Rust: Add query test.

rust/ql/test/query-tests/security/CWE-295/DisabledCertificateCheck.expected

@@ -0,0 +1,10 @@
+| main.rs:3:16:4:36 | ... .danger_accept_invalid_certs(...) | Disabling TLS certificate validation with 'danger_accept_invalid_certs(true)' can expose the application to man-in-the-middle attacks. |
+| main.rs:8:16:9:40 | ... .danger_accept_invalid_hostnames(...) | Disabling TLS certificate validation with 'danger_accept_invalid_certs(true)' can expose the application to man-in-the-middle attacks. |
+| main.rs:13:16:16:36 | ... .danger_accept_invalid_certs(...) | Disabling TLS certificate validation with 'danger_accept_invalid_certs(true)' can expose the application to man-in-the-middle attacks. |
+| main.rs:13:16:17:40 | ... .danger_accept_invalid_hostnames(...) | Disabling TLS certificate validation with 'danger_accept_invalid_certs(true)' can expose the application to man-in-the-middle attacks. |
+| main.rs:36:16:37:36 | ... .danger_accept_invalid_certs(...) | Disabling TLS certificate validation with 'danger_accept_invalid_certs(true)' can expose the application to man-in-the-middle attacks. |
+| main.rs:41:16:42:40 | ... .danger_accept_invalid_hostnames(...) | Disabling TLS certificate validation with 'danger_accept_invalid_certs(true)' can expose the application to man-in-the-middle attacks. |
+| main.rs:46:16:47:36 | ... .danger_accept_invalid_certs(...) | Disabling TLS certificate validation with 'danger_accept_invalid_certs(true)' can expose the application to man-in-the-middle attacks. |
+| main.rs:46:16:48:40 | ... .danger_accept_invalid_hostnames(...) | Disabling TLS certificate validation with 'danger_accept_invalid_certs(true)' can expose the application to man-in-the-middle attacks. |
+| main.rs:52:16:55:36 | ... .danger_accept_invalid_certs(...) | Disabling TLS certificate validation with 'danger_accept_invalid_certs(true)' can expose the application to man-in-the-middle attacks. |
+| main.rs:52:16:56:40 | ... .danger_accept_invalid_hostnames(...) | Disabling TLS certificate validation with 'danger_accept_invalid_certs(true)' can expose the application to man-in-the-middle attacks. |

rust/ql/test/query-tests/security/CWE-295/DisabledCertificateCheck.qlref

@@ -0,0 +1,4 @@
+query: queries/security/CWE-295/DisabledCertificateCheck.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql

rust/ql/test/query-tests/security/CWE-295/main.rs

@@ -0,0 +1,108 @@
+fn test_native_tls() {
+	// unsafe
+	let _client = native_tls::TlsConnector::builder()
+		.danger_accept_invalid_certs(true) // $ Alert[rust/disabled-certificate-check]
+		.build()
+		.unwrap();
+
+	let _client = native_tls::TlsConnector::builder()
+		.danger_accept_invalid_hostnames(true) // $ Alert[rust/disabled-certificate-check]
+		.build()
+		.unwrap();
+
+	let _client = native_tls::TlsConnector::builder()
+		.min_protocol_version(Some(native_tls::Protocol::Tlsv12))
+		.use_sni(true)
+		.danger_accept_invalid_certs(true) // $ Alert[rust/disabled-certificate-check]
+		.danger_accept_invalid_hostnames(true) // $ Alert[rust/disabled-certificate-check]
+		.build()
+		.unwrap();
+
+	// safe
+	let _client = native_tls::TlsConnector::builder()
+		.danger_accept_invalid_certs(false) // good
+		.danger_accept_invalid_hostnames(false) // good
+		.build()
+		.unwrap();
+
+	// default (safe)
+	let _client = native_tls::TlsConnector::builder()
+		.build()
+		.unwrap();
+}
+
+fn test_reqwest() {
+	// unsafe
+	let _client = reqwest::Client::builder()
+		.danger_accept_invalid_certs(true) // $ Alert[rust/disabled-certificate-check]
+		.build()
+		.unwrap();
+
+	let _client = reqwest::blocking::ClientBuilder::new()
+		.danger_accept_invalid_hostnames(true) // $ Alert[rust/disabled-certificate-check]
+		.build()
+		.unwrap();
+
+	let _client = reqwest::ClientBuilder::new()
+		.danger_accept_invalid_certs(true) // $ Alert[rust/disabled-certificate-check]
+		.danger_accept_invalid_hostnames(true) // $ Alert[rust/disabled-certificate-check]
+		.build()
+		.unwrap();
+
+	let _client = reqwest::blocking::Client::builder()
+		.tcp_keepalive(std::time::Duration::from_secs(30))
+		.https_only(true)
+		.danger_accept_invalid_certs(true) // $ Alert[rust/disabled-certificate-check]
+		.danger_accept_invalid_hostnames(true) // $ Alert[rust/disabled-certificate-check]
+		.build()
+		.unwrap();
+
+	// safe
+	let _client = reqwest::blocking::Client::builder()
+		.danger_accept_invalid_certs(false) // good
+		.danger_accept_invalid_hostnames(false) // good
+		.build()
+		.unwrap();
+
+	// default (safe)
+	let _client = reqwest::blocking::Client::builder()
+		.build()
+		.unwrap();
+}
+
+fn test_data_flow(sometimes_global: bool) {
+	let always = true;
+	let mut sometimes = true;
+	let never = false;
+
+	if rand::random_range(0 .. 2) == 0 {
+		sometimes = false;
+	}
+
+	let _client = native_tls::TlsConnector::builder()
+		.danger_accept_invalid_certs(always) // $ MISSING: Alert[rust/disabled-certificate-check]
+		.build()
+		.unwrap();
+
+	let _client = native_tls::TlsConnector::builder()
+		.danger_accept_invalid_certs(sometimes) // $ MISSING: Alert[rust/disabled-certificate-check]
+		.build()
+		.unwrap();
+
+	let _client = native_tls::TlsConnector::builder()
+		.danger_accept_invalid_certs(sometimes_global) // $ MISSING: Alert[rust/disabled-certificate-check]
+		.build()
+		.unwrap();
+
+	let _client = native_tls::TlsConnector::builder()
+		.danger_accept_invalid_certs(never) // good
+		.build()
+		.unwrap();
+}
+
+fn main() {
+	test_native_tls();
+	test_reqwest();
+	test_data_flow(true);
+	test_data_flow(false);
+}

rust/ql/test/query-tests/security/CWE-295/options.yml

@@ -0,0 +1,5 @@
+qltest_cargo_check: true
+qltest_dependencies:
+    - reqwest = { version = "0.12.9", features = ["blocking"] }
+    - native-tls = { version = "0.2.14" }
+    - rand = { version = "0.9.2" }