mirror of
https://github.com/github/codeql.git
synced 2026-04-25 16:55:19 +02:00
Rust: Add additional models for stdlib and sqlx
This commit is contained in:
Simon Friis Vindum
6
rust/ql/lib/codeql/rust/frameworks/reqwest.model.yml
Normal file
6
rust/ql/lib/codeql/rust/frameworks/reqwest.model.yml
Normal file
@@ -0,0 +1,6 @@
|
||||
extensions:
|
||||
- addsTo:
|
||||
pack: codeql/rust-all
|
||||
extensible: summaryModel
|
||||
data:
|
||||
- ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::blocking::response::Response>::text", "Argument[self]", "ReturnValue", "taint", "manual"]
|
||||
@@ -3,4 +3,17 @@ extensions:
|
||||
pack: codeql/rust-all
|
||||
extensible: summaryModel
|
||||
data:
|
||||
# Option
|
||||
- ["lang:core", "<crate::option::Option>::unwrap", "Argument[self].Variant[crate::option::Option::Some(0)]", "ReturnValue", "value", "manual"]
|
||||
- ["lang:core", "<crate::option::Option>::unwrap", "Argument[self]", "ReturnValue", "taint", "manual"]
|
||||
- ["lang:core", "<crate::option::Option>::unwrap_or", "Argument[self].Variant[crate::option::Option::Some(0)]", "ReturnValue", "value", "manual"]
|
||||
- ["lang:core", "<crate::option::Option>::unwrap_or", "Argument[0]", "ReturnValue", "value", "manual"]
|
||||
- ["lang:core", "<crate::option::Option>::unwrap_or", "Argument[self]", "ReturnValue", "taint", "manual"]
|
||||
# Result
|
||||
- ["lang:core", "<crate::result::Result>::unwrap", "Argument[self].Variant[crate::result::Result::Ok(0)]", "ReturnValue", "value", "manual"]
|
||||
- ["lang:core", "<crate::result::Result>::unwrap", "Argument[self]", "ReturnValue", "taint", "manual"]
|
||||
- ["lang:core", "<crate::result::Result>::unwrap_or", "Argument[self].Variant[crate::result::Result::Ok(0)]", "ReturnValue", "value", "manual"]
|
||||
- ["lang:core", "<crate::result::Result>::unwrap_or", "Argument[0]", "ReturnValue", "value", "manual"]
|
||||
- ["lang:core", "<crate::result::Result>::unwrap_or", "Argument[self]", "ReturnValue", "taint", "manual"]
|
||||
# String
|
||||
- ["lang:alloc", "<crate::string::String>::as_str", "Argument[self]", "ReturnValue", "taint", "manual"]
|
||||
|
||||
@@ -207,9 +207,11 @@ localStep
|
||||
| main.rs:229:9:229:10 | [SSA] s1 | main.rs:230:10:230:11 | s1 |
|
||||
| main.rs:229:9:229:10 | s1 | main.rs:229:9:229:10 | [SSA] s1 |
|
||||
| main.rs:229:14:229:29 | Some(...) | main.rs:229:9:229:10 | s1 |
|
||||
| main.rs:230:23:230:23 | 0 | main.rs:230:10:230:24 | s1.unwrap_or(...) |
|
||||
| main.rs:232:9:232:10 | [SSA] s2 | main.rs:233:10:233:11 | s2 |
|
||||
| main.rs:232:9:232:10 | s2 | main.rs:232:9:232:10 | [SSA] s2 |
|
||||
| main.rs:232:14:232:20 | Some(...) | main.rs:232:9:232:10 | s2 |
|
||||
| main.rs:233:23:233:32 | source(...) | main.rs:233:10:233:33 | s2.unwrap_or(...) |
|
||||
| main.rs:237:9:237:10 | [SSA] s1 | main.rs:239:14:239:15 | s1 |
|
||||
| main.rs:237:9:237:10 | s1 | main.rs:237:9:237:10 | [SSA] s1 |
|
||||
| main.rs:237:14:237:29 | Some(...) | main.rs:237:9:237:10 | s1 |
|
||||
@@ -529,6 +531,9 @@ storeStep
|
||||
| main.rs:407:27:407:27 | 0 | Some | main.rs:407:22:407:28 | Some(...) |
|
||||
readStep
|
||||
| file://:0:0:0:0 | [summary param] self in lang:core::_::<crate::option::Option>::unwrap | Some | file://:0:0:0:0 | [summary] read: Argument[self].Variant[crate::option::Option::Some(0)] in lang:core::_::<crate::option::Option>::unwrap |
|
||||
| file://:0:0:0:0 | [summary param] self in lang:core::_::<crate::option::Option>::unwrap_or | Some | file://:0:0:0:0 | [summary] read: Argument[self].Variant[crate::option::Option::Some(0)] in lang:core::_::<crate::option::Option>::unwrap_or |
|
||||
| file://:0:0:0:0 | [summary param] self in lang:core::_::<crate::result::Result>::unwrap | Ok | file://:0:0:0:0 | [summary] read: Argument[self].Variant[crate::result::Result::Ok(0)] in lang:core::_::<crate::result::Result>::unwrap |
|
||||
| file://:0:0:0:0 | [summary param] self in lang:core::_::<crate::result::Result>::unwrap_or | Ok | file://:0:0:0:0 | [summary] read: Argument[self].Variant[crate::result::Result::Ok(0)] in lang:core::_::<crate::result::Result>::unwrap_or |
|
||||
| main.rs:33:9:33:15 | Some(...) | Some | main.rs:33:14:33:14 | _ |
|
||||
| main.rs:87:11:87:11 | i | &ref | main.rs:87:10:87:11 | * ... |
|
||||
| main.rs:95:10:95:10 | a | tuple.0 | main.rs:95:10:95:12 | a.0 |
|
||||
|
||||
@@ -1,5 +1,7 @@
|
||||
models
