Rust: Update StartswithCall.

geoffw0 · geoffw0 · commit 02b9229be785 · 2025-08-14T12:09:49.000+01:00
diff --git a/rust/ql/lib/codeql/rust/frameworks/stdlib/Stdlib.qll b/rust/ql/lib/codeql/rust/frameworks/stdlib/Stdlib.qll
@@ -14,7 +14,7 @@ private import codeql.rust.internal.PathResolution
  */
 private class StartswithCall extends Path::SafeAccessCheck::Range, CfgNodes::MethodCallExprCfgNode {
   StartswithCall() {
-    this.getAstNode().(Resolvable).getResolvedPath() = "<crate::path::Path>::starts_with"
+    this.getMethodCallExpr().getStaticTarget().getCanonicalPath() = "<std::path::Path>::starts_with"
   }
 
   override predicate checks(Cfg::CfgNode e, boolean branch) {
diff --git a/rust/ql/test/query-tests/security/CWE-022/src/main.rs b/rust/ql/test/query-tests/security/CWE-022/src/main.rs
@@ -29,7 +29,7 @@ fn tainted_path_handler_folder_good(Query(file_path): Query<String>) -> Result<S
     if !file_path.starts_with(public_path) {
         return Err(Error::from_status(StatusCode::BAD_REQUEST));
     }
-    fs::read_to_string(file_path).map_err(InternalServerError) // $ path-injection-checked path-injection-sink
+    fs::read_to_string(file_path).map_err(InternalServerError) // $ path-injection-sink MISSING: path-injection-checked
 }
 
 //#[handler]
@@ -42,7 +42,7 @@ fn tainted_path_handler_folder_almost_good1(
     if !file_path.starts_with(public_path) {
         return Err(Error::from_status(StatusCode::BAD_REQUEST));
     }
-    fs::read_to_string(file_path).map_err(InternalServerError) // $ path-injection-checked path-injection-sink MISSING: Alert[rust/path-injection]=remote2 -- we cannot resolve the `join` call above, because it needs a `PathBuf -> Path` `Deref`
+    fs::read_to_string(file_path).map_err(InternalServerError) // $ path-injection-sink MISSING: path-injection-checked Alert[rust/path-injection]=remote2 -- we cannot resolve the `join` call above, because it needs a `PathBuf -> Path` `Deref`
 }
 
 //#[handler]
@@ -54,7 +54,7 @@ fn tainted_path_handler_folder_good_simpler(Query(file_path): Query<String>) ->
     if !file_path.starts_with(public_path) {
         return Err(Error::from_status(StatusCode::BAD_REQUEST));
     }
-    fs::read_to_string(file_path).map_err(InternalServerError) // $ path-injection-checked path-injection-sink
+    fs::read_to_string(file_path).map_err(InternalServerError) // $ path-injection-sink MISSING: path-injection-checked
 }
 
 //#[handler]

Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ private import codeql.rust.internal.PathResolution`
`14`	`14`	`*/`
`15`	`15`	`private class StartswithCall extends Path::SafeAccessCheck::Range, CfgNodes::MethodCallExprCfgNode {`
`16`	`16`	`StartswithCall() {`
`17`		`- this.getAstNode().(Resolvable).getResolvedPath() = "<crate::path::Path>::starts_with"`
	`17`	`+ this.getMethodCallExpr().getStaticTarget().getCanonicalPath() = "<std::path::Path>::starts_with"`
`18`	`18`	`}`
`19`	`19`
`20`	`20`	`override predicate checks(Cfg::CfgNode e, boolean branch) {`
Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ fn tainted_path_handler_folder_good(Query(file_path): Query<String>) -> Result<S`
`29`	`29`	`if !file_path.starts_with(public_path) {`
`30`	`30`	`return Err(Error::from_status(StatusCode::BAD_REQUEST));`
`31`	`31`	`}`
`32`		`- fs::read_to_string(file_path).map_err(InternalServerError) // $ path-injection-checked path-injection-sink`
	`32`	`+ fs::read_to_string(file_path).map_err(InternalServerError) // $ path-injection-sink MISSING: path-injection-checked`
`33`	`33`	`}`
`34`	`34`
`35`	`35`	`//#[handler]`
`@@ -42,7 +42,7 @@ fn tainted_path_handler_folder_almost_good1(`
`42`	`42`	`if !file_path.starts_with(public_path) {`
`43`	`43`	`return Err(Error::from_status(StatusCode::BAD_REQUEST));`
`44`	`44`	`}`
`45`		- fs::read_to_string(file_path).map_err(InternalServerError) // $ path-injection-checked path-injection-sink MISSING: Alert[rust/path-injection]=remote2 -- we cannot resolve the `join` call above, because it needs a `PathBuf -> Path` `Deref`
	`45`	+ fs::read_to_string(file_path).map_err(InternalServerError) // $ path-injection-sink MISSING: path-injection-checked Alert[rust/path-injection]=remote2 -- we cannot resolve the `join` call above, because it needs a `PathBuf -> Path` `Deref`
`46`	`46`	`}`
`47`	`47`
`48`	`48`	`//#[handler]`
`@@ -54,7 +54,7 @@ fn tainted_path_handler_folder_good_simpler(Query(file_path): Query<String>) ->`
`54`	`54`	`if !file_path.starts_with(public_path) {`
`55`	`55`	`return Err(Error::from_status(StatusCode::BAD_REQUEST));`
`56`	`56`	`}`
`57`		`- fs::read_to_string(file_path).map_err(InternalServerError) // $ path-injection-checked path-injection-sink`
	`57`	`+ fs::read_to_string(file_path).map_err(InternalServerError) // $ path-injection-sink MISSING: path-injection-checked`
`58`	`58`	`}`
`59`	`59`
`60`	`60`	`//#[handler]`