Rust: Model assert_failed.

geoffw0 · geoffw0 · commit 2bbf49399102 · 2025-01-23T17:17:03.000Z
diff --git a/rust/ql/lib/codeql/rust/frameworks/log.model.yml b/rust/ql/lib/codeql/rust/frameworks/log.model.yml
@@ -11,4 +11,5 @@ extensions:
       - ["lang:std", "<crate::io::stdio::StderrLock as crate::io::Write>::write", "Argument[0]", "log-injection", "manual"]
       - ["lang:std", "<crate::io::stdio::StderrLock as crate::io::Write>::write_all", "Argument[0]", "log-injection", "manual"]
       - ["lang:core", "crate::panicking::panic_fmt", "Argument[0]", "log-injection", "manual"]
+      - ["lang:core", "crate::panicking::assert_failed", "Argument[3].Variant[crate::option::Option::Some(0)]", "log-injection", "manual"]
       - ["lang:core", "<crate::option::Option>::expect", "Argument[0]", "log-injection", "manual"]
diff --git a/rust/ql/test/query-tests/security/CWE-312/CleartextLogging.expected b/rust/ql/test/query-tests/security/CWE-312/CleartextLogging.expected
@@ -31,7 +31,11 @@
 | test_logging.rs:160:16:160:55 | ...::panic_fmt | test_logging.rs:160:47:160:54 | password | test_logging.rs:160:16:160:55 | ...::panic_fmt | This operation writes '...::panic_fmt' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:160:47:160:54 | password | password |
 | test_logging.rs:161:16:161:53 | ...::panic_fmt | test_logging.rs:161:45:161:52 | password | test_logging.rs:161:16:161:53 | ...::panic_fmt | This operation writes '...::panic_fmt' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:161:45:161:52 | password | password |
 | test_logging.rs:162:16:162:55 | ...::panic_fmt | test_logging.rs:162:47:162:54 | password | test_logging.rs:162:16:162:55 | ...::panic_fmt | This operation writes '...::panic_fmt' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:162:47:162:54 | password | password |
+| test_logging.rs:163:16:163:57 | ...::assert_failed | test_logging.rs:163:49:163:56 | password | test_logging.rs:163:16:163:57 | ...::assert_failed | This operation writes '...::assert_failed' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:163:49:163:56 | password | password |
+| test_logging.rs:164:16:164:57 | ...::assert_failed | test_logging.rs:164:49:164:56 | password | test_logging.rs:164:16:164:57 | ...::assert_failed | This operation writes '...::assert_failed' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:164:49:164:56 | password | password |
 | test_logging.rs:165:16:165:61 | ...::panic_fmt | test_logging.rs:165:53:165:60 | password | test_logging.rs:165:16:165:61 | ...::panic_fmt | This operation writes '...::panic_fmt' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:165:53:165:60 | password | password |
+| test_logging.rs:166:16:166:63 | ...::assert_failed | test_logging.rs:166:55:166:62 | password | test_logging.rs:166:16:166:63 | ...::assert_failed | This operation writes '...::assert_failed' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:166:55:166:62 | password | password |
+| test_logging.rs:167:17:167:64 | ...::assert_failed | test_logging.rs:167:56:167:63 | password | test_logging.rs:167:17:167:64 | ...::assert_failed | This operation writes '...::assert_failed' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:167:56:167:63 | password | password |
 | test_logging.rs:168:27:168:32 | expect | test_logging.rs:168:58:168:65 | password | test_logging.rs:168:27:168:32 | expect | This operation writes 'expect' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:168:58:168:65 | password | password |
