::PooledConn as mysql::conn::queryable::Queryable>::exec_iter", "ReturnValue.Field[core::result::Result::Ok(0)].Element", "database", "manual"]
      - ["<_ as mysql::conn::queryable::Queryable>::query_map", "Argument[1].Parameter[0]", "database", "manual"]
      - ["<_ as mysql::conn::queryable::Queryable>::query_map_opt", "Argument[1].Parameter[0].Field[core::result::Result::Ok(0)]", "database", "manual"]
      - ["<_ as mysql::conn::queryable::Queryable>::exec_map", "Argument[2].Parameter[0]", "database", "manual"]
--- a/rust/ql/test/library-tests/dataflow/sources/InlineFlow.expected
+++ b/rust/ql/test/library-tests/dataflow/sources/InlineFlow.expected
--- a/rust/ql/test/library-tests/dataflow/sources/TaintSources.expected
+++ b/rust/ql/test/library-tests/dataflow/sources/TaintSources.expected
@@ -88,13 +88,24 @@
 | test.rs:841:22:841:49 | ...::connect | Flow source 'RemoteSource' of type remote (DEFAULT). |
 | test.rs:867:22:867:50 | ...::new | Flow source 'RemoteSource' of type remote (DEFAULT). |
 | test.rs:902:47:902:51 | query | Flow source 'DatabaseSource' of type database (DEFAULT). |
+| test.rs:905:28:905:30 | get | Flow source 'DatabaseSource' of type database (DEFAULT). |
+| test.rs:908:28:908:34 | get_opt | Flow source 'DatabaseSource' of type database (DEFAULT). |
+| test.rs:911:28:911:31 | take | Flow source 'DatabaseSource' of type database (DEFAULT). |
+| test.rs:914:28:914:35 | take_opt | Flow source 'DatabaseSource' of type database (DEFAULT). |
+| test.rs:917:26:917:31 | as_ref | Flow source 'DatabaseSource' of type database (DEFAULT). |
 | test.rs:924:28:924:38 | query_first | Flow source 'DatabaseSource' of type database (DEFAULT). |
 | test.rs:927:27:927:35 | exec_iter | Flow source 'DatabaseSource' of type database (DEFAULT). |
+| test.rs:928:42:928:44 | get | Flow source 'DatabaseSource' of type database (DEFAULT). |
 | test.rs:935:22:935:30 | query_map | Flow source 'DatabaseSource' of type database (DEFAULT). |
 | test.rs:942:22:942:30 | query_map | Flow source 'DatabaseSource' of type database (DEFAULT). |
 | test.rs:951:26:951:35 | query_fold | Flow source 'DatabaseSource' of type database (DEFAULT). |
 | test.rs:957:22:957:31 | query_fold | Flow source 'DatabaseSource' of type database (DEFAULT). |
 | test.rs:989:47:989:51 | query | Flow source 'DatabaseSource' of type database (DEFAULT). |
+| test.rs:992:28:992:30 | get | Flow source 'DatabaseSource' of type database (DEFAULT). |
+| test.rs:995:28:995:34 | get_opt | Flow source 'DatabaseSource' of type database (DEFAULT). |
+| test.rs:998:28:998:31 | take | Flow source 'DatabaseSource' of type database (DEFAULT). |
+| test.rs:1001:28:1001:35 | take_opt | Flow source 'DatabaseSource' of type database (DEFAULT). |
+| test.rs:1004:26:1004:31 | as_ref | Flow source 'DatabaseSource' of type database (DEFAULT). |
 | test.rs:1011:28:1011:38 | query_first | Flow source 'DatabaseSource' of type database (DEFAULT). |
 | test.rs:1014:27:1014:35 | exec_iter | Flow source 'DatabaseSource' of type database (DEFAULT). |
 | test.rs:1022:22:1022:30 | query_map | Flow source 'DatabaseSource' of type database (DEFAULT). |
--- a/rust/ql/test/library-tests/dataflow/sources/test.rs
+++ b/rust/ql/test/library-tests/dataflow/sources/test.rs
@@ -902,30 +902,30 @@ mod test_mysql {
        let mut rows : Vec<mysql::Row> = conn.query("SELECT id, name, age FROM person")?; // $ Alert[rust/summary/taint-sources]
        let mut row = &mut rows[0];

-        let v1 : i64 = row.get(0).unwrap(); // $ MISSING: Alert[rust/summary/taint-sources]
-        sink(v1); // $ MISSING: hasTaintFlow
+        let v1 : i64 = row.get(0).unwrap(); // $ Alert[rust/summary/taint-sources]
+        sink(v1); // $ hasTaintFlow=0

