Merge pull request #19304 from geoffw0/rustio

Rust: Model sources for std::io

rust/ql/lib/codeql/rust/Concepts.qll

@@ -102,6 +102,58 @@ class ModeledEnvironmentSource extends EnvironmentSource::Range {
   ModeledEnvironmentSource() { sourceNode(this, "environment-source") }
 }
 
+/**
+ * A data flow source corresponding to a file access.
+ */
+final class FileSource = FileSource::Range;
+
+/**
+ * An externally modeled source for data from a file access.
+ */
+class ModeledFileSource extends FileSource::Range {
+  ModeledFileSource() { sourceNode(this, "file") }
+}
+
+/**
+ * Provides a class for modeling new sources for file accesses.
+ */
+module FileSource {
+  /**
+   * A data flow source corresponding to a file access.
+   */
+  abstract class Range extends ThreatModelSource::Range {
+    override string getThreatModel() { result = "file" }
+
+    override string getSourceType() { result = "FileSource" }
+  }
+}
+
+/**
+ * A data flow source corresponding to standard input.
+ */
+final class StdInSource = StdInSource::Range;
+
+/**
+ * An externally modeled source for data from standard input.
+ */
+class ModeledStdInSourceSource extends StdInSource::Range {
+  ModeledStdInSourceSource() { sourceNode(this, "stdin") }
+}
+
+/**
+ * Provides a class for modeling new sources for standard input.
+ */
+module StdInSource {
+  /**
+   * A data flow source corresponding to standard input.
+   */
+  abstract class Range extends ThreatModelSource::Range {
+    override string getThreatModel() { result = "stdin" }
+
+    override string getSourceType() { result = "StdInSource" }
+  }
+}
+
 /**
  * A data flow source corresponding to the program's database reads.
  */

rust/ql/lib/codeql/rust/frameworks/stdlib/fs.model.yml

@@ -2,7 +2,14 @@ extensions:
   - addsTo:
       pack: codeql/rust-all
       extensible: sourceModel
-    data: []
+    data:
+      - ["lang:std", "crate::fs::read", "ReturnValue.Field[crate::result::Result::Ok(0)]", "file", "manual"]
+      - ["lang:std", "crate::fs::read_to_string", "ReturnValue.Field[crate::result::Result::Ok(0)]", "file", "manual"]
+      - ["lang:std", "crate::fs::read_link", "ReturnValue.Field[crate::result::Result::Ok(0)]", "file", "manual"]
+      - ["lang:std", "<crate::fs::DirEntry>::path", "ReturnValue", "file", "manual"]
+      - ["lang:std", "<crate::fs::DirEntry>::file_name", "ReturnValue", "file", "manual"]
+      - ["lang:std", "<crate::fs::File>::open", "ReturnValue.Field[crate::result::Result::Ok(0)]", "file", "manual"]
+      - ["lang:std", "<crate::fs::File>::open_buffered", "ReturnValue.Field[crate::result::Result::Ok(0)]", "file", "manual"]
   - addsTo:
       pack: codeql/rust-all
       extensible: sinkModel
@@ -34,7 +41,6 @@ extensions:
       - ["lang:std", "<crate::fs::File>::create_new", "Argument[0]", "path-injection", "manual"]
       - ["lang:std", "<crate::fs::File>::open", "Argument[0]", "path-injection", "manual"]
       - ["lang:std", "<crate::fs::File>::open_buffered", "Argument[0]", "path-injection", "manual"]
-
   - addsTo:
       pack: codeql/rust-all
       extensible: summaryModel