 | test_logging.rs:174:30:174:34 | write | test_logging.rs:174:60:174:67 | password | test_logging.rs:174:30:174:34 | write | This operation writes 'write' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:174:60:174:67 | password | password |
 | test_logging.rs:175:30:175:38 | write_all | test_logging.rs:175:64:175:71 | password | test_logging.rs:175:30:175:38 | write_all | This operation writes 'write_all' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:175:64:175:71 | password | password |
@@ -82,8 +86,8 @@ edges
 | test_logging.rs:99:14:99:46 | res | test_logging.rs:99:22:99:45 | { ... } | provenance |  |
 | test_logging.rs:99:22:99:45 | ...::format(...) | test_logging.rs:99:14:99:46 | res | provenance |  |
 | test_logging.rs:99:22:99:45 | ...::must_use(...) | test_logging.rs:99:9:99:10 | m3 | provenance |  |
-| test_logging.rs:99:22:99:45 | MacroExpr | test_logging.rs:99:22:99:45 | ...::format(...) | provenance | MaD:24 |
-| test_logging.rs:99:22:99:45 | { ... } | test_logging.rs:99:22:99:45 | ...::must_use(...) | provenance | MaD:23 |
+| test_logging.rs:99:22:99:45 | MacroExpr | test_logging.rs:99:22:99:45 | ...::format(...) | provenance | MaD:25 |
+| test_logging.rs:99:22:99:45 | { ... } | test_logging.rs:99:22:99:45 | ...::must_use(...) | provenance | MaD:24 |
 | test_logging.rs:99:38:99:45 | password | test_logging.rs:99:22:99:45 | MacroExpr | provenance |  |
 | test_logging.rs:100:11:100:18 | MacroExpr | test_logging.rs:100:5:100:19 | ...::log | provenance | MaD:0 Sink:MaD:0 |
 | test_logging.rs:118:12:118:41 | MacroExpr | test_logging.rs:118:5:118:42 | ...::log | provenance | MaD:0 Sink:MaD:0 |
@@ -112,47 +116,59 @@ edges
 | test_logging.rs:161:45:161:52 | password | test_logging.rs:161:29:161:52 | MacroExpr | provenance |  |
 | test_logging.rs:162:31:162:54 | MacroExpr | test_logging.rs:162:16:162:55 | ...::panic_fmt | provenance | MaD:7 Sink:MaD:7 |
 | test_logging.rs:162:47:162:54 | password | test_logging.rs:162:31:162:54 | MacroExpr | provenance |  |
+| test_logging.rs:163:33:163:56 | ...::Some(...) [Some] | test_logging.rs:163:16:163:57 | ...::assert_failed | provenance | MaD:8 Sink:MaD:8 |
+| test_logging.rs:163:33:163:56 | MacroExpr | test_logging.rs:163:33:163:56 | ...::Some(...) [Some] | provenance |  |
+| test_logging.rs:163:49:163:56 | password | test_logging.rs:163:33:163:56 | MacroExpr | provenance |  |
+| test_logging.rs:164:33:164:56 | ...::Some(...) [Some] | test_logging.rs:164:16:164:57 | ...::assert_failed | provenance | MaD:8 Sink:MaD:8 |
+| test_logging.rs:164:33:164:56 | MacroExpr | test_logging.rs:164:33:164:56 | ...::Some(...) [Some] | provenance |  |
+| test_logging.rs:164:49:164:56 | password | test_logging.rs:164:33:164:56 | MacroExpr | provenance |  |
 | test_logging.rs:165:37:165:60 | MacroExpr | test_logging.rs:165:16:165:61 | ...::panic_fmt | provenance | MaD:7 Sink:MaD:7 |
 | test_logging.rs:165:53:165:60 | password | test_logging.rs:165:37:165:60 | MacroExpr | provenance |  |
-| test_logging.rs:168:34:168:66 | MacroExpr | test_logging.rs:168:34:168:75 | ... .as_str(...) | provenance | MaD:21 |
+| test_logging.rs:166:39:166:62 | ...::Some(...) [Some] | test_logging.rs:166:16:166:63 | ...::assert_failed | provenance | MaD:8 Sink:MaD:8 |
+| test_logging.rs:166:39:166:62 | MacroExpr | test_logging.rs:166:39:166:62 | ...::Some(...) [Some] | provenance |  |
+| test_logging.rs:166:55:166:62 | password | test_logging.rs:166:39:166:62 | MacroExpr | provenance |  |
+| test_logging.rs:167:40:167:63 | ...::Some(...) [Some] | test_logging.rs:167:17:167:64 | ...::assert_failed | provenance | MaD:8 Sink:MaD:8 |
