hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #20776 from geoffw0/rustexamples

Browse Source 
Rust: Add example queries
This commit is contained in:
Geoffrey White
2025-11-18 09:34:48 +00:00
committed by GitHub
parent b90d0fd44c 9598772477
commit 9ab7f87603
7 changed files with 121 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
docs/codeql/reusables/rust-further-reading.rst
View File

@@ -1,2 +1,3 @@
- `CodeQL queries for Rust <https://github.com/github/codeql/tree/main/rust/ql/src>`__ - `CodeQL queries for Rust <https://github.com/github/codeql/tree/main/rust/ql/src>`__
- `Example queries for Rust <https://github.com/github/codeql/tree/main/rust/ql/examples>`__
- `CodeQL library reference for Rust <https://codeql.github.com/codeql-standard-libraries/rust/>`__ - `CodeQL library reference for Rust <https://codeql.github.com/codeql-standard-libraries/rust/>`__

4
rust/ql/examples/qlpack.lock.yml Normal file
View File

@@ -0,0 +1,4 @@
---
dependencies: {}
compiled: false
lockVersion: 1.0.0

7
rust/ql/examples/qlpack.yml Normal file
View File

@@ -0,0 +1,7 @@
name: codeql/rust-examples
groups:
- rust
- examples
dependencies:
codeql/rust-all: ${workspace}
warnOnImplicitThis: true

18
rust/ql/examples/snippets/empty_if.ql Normal file
View File

@@ -0,0 +1,18 @@
/**
* @name Empty 'if' expression
* @description Finds 'if' expressions where the "then" branch is empty and no
* "else" branch exists.
* @id rust/examples/empty-if
* @tags example
*/
import rust
// find 'if' expressions...
from IfExpr ifExpr
where
// where the 'then' branch is empty
ifExpr.getThen().getStmtList().getNumberOfStmtOrExpr() = 0 and
// and no 'else' branch exists
not ifExpr.hasElse()
select ifExpr, "This 'if' expression is redundant."

48
rust/ql/examples/snippets/simple_constant_password.ql Normal file
View File

@@ -0,0 +1,48 @@
/**
* @name Constant password
* @description Finds places where a string literal is used in a function call
* argument that looks like a password.
* @id rust/examples/simple-constant-password
* @tags example
*/
import rust
import codeql.rust.dataflow.DataFlow
import codeql.rust.dataflow.TaintTracking
/**
* A data flow configuration for tracking flow from a string literal to a function
* call argument that looks like a password. For example:
* ```
* fn set_password(password: &str) { ... }
*
* ...
*
* let pwd = "123456"; // source
* set_password(pwd); // sink (argument 0)
* ```
*/
module ConstantPasswordConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node node) {
// `node` is a string literal
node.asExpr().getExpr() instanceof StringLiteralExpr
}
predicate isSink(DataFlow::Node node) {
// `node` is an argument whose corresponding parameter name matches the pattern "pass%"
exists(CallExpr call, Function target, int argIndex, Variable v |
call.getStaticTarget() = target and
v.getParameter() = target.getParam(argIndex) and
v.getText().matches("pass%") and
call.getArg(argIndex) = node.asExpr().getExpr()
)
}
}
// instantiate the data flow configuration as a global taint tracking module
module ConstantPasswordFlow = TaintTracking::Global<ConstantPasswordConfig>;
// report flows from sources to sinks
from DataFlow::Node sourceNode, DataFlow::Node sinkNode
where ConstantPasswordFlow::flow(sourceNode, sinkNode)
select sinkNode, "The value $@ is used as a constant password.", sourceNode, sourceNode.toString()

39
rust/ql/examples/snippets/simple_sql_injection.ql Normal file
View File

@@ -0,0 +1,39 @@
/**
* @name Database query built from user-controlled sources
* @description Finds places where a value from a remote or local user input
* is used as the first argument of a call to `sqlx_core::query::query`.
* @id rust/examples/simple-sql-injection
* @tags example
*/
import rust
import codeql.rust.dataflow.DataFlow
import codeql.rust.dataflow.TaintTracking
import codeql.rust.Concepts
/**
* A data flow configuration for tracking flow from a user input (threat model
* source) to the first argument of a call to `sqlx_core::query::query`.
*/
module SqlInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node node) {
// `node` is a user input (threat model source)
node instanceof ActiveThreatModelSource
}
predicate isSink(DataFlow::Node node) {
// `node` is the first argument of a call to `sqlx_core::query::query`
exists(CallExpr call |
call.getStaticTarget().getCanonicalPath() = "sqlx_core::query::query" and
call.getArg(0) = node.asExpr().getExpr()
)
}
}
// instantiate the data flow configuration as a global taint tracking module
module SqlInjectionFlow = TaintTracking::Global<SqlInjectionConfig>;
// report flows from sources to sinks
from DataFlow::Node sourceNode, DataFlow::Node sinkNode
where SqlInjectionFlow::flow(sourceNode, sinkNode)
select sinkNode, "This query depends on a $@.", sourceNode, "user-provided value"

4
rust/ql/src/change-notes/2025-11-07-example-queries.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: newQuery
---
* Added three example queries (`rust/examples/empty-if`, `rust/examples/simple-sql-injection` and `rust/examples/simple-constant-password`) to help developers learn to write CodeQL queries for Rust.