|
||||
| 1 | Summary: lang:core; <crate::option::Option>::unwrap; Argument[self].Variant[crate::option::Option::Some(0)]; ReturnValue; value |
|
||||
| 2 | Summary: lang:core; <crate::option::Option>::unwrap_or; Argument[0]; ReturnValue; value |
|
||||
| 3 | Summary: lang:core; <crate::option::Option>::unwrap_or; Argument[self].Variant[crate::option::Option::Some(0)]; ReturnValue; value |
|
||||
edges
|
||||
| main.rs:19:13:19:21 | source(...) | main.rs:20:10:20:10 | s | provenance | |
|
||||
| main.rs:24:13:24:21 | source(...) | main.rs:27:10:27:10 | c | provenance | |
|
||||
@@ -37,6 +39,10 @@ edges
|
||||
| main.rs:224:14:224:29 | Some(...) [Some] | main.rs:225:10:225:11 | s1 [Some] | provenance | |
|
||||
| main.rs:224:19:224:28 | source(...) | main.rs:224:14:224:29 | Some(...) [Some] | provenance | |
|
||||
| main.rs:225:10:225:11 | s1 [Some] | main.rs:225:10:225:20 | s1.unwrap(...) | provenance | MaD:1 |
|
||||
| main.rs:229:14:229:29 | Some(...) [Some] | main.rs:230:10:230:11 | s1 [Some] | provenance | |
|
||||
| main.rs:229:19:229:28 | source(...) | main.rs:229:14:229:29 | Some(...) [Some] | provenance | |
|
||||
| main.rs:230:10:230:11 | s1 [Some] | main.rs:230:10:230:24 | s1.unwrap_or(...) | provenance | MaD:3 |
|
||||
| main.rs:233:23:233:32 | source(...) | main.rs:233:10:233:33 | s2.unwrap_or(...) | provenance | MaD:2 |
|
||||
| main.rs:237:14:237:29 | Some(...) [Some] | main.rs:239:14:239:15 | s1 [Some] | provenance | |
|
||||
| main.rs:237:19:237:28 | source(...) | main.rs:237:14:237:29 | Some(...) [Some] | provenance | |
|
||||
| main.rs:239:14:239:15 | s1 [Some] | main.rs:239:14:239:16 | TryExpr | provenance | |
|
||||
@@ -150,6 +156,12 @@ nodes
|
||||
| main.rs:224:19:224:28 | source(...) | semmle.label | source(...) |
|
||||
| main.rs:225:10:225:11 | s1 [Some] | semmle.label | s1 [Some] |
|
||||
| main.rs:225:10:225:20 | s1.unwrap(...) | semmle.label | s1.unwrap(...) |
|
||||
| main.rs:229:14:229:29 | Some(...) [Some] | semmle.label | Some(...) [Some] |
|
||||
| main.rs:229:19:229:28 | source(...) | semmle.label | source(...) |
|
||||
| main.rs:230:10:230:11 | s1 [Some] | semmle.label | s1 [Some] |
|
||||
| main.rs:230:10:230:24 | s1.unwrap_or(...) | semmle.label | s1.unwrap_or(...) |
|
||||
| main.rs:233:10:233:33 | s2.unwrap_or(...) | semmle.label | s2.unwrap_or(...) |
|
||||
| main.rs:233:23:233:32 | source(...) | semmle.label | source(...) |
|
||||
| main.rs:237:14:237:29 | Some(...) [Some] | semmle.label | Some(...) [Some] |
|
||||
| main.rs:237:19:237:28 | source(...) | semmle.label | source(...) |
|
||||
| main.rs:239:14:239:15 | s1 [Some] | semmle.label | s1 [Some] |
|
||||
@@ -240,6 +252,8 @@ testFailures
|
||||
| main.rs:201:33:201:33 | n | main.rs:198:27:198:36 | source(...) | main.rs:201:33:201:33 | n | $@ | main.rs:198:27:198:36 | source(...) | source(...) |
|
||||
| main.rs:214:25:214:25 | n | main.rs:211:19:211:28 | source(...) | main.rs:214:25:214:25 | n | $@ | main.rs:211:19:211:28 | source(...) | source(...) |
|
||||
| main.rs:225:10:225:20 | s1.unwrap(...) | main.rs:224:19:224:28 | source(...) | main.rs:225:10:225:20 | s1.unwrap(...) | $@ | main.rs:224:19:224:28 | source(...) | source(...) |
|
||||
| main.rs:230:10:230:24 | s1.unwrap_or(...) | main.rs:229:19:229:28 | source(...) | main.rs:230:10:230:24 | s1.unwrap_or(...) | $@ | main.rs:229:19:229:28 | source(...) | source(...) |
|
||||
| main.rs:233:10:233:33 | s2.unwrap_or(...) | main.rs:233:23:233:32 | source(...) | main.rs:233:10:233:33 | s2.unwrap_or(...) | $@ | main.rs:233:23:233:32 | source(...) | source(...) |
|
||||
| main.rs:240:10:240:11 | i1 | main.rs:237:19:237:28 | source(...) | main.rs:240:10:240:11 | i1 | $@ | main.rs:237:19:237:28 | source(...) | source(...) |
|
||||
| main.rs:251:10:251:11 | i1 | main.rs:246:35:246:44 | source(...) | main.rs:251:10:251:11 | i1 | $@ | main.rs:246:35:246:44 | source(...) | source(...) |
|
||||
| main.rs:267:35:267:35 | n | main.rs:264:29:264:38 | source(...) | main.rs:267:35:267:35 | n | $@ | main.rs:264:29:264:38 | source(...) | source(...) |
|
||||
|
||||
@@ -227,10 +227,10 @@ fn option_unwrap() {
|
||||
|
||||
fn option_unwrap_or() {
|
||||
let s1 = Some(source(46));
|
||||
sink(s1.unwrap_or(0)); // $ MISSING: hasValueFlow=46
|
||||
sink(s1.unwrap_or(0)); // $ hasValueFlow=46
|
||||
|
||||
let s2 = Some(0);
|
||||
sink(s2.unwrap_or(source(47))); // $ MISSING: hasValueFlow=47
