Add QL test

aibaars · aibaars · commit bb02167fb66f · 2025-03-11T17:25:08.000+01:00
diff --git a/rust/ql/test/query-tests/security/CWE-022/TaintedPath.expected b/rust/ql/test/query-tests/security/CWE-022/TaintedPath.expected
@@ -0,0 +1,46 @@
+#select
+| src/main.rs:10:5:10:22 | ...::read_to_string | src/main.rs:6:11:6:19 | file_name | src/main.rs:10:5:10:22 | ...::read_to_string | This path depends on a $@. | src/main.rs:6:11:6:19 | file_name | user-provided value |
+| src/main.rs:22:5:22:22 | ...::read_to_string | src/main.rs:15:11:15:19 | file_name | src/main.rs:22:5:22:22 | ...::read_to_string | This path depends on a $@. | src/main.rs:15:11:15:19 | file_name | user-provided value |
+| src/main.rs:35:5:35:22 | ...::read_to_string | src/main.rs:27:11:27:19 | file_path | src/main.rs:35:5:35:22 | ...::read_to_string | This path depends on a $@. | src/main.rs:27:11:27:19 | file_path | user-provided value |
+edges
+| src/main.rs:6:11:6:19 | file_name | src/main.rs:8:35:8:43 | file_name | provenance |  |
+| src/main.rs:8:9:8:17 | file_path | src/main.rs:10:24:10:32 | file_path | provenance |  |
+| src/main.rs:8:21:8:44 | ...::from(...) | src/main.rs:8:9:8:17 | file_path | provenance |  |
+| src/main.rs:8:35:8:43 | file_name | src/main.rs:8:21:8:44 | ...::from(...) | provenance | MaD:3 |
+| src/main.rs:10:24:10:32 | file_path | src/main.rs:10:5:10:22 | ...::read_to_string | provenance | MaD:1 Sink:MaD:1 |
+| src/main.rs:15:11:15:19 | file_name | src/main.rs:21:35:21:43 | file_name | provenance |  |
+| src/main.rs:21:9:21:17 | file_path | src/main.rs:22:24:22:32 | file_path | provenance |  |
+| src/main.rs:21:21:21:44 | ...::from(...) | src/main.rs:21:9:21:17 | file_path | provenance |  |
+| src/main.rs:21:35:21:43 | file_name | src/main.rs:21:21:21:44 | ...::from(...) | provenance | MaD:3 |
+| src/main.rs:22:24:22:32 | file_path | src/main.rs:22:5:22:22 | ...::read_to_string | provenance | MaD:1 Sink:MaD:1 |
+| src/main.rs:27:11:27:19 | file_path | src/main.rs:30:52:30:60 | file_path | provenance |  |
+| src/main.rs:30:9:30:17 | file_path | src/main.rs:35:24:35:32 | file_path | provenance |  |
+| src/main.rs:30:21:30:62 | public_path.join(...) | src/main.rs:30:9:30:17 | file_path | provenance |  |
+| src/main.rs:30:38:30:61 | ...::from(...) | src/main.rs:30:21:30:62 | public_path.join(...) | provenance | MaD:2 |
+| src/main.rs:30:52:30:60 | file_path | src/main.rs:30:38:30:61 | ...::from(...) | provenance | MaD:3 |
+| src/main.rs:35:24:35:32 | file_path | src/main.rs:35:5:35:22 | ...::read_to_string | provenance | MaD:1 Sink:MaD:1 |
+models
+| 1 | Sink: lang:std; crate::fs::read_to_string; path-injection; Argument[0] |
+| 2 | Summary: lang:std; <crate::path::Path>::join; Argument[0]; ReturnValue; taint |
+| 3 | Summary: lang:std; <crate::path::PathBuf as crate::convert::From>::from; Argument[0]; ReturnValue; taint |
+nodes
+| src/main.rs:6:11:6:19 | file_name | semmle.label | file_name |
+| src/main.rs:8:9:8:17 | file_path | semmle.label | file_path |
+| src/main.rs:8:21:8:44 | ...::from(...) | semmle.label | ...::from(...) |
+| src/main.rs:8:35:8:43 | file_name | semmle.label | file_name |
+| src/main.rs:10:5:10:22 | ...::read_to_string | semmle.label | ...::read_to_string |
+| src/main.rs:10:24:10:32 | file_path | semmle.label | file_path |
+| src/main.rs:15:11:15:19 | file_name | semmle.label | file_name |
+| src/main.rs:21:9:21:17 | file_path | semmle.label | file_path |
+| src/main.rs:21:21:21:44 | ...::from(...) | semmle.label | ...::from(...) |
+| src/main.rs:21:35:21:43 | file_name | semmle.label | file_name |
+| src/main.rs:22:5:22:22 | ...::read_to_string | semmle.label | ...::read_to_string |
+| src/main.rs:22:24:22:32 | file_path | semmle.label | file_path |
