Rust: Add another test case for barriers (that still functions).

2026-04-24 16:25:15 +02:00 · 2025-07-21 20:49:19 +01:00
parent 796cb193fc
commit ec3ad85504
3 changed files with 18 additions and 1 deletions
--- a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll
@@ -103,7 +103,8 @@ module HardcodedCryptographicValue {
        ce.getFunction().(PathExpr).getResolvedCrateOrigin() =
          "repo:https://github.com/rust-random/getrandom:getrandom" and
        ce.getFunction().(PathExpr).getResolvedPath() = ["crate::fill", "crate::getrandom"] and
-        this.asExpr().getExpr().getParentNode*() = ce.getArgList().getArg(0)
+        this.asExpr().getExpr().getParentNode*() = ce.getArgList().getArg(0) and
+        none()
      )
    }
  }
--- a/rust/ql/test/query-tests/security/CWE-798/HardcodedCryptographicValue.expected
+++ b/rust/ql/test/query-tests/security/CWE-798/HardcodedCryptographicValue.expected
@@ -12,6 +12,7 @@
 | test_cipher.rs:50:37:50:52 | ...::zeroed | test_cipher.rs:50:37:50:52 | ...::zeroed | test_cipher.rs:51:31:51:48 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:51:31:51:48 | ...::new | a key |
 | test_cipher.rs:50:37:50:52 | ...::zeroed | test_cipher.rs:50:37:50:52 | ...::zeroed | test_cipher.rs:51:31:51:48 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:51:31:51:48 | ...::new | a key |
 | test_cipher.rs:73:20:73:22 | 0u8 | test_cipher.rs:73:20:73:22 | 0u8 | test_cipher.rs:74:23:74:44 | ...::new_from_slice | This hard-coded value is used as $@. | test_cipher.rs:74:23:74:44 | ...::new_from_slice | a key |
+| test_cipher.rs:144:21:144:23 | 0u8 | test_cipher.rs:144:21:144:23 | 0u8 | test_cipher.rs:146:13:146:34 | ...::new_from_slice | This hard-coded value is used as $@. | test_cipher.rs:146:13:146:34 | ...::new_from_slice | a key |
 edges
 | test_cipher.rs:18:9:18:14 | const1 [&ref, element] | test_cipher.rs:19:73:19:78 | const1 [&ref, element] | provenance |  |
 | test_cipher.rs:18:28:18:36 | &... [&ref, element] | test_cipher.rs:18:9:18:14 | const1 [&ref, element] | provenance |  |
@@ -58,6 +59,11 @@ edges
 | test_cipher.rs:73:19:73:26 | [0u8; 32] [element] | test_cipher.rs:73:18:73:26 | &... [&ref, element] | provenance |  |
 | test_cipher.rs:73:20:73:22 | 0u8 | test_cipher.rs:73:19:73:26 | [0u8; 32] [element] | provenance |  |
 | test_cipher.rs:74:46:74:51 | const2 [&ref, element] | test_cipher.rs:74:23:74:44 | ...::new_from_slice | provenance | MaD:1 Sink:MaD:1 Sink:MaD:1 |
+| test_cipher.rs:144:9:144:16 | mut key5 [element] | test_cipher.rs:146:37:146:40 | key5 [element] | provenance |  |
+| test_cipher.rs:144:20:144:27 | [0u8; 32] [element] | test_cipher.rs:144:9:144:16 | mut key5 [element] | provenance |  |
+| test_cipher.rs:144:21:144:23 | 0u8 | test_cipher.rs:144:20:144:27 | [0u8; 32] [element] | provenance |  |
+| test_cipher.rs:146:36:146:40 | &key5 [&ref, element] | test_cipher.rs:146:13:146:34 | ...::new_from_slice | provenance | MaD:1 Sink:MaD:1 Sink:MaD:1 |
+| test_cipher.rs:146:37:146:40 | key5 [element] | test_cipher.rs:146:36:146:40 | &key5 [&ref, element] | provenance |  |
 models
 | 1 | Sink: <_ as crypto_common::KeyInit>::new_from_slice; Argument[0]; credentials-key |
 | 2 | Sink: <cipher::stream_wrapper::StreamCipherCoreWrapper as crypto_common::KeyInit>::new; Argument[0]; credentials-key |
@@ -119,4 +125,10 @@ nodes
 | test_cipher.rs:73:20:73:22 | 0u8 | semmle.label | 0u8 |
 | test_cipher.rs:74:23:74:44 | ...::new_from_slice | semmle.label | ...::new_from_slice |
 | test_cipher.rs:74:46:74:51 | const2 [&ref, element] | semmle.label | const2 [&ref, element] |
+| test_cipher.rs:144:9:144:16 | mut key5 [element] | semmle.label | mut key5 [element] |
+| test_cipher.rs:144:20:144:27 | [0u8; 32] [element] | semmle.label | [0u8; 32] [element] |
+| test_cipher.rs:144:21:144:23 | 0u8 | semmle.label | 0u8 |
+| test_cipher.rs:146:13:146:34 | ...::new_from_slice | semmle.label | ...::new_from_slice |
+| test_cipher.rs:146:36:146:40 | &key5 [&ref, element] | semmle.label | &key5 [&ref, element] |
+| test_cipher.rs:146:37:146:40 | key5 [element] | semmle.label | key5 [element] |
 subpaths
--- a/rust/ql/test/query-tests/security/CWE-798/test_cipher.rs
+++ b/rust/ql/test/query-tests/security/CWE-798/test_cipher.rs
@@ -140,4 +140,8 @@ fn test_aes_gcm(
    _ = getrandom2::getrandom(&mut nonce4).unwrap();
    let cipher4 = Aes256Gcm::new(&key4.into());
    let _ = cipher4.encrypt(&nonce4.into(), b"plaintext".as_ref()).unwrap();
+
+    let mut key5 = [0u8;32]; // $ SPURIOUS: Alert[rust/hard-coded-cryptographic-value]
+    _ = getrandom::fill(&mut key5).unwrap();
+    let _ = Aes256::new_from_slice(&key5).unwrap(); // $ Sink
 }