|
||||
sink(s2.unwrap_or(source(47))); // $ hasValueFlow=47
|
||||
}
|
||||
|
||||
fn option_questionmark() -> Option<i64> {
|
||||
|
||||
@@ -12,7 +12,7 @@ fn test_env_vars() {
|
||||
let var2 = std::env::var_os("PATH").unwrap(); // $ Alert[rust/summary/taint-sources]
|
||||
|
||||
sink(var1); // $ MISSING: hasTaintFlow
|
||||
sink(var2); // $ MISSING: hasTaintFlow
|
||||
sink(var2); // $ hasTaintFlow
|
||||
|
||||
for (key, value) in std::env::vars() { // $ Alert[rust/summary/taint-sources]
|
||||
sink(key); // $ MISSING: hasTaintFlow
|
||||
@@ -61,7 +61,7 @@ async fn test_reqwest() -> Result<(), reqwest::Error> {
|
||||
sink(remote_string1); // $ MISSING: hasTaintFlow
|
||||
|
||||
let remote_string2 = reqwest::blocking::get("http://example.com/").unwrap().text().unwrap(); // $ Alert[rust/summary/taint-sources]
|
||||
sink(remote_string2); // $ MISSING: hasTaintFlow
|
||||
sink(remote_string2); // $ hasTaintFlow
|
||||
|
||||
let remote_string3 = reqwest::get("http://example.com/").await?.text().await?; // $ Alert[rust/summary/taint-sources]
|
||||
sink(remote_string3); // $ MISSING: hasTaintFlow
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
models
|
||||
| 1 | Summary: lang:alloc; <crate::string::String>::as_str; Argument[self]; ReturnValue; taint |
|
||||
edges
|
||||
| main.rs:20:13:20:22 | source(...) | main.rs:21:19:21:25 | s[...] | provenance | |
|
||||
| main.rs:20:13:20:22 | source(...) | main.rs:22:16:22:21 | sliced | provenance | |
|
||||
@@ -6,6 +7,8 @@ edges
|
||||
| main.rs:21:19:21:25 | s[...] | main.rs:21:18:21:25 | &... [&ref] | provenance | |
|
||||
| main.rs:26:14:26:23 | source(...) | main.rs:32:10:32:11 | s4 | provenance | |
|
||||
| main.rs:37:14:37:23 | source(...) | main.rs:40:10:40:35 | ... + ... | provenance | |
|
||||
| main.rs:57:13:57:22 | source(...) | main.rs:58:16:58:16 | s | provenance | |
|
||||
| main.rs:58:16:58:16 | s | main.rs:58:16:58:25 | s.as_str(...) | provenance | MaD:1 |
|
||||
nodes
|
||||
| main.rs:20:13:20:22 | source(...) | semmle.label | source(...) |
|
||||
| main.rs:21:18:21:25 | &... [&ref] | semmle.label | &... [&ref] |
|
||||
@@ -15,9 +18,13 @@ nodes
|
||||
| main.rs:32:10:32:11 | s4 | semmle.label | s4 |
|
||||
| main.rs:37:14:37:23 | source(...) | semmle.label | source(...) |
|
||||
| main.rs:40:10:40:35 | ... + ... | semmle.label | ... + ... |
|
||||
| main.rs:57:13:57:22 | source(...) | semmle.label | source(...) |
|
||||
| main.rs:58:16:58:16 | s | semmle.label | s |
|
||||
| main.rs:58:16:58:25 | s.as_str(...) | semmle.label | s.as_str(...) |
|
||||
subpaths
|
||||
testFailures
|
||||
#select
|
||||
| main.rs:22:16:22:21 | sliced | main.rs:20:13:20:22 | source(...) | main.rs:22:16:22:21 | sliced | $@ | main.rs:20:13:20:22 | source(...) | source(...) |
|
||||
| main.rs:32:10:32:11 | s4 | main.rs:26:14:26:23 | source(...) | main.rs:32:10:32:11 | s4 | $@ | main.rs:26:14:26:23 | source(...) | source(...) |
|
||||
| main.rs:40:10:40:35 | ... + ... | main.rs:37:14:37:23 | source(...) | main.rs:40:10:40:35 | ... + ... | $@ | main.rs:37:14:37:23 | source(...) | source(...) |
|
||||
| main.rs:58:16:58:25 | s.as_str(...) | main.rs:57:13:57:22 | source(...) | main.rs:58:16:58:25 | s.as_str(...) | $@ | main.rs:57:13:57:22 | source(...) | source(...) |
|
||||
|
||||
@@ -55,7 +55,7 @@ fn string_to_string() {
|
||||
|
||||
fn as_str() {
|
||||
let s = source(67);
|
||||
sink_slice(s.as_str()); // $ MISSING: hasTaintFlow=67
|
||||
sink_slice(s.as_str()); // $ hasTaintFlow=67
|
||||
}
|
||||
|
||||
fn string_format() {
|
||||
|
||||
@@ -1,3 +1,9 @@
|
||||
| file://:0:0:0:0 | [summary param] self in lang:alloc::_::<crate::string::String>::as_str | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:alloc::_::<crate::string::String>::as_str | MaD:11 |
|
||||
| file://:0:0:0:0 | [summary param] self in lang:core::_::<crate::option::Option>::unwrap | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<crate::option::Option>::unwrap | MaD:2 |
|
||||
| file://:0:0:0:0 | [summary param] self in lang:core::_::<crate::option::Option>::unwrap_or | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<crate::option::Option>::unwrap_or | MaD:5 |
|
||||
| file://:0:0:0:0 | [summary param] self in lang:core::_::<crate::result::Result>::unwrap | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<crate::result::Result>::unwrap | MaD:7 |