+| src/main.rs:27:11:27:19 | file_path | semmle.label | file_path |
+| src/main.rs:30:9:30:17 | file_path | semmle.label | file_path |
+| src/main.rs:30:21:30:62 | public_path.join(...) | semmle.label | public_path.join(...) |
+| src/main.rs:30:38:30:61 | ...::from(...) | semmle.label | ...::from(...) |
+| src/main.rs:30:52:30:60 | file_path | semmle.label | file_path |
+| src/main.rs:35:5:35:22 | ...::read_to_string | semmle.label | ...::read_to_string |
+| src/main.rs:35:24:35:32 | file_path | semmle.label | file_path |
+subpaths
diff --git a/rust/ql/test/query-tests/security/CWE-022/TaintedPath.qlref b/rust/ql/test/query-tests/security/CWE-022/TaintedPath.qlref
@@ -0,0 +1,4 @@
+query: queries/security/CWE-022/TaintedPath.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/rust/ql/test/query-tests/security/CWE-022/TaintedPathSinks.expected b/rust/ql/test/query-tests/security/CWE-022/TaintedPathSinks.expected
diff --git a/rust/ql/test/query-tests/security/CWE-022/TaintedPathSinks.ql b/rust/ql/test/query-tests/security/CWE-022/TaintedPathSinks.ql
@@ -0,0 +1,19 @@
+import rust
+import codeql.rust.security.TaintedPathExtensions
+import utils.test.InlineExpectationsTest
+
+module TaintedPathSinksTest implements TestSig {
+  string getARelevantTag() { result = "path-injection-sink" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(TaintedPath::Sink sink |
+      location = sink.getLocation() and
+      location.getFile().getBaseName() != "" and
+      element = sink.toString() and
+      tag = "path-injection-sink" and
+      value = ""
+    )
+  }
+}
+
+import MakeTest<TaintedPathSinksTest>
diff --git a/rust/ql/test/query-tests/security/CWE-022/options.yml b/rust/ql/test/query-tests/security/CWE-022/options.yml
@@ -0,0 +1,3 @@
+qltest_cargo_check: true
+qltest_dependencies:
+    - poem = { version = "3.1.7" }
diff --git a/rust/ql/test/query-tests/security/CWE-022/src/main.rs b/rust/ql/test/query-tests/security/CWE-022/src/main.rs
@@ -0,0 +1,38 @@
+use poem::{error::InternalServerError, handler, http::StatusCode, web::Query, Error, Result};
+use std::{env::home_dir, fs, path::PathBuf};
+
+//#[handler]
+fn tainted_path_handler_bad(
+    Query(file_name): Query<String>, // $ Source=remote1
+) -> Result<String> {
+    let file_path = PathBuf::from(file_name);
+    // BAD: This could read any file on the filesystem.
+    fs::read_to_string(file_path).map_err(InternalServerError) // $ path-injection-sink Alert[rust/path-injection]=remote1
+}
+
+//#[handler]
+fn tainted_path_handler_good(
+    Query(file_name): Query<String>, // $ Source=remote2
+) -> Result<String> {
+    // GOOD: ensure that the filename has no path separators or parent directory references
+    if file_name.contains("..") || file_name.contains("/") || file_name.contains("\\") {
+        return Err(Error::from_status(StatusCode::BAD_REQUEST));
+    }
+    let file_path = PathBuf::from(file_name);
+    fs::read_to_string(file_path).map_err(InternalServerError) // $ path-injection-sink SPURIOUS: Alert[rust/path-injection]=remote2
+}
+
+//#[handler]
+fn tainted_path_handler_folder_good(
+    Query(file_path): Query<String>, // $ Source=remote3
+) -> Result<String> {
+    let public_path = home_dir().unwrap().join("public");
+    let file_path = public_path.join(PathBuf::from(file_path));
+    // GOOD: ensure that the path stays within the public folder
+    if !file_path.starts_with(public_path) {
+        return Err(Error::from_status(StatusCode::BAD_REQUEST));
+    }
+    fs::read_to_string(file_path).map_err(InternalServerError) // $ path-injection-sink SPURIOUS: Alert[rust/path-injection]=remote3
+}
+
+fn main() {}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+qltest_cargo_check: true`
	`2`	`+qltest_dependencies:`
	`3`	`+ - poem = { version = "3.1.7" }`