Rust: Allow implicit taint reads from tuple contents at sinks.

geoffw0 · geoffw0 · commit 78c58aa5f11a · 2025-01-23T17:17:05.000Z
diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll
@@ -773,7 +773,7 @@ final class ArrayElementContent extends Content, TArrayElement {
  * NOTE: Unlike `struct`s and `enum`s tuples are structural and not nominal,
  * hence we don't store a canonical path for them.
  */
-private class TuplePositionContent extends Content, TTuplePositionContent {
+final class TuplePositionContent extends Content, TTuplePositionContent {
   private int pos;
 
   TuplePositionContent() { this = TTuplePositionContent(pos) }
diff --git a/rust/ql/src/queries/security/CWE-312/CleartextLogging.ql b/rust/ql/src/queries/security/CWE-312/CleartextLogging.ql
@@ -17,6 +17,7 @@ import rust
 import codeql.rust.security.CleartextLoggingExtensions
 import codeql.rust.dataflow.DataFlow
 import codeql.rust.dataflow.TaintTracking
+import codeql.rust.dataflow.internal.DataFlowImpl
 
 /**
  * A taint-tracking configuration for cleartext logging vulnerabilities.
@@ -34,6 +35,12 @@ module CleartextLoggingConfig implements DataFlow::ConfigSig {
     // make sources barriers so that we only report the closest instance
     isSource(node)
   }
+
+  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+    // flow out from tuple content at sinks.
+    isSink(node) and
+    c.getAReadContent() instanceof TuplePositionContent
+  }
 }
 