+| test_logging.rs:167:40:167:63 | MacroExpr | test_logging.rs:167:40:167:63 | ...::Some(...) [Some] | provenance |  |
+| test_logging.rs:167:56:167:63 | password | test_logging.rs:167:40:167:63 | MacroExpr | provenance |  |
+| test_logging.rs:168:34:168:66 | MacroExpr | test_logging.rs:168:34:168:75 | ... .as_str(...) | provenance | MaD:22 |
 | test_logging.rs:168:34:168:66 | res | test_logging.rs:168:42:168:65 | { ... } | provenance |  |
-| test_logging.rs:168:34:168:75 | ... .as_str(...) | test_logging.rs:168:27:168:32 | expect | provenance | MaD:8 Sink:MaD:8 |
+| test_logging.rs:168:34:168:75 | ... .as_str(...) | test_logging.rs:168:27:168:32 | expect | provenance | MaD:9 Sink:MaD:9 |
 | test_logging.rs:168:42:168:65 | ...::format(...) | test_logging.rs:168:34:168:66 | res | provenance |  |
 | test_logging.rs:168:42:168:65 | ...::must_use(...) | test_logging.rs:168:34:168:66 | MacroExpr | provenance |  |
-| test_logging.rs:168:42:168:65 | MacroExpr | test_logging.rs:168:42:168:65 | ...::format(...) | provenance | MaD:24 |
-| test_logging.rs:168:42:168:65 | { ... } | test_logging.rs:168:42:168:65 | ...::must_use(...) | provenance | MaD:23 |
+| test_logging.rs:168:42:168:65 | MacroExpr | test_logging.rs:168:42:168:65 | ...::format(...) | provenance | MaD:25 |
+| test_logging.rs:168:42:168:65 | { ... } | test_logging.rs:168:42:168:65 | ...::must_use(...) | provenance | MaD:24 |
 | test_logging.rs:168:58:168:65 | password | test_logging.rs:168:42:168:65 | MacroExpr | provenance |  |
-| test_logging.rs:174:36:174:68 | MacroExpr | test_logging.rs:174:36:174:79 | ... .as_bytes(...) | provenance | MaD:22 |
+| test_logging.rs:174:36:174:68 | MacroExpr | test_logging.rs:174:36:174:79 | ... .as_bytes(...) | provenance | MaD:23 |
 | test_logging.rs:174:36:174:68 | res | test_logging.rs:174:44:174:67 | { ... } | provenance |  |
 | test_logging.rs:174:36:174:79 | ... .as_bytes(...) | test_logging.rs:174:30:174:34 | write | provenance | MaD:3 Sink:MaD:3 |
 | test_logging.rs:174:44:174:67 | ...::format(...) | test_logging.rs:174:36:174:68 | res | provenance |  |
 | test_logging.rs:174:44:174:67 | ...::must_use(...) | test_logging.rs:174:36:174:68 | MacroExpr | provenance |  |
-| test_logging.rs:174:44:174:67 | MacroExpr | test_logging.rs:174:44:174:67 | ...::format(...) | provenance | MaD:24 |
-| test_logging.rs:174:44:174:67 | { ... } | test_logging.rs:174:44:174:67 | ...::must_use(...) | provenance | MaD:23 |
+| test_logging.rs:174:44:174:67 | MacroExpr | test_logging.rs:174:44:174:67 | ...::format(...) | provenance | MaD:25 |
+| test_logging.rs:174:44:174:67 | { ... } | test_logging.rs:174:44:174:67 | ...::must_use(...) | provenance | MaD:24 |
 | test_logging.rs:174:60:174:67 | password | test_logging.rs:174:44:174:67 | MacroExpr | provenance |  |
-| test_logging.rs:175:40:175:72 | MacroExpr | test_logging.rs:175:40:175:83 | ... .as_bytes(...) | provenance | MaD:22 |
+| test_logging.rs:175:40:175:72 | MacroExpr | test_logging.rs:175:40:175:83 | ... .as_bytes(...) | provenance | MaD:23 |
 | test_logging.rs:175:40:175:72 | res | test_logging.rs:175:48:175:71 | { ... } | provenance |  |
-| test_logging.rs:175:40:175:83 | ... .as_bytes(...) | test_logging.rs:175:30:175:38 | write_all | provenance | MaD:5 Sink:MaD:5 |
+| test_logging.rs:175:40:175:83 | ... .as_bytes(...) | test_logging.rs:175:30:175:38 | write_all | provenance | MaD:4 Sink:MaD:4 |
 | test_logging.rs:175:48:175:71 | ...::format(...) | test_logging.rs:175:40:175:72 | res | provenance |  |