-        let v2 : i64 = row.get_opt(0).unwrap().unwrap(); // $ MISSING: Alert[rust/summary/taint-sources]
-        sink(v2); // $ MISSING: hasTaintFlow
+        let v2 : i64 = row.get_opt(0).unwrap().unwrap(); // $ Alert[rust/summary/taint-sources]
+        sink(v2); // $ hasTaintFlow=0

-        let v3 : i64 = row.take(0).unwrap(); // $ MISSING: Alert[rust/summary/taint-sources]
-        sink(v3); // $ MISSING: hasTaintFlow
+        let v3 : i64 = row.take(0).unwrap(); // $ Alert[rust/summary/taint-sources]
+        sink(v3); // $ hasTaintFlow=0

-        let v4 : i64 = row.take_opt(0).unwrap().unwrap(); // $ MISSING: Alert[rust/summary/taint-sources]
-        sink(v4); // $ MISSING: hasTaintFlow
+        let v4 : i64 = row.take_opt(0).unwrap().unwrap(); // $ Alert[rust/summary/taint-sources]
+        sink(v4); // $ hasTaintFlow=0

-        let value5 = row.as_ref(0).unwrap(); // $ MISSING: Alert[rust/summary/taint-sources]
+        let value5 = row.as_ref(0).unwrap(); // $ Alert[rust/summary/taint-sources]
        if let mysql::Value::Int(v) = value5 {
-            sink(v); // $ MISSING: hasTaintFlow
+            sink(v); // $ MISSING: hasTaintFlow=0
        } else if let mysql::Value::Bytes(v) = value5 {
-            sink(v); // $ MISSING: hasTaintFlow
+            sink(v); // $ MISSING: hasTaintFlow=0
        }

        let v6: i64 = conn.query_first("SELECT id FROM person")?.unwrap(); // $ Alert[rust/summary/taint-sources]
        sink(v6); // $ hasTaintFlow

        let mut t1 = conn.exec_iter("SELECT id FROM person", (1, 2, 3))?; // $ Alert[rust/summary/taint-sources]
-        sink(t1.nth(0).unwrap().unwrap().get::<i64, usize>(0).unwrap()); // $ MISSING: hasTaintFlow
+        sink(t1.nth(0).unwrap().unwrap().get::<i64, usize>(1).unwrap()); // $ Alert[rust/summary/taint-sources] hasTaintFlow=1
        for row in t1 {
            for v in row {
                sink(v); // $ hasTaintFlow
@@ -989,23 +989,23 @@ mod test_mysql_async {
        let mut rows : Vec<mysql::Row> = conn.query("SELECT id, name, age FROM person").await?; // $ Alert[rust/summary/taint-sources]
        let mut row = &mut rows[0];

-        let v1 : i64 = row.get(0).unwrap(); // $ MISSING: Alert[rust/summary/taint-sources]
-        sink(v1); // $ MISSING: hasTaintFlow
+        let v1 : i64 = row.get(0).unwrap(); // $ Alert[rust/summary/taint-sources]
+        sink(v1); // $ hasTaintFlow=0

-        let v2 : i64 = row.get_opt(0).unwrap().unwrap(); // $ MISSING: Alert[rust/summary/taint-sources]
-        sink(v2); // $ MISSING: hasTaintFlow
+        let v2 : i64 = row.get_opt(0).unwrap().unwrap(); // $ Alert[rust/summary/taint-sources]
+        sink(v2); // $ hasTaintFlow=0

-        let v3 : i64 = row.take(0).unwrap(); // $ MISSING: Alert[rust/summary/taint-sources]
-        sink(v3); // $ MISSING: hasTaintFlow
+        let v3 : i64 = row.take(0).unwrap(); // $ Alert[rust/summary/taint-sources]
+        sink(v3); // $ hasTaintFlow=0

-        let v4 : i64 = row.take_opt(0).unwrap().unwrap(); // $ MISSING: Alert[rust/summary/taint-sources]
-        sink(v4); // $ MISSING: hasTaintFlow
+        let v4 : i64 = row.take_opt(0).unwrap().unwrap(); // $ Alert[rust/summary/taint-sources]
+        sink(v4); // $ hasTaintFlow=0

-        let value5 = row.as_ref(0).unwrap(); // $ MISSING: Alert[rust/summary/taint-sources]
+        let value5 = row.as_ref(0).unwrap(); // $ Alert[rust/summary/taint-sources]
        if let mysql::Value::Int(v) = value5 {
-            sink(v); // $ MISSING: hasTaintFlow
+            sink(v); // $ MISSING: hasTaintFlow=0
        } else if let mysql::Value::Bytes(v) = value5 {
-            sink(v); // $ MISSING: hasTaintFlow
+            sink(v); // $ MISSING: hasTaintFlow=0
        }

        let v6: i64 = conn.query_first("SELECT id FROM person").await?.unwrap(); // $ Alert[rust/summary/taint-sources]