Rust: Generate more sinks and update query description

2025-12-16 16:53:25 +01:00 · 2025-03-13 15:20:11 +01:00
parent 1ae28c7907
commit fb718660d9
5 changed files with 26 additions and 15 deletions
--- a/rust/ql/lib/codeql/rust/frameworks/reqwest.model.yml
+++ b/rust/ql/lib/codeql/rust/frameworks/reqwest.model.yml
@@ -9,7 +9,6 @@ extensions:
      pack: codeql/rust-all
      extensible: sinkModel
    data:
-      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "crate::blocking::get", "Argument[0]", "transmission", "manual"]
      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::async_impl::client::Client>::request", "Argument[1]", "transmission", "manual"]
      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::blocking::client::Client>::request", "Argument[1]", "transmission", "manual"]
  - addsTo:
--- a/rust/ql/lib/ext/generated/reqwest/repo-https-github.com-seanmonstar-reqwest-reqwest.model.yml
+++ b/rust/ql/lib/ext/generated/reqwest/repo-https-github.com-seanmonstar-reqwest-reqwest.model.yml
@@ -10,6 +10,14 @@ extensions:
      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::async_impl::client::Client>::patch", "Argument[0]", "transmission", "df-generated"]
      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::async_impl::client::Client>::post", "Argument[0]", "transmission", "df-generated"]
      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::async_impl::client::Client>::put", "Argument[0]", "transmission", "df-generated"]
+      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::blocking::client::Client>::delete", "Argument[0]", "transmission", "df-generated"]
+      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::blocking::client::Client>::get", "Argument[0]", "transmission", "df-generated"]
+      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::blocking::client::Client>::head", "Argument[0]", "transmission", "df-generated"]
+      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::blocking::client::Client>::patch", "Argument[0]", "transmission", "df-generated"]
+      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::blocking::client::Client>::post", "Argument[0]", "transmission", "df-generated"]
+      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::blocking::client::Client>::put", "Argument[0]", "transmission", "df-generated"]
      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::connect::Connector as crate::Service>::call", "Argument[0]", "log-injection", "df-generated"]
      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::connect::ConnectorService as crate::Service>::call", "Argument[0]", "log-injection", "df-generated"]
+      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "crate::blocking::get", "Argument[0]", "transmission", "df-generated"]
+      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "crate::blocking::wait::timeout", "Argument[1]", "log-injection", "df-generated"]
      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "crate::get", "Argument[0]", "transmission", "df-generated"]
--- a/rust/ql/src/queries/security/CWE-311/CleartextTransmission.qhelp
+++ b/rust/ql/src/queries/security/CWE-311/CleartextTransmission.qhelp
@@ -22,11 +22,15 @@ sensitive information when it is not necessary to.

 <p>
 The following example shows three cases of transmitting information. In the
-'BAD' case, the data transmitted is sensitive (a password) and is not encrypted
-as it occurs as a URL parameter. In the 'GOOD' cases, the data is either not
-sensitive, or is protected with encryption. When encryption is used, take care
-to select a secure modern encryption algorithm, and put suitable key management
-practices into place.
+'BAD' case, the transmitted data is sensitive (a credit card number) and is
+included as cleartext in the URL. URLs are often logged or otherwise visible in
+cleartext, and should not contain sensitive information.
+</p>
+
+<p>
+In the 'GOOD' cases, the data is either not sensitive, or is protected with
+encryption. When encryption is used, take care to select a secure modern
+encryption algorithm, and put suitable key management practices into place.
 </p>

 <sample src="CleartextTransmission.rs" />
--- a/rust/ql/src/queries/security/CWE-311/CleartextTransmission.rs
+++ b/rust/ql/src/queries/security/CWE-311/CleartextTransmission.rs
@@ -2,14 +2,14 @@ func getData() {
 	// ...

 	// GOOD: not sensitive information
-	let body = reqwest::get("https://example.com/data").await?.text().await?;
+	let body = reqwest::get("https://example.com/song/{faveSong}").await?.text().await?;

-	// BAD: sensitive information sent in cleartext
-	let body = reqwest::get(format!("https://example.com/data?password={password}")).await?.text().await?;
+	// BAD: sensitive information sent in cleartext in the URL
+	let body = reqwest::get(format!("https://example.com/card/{creditCardNo}")).await?.text().await?;

-	// GOOD: encrypted sensitive information sent
+	// GOOD: encrypted sensitive information sent in the URL
 	let encryptedPassword = encrypt(password, encryptionKey);
-	let body = reqwest::get(format!("https://example.com/data?password={encryptedPassword}")).await?.text().await?;
+	let body = reqwest::get(format!("https://example.com/card/{creditCardNo}")).await?.text().await?;

 	// ...
 }
--- a/rust/ql/test/query-tests/security/CWE-020/RegexInjection.expected
+++ b/rust/ql/test/query-tests/security/CWE-020/RegexInjection.expected
@@ -2,15 +2,15 @@
 | main.rs:6:25:6:30 | &regex | main.rs:4:20:4:32 | ...::var | main.rs:6:25:6:30 | &regex | This regular expression is constructed from a $@. | main.rs:4:20:4:32 | ...::var | user-provided value |
 edges
 | main.rs:4:9:4:16 | username | main.rs:5:25:5:44 | MacroExpr | provenance |  |
-| main.rs:4:20:4:32 | ...::var | main.rs:4:20:4:40 | ...::var(...) [Ok] | provenance | Src:MaD:63  |
-| main.rs:4:20:4:40 | ...::var(...) [Ok] | main.rs:4:20:4:66 | ... .unwrap_or(...) | provenance | MaD:1586 |
+| main.rs:4:20:4:32 | ...::var | main.rs:4:20:4:40 | ...::var(...) [Ok] | provenance | Src:MaD:62  |
+| main.rs:4:20:4:40 | ...::var(...) [Ok] | main.rs:4:20:4:66 | ... .unwrap_or(...) | provenance | MaD:1593 |
 | main.rs:4:20:4:66 | ... .unwrap_or(...) | main.rs:4:9:4:16 | username | provenance |  |
 | main.rs:5:9:5:13 | regex | main.rs:6:26:6:30 | regex | provenance |  |
 | main.rs:5:17:5:45 | res | main.rs:5:25:5:44 | { ... } | provenance |  |
 | main.rs:5:25:5:44 | ...::format(...) | main.rs:5:17:5:45 | res | provenance |  |
 | main.rs:5:25:5:44 | ...::must_use(...) | main.rs:5:9:5:13 | regex | provenance |  |
-| main.rs:5:25:5:44 | MacroExpr | main.rs:5:25:5:44 | ...::format(...) | provenance | MaD:67 |
-| main.rs:5:25:5:44 | { ... } | main.rs:5:25:5:44 | ...::must_use(...) | provenance | MaD:3009 |
+| main.rs:5:25:5:44 | MacroExpr | main.rs:5:25:5:44 | ...::format(...) | provenance | MaD:66 |
+| main.rs:5:25:5:44 | { ... } | main.rs:5:25:5:44 | ...::must_use(...) | provenance | MaD:3016 |
 | main.rs:6:26:6:30 | regex | main.rs:6:25:6:30 | &regex | provenance |  |
 nodes
 | main.rs:4:9:4:16 | username | semmle.label | username |