rust/ql/lib/codeql/rust/frameworks/stdlib/io.model.yml

@@ -0,0 +1,38 @@
+extensions:
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: sourceModel
+    data:
+      - ["lang:std", "crate::io::stdio::stdin", "ReturnValue", "stdin", "manual"]
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: summaryModel
+    data:
+      - ["lang:std", "<crate::io::buffered::bufreader::BufReader>::new", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["lang:std", "<crate::io::buffered::bufreader::BufReader as crate::io::BufRead>::fill_buf", "Argument[self]", "ReturnValue.Field[crate::result::Result::Ok(0)]", "taint", "manual"]
+      - ["lang:std", "<crate::io::buffered::bufreader::BufReader>::buffer", "Argument[self]", "ReturnValue", "taint", "manual"]
+      - ["lang:std", "<crate::io::stdio::Stdin as crate::io::Read>::read", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "<crate::io::stdio::StdinLock as crate::io::Read>::read", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "<crate::fs::File as crate::io::Read>::read", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "crate::io::Read::read", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "<crate::io::stdio::Stdin as crate::io::Read>::read_to_string", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "<crate::io::stdio::StdinLock as crate::io::Read>::read_to_string", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "<crate::fs::File as crate::io::Read>::read_to_string", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "crate::io::Read::read_to_string", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", ":<crate::io::stdio::Stdin as crate::io::Read>::read_to_end", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", ":<crate::io::stdio::StdinLock as crate::io::Read>::read_to_end", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "<crate::fs::File as crate::io::Read>::read_to_end", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "crate::io::Read::read_to_end", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "<crate::io::stdio::Stdin as crate::io::Read>::read_exact", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "<crate::io::stdio::StdinLock as crate::io::Read>::read_exact", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "<crate::fs::File as crate::io::Read>::read_exact", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "crate::io::Read::read_exact", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "crate::io::BufRead::read_line", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "crate::io::BufRead::read_until", "Argument[self]", "Argument[1].Reference", "taint", "manual"]
+      - ["lang:std", "crate::io::BufRead::split", "Argument[self]", "ReturnValue", "taint", "manual"]
+      - ["lang:std", "crate::io::BufRead::lines", "Argument[self]", "ReturnValue", "taint", "manual"]
+      - ["lang:std", "crate::io::Read::bytes", "Argument[self]", "ReturnValue", "taint", "manual"]
+      - ["lang:std", "crate::io::Read::chain", "Argument[self]", "ReturnValue", "taint", "manual"]
+      - ["lang:std", "crate::io::Read::chain", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["lang:std", "crate::io::Read::take", "Argument[self]", "ReturnValue", "taint", "manual"]
+      - ["lang:std", "<crate::io::stdio::Stdin>::lock", "Argument[self]", "ReturnValue", "taint", "manual"]

rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected

@@ -1940,8 +1940,25 @@ storeStep
 | file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:proc_macro::_::<u8 as crate::bridge::rpc::DecodeMut>::decode | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:proc_macro::_::<u8 as crate::bridge::rpc::DecodeMut>::decode |
 | file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:proc_macro::_::<u32 as crate::bridge::rpc::DecodeMut>::decode | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:proc_macro::_::<u32 as crate::bridge::rpc::DecodeMut>::decode |
 | file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:proc_macro::_::<usize as crate::bridge::rpc::DecodeMut>::decode | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:proc_macro::_::<usize as crate::bridge::rpc::DecodeMut>::decode |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_:::<crate::io::stdio::Stdin as crate::io::Read>::read_to_end | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_:::<crate::io::stdio::Stdin as crate::io::Read>::read_to_end |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_:::<crate::io::stdio::StdinLock as crate::io::Read>::read_to_end | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_:::<crate::io::stdio::StdinLock as crate::io::Read>::read_to_end |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::<crate::fs::File as crate::io::Read>::read | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::<crate::fs::File as crate::io::Read>::read |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::<crate::fs::File as crate::io::Read>::read_exact | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::<crate::fs::File as crate::io::Read>::read_exact |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::<crate::fs::File as crate::io::Read>::read_to_end | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::<crate::fs::File as crate::io::Read>::read_to_end |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::<crate::fs::File as crate::io::Read>::read_to_string | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::<crate::fs::File as crate::io::Read>::read_to_string |
 | file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::<crate::io::IoSlice>::advance_slices | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::<crate::io::IoSlice>::advance_slices |
 | file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::<crate::io::IoSliceMut>::advance_slices | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::<crate::io::IoSliceMut>::advance_slices |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::<crate::io::stdio::Stdin as crate::io::Read>::read | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::<crate::io::stdio::Stdin as crate::io::Read>::read |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::<crate::io::stdio::Stdin as crate::io::Read>::read_exact | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::<crate::io::stdio::Stdin as crate::io::Read>::read_exact |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::<crate::io::stdio::Stdin as crate::io::Read>::read_to_string | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::<crate::io::stdio::Stdin as crate::io::Read>::read_to_string |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::<crate::io::stdio::StdinLock as crate::io::Read>::read | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::<crate::io::stdio::StdinLock as crate::io::Read>::read |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::<crate::io::stdio::StdinLock as crate::io::Read>::read_exact | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::<crate::io::stdio::StdinLock as crate::io::Read>::read_exact |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::<crate::io::stdio::StdinLock as crate::io::Read>::read_to_string | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::<crate::io::stdio::StdinLock as crate::io::Read>::read_to_string |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::crate::io::BufRead::read_line | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::crate::io::BufRead::read_line |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::crate::io::Read::read | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::crate::io::Read::read |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::crate::io::Read::read_exact | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::crate::io::Read::read_exact |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::crate::io::Read::read_to_end | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::crate::io::Read::read_to_end |
+| file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:std::_::crate::io::Read::read_to_string | &ref | file://:0:0:0:0 | [post] [summary param] 0 in lang:std::_::crate::io::Read::read_to_string |
 | file://:0:0:0:0 | [summary] to write: Argument[0].Reference.Reference in lang:proc_macro::_::<&[u8] as crate::bridge::rpc::DecodeMut>::decode | &ref | file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:proc_macro::_::<&[u8] as crate::bridge::rpc::DecodeMut>::decode |
 | file://:0:0:0:0 | [summary] to write: Argument[0].Reference.Reference in lang:proc_macro::_::<u8 as crate::bridge::rpc::DecodeMut>::decode | &ref | file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:proc_macro::_::<u8 as crate::bridge::rpc::DecodeMut>::decode |
 | file://:0:0:0:0 | [summary] to write: Argument[0].Reference.Reference in lang:proc_macro::_::<u32 as crate::bridge::rpc::DecodeMut>::decode | &ref | file://:0:0:0:0 | [summary] to write: Argument[0].Reference in lang:proc_macro::_::<u32 as crate::bridge::rpc::DecodeMut>::decode |
@@ -1957,6 +1974,7 @@ storeStep
 | file://:0:0:0:0 | [summary] to write: Argument[1].Parameter[0].Reference in lang:core::_::<crate::cell::RefMut>::map_split | &ref | file://:0:0:0:0 | [summary] to write: Argument[1].Parameter[0] in lang:core::_::<crate::cell::RefMut>::map_split |
 | file://:0:0:0:0 | [summary] to write: Argument[1].Parameter[0].Reference in lang:std::_::<crate::sync::poison::condvar::Condvar>::wait_while | &ref | file://:0:0:0:0 | [summary] to write: Argument[1].Parameter[0] in lang:std::_::<crate::sync::poison::condvar::Condvar>::wait_while |
 | file://:0:0:0:0 | [summary] to write: Argument[1].Reference in lang:core::_::<_ as crate::clone::uninit::CopySpec>::clone_one | &ref | file://:0:0:0:0 | [post] [summary param] 1 in lang:core::_::<_ as crate::clone::uninit::CopySpec>::clone_one |
+| file://:0:0:0:0 | [summary] to write: Argument[1].Reference in lang:std::_::crate::io::BufRead::read_until | &ref | file://:0:0:0:0 | [post] [summary param] 1 in lang:std::_::crate::io::BufRead::read_until |
 | file://:0:0:0:0 | [summary] to write: Argument[2].Parameter[0].Reference in lang:core::_::crate::cmp::max_by | &ref | file://:0:0:0:0 | [summary] to write: Argument[2].Parameter[0] in lang:core::_::crate::cmp::max_by |
 | file://:0:0:0:0 | [summary] to write: Argument[2].Parameter[0].Reference in lang:core::_::crate::cmp::max_by_key | &ref | file://:0:0:0:0 | [summary] to write: Argument[2].Parameter[0] in lang:core::_::crate::cmp::max_by_key |
 | file://:0:0:0:0 | [summary] to write: Argument[2].Parameter[0].Reference in lang:core::_::crate::cmp::min_by | &ref | file://:0:0:0:0 | [summary] to write: Argument[2].Parameter[0] in lang:core::_::crate::cmp::min_by |
@@ -2185,6 +2203,7 @@ storeStep
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Field[crate::result::Result::Ok(0)] in lang:core::_::<crate::result::Result>::or_else | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<crate::result::Result>::or_else |
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Field[crate::result::Result::Ok(0)] in lang:core::_::<str>::parse | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<str>::parse |
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Field[crate::result::Result::Ok(0)] in lang:std::_::<&[u8] as crate::io::BufRead>::fill_buf | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:std::_::<&[u8] as crate::io::BufRead>::fill_buf |
+| file://:0:0:0:0 | [summary] to write: ReturnValue.Field[crate::result::Result::Ok(0)] in lang:std::_::<crate::io::buffered::bufreader::BufReader as crate::io::BufRead>::fill_buf | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:std::_::<crate::io::buffered::bufreader::BufReader as crate::io::BufRead>::fill_buf |
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Field[crate::result::Result::Ok(0)] in lang:std::_::<crate::path::Path>::canonicalize | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:std::_::<crate::path::Path>::canonicalize |
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Field[crate::result::Result::Ok(0)] in lang:std::_::<crate::sync::poison::condvar::Condvar>::wait | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:std::_::<crate::sync::poison::condvar::Condvar>::wait |
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Field[crate::result::Result::Ok(0)] in lang:std::_::<crate::sync::poison::condvar::Condvar>::wait_timeout | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:std::_::<crate::sync::poison::condvar::Condvar>::wait_timeout |