 | test_logging.rs:175:48:175:71 | ...::must_use(...) | test_logging.rs:175:40:175:72 | MacroExpr | provenance |  |
-| test_logging.rs:175:48:175:71 | MacroExpr | test_logging.rs:175:48:175:71 | ...::format(...) | provenance | MaD:24 |
-| test_logging.rs:175:48:175:71 | { ... } | test_logging.rs:175:48:175:71 | ...::must_use(...) | provenance | MaD:23 |
+| test_logging.rs:175:48:175:71 | MacroExpr | test_logging.rs:175:48:175:71 | ...::format(...) | provenance | MaD:25 |
+| test_logging.rs:175:48:175:71 | { ... } | test_logging.rs:175:48:175:71 | ...::must_use(...) | provenance | MaD:24 |
 | test_logging.rs:175:64:175:71 | password | test_logging.rs:175:48:175:71 | MacroExpr | provenance |  |
-| test_logging.rs:178:15:178:47 | MacroExpr | test_logging.rs:178:15:178:58 | ... .as_bytes(...) | provenance | MaD:22 |
+| test_logging.rs:178:15:178:47 | MacroExpr | test_logging.rs:178:15:178:58 | ... .as_bytes(...) | provenance | MaD:23 |
 | test_logging.rs:178:15:178:47 | res | test_logging.rs:178:23:178:46 | { ... } | provenance |  |
 | test_logging.rs:178:15:178:58 | ... .as_bytes(...) | test_logging.rs:178:9:178:13 | write | provenance | MaD:3 Sink:MaD:3 |
 | test_logging.rs:178:23:178:46 | ...::format(...) | test_logging.rs:178:15:178:47 | res | provenance |  |
 | test_logging.rs:178:23:178:46 | ...::must_use(...) | test_logging.rs:178:15:178:47 | MacroExpr | provenance |  |
-| test_logging.rs:178:23:178:46 | MacroExpr | test_logging.rs:178:23:178:46 | ...::format(...) | provenance | MaD:24 |
-| test_logging.rs:178:23:178:46 | { ... } | test_logging.rs:178:23:178:46 | ...::must_use(...) | provenance | MaD:23 |
+| test_logging.rs:178:23:178:46 | MacroExpr | test_logging.rs:178:23:178:46 | ...::format(...) | provenance | MaD:25 |
+| test_logging.rs:178:23:178:46 | { ... } | test_logging.rs:178:23:178:46 | ...::must_use(...) | provenance | MaD:24 |
 | test_logging.rs:178:39:178:46 | password | test_logging.rs:178:23:178:46 | MacroExpr | provenance |  |
-| test_logging.rs:181:15:181:47 | MacroExpr | test_logging.rs:181:15:181:58 | ... .as_bytes(...) | provenance | MaD:22 |
+| test_logging.rs:181:15:181:47 | MacroExpr | test_logging.rs:181:15:181:58 | ... .as_bytes(...) | provenance | MaD:23 |
 | test_logging.rs:181:15:181:47 | res | test_logging.rs:181:23:181:46 | { ... } | provenance |  |
-| test_logging.rs:181:15:181:58 | ... .as_bytes(...) | test_logging.rs:181:9:181:13 | write | provenance | MaD:4 Sink:MaD:4 |
+| test_logging.rs:181:15:181:58 | ... .as_bytes(...) | test_logging.rs:181:9:181:13 | write | provenance | MaD:5 Sink:MaD:5 |
 | test_logging.rs:181:23:181:46 | ...::format(...) | test_logging.rs:181:15:181:47 | res | provenance |  |
 | test_logging.rs:181:23:181:46 | ...::must_use(...) | test_logging.rs:181:15:181:47 | MacroExpr | provenance |  |
-| test_logging.rs:181:23:181:46 | MacroExpr | test_logging.rs:181:23:181:46 | ...::format(...) | provenance | MaD:24 |
-| test_logging.rs:181:23:181:46 | { ... } | test_logging.rs:181:23:181:46 | ...::must_use(...) | provenance | MaD:23 |
+| test_logging.rs:181:23:181:46 | MacroExpr | test_logging.rs:181:23:181:46 | ...::format(...) | provenance | MaD:25 |
+| test_logging.rs:181:23:181:46 | { ... } | test_logging.rs:181:23:181:46 | ...::must_use(...) | provenance | MaD:24 |
 | test_logging.rs:181:39:181:46 | password | test_logging.rs:181:23:181:46 | MacroExpr | provenance |  |
 nodes
 | test_logging.rs:42:5:42:36 | ...::log | semmle.label | ...::log |
@@ -261,9 +277,25 @@ nodes
 | test_logging.rs:162:16:162:55 | ...::panic_fmt | semmle.label | ...::panic_fmt |