|
||||
| file://:0:0:0:0 | [summary param] self in lang:core::_::<crate::result::Result>::unwrap_or | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<crate::result::Result>::unwrap_or | MaD:10 |
|
||||
| file://:0:0:0:0 | [summary param] self in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::text | file://:0:0:0:0 | [summary] to write: ReturnValue in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::text | MaD:0 |
|
||||
| main.rs:4:5:4:8 | 1000 | main.rs:4:5:4:12 | ... + ... | |
|
||||
| main.rs:4:12:4:12 | i | main.rs:4:5:4:12 | ... + ... | |
|
||||
| main.rs:13:10:13:10 | a | main.rs:13:10:13:14 | ... + ... | |
|
||||
|
||||
@@ -1,4 +1,95 @@
|
||||
#select
|
||||
| sqlx.rs:65:30:65:52 | unsafe_query_2.as_str(...) | sqlx.rs:48:25:48:69 | ...::get(...) | sqlx.rs:65:30:65:52 | unsafe_query_2.as_str(...) | This query depends on a $@. | sqlx.rs:48:25:48:69 | ...::get(...) | user-provided value |
|
||||
| sqlx.rs:66:30:66:52 | unsafe_query_3.as_str(...) | sqlx.rs:48:25:48:69 | ...::get(...) | sqlx.rs:66:30:66:52 | unsafe_query_3.as_str(...) | This query depends on a $@. | sqlx.rs:48:25:48:69 | ...::get(...) | user-provided value |
|
||||
| sqlx.rs:76:29:76:51 | unsafe_query_2.as_str(...) | sqlx.rs:48:25:48:69 | ...::get(...) | sqlx.rs:76:29:76:51 | unsafe_query_2.as_str(...) | This query depends on a $@. | sqlx.rs:48:25:48:69 | ...::get(...) | user-provided value |
|
||||
| sqlx.rs:77:29:77:51 | unsafe_query_3.as_str(...) | sqlx.rs:48:25:48:69 | ...::get(...) | sqlx.rs:77:29:77:51 | unsafe_query_3.as_str(...) | This query depends on a $@. | sqlx.rs:48:25:48:69 | ...::get(...) | user-provided value |
|
||||
| sqlx.rs:104:30:104:52 | unsafe_query_1.as_str(...) | sqlx.rs:96:25:96:69 | ...::get(...) | sqlx.rs:104:30:104:52 | unsafe_query_1.as_str(...) | This query depends on a $@. | sqlx.rs:96:25:96:69 | ...::get(...) | user-provided value |
|
||||
| sqlx.rs:109:31:109:53 | unsafe_query_1.as_str(...) | sqlx.rs:96:25:96:69 | ...::get(...) | sqlx.rs:109:31:109:53 | unsafe_query_1.as_str(...) | This query depends on a $@. | sqlx.rs:96:25:96:69 | ...::get(...) | user-provided value |
|
||||
| sqlx.rs:116:29:116:51 | unsafe_query_1.as_str(...) | sqlx.rs:96:25:96:69 | ...::get(...) | sqlx.rs:116:29:116:51 | unsafe_query_1.as_str(...) | This query depends on a $@. | sqlx.rs:96:25:96:69 | ...::get(...) | user-provided value |
|
||||
| sqlx.rs:123:29:123:51 | unsafe_query_1.as_str(...) | sqlx.rs:96:25:96:69 | ...::get(...) | sqlx.rs:123:29:123:51 | unsafe_query_1.as_str(...) | This query depends on a $@. | sqlx.rs:96:25:96:69 | ...::get(...) | user-provided value |
|
||||
| sqlx.rs:132:55:132:77 | unsafe_query_1.as_str(...) | sqlx.rs:96:25:96:69 | ...::get(...) | sqlx.rs:132:55:132:77 | unsafe_query_1.as_str(...) | This query depends on a $@. | sqlx.rs:96:25:96:69 | ...::get(...) | user-provided value |
|
||||
| sqlx.rs:141:55:141:77 | unsafe_query_1.as_str(...) | sqlx.rs:96:25:96:69 | ...::get(...) | sqlx.rs:141:55:141:77 | unsafe_query_1.as_str(...) | This query depends on a $@. | sqlx.rs:96:25:96:69 | ...::get(...) | user-provided value |
|
||||
| sqlx.rs:149:29:149:51 | unsafe_query_1.as_str(...) | sqlx.rs:96:25:96:69 | ...::get(...) | sqlx.rs:149:29:149:51 | unsafe_query_1.as_str(...) | This query depends on a $@. | sqlx.rs:96:25:96:69 | ...::get(...) | user-provided value |
|
||||
| sqlx.rs:177:30:177:52 | unsafe_query_1.as_str(...) | sqlx.rs:169:25:169:69 | ...::get(...) | sqlx.rs:177:30:177:52 | unsafe_query_1.as_str(...) | This query depends on a $@. | sqlx.rs:169:25:169:69 | ...::get(...) | user-provided value |
|
||||
| sqlx.rs:184:29:184:51 | unsafe_query_1.as_str(...) | sqlx.rs:169:25:169:69 | ...::get(...) | sqlx.rs:184:29:184:51 | unsafe_query_1.as_str(...) | This query depends on a $@. | sqlx.rs:169:25:169:69 | ...::get(...) | user-provided value |
|
||||
edges
|
||||
| sqlx.rs:48:25:48:69 | ...::get(...) | sqlx.rs:48:25:48:78 | ... .unwrap(...) | provenance | MaD:2 |
|
||||
| sqlx.rs:48:25:48:78 | ... .unwrap(...) | sqlx.rs:48:25:48:85 | ... .text(...) | provenance | MaD:4 |
|
||||
| sqlx.rs:48:25:48:85 | ... .text(...) | sqlx.rs:48:25:48:118 | ... .unwrap_or(...) | provenance | MaD:3 |
|
||||
| sqlx.rs:48:25:48:118 | ... .unwrap_or(...) | sqlx.rs:65:30:65:43 | unsafe_query_2 | provenance | |
|
||||
| sqlx.rs:48:25:48:118 | ... .unwrap_or(...) | sqlx.rs:66:30:66:43 | unsafe_query_3 | provenance | |
