Update test cases with correct APIs and run CodeQL test

Co-authored-by: geoffw0 <40627776+geoffw0@users.noreply.github.com>
2025-12-17 01:03:14 +01:00 · 2025-11-03 17:38:25 +00:00
parent 8f02ab107c
commit ee3d57ef3c
5 changed files with 2680 additions and 112 deletions
--- a/rust/ql/test/query-tests/security/CWE-614/Cargo.lock
+++ b/rust/ql/test/query-tests/security/CWE-614/Cargo.lock
--- a/rust/ql/test/query-tests/security/CWE-614/CookieSet.expected
+++ b/rust/ql/test/query-tests/security/CWE-614/CookieSet.expected
@@ -52,3 +52,11 @@
 | main.rs:180:29:180:66 | ...::build(...) | secure | true |
 | main.rs:186:9:186:22 | [SSA] secure_cookie2 | secure | true |
 | main.rs:186:9:186:22 | secure_cookie2 | secure | true |
+| main.rs:197:5:197:11 | [SSA] cookie1 | secure | false |
+| main.rs:197:5:197:11 | cookie1 | secure | false |
+| main.rs:202:5:202:11 | [SSA] cookie2 | secure | true |
+| main.rs:202:5:202:11 | cookie2 | secure | true |
+| main.rs:233:5:233:11 | [SSA] cookie1 | secure | false |
+| main.rs:233:5:233:11 | cookie1 | secure | false |
+| main.rs:238:5:238:11 | [SSA] cookie2 | secure | true |
+| main.rs:238:5:238:11 | cookie2 | secure | true |
--- a/rust/ql/test/query-tests/security/CWE-614/InsecureCookie.expected
+++ b/rust/ql/test/query-tests/security/CWE-614/InsecureCookie.expected
@@ -595,3 +595,16 @@ nodes
 | main.rs:173:22:173:59 | ...::build(...) | semmle.label | ...::build(...) |
 | main.rs:173:61:173:65 | build | semmle.label | build |
 subpaths
+testFailures
+| main.rs:197:32:197:42 | //... | Missing result: Source |
+| main.rs:198:64:198:95 | //... | Missing result: Alert[rust/insecure-cookie] |
+| main.rs:206:54:206:64 | //... | Missing result: Source |
+| main.rs:207:64:207:95 | //... | Missing result: Alert[rust/insecure-cookie] |
+| main.rs:215:32:215:42 | //... | Missing result: Source |
+| main.rs:216:59:216:90 | //... | Missing result: Alert[rust/insecure-cookie] |
+| main.rs:224:62:224:72 | //... | Missing result: Source |
+| main.rs:225:59:225:90 | //... | Missing result: Alert[rust/insecure-cookie] |
+| main.rs:233:32:233:42 | //... | Missing result: Source |
+| main.rs:234:65:234:96 | //... | Missing result: Alert[rust/insecure-cookie] |
+| main.rs:242:58:242:68 | //... | Missing result: Source |
+| main.rs:243:65:243:96 | //... | Missing result: Alert[rust/insecure-cookie] |
--- a/rust/ql/test/query-tests/security/CWE-614/main.rs
+++ b/rust/ql/test/query-tests/security/CWE-614/main.rs
@@ -193,32 +193,36 @@ fn test_actix_web() {
    use actix_web::cookie::Cookie as ActixCookie;

    // secure set to false
-    let cookie1 = ActixCookie::build("name", "value").secure(false).finish(); // $ Alert[rust/insecure-cookie]
-    println!("actix-web cookie1 = '{}'", cookie1.to_string());
+    let mut cookie1 = ActixCookie::new("name", "value");
+    cookie1.set_secure(false); // $ Source
+    println!("actix-web cookie1 = '{}'", cookie1.to_string()); // $ Alert[rust/insecure-cookie]

    // secure set to true
-    let cookie2 = ActixCookie::build("name", "value").secure(true).finish(); // good
+    let mut cookie2 = ActixCookie::new("name", "value");
+    cookie2.set_secure(true); // good
    println!("actix-web cookie2 = '{}'", cookie2.to_string());

    // secure left as default
-    let cookie3 = ActixCookie::build("name", "value").finish(); // $ Alert[rust/insecure-cookie]
-    println!("actix-web cookie3 = '{}'", cookie3.to_string());
+    let cookie3 = ActixCookie::new("name", "value"); // $ Source
+    println!("actix-web cookie3 = '{}'", cookie3.to_string()); // $ Alert[rust/insecure-cookie]
 }

 fn test_poem() {
    use poem::web::cookie::Cookie as PoemCookie;

    // secure set to false
-    let cookie1 = PoemCookie::build("name", "value").secure(false).finish(); // $ Alert[rust/insecure-cookie]
-    println!("poem cookie1 = '{}'", cookie1.to_string());
+    let mut cookie1 = PoemCookie::new_with_str("name", "value");
+    cookie1.set_secure(false); // $ Source
+    println!("poem cookie1 = '{}'", cookie1.to_string()); // $ Alert[rust/insecure-cookie]

    // secure set to true
-    let cookie2 = PoemCookie::build("name", "value").secure(true).finish(); // good
+    let mut cookie2 = PoemCookie::new_with_str("name", "value");
+    cookie2.set_secure(true); // good
    println!("poem cookie2 = '{}'", cookie2.to_string());

    // secure left as default
-    let cookie3 = PoemCookie::build("name", "value").finish(); // $ Alert[rust/insecure-cookie]
-    println!("poem cookie3 = '{}'", cookie3.to_string());
+    let cookie3 = PoemCookie::new_with_str("name", "value"); // $ Source
+    println!("poem cookie3 = '{}'", cookie3.to_string()); // $ Alert[rust/insecure-cookie]
 }

 fn test_http_types() {
--- a/rust/ql/test/query-tests/security/CWE-614/options.yml
+++ b/rust/ql/test/query-tests/security/CWE-614/options.yml
@@ -2,6 +2,6 @@ qltest_cargo_check: true
 qltest_dependencies:
  - cookie = { version = "0.18.1", features = ["percent-encode", "signed", "private"] }
  - biscotti = { version = "0.4.3" }
-  - actix-web = { version = "4" }
-  - poem = { version = "3" }
-  - http-types = { version = "2" }
+  - actix-web = { version = "4", features = ["cookies"] }
+  - poem = { version = "3", features = ["cookie"] }
+  - http-types = { version = "2", features = ["cookies"] }