rust/ql/test/library-tests/dataflow/sources/TaintSources.expected

@@ -22,4 +22,28 @@
 | test.rs:80:24:80:35 | ...::get | Flow source 'RemoteSource' of type remote (DEFAULT). |
 | test.rs:112:35:112:46 | send_request | Flow source 'RemoteSource' of type remote (DEFAULT). |
 | test.rs:119:31:119:42 | send_request | Flow source 'RemoteSource' of type remote (DEFAULT). |
-| test.rs:203:16:203:29 | ...::args | Flow source 'CommandLineArgs' of type commandargs (DEFAULT). |
+| test.rs:205:31:205:43 | ...::read | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:210:31:210:38 | ...::read | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:215:22:215:39 | ...::read_to_string | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:221:22:221:25 | path | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:222:27:222:35 | file_name | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:228:22:228:34 | ...::read_link | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:243:22:243:35 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:249:22:249:35 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:255:22:255:35 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:261:9:261:22 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:265:17:265:30 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:271:20:271:38 | ...::open | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:304:50:304:63 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:310:50:310:63 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:317:50:317:63 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:324:50:324:63 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:331:56:331:69 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:338:50:338:63 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:345:50:345:63 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:351:50:351:63 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:360:25:360:43 | ...::open | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:361:25:361:43 | ...::open | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:369:25:369:43 | ...::open | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:377:22:377:35 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:386:16:386:29 | ...::args | Flow source 'CommandLineArgs' of type commandargs (DEFAULT). |

rust/ql/test/library-tests/dataflow/sources/test.rs

@@ -198,6 +198,189 @@ async fn test_hyper_http(case: i64) -> Result<(), Box<dyn std::error::Error>> {
     Ok(())
 }
 