|
||||
| sqlx.rs:48:25:48:118 | ... .unwrap_or(...) | sqlx.rs:76:29:76:42 | unsafe_query_2 | provenance | |
|
||||
| sqlx.rs:48:25:48:118 | ... .unwrap_or(...) | sqlx.rs:77:29:77:42 | unsafe_query_3 | provenance | |
|
||||
| sqlx.rs:65:30:65:43 | unsafe_query_2 | sqlx.rs:65:30:65:52 | unsafe_query_2.as_str(...) | provenance | MaD:1 |
|
||||
| sqlx.rs:66:30:66:43 | unsafe_query_3 | sqlx.rs:66:30:66:52 | unsafe_query_3.as_str(...) | provenance | MaD:1 |
|
||||
| sqlx.rs:76:29:76:42 | unsafe_query_2 | sqlx.rs:76:29:76:51 | unsafe_query_2.as_str(...) | provenance | MaD:1 |
|
||||
| sqlx.rs:77:29:77:42 | unsafe_query_3 | sqlx.rs:77:29:77:51 | unsafe_query_3.as_str(...) | provenance | MaD:1 |
|
||||
| sqlx.rs:96:25:96:69 | ...::get(...) | sqlx.rs:96:25:96:78 | ... .unwrap(...) | provenance | MaD:2 |
|
||||
| sqlx.rs:96:25:96:78 | ... .unwrap(...) | sqlx.rs:96:25:96:85 | ... .text(...) | provenance | MaD:4 |
|
||||
| sqlx.rs:96:25:96:85 | ... .text(...) | sqlx.rs:96:25:96:118 | ... .unwrap_or(...) | provenance | MaD:3 |
|
||||
| sqlx.rs:96:25:96:118 | ... .unwrap_or(...) | sqlx.rs:104:30:104:43 | unsafe_query_1 | provenance | |
|
||||
| sqlx.rs:96:25:96:118 | ... .unwrap_or(...) | sqlx.rs:109:31:109:44 | unsafe_query_1 | provenance | |
|
||||
| sqlx.rs:96:25:96:118 | ... .unwrap_or(...) | sqlx.rs:116:29:116:42 | unsafe_query_1 | provenance | |
|
||||
| sqlx.rs:96:25:96:118 | ... .unwrap_or(...) | sqlx.rs:123:29:123:42 | unsafe_query_1 | provenance | |
|
||||
| sqlx.rs:96:25:96:118 | ... .unwrap_or(...) | sqlx.rs:132:55:132:68 | unsafe_query_1 | provenance | |
|
||||
| sqlx.rs:96:25:96:118 | ... .unwrap_or(...) | sqlx.rs:141:55:141:68 | unsafe_query_1 | provenance | |
|
||||
| sqlx.rs:96:25:96:118 | ... .unwrap_or(...) | sqlx.rs:149:29:149:42 | unsafe_query_1 | provenance | |
|
||||
| sqlx.rs:104:30:104:43 | unsafe_query_1 | sqlx.rs:104:30:104:52 | unsafe_query_1.as_str(...) | provenance | MaD:1 |
|
||||
| sqlx.rs:109:31:109:44 | unsafe_query_1 | sqlx.rs:109:31:109:53 | unsafe_query_1.as_str(...) | provenance | MaD:1 |
|
||||
| sqlx.rs:116:29:116:42 | unsafe_query_1 | sqlx.rs:116:29:116:51 | unsafe_query_1.as_str(...) | provenance | MaD:1 |
|
||||
| sqlx.rs:123:29:123:42 | unsafe_query_1 | sqlx.rs:123:29:123:51 | unsafe_query_1.as_str(...) | provenance | MaD:1 |
|
||||
| sqlx.rs:132:55:132:68 | unsafe_query_1 | sqlx.rs:132:55:132:77 | unsafe_query_1.as_str(...) | provenance | MaD:1 |
|
||||
| sqlx.rs:141:55:141:68 | unsafe_query_1 | sqlx.rs:141:55:141:77 | unsafe_query_1.as_str(...) | provenance | MaD:1 |
|
||||
| sqlx.rs:149:29:149:42 | unsafe_query_1 | sqlx.rs:149:29:149:51 | unsafe_query_1.as_str(...) | provenance | MaD:1 |
|
||||
| sqlx.rs:169:25:169:69 | ...::get(...) | sqlx.rs:169:25:169:78 | ... .unwrap(...) | provenance | MaD:2 |
|
||||
| sqlx.rs:169:25:169:78 | ... .unwrap(...) | sqlx.rs:169:25:169:85 | ... .text(...) | provenance | MaD:4 |
|
||||
| sqlx.rs:169:25:169:85 | ... .text(...) | sqlx.rs:169:25:169:118 | ... .unwrap_or(...) | provenance | MaD:3 |
|
||||
| sqlx.rs:169:25:169:118 | ... .unwrap_or(...) | sqlx.rs:177:30:177:43 | unsafe_query_1 | provenance | |
|
||||
| sqlx.rs:169:25:169:118 | ... .unwrap_or(...) | sqlx.rs:184:29:184:42 | unsafe_query_1 | provenance | |
|
||||
| sqlx.rs:177:30:177:43 | unsafe_query_1 | sqlx.rs:177:30:177:52 | unsafe_query_1.as_str(...) | provenance | MaD:1 |
|
||||
| sqlx.rs:184:29:184:42 | unsafe_query_1 | sqlx.rs:184:29:184:51 | unsafe_query_1.as_str(...) | provenance | MaD:1 |
|
||||
models
|
||||
| 1 | Summary: lang:alloc; <crate::string::String>::as_str; Argument[self]; ReturnValue; taint |
|
||||
| 2 | Summary: lang:core; <crate::result::Result>::unwrap; Argument[self]; ReturnValue; taint |
|
||||
| 3 | Summary: lang:core; <crate::result::Result>::unwrap_or; Argument[self]; ReturnValue; taint |
|
||||
| 4 | Summary: repo:https://github.com/seanmonstar/reqwest:reqwest; <crate::blocking::response::Response>::text; Argument[self]; ReturnValue; taint |
|
||||
nodes
|
||||
| sqlx.rs:48:25:48:69 | ...::get(...) | semmle.label | ...::get(...) |
|
||||
| sqlx.rs:48:25:48:78 | ... .unwrap(...) | semmle.label | ... .unwrap(...) |
|
||||
| sqlx.rs:48:25:48:85 | ... .text(...) | semmle.label | ... .text(...) |
|
||||
| sqlx.rs:48:25:48:118 | ... .unwrap_or(...) | semmle.label | ... .unwrap_or(...) |
|
||||