 | test_logging.rs:162:31:162:54 | MacroExpr | semmle.label | MacroExpr |
 | test_logging.rs:162:47:162:54 | password | semmle.label | password |
+| test_logging.rs:163:16:163:57 | ...::assert_failed | semmle.label | ...::assert_failed |
+| test_logging.rs:163:33:163:56 | ...::Some(...) [Some] | semmle.label | ...::Some(...) [Some] |
+| test_logging.rs:163:33:163:56 | MacroExpr | semmle.label | MacroExpr |
+| test_logging.rs:163:49:163:56 | password | semmle.label | password |
+| test_logging.rs:164:16:164:57 | ...::assert_failed | semmle.label | ...::assert_failed |
+| test_logging.rs:164:33:164:56 | ...::Some(...) [Some] | semmle.label | ...::Some(...) [Some] |
+| test_logging.rs:164:33:164:56 | MacroExpr | semmle.label | MacroExpr |
+| test_logging.rs:164:49:164:56 | password | semmle.label | password |
 | test_logging.rs:165:16:165:61 | ...::panic_fmt | semmle.label | ...::panic_fmt |
 | test_logging.rs:165:37:165:60 | MacroExpr | semmle.label | MacroExpr |
 | test_logging.rs:165:53:165:60 | password | semmle.label | password |
+| test_logging.rs:166:16:166:63 | ...::assert_failed | semmle.label | ...::assert_failed |
+| test_logging.rs:166:39:166:62 | ...::Some(...) [Some] | semmle.label | ...::Some(...) [Some] |
+| test_logging.rs:166:39:166:62 | MacroExpr | semmle.label | MacroExpr |
+| test_logging.rs:166:55:166:62 | password | semmle.label | password |
+| test_logging.rs:167:17:167:64 | ...::assert_failed | semmle.label | ...::assert_failed |
+| test_logging.rs:167:40:167:63 | ...::Some(...) [Some] | semmle.label | ...::Some(...) [Some] |
+| test_logging.rs:167:40:167:63 | MacroExpr | semmle.label | MacroExpr |
+| test_logging.rs:167:56:167:63 | password | semmle.label | password |
 | test_logging.rs:168:27:168:32 | expect | semmle.label | expect |
 | test_logging.rs:168:34:168:66 | MacroExpr | semmle.label | MacroExpr |
 | test_logging.rs:168:34:168:66 | res | semmle.label | res |
diff --git a/rust/ql/test/query-tests/security/CWE-312/test_logging.rs b/rust/ql/test/query-tests/security/CWE-312/test_logging.rs
@@ -160,11 +160,11 @@ fn test_std(password: String, i: i32, opt_i: Option<i32>) {
         3 => { unimplemented!("message = {}", password); } // $ Source Alert[rust/cleartext-logging]
         4 => { unreachable!("message = {}", password); } // $ Source Alert[rust/cleartext-logging]
         5 => { assert!(false, "message = {}", password); } // $ Source Alert[rust/cleartext-logging]
-        6 => { assert_eq!(1, 2, "message = {}", password); } // $ MISSING: Alert[rust/cleartext-logging]
-        7 => { assert_ne!(1, 1, "message = {}", password); } // $ MISSING: Alert[rust/cleartext-logging]
+        6 => { assert_eq!(1, 2, "message = {}", password); } // $ Source Alert[rust/cleartext-logging]
+        7 => { assert_ne!(1, 1, "message = {}", password); } // $ Source Alert[rust/cleartext-logging]
         8 => { debug_assert!(false, "message = {}", password); } // $ Source Alert[rust/cleartext-logging]
-        9 => { debug_assert_eq!(1, 2, "message = {}", password); } // $ MISSING: Alert[rust/cleartext-logging]
-        10 => { debug_assert_ne!(1, 1, "message = {}", password); } // $ MISSING: Alert[rust/cleartext-logging]
+        9 => { debug_assert_eq!(1, 2, "message = {}", password); } // $ Source Alert[rust/cleartext-logging]
+        10 => { debug_assert_ne!(1, 1, "message = {}", password); } // $ Source Alert[rust/cleartext-logging]
         11 => { _ = opt_i.expect(format!("message = {}", password).as_str()); } // $ Source Alert[rust/cleartext-logging]
         _ => {}
     }
