From fb718660d98f7a651ce5ddfdd22b4869c37a4392 Mon Sep 17 00:00:00 2001
From: Simon Friis Vindum
Date: Thu, 13 Mar 2025 15:20:11 +0100
Subject: [PATCH] Rust: Generate more sinks and update query description
---
 .../lib/codeql/rust/frameworks/reqwest.model.yml | 1 -
 ...ithub.com-seanmonstar-reqwest-reqwest.model.yml | 8 ++++++++
 .../security/CWE-311/CleartextTransmission.qhelp | 14 +++++++++-----
 .../security/CWE-311/CleartextTransmission.rs | 10 +++++-----
 .../security/CWE-020/RegexInjection.expected | 8 ++++----
 5 files changed, 26 insertions(+), 15 deletions(-)
diff --git a/rust/ql/lib/codeql/rust/frameworks/reqwest.model.yml b/rust/ql/lib/codeql/rust/frameworks/reqwest.model.yml
index 2b4ad029b09..3be832c8e7f 100644
--- a/rust/ql/lib/codeql/rust/frameworks/reqwest.model.yml
+++ b/rust/ql/lib/codeql/rust/frameworks/reqwest.model.yml
@@ -9,7 +9,6 @@ extensions:
 pack: codeql/rust-all
 extensible: sinkModel
 data:
- - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "crate::blocking::get", "Argument[0]", "transmission", "manual"]
 - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "::request", "Argument[1]", "transmission", "manual"]
 - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "::request", "Argument[1]", "transmission", "manual"]
 - addsTo:
diff --git a/rust/ql/lib/ext/generated/reqwest/repo-https-github.com-seanmonstar-reqwest-reqwest.model.yml b/rust/ql/lib/ext/generated/reqwest/repo-https-github.com-seanmonstar-reqwest-reqwest.model.yml
index 7e6fda88b3d..53f2675a0c0 100644
--- a/rust/ql/lib/ext/generated/reqwest/repo-https-github.com-seanmonstar-reqwest-reqwest.model.yml
+++ b/rust/ql/lib/ext/generated/reqwest/repo-https-github.com-seanmonstar-reqwest-reqwest.model.yml
@@ -10,6 +10,14 @@ extensions:
 - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "::patch", "Argument[0]", "transmission", "df-generated"]
 - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "::post", "Argument[0]", "transmission", "df-generated"]
 - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "::put", "Argument[0]", "transmission", "df-generated"]
+ - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "::delete", "Argument[0]", "transmission", "df-generated"]
+ - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "::get", "Argument[0]", "transmission", "df-generated"]
+ - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "::head", "Argument[0]", "transmission", "df-generated"]
+ - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "::patch", "Argument[0]", "transmission", "df-generated"]
+ - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "::post", "Argument[0]", "transmission", "df-generated"]
+ - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "::put", "Argument[0]", "transmission", "df-generated"]
 - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "::call", "Argument[0]", "log-injection", "df-generated"]
 - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "::call", "Argument[0]", "log-injection", "df-generated"]
+ - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "crate::blocking::get", "Argument[0]", "transmission", "df-generated"]
+ - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "crate::blocking::wait::timeout", "Argument[1]", "log-injection", "df-generated"]
 - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "crate::get", "Argument[0]", "transmission", "df-generated"]
diff --git a/rust/ql/src/queries/security/CWE-311/CleartextTransmission.qhelp b/rust/ql/src/queries/security/CWE-311/CleartextTransmission.qhelp
index 35bfb88e2a8..cb7d6867ecb 100644
--- a/rust/ql/src/queries/security/CWE-311/CleartextTransmission.qhelp
+++ b/rust/ql/src/queries/security/CWE-311/CleartextTransmission.qhelp
@@ -22,11 +22,15 @@ sensitive information when it is not necessary to.

The following example shows three cases of transmitting information. In the
-'BAD' case, the data transmitted is sensitive (a password) and is not encrypted
-as it occurs as a URL parameter. In the 'GOOD' cases, the data is either not
-sensitive, or is protected with encryption. When encryption is used, take care
-to select a secure modern encryption algorithm, and put suitable key management
-practices into place.
+'BAD' case, the transmitted data is sensitive (a credit card number) and is
+included as cleartext in the URL. URLs are often logged or otherwise visible in
+cleartext, and should not contain sensitive information.
+

+
+

+In the 'GOOD' cases, the data is either not sensitive, or is protected with
+encryption. When encryption is used, take care to select a secure modern
+encryption algorithm, and put suitable key management practices into place.

diff --git a/rust/ql/src/queries/security/CWE-311/CleartextTransmission.rs b/rust/ql/src/queries/security/CWE-311/CleartextTransmission.rs
index 76fbaf4471c..9856818525d 100644
--- a/rust/ql/src/queries/security/CWE-311/CleartextTransmission.rs
+++ b/rust/ql/src/queries/security/CWE-311/CleartextTransmission.rs
@@ -2,14 +2,14 @@ func getData() {
 // ...
 // GOOD: not sensitive information
- let body = reqwest::get("https://example.com/data").await?.text().await?;
+ let body = reqwest::get("https://example.com/song/{faveSong}").await?.text().await?;
- // BAD: sensitive information sent in cleartext
- let body = reqwest::get(format!("https://example.com/data?password={password}")).await?.text().await?;
+ // BAD: sensitive information sent in cleartext in the URL
+ let body = reqwest::get(format!("https://example.com/card/{creditCardNo}")).await?.text().await?;
- // GOOD: encrypted sensitive information sent
+ // GOOD: encrypted sensitive information sent in the URL
 let encryptedPassword = encrypt(password, encryptionKey);
- let body = reqwest::get(format!("https://example.com/data?password={encryptedPassword}")).await?.text().await?;
+ let body = reqwest::get(format!("https://example.com/card/{creditCardNo}")).await?.text().await?;
 // ...
 }
diff --git a/rust/ql/test/query-tests/security/CWE-020/RegexInjection.expected b/rust/ql/test/query-tests/security/CWE-020/RegexInjection.expected
index 630334686ab..e204b5a3926 100644
--- a/rust/ql/test/query-tests/security/CWE-020/RegexInjection.expected
+++ b/rust/ql/test/query-tests/security/CWE-020/RegexInjection.expected
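Review bot: The third case, labelled `// GOOD: encrypted sensitive information sent in the URL`, still transmits `creditCardNo` in cleartext: its new `reqwest::get` line is identical to the BAD line above it, and the `encryptedPassword` computed on the preceding context line is never used. As written the example presents the vulnerable pattern as the safe one, and the query would presumably flag it if this snippet were analysed. The encryption should be applied to the value that is actually sent, e.g. `let encryptedCardNo = encrypt(creditCardNo, encryptionKey);` followed by `let body = reqwest::get(format!("https://example.com/card/{encryptedCardNo}")).await?.text().await?;`. Separately, the first GOOD line passes `"https://example.com/song/{faveSong}"` as a plain string literal, so `{faveSong}` is not interpolated; if interpolation is intended it needs `format!` like the other two cases. The enclosing `getData` starts on the hunk's header line, outside the hunk itself.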
@@ -2,15 +2,15 @@
 | main.rs:6:25:6:30 | ®ex | main.rs:4:20:4:32 | ...::var | main.rs:6:25:6:30 | ®ex | This regular expression is constructed from a $@. | main.rs:4:20:4:32 | ...::var | user-provided value |
 edges
 | main.rs:4:9:4:16 | username | main.rs:5:25:5:44 | MacroExpr | provenance | |
-| main.rs:4:20:4:32 | ...::var | main.rs:4:20:4:40 | ...::var(...) [Ok] | provenance | Src:MaD:63 |
-| main.rs:4:20:4:40 | ...::var(...) [Ok] | main.rs:4:20:4:66 | ... .unwrap_or(...) | provenance | MaD:1586 |
+| main.rs:4:20:4:32 | ...::var | main.rs:4:20:4:40 | ...::var(...) [Ok] | provenance | Src:MaD:62 |
+| main.rs:4:20:4:40 | ...::var(...) [Ok] | main.rs:4:20:4:66 | ... .unwrap_or(...) | provenance | MaD:1593 |
 | main.rs:4:20:4:66 | ... .unwrap_or(...) | main.rs:4:9:4:16 | username | provenance | |
 | main.rs:5:9:5:13 | regex | main.rs:6:26:6:30 | regex | provenance | |
 | main.rs:5:17:5:45 | res | main.rs:5:25:5:44 | { ... } | provenance | |
 | main.rs:5:25:5:44 | ...::format(...) | main.rs:5:17:5:45 | res | provenance | |
 | main.rs:5:25:5:44 | ...::must_use(...) | main.rs:5:9:5:13 | regex | provenance | |
-| main.rs:5:25:5:44 | MacroExpr | main.rs:5:25:5:44 | ...::format(...) | provenance | MaD:67 |
-| main.rs:5:25:5:44 | { ... } | main.rs:5:25:5:44 | ...::must_use(...) | provenance | MaD:3009 |
+| main.rs:5:25:5:44 | MacroExpr | main.rs:5:25:5:44 | ...::format(...) | provenance | MaD:66 |
+| main.rs:5:25:5:44 | { ... } | main.rs:5:25:5:44 | ...::must_use(...) | provenance | MaD:3016 |
 | main.rs:6:26:6:30 | regex | main.rs:6:25:6:30 | ®ex | provenance | |
 nodes
 | main.rs:4:9:4:16 | username | semmle.label | username |