| sqlx.rs:65:30:65:43 | unsafe_query_2 | semmle.label | unsafe_query_2 |
|
||||
| sqlx.rs:65:30:65:52 | unsafe_query_2.as_str(...) | semmle.label | unsafe_query_2.as_str(...) |
|
||||
| sqlx.rs:66:30:66:43 | unsafe_query_3 | semmle.label | unsafe_query_3 |
|
||||
| sqlx.rs:66:30:66:52 | unsafe_query_3.as_str(...) | semmle.label | unsafe_query_3.as_str(...) |
|
||||
| sqlx.rs:76:29:76:42 | unsafe_query_2 | semmle.label | unsafe_query_2 |
|
||||
| sqlx.rs:76:29:76:51 | unsafe_query_2.as_str(...) | semmle.label | unsafe_query_2.as_str(...) |
|
||||
| sqlx.rs:77:29:77:42 | unsafe_query_3 | semmle.label | unsafe_query_3 |
|
||||
| sqlx.rs:77:29:77:51 | unsafe_query_3.as_str(...) | semmle.label | unsafe_query_3.as_str(...) |
|
||||
| sqlx.rs:96:25:96:69 | ...::get(...) | semmle.label | ...::get(...) |
|
||||
| sqlx.rs:96:25:96:78 | ... .unwrap(...) | semmle.label | ... .unwrap(...) |
|
||||
| sqlx.rs:96:25:96:85 | ... .text(...) | semmle.label | ... .text(...) |
|
||||
| sqlx.rs:96:25:96:118 | ... .unwrap_or(...) | semmle.label | ... .unwrap_or(...) |
|
||||
| sqlx.rs:104:30:104:43 | unsafe_query_1 | semmle.label | unsafe_query_1 |
|
||||
| sqlx.rs:104:30:104:52 | unsafe_query_1.as_str(...) | semmle.label | unsafe_query_1.as_str(...) |
|
||||
| sqlx.rs:109:31:109:44 | unsafe_query_1 | semmle.label | unsafe_query_1 |
|
||||
| sqlx.rs:109:31:109:53 | unsafe_query_1.as_str(...) | semmle.label | unsafe_query_1.as_str(...) |
|
||||
| sqlx.rs:116:29:116:42 | unsafe_query_1 | semmle.label | unsafe_query_1 |
|
||||
| sqlx.rs:116:29:116:51 | unsafe_query_1.as_str(...) | semmle.label | unsafe_query_1.as_str(...) |
|
||||
| sqlx.rs:123:29:123:42 | unsafe_query_1 | semmle.label | unsafe_query_1 |
|
||||
| sqlx.rs:123:29:123:51 | unsafe_query_1.as_str(...) | semmle.label | unsafe_query_1.as_str(...) |
|
||||
| sqlx.rs:132:55:132:68 | unsafe_query_1 | semmle.label | unsafe_query_1 |
|
||||
| sqlx.rs:132:55:132:77 | unsafe_query_1.as_str(...) | semmle.label | unsafe_query_1.as_str(...) |
|
||||
| sqlx.rs:141:55:141:68 | unsafe_query_1 | semmle.label | unsafe_query_1 |
|
||||
| sqlx.rs:141:55:141:77 | unsafe_query_1.as_str(...) | semmle.label | unsafe_query_1.as_str(...) |
|
||||
| sqlx.rs:149:29:149:42 | unsafe_query_1 | semmle.label | unsafe_query_1 |
|
||||
| sqlx.rs:149:29:149:51 | unsafe_query_1.as_str(...) | semmle.label | unsafe_query_1.as_str(...) |
|
||||
| sqlx.rs:169:25:169:69 | ...::get(...) | semmle.label | ...::get(...) |
|
||||
| sqlx.rs:169:25:169:78 | ... .unwrap(...) | semmle.label | ... .unwrap(...) |
|
||||
| sqlx.rs:169:25:169:85 | ... .text(...) | semmle.label | ... .text(...) |
|
||||
| sqlx.rs:169:25:169:118 | ... .unwrap_or(...) | semmle.label | ... .unwrap_or(...) |
|
||||
| sqlx.rs:177:30:177:43 | unsafe_query_1 | semmle.label | unsafe_query_1 |
|
||||
| sqlx.rs:177:30:177:52 | unsafe_query_1.as_str(...) | semmle.label | unsafe_query_1.as_str(...) |
|
||||
| sqlx.rs:184:29:184:42 | unsafe_query_1 | semmle.label | unsafe_query_1 |
|
||||
| sqlx.rs:184:29:184:51 | unsafe_query_1.as_str(...) | semmle.label | unsafe_query_1.as_str(...) |
|
||||
subpaths
|
||||
|
||||
@@ -45,7 +45,7 @@ async fn test_sqlx_mysql(url: &str, enable_remote: bool) -> Result<(), sqlx::Err
|
||||
// construct queries (with extra variants)
|
||||
let const_string = String::from("Alice");
|
||||
let arg_string = std::env::args().nth(1).unwrap_or(String::from("Alice")); // $ MISSING: Source=args1
|
||||
let remote_string = reqwest::blocking::get("http://example.com/").unwrap().text().unwrap_or(String::from("Alice")); // $ MISSING: Source=remote1
|
||||
let remote_string = reqwest::blocking::get("http://example.com/").unwrap().text().unwrap_or(String::from("Alice")); // $ Source=remote1
|
||||
let remote_number = remote_string.parse::<i32>().unwrap_or(0);
|
||||
let safe_query_1 = String::from("SELECT * FROM people WHERE firstname='Alice'");
|
||||
let safe_query_2 = String::from("SELECT * FROM people WHERE firstname='") + &const_string + "'";
|
||||
@@ -62,8 +62,8 @@ async fn test_sqlx_mysql(url: &str, enable_remote: bool) -> Result<(), sqlx::Err
|
||||
let _ = conn.execute(safe_query_3.as_str()).await?; // $ sql-sink
|
||||
let _ = conn.execute(unsafe_query_1.as_str()).await?; // $ sql-sink MISSING: Alert[sql-injection]=args1
|
||||
if enable_remote {
|
||||
let _ = conn.execute(unsafe_query_2.as_str()).await?; // $ sql-sink MISSING: Alert[sql-injection]=remote1