+use std::fs;
+
+fn test_fs() -> Result<(), Box<dyn std::error::Error>> {
+    {
+        let buffer: Vec<u8> = std::fs::read("file.bin")?; // $ Alert[rust/summary/taint-sources]
+        sink(buffer); // $ hasTaintFlow="file.bin"
+    }
+
+    {
+        let buffer: Vec<u8> = fs::read("file.bin")?; // $ Alert[rust/summary/taint-sources]
+        sink(buffer); // $ hasTaintFlow="file.bin"
+    }
+
+    {
+        let buffer = fs::read_to_string("file.txt")?; // $ Alert[rust/summary/taint-sources]
+        sink(buffer); // $ hasTaintFlow="file.txt"
+    }
+
+    for entry in fs::read_dir("directory")? {
+        let e = entry?;
+        let path = e.path(); // $ Alert[rust/summary/taint-sources]
+        let file_name = e.file_name(); // $ Alert[rust/summary/taint-sources]
+        sink(path); // $ hasTaintFlow
+        sink(file_name); // $ hasTaintFlow
+    }
+
+    {
+        let target = fs::read_link("symlink.txt")?; // $ Alert[rust/summary/taint-sources]
+        sink(target); // $ hasTaintFlow="symlink.txt"
+    }
+
+    Ok(())
+}
+
+use std::io::Read;
+use std::io::BufRead;
+
+fn test_io_fs() -> std::io::Result<()> {
+    // --- stdin ---
+
+    {
+        let mut buffer = [0u8; 100];
+        let _bytes = std::io::stdin().read(&mut buffer)?; // $ Alert[rust/summary/taint-sources]
+        sink(&buffer); // $ hasTaintFlow
+    }
+
+    {
+        let mut buffer = Vec::<u8>::new();
+        let _bytes = std::io::stdin().read_to_end(&mut buffer)?; // $ Alert[rust/summary/taint-sources]
+        sink(&buffer); // $ MISSING: hasTaintFlow
+    }
+
+    {
+        let mut buffer = String::new();
+        let _bytes = std::io::stdin().read_to_string(&mut buffer)?; // $ Alert[rust/summary/taint-sources]
+        sink(&buffer); // $ hasTaintFlow
+    }
+
+    {
+        let mut buffer = [0; 100];
+        std::io::stdin().read_exact(&mut buffer)?; // $ Alert[rust/summary/taint-sources]
+        sink(&buffer); // $ hasTaintFlow
+    }
+
+    for byte in std::io::stdin().bytes() { // $ Alert[rust/summary/taint-sources]
+        sink(byte); // $ hasTaintFlow
+    }
+
+    // --- file ---
+
+    let mut file = std::fs::File::open("file.txt")?; // $ Alert[rust/summary/taint-sources]
+
+    {
+        let mut buffer = [0u8; 100];
+        let _bytes = file.read(&mut buffer)?;
+        sink(&buffer); // $ hasTaintFlow="file.txt"
+    }
+
+    {
+        let mut buffer = Vec::<u8>::new();
+        let _bytes = file.read_to_end(&mut buffer)?;
+        sink(&buffer); // $ hasTaintFlow="file.txt"
+    }
+
+    {
+        let mut buffer = String::new();
+        let _bytes = file.read_to_string(&mut buffer)?;
+        sink(&buffer); // $ hasTaintFlow="file.txt"
+    }
+
+    {
+        let mut buffer = [0; 100];
+        file.read_exact(&mut buffer)?;
+        sink(&buffer); // $ hasTaintFlow="file.txt"
+    }
+
+    for byte in file.bytes() {
+        sink(byte); // $ hasTaintFlow="file.txt"
+    }
+
+    // --- BufReader ---
+
+    {
+        let mut reader = std::io::BufReader::new(std::io::stdin()); // $ Alert[rust/summary/taint-sources]
+        let data = reader.fill_buf()?;
+        sink(&data); // $ hasTaintFlow
+    }
+
+    {
+        let mut reader = std::io::BufReader::new(std::io::stdin()); // $ Alert[rust/summary/taint-sources]
+        let data = reader.buffer();
+        sink(&data); // $ hasTaintFlow
+    }
+
+    {
+        let mut buffer = String::new();
+        let mut reader = std::io::BufReader::new(std::io::stdin()); // $ Alert[rust/summary/taint-sources]
+        reader.read_line(&mut buffer)?;
+        sink(&buffer); // $ hasTaintFlow
+    }
+
+    {
+        let mut buffer = Vec::<u8>::new();
+        let mut reader = std::io::BufReader::new(std::io::stdin()); // $ Alert[rust/summary/taint-sources]
+        reader.read_until(b',', &mut buffer)?;
+        sink(&buffer); // $ hasTaintFlow
+    }
+
+    {
+        let mut buffer = Vec::<u8>::new();
+        let mut reader_split = std::io::BufReader::new(std::io::stdin()).split(b','); // $ Alert[rust/summary/taint-sources]
+        while let Some(chunk) = reader_split.next() {
+            sink(chunk.unwrap()); // $ MISSING: hasTaintFlow
+        }
+    }
+
+    {
+        let mut reader = std::io::BufReader::new(std::io::stdin()); // $ Alert[rust/summary/taint-sources]
+        for line in reader.lines() {
+            sink(line); // $ hasTaintFlow
+        }
+    }
+
+    {
+        let mut reader = std::io::BufReader::new(std::io::stdin()); // $ Alert[rust/summary/taint-sources]
+        let line = reader.lines().nth(1).unwrap();
+        sink(line.unwrap().clone()); // $ MISSING: hasTaintFlow
+    }
+
+    {
+        let mut reader = std::io::BufReader::new(std::io::stdin()); // $ Alert[rust/summary/taint-sources]
+        let lines: Vec<_> = reader.lines().collect();
+        sink(lines[1].as_ref().unwrap().clone()); // $ MISSING: hasTaintFlow
+    }
+
+    // --- misc operations ---
+
+    {
+        let mut buffer = String::new();
+        let mut file1 = std::fs::File::open("file.txt")?; // $ Alert[rust/summary/taint-sources]
+        let mut file2 = std::fs::File::open("another_file.txt")?; // $ Alert[rust/summary/taint-sources]
+        let mut reader = file1.chain(file2);
+        reader.read_to_string(&mut buffer)?;
+        sink(&buffer); // $ hasTaintFlow="file.txt" hasTaintFlow="another_file.txt"
+    }
+
+    {
+        let mut buffer = String::new();
+        let mut file1 = std::fs::File::open("file.txt")?; // $ Alert[rust/summary/taint-sources]
+        let mut reader = file1.take(100);
+        reader.read_to_string(&mut buffer)?;
+        sink(&buffer); // $ hasTaintFlow="file.txt"
+    }
+
+    {
+        let mut buffer = String::new();
+        let _bytes = std::io::stdin().lock().read_to_string(&mut buffer)?; // $ Alert[rust/summary/taint-sources]
+        sink(&buffer); // $ hasTaintFlow
+    }
+
+    Ok(())
+}
+
 #[tokio::main]
 async fn main() -> Result<(), Box<dyn std::error::Error>> {
     let case = std::env::args().nth(1).unwrap_or(String::from("1")).parse::<i64>().unwrap(); // $ Alert[rust/summary/taint-sources]