Rust: Fix an issue with the local flow.

This commit is contained in:
Geoffrey White
2025-09-22 14:50:46 +01:00
parent a3ed83bfff
commit 94afc82304
4 changed files with 8 additions and 15 deletions


@@ -69,11 +69,13 @@ module InsecureCookie {
// check if the argument is always `true`
(
if
forex(DataFlow::Node argSourceNode | DataFlow::localFlow(argSourceNode, argNode) |
argSourceNode.asExpr().getExpr().(BooleanLiteralExpr).getTextValue() = "true"
forex(DataFlow::Node argSourceNode, BooleanLiteralExpr argSourceValue |
DataFlow::localFlow(argSourceNode, argNode) and
argSourceValue = argSourceNode.asExpr().getExpr() |
argSourceValue.getTextValue() = "true"
)
then value = true // `true` flow to here
else value = false // `false` or unknown
then value = true // `true` flows to here
else value = false // `false`, unknown, or multiple values
) and
// and find the node where this happens
(
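Review bot: The new `forex` in the first added lines moves the literal test into the range (`argSourceValue = argSourceNode.asExpr().getExpr()` with `argSourceValue` typed as `BooleanLiteralExpr`), so a local-flow source of `argNode` that is not a boolean literal is no longer counted against the argument but simply ignored; an argument fed by one `true` literal plus an opaque value (a parameter or call result on the other branch of a conditional, for instance) now yields `value = true`, while the rewritten else-branch comment still promises `false` for "unknown, or multiple values". This is presumably the intended fix for the old version being defeated by non-literal nodes that `localFlow` also reports for `argNode` itself, but it also silently turns a mixed-source argument into a non-alert. If that is not the intent, keep the literal-only range and add a conjunct that fails when some local-flow source of `argNode` that has no local predecessor is not a `BooleanLiteralExpr`; otherwise make the comment match the code, e.g. `else value = false // some literal is `false`, or no literal reaches here`. The enclosing predicate starts and ends outside this hunk.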


@@ -2,7 +2,7 @@
| main.rs:12:19:12:50 | ...::build(...) | secure | true |
| main.rs:20:5:20:36 | ...::build(...) | secure | false |
| main.rs:21:5:21:36 | ...::build(...) | secure | false |
| main.rs:24:5:24:36 | ...::build(...) | secure | false |
| main.rs:24:5:24:36 | ...::build(...) | secure | true |
| main.rs:25:5:25:36 | ...::build(...) | secure | false |
| main.rs:26:5:26:36 | ...::build(...) | secure | false |
| main.rs:27:5:27:36 | ...::build(...) | secure | false |


@@ -6,8 +6,6 @@
| main.rs:20:56:20:60 | build | main.rs:20:5:20:36 | ...::build(...) | main.rs:20:56:20:60 | build | Cookie attribute 'Secure' is not set to true. |
| main.rs:21:57:21:61 | build | main.rs:21:5:21:17 | ...::build | main.rs:21:57:21:61 | build | Cookie attribute 'Secure' is not set to true. |
| main.rs:21:57:21:61 | build | main.rs:21:5:21:36 | ...::build(...) | main.rs:21:57:21:61 | build | Cookie attribute 'Secure' is not set to true. |
| main.rs:24:53:24:57 | build | main.rs:24:5:24:17 | ...::build | main.rs:24:53:24:57 | build | Cookie attribute 'Secure' is not set to true. |
| main.rs:24:53:24:57 | build | main.rs:24:5:24:36 | ...::build(...) | main.rs:24:53:24:57 | build | Cookie attribute 'Secure' is not set to true. |
| main.rs:25:54:25:58 | build | main.rs:25:5:25:17 | ...::build | main.rs:25:54:25:58 | build | Cookie attribute 'Secure' is not set to true. |
| main.rs:25:54:25:58 | build | main.rs:25:5:25:36 | ...::build(...) | main.rs:25:54:25:58 | build | Cookie attribute 'Secure' is not set to true. |
| main.rs:26:52:26:56 | build | main.rs:26:5:26:17 | ...::build | main.rs:26:52:26:56 | build | Cookie attribute 'Secure' is not set to true. |
@@ -91,9 +89,6 @@ edges
| main.rs:21:5:21:17 | ...::build | main.rs:21:5:21:36 | ...::build(...) | provenance | Src:MaD:13 MaD:13 |
| main.rs:21:5:21:36 | ...::build(...) | main.rs:21:5:21:55 | ... .secure(...) | provenance | MaD:41 |
| main.rs:21:5:21:55 | ... .secure(...) | main.rs:21:57:21:61 | build | provenance | MaD:2 Sink:MaD:2 |
| main.rs:24:5:24:17 | ...::build | main.rs:24:5:24:36 | ...::build(...) | provenance | Src:MaD:13 MaD:13 |
| main.rs:24:5:24:36 | ...::build(...) | main.rs:24:5:24:51 | ... .secure(...) | provenance | MaD:41 |
| main.rs:24:5:24:51 | ... .secure(...) | main.rs:24:53:24:57 | build | provenance | MaD:2 Sink:MaD:2 |
| main.rs:25:5:25:17 | ...::build | main.rs:25:5:25:36 | ...::build(...) | provenance | Src:MaD:13 MaD:13 |
| main.rs:25:5:25:36 | ...::build(...) | main.rs:25:5:25:52 | ... .secure(...) | provenance | MaD:41 |
| main.rs:25:5:25:52 | ... .secure(...) | main.rs:25:54:25:58 | build | provenance | MaD:2 Sink:MaD:2 |
@@ -374,10 +369,6 @@ nodes
| main.rs:21:5:21:36 | ...::build(...) | semmle.label | ...::build(...) |
| main.rs:21:5:21:55 | ... .secure(...) | semmle.label | ... .secure(...) |
| main.rs:21:57:21:61 | build | semmle.label | build |
| main.rs:24:5:24:17 | ...::build | semmle.label | ...::build |
| main.rs:24:5:24:36 | ...::build(...) | semmle.label | ...::build(...) |
| main.rs:24:5:24:51 | ... .secure(...) | semmle.label | ... .secure(...) |
| main.rs:24:53:24:57 | build | semmle.label | build |
| main.rs:25:5:25:17 | ...::build | semmle.label | ...::build |
| main.rs:25:5:25:36 | ...::build(...) | semmle.label | ...::build(...) |
| main.rs:25:5:25:52 | ... .secure(...) | semmle.label | ... .secure(...) |


@@ -21,7 +21,7 @@ fn test_cookie(sometimes: bool) {
Cookie::build(("name", "value")).secure(!sometimes).build(); // $ Alert[rust/insecure-cookie]
// with data flow on the "secure" value
Cookie::build(("name", "value")).secure(always).build(); // $ SPURIOUS: Alert[rust/insecure-cookie]
Cookie::build(("name", "value")).secure(always).build(); // good
Cookie::build(("name", "value")).secure(!always).build(); // $ Alert[rust/insecure-cookie]
Cookie::build(("name", "value")).secure(never).build(); // $ Alert[rust/insecure-cookie]
Cookie::build(("name", "value")).secure(!never).build(); // $ SPURIOUS: Alert[rust/insecure-cookie]