|
||||
let _ = conn.execute(unsafe_query_3.as_str()).await?; // $ sql-sink MISSING: Alert[sql-injection]=remote1
|
||||
let _ = conn.execute(unsafe_query_2.as_str()).await?; // $ sql-sink Alert=remote1
|
||||
let _ = conn.execute(unsafe_query_3.as_str()).await?; // $ sql-sink Alert=remote1
|
||||
let _ = conn.execute(unsafe_query_4.as_str()).await?; // $ sql-sink MISSING: Alert[sql-injection]=remote1
|
||||
}
|
||||
|
||||
@@ -73,8 +73,8 @@ async fn test_sqlx_mysql(url: &str, enable_remote: bool) -> Result<(), sqlx::Err
|
||||
let _ = sqlx::query(safe_query_3.as_str()).execute(&pool).await?; // $ sql-sink
|
||||
let _ = sqlx::query(unsafe_query_1.as_str()).execute(&pool).await?; // $ sql-sink MISSING: Alert[sql-injection]=args1
|
||||
if enable_remote {
|
||||
let _ = sqlx::query(unsafe_query_2.as_str()).execute(&pool).await?; // $ sql-sink MISSING: Alert[sql-injection]=remote1
|
||||
let _ = sqlx::query(unsafe_query_3.as_str()).execute(&pool).await?; // $ sql-sink MISSING: Alert[sql-injection]=remote1
|
||||
let _ = sqlx::query(unsafe_query_2.as_str()).execute(&pool).await?; // $ sql-sink Alert=remote1
|
||||
let _ = sqlx::query(unsafe_query_3.as_str()).execute(&pool).await?; // $ sql-sink Alert=remote1
|
||||
let _ = sqlx::query(unsafe_query_4.as_str()).execute(&pool).await?; // $ sql-sink MISSING: Alert[sql-injection]=remote1
|
||||
}
|
||||
let _ = sqlx::query(prepared_query_1.as_str()).bind(const_string).execute(&pool).await?; // $ sql-sink
|
||||
@@ -93,7 +93,7 @@ async fn test_sqlx_sqlite(url: &str, enable_remote: bool) -> Result<(), sqlx::Er
|
||||
|
||||
// construct queries
|
||||
let const_string = String::from("Alice");
|
||||
let remote_string = reqwest::blocking::get("http://example.com/").unwrap().text().unwrap_or(String::from("Alice")); // $ MISSING: Source=remote2
|
||||
let remote_string = reqwest::blocking::get("http://example.com/").unwrap().text().unwrap_or(String::from("Alice")); // $ Source=remote2
|
||||
let safe_query_1 = String::from("SELECT * FROM people WHERE firstname='") + &const_string + "'";
|
||||
let unsafe_query_1 = String::from("SELECT * FROM people WHERE firstname='") + &remote_string + "'";
|
||||
let prepared_query_1 = String::from("SELECT * FROM people WHERE firstname=?"); // (prepared arguments are safe)
|
||||
@@ -101,26 +101,26 @@ async fn test_sqlx_sqlite(url: &str, enable_remote: bool) -> Result<(), sqlx::Er
|
||||
// direct execution (with extra variants)
|
||||
let _ = conn.execute(safe_query_1.as_str()).await?; // $ sql-sink
|
||||
if enable_remote {
|
||||
let _ = conn.execute(unsafe_query_1.as_str()).await?; // $ sql-sink MISSING: Alert[sql-injection]=remote2
|
||||
let _ = conn.execute(unsafe_query_1.as_str()).await?; // $ sql-sink Alert=remote2
|
||||
}
|
||||
// ...
|
||||
let _ = sqlx::raw_sql(safe_query_1.as_str()).execute(&mut conn).await?; // $ sql-sink
|
||||
if enable_remote {
|
||||
let _ = sqlx::raw_sql(unsafe_query_1.as_str()).execute(&mut conn).await?; // $ sql-sink MISSING: Alert[sql-injection]=remote2
|
||||
let _ = sqlx::raw_sql(unsafe_query_1.as_str()).execute(&mut conn).await?; // $ sql-sink Alert=remote2
|
||||
}
|
||||
|
||||
// prepared queries (with extra variants)
|
||||
let _ = sqlx::query(safe_query_1.as_str()).execute(&mut conn).await?; // $ sql-sink
|
||||
let _ = sqlx::query(prepared_query_1.as_str()).bind(&const_string).execute(&mut conn).await?; // $ sql-sink
|
||||
if enable_remote {
|
||||
let _ = sqlx::query(unsafe_query_1.as_str()).execute(&mut conn).await?; // $ sql-sink MISSING: Alert[sql-injection]=remote2
|
||||
let _ = sqlx::query(unsafe_query_1.as_str()).execute(&mut conn).await?; // $ sql-sink Alert=remote2
|
||||
let _ = sqlx::query(prepared_query_1.as_str()).bind(&remote_string).execute(&mut conn).await?; // $ sql-sink
|
||||
}
|
||||
// ...
|
||||
let _ = sqlx::query(safe_query_1.as_str()).fetch(&mut conn); // $ sql-sink
|
||||
let _ = sqlx::query(prepared_query_1.as_str()).bind(&const_string).fetch(&mut conn); // $ sql-sink
|
||||
if enable_remote {
|
||||
let _ = sqlx::query(unsafe_query_1.as_str()).fetch(&mut conn); // $ sql-sink MISSING: Alert[sql-injection]=remote2
|
||||
let _ = sqlx::query(unsafe_query_1.as_str()).fetch(&mut conn); // $ sql-sink Alert=remote2
|
||||
let _ = sqlx::query(prepared_query_1.as_str()).bind(&remote_string).fetch(&mut conn); // $ sql-sink
|
||||
}
|
||||
// ...
|
||||
@@ -129,7 +129,7 @@ async fn test_sqlx_sqlite(url: &str, enable_remote: bool) -> Result<(), sqlx::Er
|
||||
let row2: (i64, String, String) = sqlx::query_as(prepared_query_1.as_str()).bind(&const_string).fetch_one(&mut conn).await?; // $ sql-sink
|
||||
println!(" row2 = {:?}", row2);
|
||||
if enable_remote {
|
||||
let _: (i64, String, String) = sqlx::query_as(unsafe_query_1.as_str()).fetch_one(&mut conn).await?; // $ sql-sink MISSING: Alert[sql-injection]=remote2
|
||||
let _: (i64, String, String) = sqlx::query_as(unsafe_query_1.as_str()).fetch_one(&mut conn).await?; // $ sql-sink Alert=remote2
|
||||
let _: (i64, String, String) = sqlx::query_as(prepared_query_1.as_str()).bind(&remote_string).fetch_one(&mut conn).await?; // $ sql-sink
|
||||
}
|
||||
// ...
|
||||
@@ -138,7 +138,7 @@ async fn test_sqlx_sqlite(url: &str, enable_remote: bool) -> Result<(), sqlx::Er
|
||||
let row4: (i64, String, String) = sqlx::query_as(prepared_query_1.as_str()).bind(&const_string).fetch_optional(&mut conn).await?.expect("no data"); // $ sql-sink
|
||||
println!(" row4 = {:?}", row4);
|
||||
if enable_remote {
|
||||
let _: (i64, String, String) = sqlx::query_as(unsafe_query_1.as_str()).fetch_optional(&mut conn).await?.expect("no data"); // $ sql-sink $ MISSING: Alert[sql-injection]=remote2
|
||||
let _: (i64, String, String) = sqlx::query_as(unsafe_query_1.as_str()).fetch_optional(&mut conn).await?.expect("no data"); // $ sql-sink $ Alert=remote2
|
||||
let _: (i64, String, String) = sqlx::query_as(prepared_query_1.as_str()).bind(&remote_string).fetch_optional(&mut conn).await?.expect("no data"); // $ sql-sink
|
||||
}
|
||||
// ...
|
||||
@@ -146,7 +146,7 @@ async fn test_sqlx_sqlite(url: &str, enable_remote: bool) -> Result<(), sqlx::Er
|
||||
let _ = sqlx::query(prepared_query_1.as_str()).bind(&const_string).fetch_all(&mut conn).await?; // $ sql-sink
|
||||
let _ = sqlx::query("SELECT * FROM people WHERE firstname=?").bind(&const_string).fetch_all(&mut conn).await?; // $ sql-sink
|
||||
if enable_remote {
|
||||
let _ = sqlx::query(unsafe_query_1.as_str()).fetch_all(&mut conn).await?; // $ sql-sink MISSING: Alert[sql-injection]=remote2
|
||||
let _ = sqlx::query(unsafe_query_1.as_str()).fetch_all(&mut conn).await?; // $ sql-sink Alert=remote2
|
||||
let _ = sqlx::query(prepared_query_1.as_str()).bind(&remote_string).fetch_all(&mut conn).await?; // $ sql-sink
|
||||
let _ = sqlx::query("SELECT * FROM people WHERE firstname=?").bind(&remote_string).fetch_all(&mut conn).await?; // $ sql-sink
|
||||
}
|
||||
@@ -166,7 +166,7 @@ async fn test_sqlx_postgres(url: &str, enable_remote: bool) -> Result<(), sqlx::
|
||||
|
||||
// construct queries
|
||||
let const_string = String::from("Alice");
|
||||
let remote_string = reqwest::blocking::get("http://example.com/").unwrap().text().unwrap_or(String::from("Alice")); // $ MISSING: Source=remote3
|
||||
let remote_string = reqwest::blocking::get("http://example.com/").unwrap().text().unwrap_or(String::from("Alice")); // $ Source=remote3
|
||||
let safe_query_1 = String::from("SELECT * FROM people WHERE firstname='") + &const_string + "'";
|
||||
let unsafe_query_1 = String::from("SELECT * FROM people WHERE firstname='") + &remote_string + "'";
|
||||
let prepared_query_1 = String::from("SELECT * FROM people WHERE firstname=$1"); // (prepared arguments are safe)
|
||||
@@ -174,14 +174,14 @@ async fn test_sqlx_postgres(url: &str, enable_remote: bool) -> Result<(), sqlx::
|
||||
// direct execution
|
||||
let _ = conn.execute(safe_query_1.as_str()).await?; // $ sql-sink
|
||||
if enable_remote {
|
||||
let _ = conn.execute(unsafe_query_1.as_str()).await?; // $ sql-sink MISSING: Alert[sql-injection]=remote3
|
||||
let _ = conn.execute(unsafe_query_1.as_str()).await?; // $ sql-sink Alert=remote3
|
||||
}
|
||||
|
||||
// prepared queries
|
||||
let _ = sqlx::query(safe_query_1.as_str()).execute(&pool).await?; // $ sql-sink
|
||||
let _ = sqlx::query(prepared_query_1.as_str()).bind(&const_string).execute(&pool).await?; // $ sql-sink
|
||||
if enable_remote {
|
||||
let _ = sqlx::query(unsafe_query_1.as_str()).execute(&pool).await?; // $ sql-sink MISSING: Alert[sql-injection]=remote3
|
||||
let _ = sqlx::query(unsafe_query_1.as_str()).execute(&pool).await?; // $ sql-sink Alert=remote3
|
||||
let _ = sqlx::query(prepared_query_1.as_str()).bind(&remote_string).execute(&pool).await?; // $ sql-sink
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user