 module CleartextLoggingFlow = TaintTracking::Global<CleartextLoggingConfig>;
diff --git a/rust/ql/test/query-tests/security/CWE-312/CleartextLogging.expected b/rust/ql/test/query-tests/security/CWE-312/CleartextLogging.expected
@@ -11,13 +11,17 @@
 | test_logging.rs:57:5:57:34 | ...::log | test_logging.rs:57:24:57:31 | password | test_logging.rs:57:5:57:34 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:57:24:57:31 | password | password |
 | test_logging.rs:58:5:58:36 | ...::log | test_logging.rs:58:24:58:31 | password | test_logging.rs:58:5:58:36 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:58:24:58:31 | password | password |
 | test_logging.rs:60:5:60:54 | ...::log | test_logging.rs:60:46:60:53 | password | test_logging.rs:60:5:60:54 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:60:46:60:53 | password | password |
+| test_logging.rs:61:5:61:55 | ...::log | test_logging.rs:61:21:61:28 | password | test_logging.rs:61:5:61:55 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:61:21:61:28 | password | password |
 | test_logging.rs:65:5:65:48 | ...::log | test_logging.rs:65:40:65:47 | password | test_logging.rs:65:5:65:48 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:65:40:65:47 | password | password |
 | test_logging.rs:67:5:67:66 | ...::log | test_logging.rs:67:58:67:65 | password | test_logging.rs:67:5:67:66 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:67:58:67:65 | password | password |
+| test_logging.rs:68:5:68:67 | ...::log | test_logging.rs:68:19:68:26 | password | test_logging.rs:68:5:68:67 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:68:19:68:26 | password | password |
 | test_logging.rs:72:5:72:47 | ...::log::<...> | test_logging.rs:72:39:72:46 | password | test_logging.rs:72:5:72:47 | ...::log::<...> | This operation writes '...::log::<...>' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:72:39:72:46 | password | password |
 | test_logging.rs:74:5:74:65 | ...::log::<...> | test_logging.rs:74:57:74:64 | password | test_logging.rs:74:5:74:65 | ...::log::<...> | This operation writes '...::log::<...>' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:74:57:74:64 | password | password |
+| test_logging.rs:75:5:75:51 | ...::log::<...> | test_logging.rs:75:21:75:28 | password | test_logging.rs:75:5:75:51 | ...::log::<...> | This operation writes '...::log::<...>' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:75:21:75:28 | password | password |
 | test_logging.rs:76:5:76:47 | ...::log::<...> | test_logging.rs:76:39:76:46 | password | test_logging.rs:76:5:76:47 | ...::log::<...> | This operation writes '...::log::<...>' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:76:39:76:46 | password | password |
 | test_logging.rs:82:5:82:44 | ...::log::<...> | test_logging.rs:82:36:82:43 | password | test_logging.rs:82:5:82:44 | ...::log::<...> | This operation writes '...::log::<...>' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:82:36:82:43 | password | password |
 | test_logging.rs:84:5:84:62 | ...::log::<...> | test_logging.rs:84:54:84:61 | password | test_logging.rs:84:5:84:62 | ...::log::<...> | This operation writes '...::log::<...>' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:84:54:84:61 | password | password |
+| test_logging.rs:85:5:85:48 | ...::log::<...> | test_logging.rs:85:21:85:28 | password | test_logging.rs:85:5:85:48 | ...::log::<...> | This operation writes '...::log::<...>' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:85:21:85:28 | password | password |
 | test_logging.rs:86:5:86:44 | ...::log::<...> | test_logging.rs:86:36:86:43 | password | test_logging.rs:86:5:86:44 | ...::log::<...> | This operation writes '...::log::<...>' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:86:36:86:43 | password | password |
 | test_logging.rs:100:5:100:19 | ...::log | test_logging.rs:99:38:99:45 | password | test_logging.rs:100:5:100:19 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:99:38:99:45 | password | password |
 | test_logging.rs:118:5:118:42 | ...::log | test_logging.rs:118:28:118:41 | get_password(...) | test_logging.rs:118:5:118:42 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:118:28:118:41 | get_password(...) | get_password(...) |
@@ -66,20 +70,40 @@ edges
 | test_logging.rs:58:24:58:31 | password | test_logging.rs:58:12:58:35 | MacroExpr | provenance |  |
 | test_logging.rs:60:30:60:53 | MacroExpr | test_logging.rs:60:5:60:54 | ...::log | provenance | MaD:0 Sink:MaD:0 |
 | test_logging.rs:60:46:60:53 | password | test_logging.rs:60:30:60:53 | MacroExpr | provenance |  |
+| test_logging.rs:61:20:61:28 | &... [&ref, tuple.0, &ref] | test_logging.rs:61:5:61:55 | ...::log | provenance | MaD:1 Sink:MaD:1 Sink:MaD:1 |
+| test_logging.rs:61:20:61:28 | &... [&ref, tuple.0, &ref] | test_logging.rs:61:5:61:55 | ...::log | provenance | MaD:1 Sink:MaD:1 Sink:MaD:1 Sink:MaD:1 |
+| test_logging.rs:61:20:61:28 | &password [&ref] | test_logging.rs:61:20:61:28 | TupleExpr [tuple.0, &ref] | provenance |  |
+| test_logging.rs:61:20:61:28 | TupleExpr [tuple.0, &ref] | test_logging.rs:61:20:61:28 | &... [&ref, tuple.0, &ref] | provenance |  |
+| test_logging.rs:61:21:61:28 | password | test_logging.rs:61:20:61:28 | &password [&ref] | provenance |  |
 | test_logging.rs:65:24:65:47 | MacroExpr | test_logging.rs:65:5:65:48 | ...::log | provenance | MaD:0 Sink:MaD:0 |
 | test_logging.rs:65:40:65:47 | password | test_logging.rs:65:24:65:47 | MacroExpr | provenance |  |
 | test_logging.rs:67:42:67:65 | MacroExpr | test_logging.rs:67:5:67:66 | ...::log | provenance | MaD:0 Sink:MaD:0 |
 | test_logging.rs:67:58:67:65 | password | test_logging.rs:67:42:67:65 | MacroExpr | provenance |  |
+| test_logging.rs:68:18:68:26 | &... [&ref, tuple.0, &ref] | test_logging.rs:68:5:68:67 | ...::log | provenance | MaD:1 Sink:MaD:1 Sink:MaD:1 |
+| test_logging.rs:68:18:68:26 | &... [&ref, tuple.0, &ref] | test_logging.rs:68:5:68:67 | ...::log | provenance | MaD:1 Sink:MaD:1 Sink:MaD:1 Sink:MaD:1 |
+| test_logging.rs:68:18:68:26 | &password [&ref] | test_logging.rs:68:18:68:26 | TupleExpr [tuple.0, &ref] | provenance |  |
+| test_logging.rs:68:18:68:26 | TupleExpr [tuple.0, &ref] | test_logging.rs:68:18:68:26 | &... [&ref, tuple.0, &ref] | provenance |  |
+| test_logging.rs:68:19:68:26 | password | test_logging.rs:68:18:68:26 | &password [&ref] | provenance |  |
 | test_logging.rs:72:23:72:46 | MacroExpr | test_logging.rs:72:5:72:47 | ...::log::<...> | provenance | MaD:0 Sink:MaD:0 |
 | test_logging.rs:72:39:72:46 | password | test_logging.rs:72:23:72:46 | MacroExpr | provenance |  |
 | test_logging.rs:74:41:74:64 | MacroExpr | test_logging.rs:74:5:74:65 | ...::log::<...> | provenance | MaD:0 Sink:MaD:0 |
 | test_logging.rs:74:57:74:64 | password | test_logging.rs:74:41:74:64 | MacroExpr | provenance |  |
+| test_logging.rs:75:20:75:28 | &... [&ref, tuple.0, &ref] | test_logging.rs:75:5:75:51 | ...::log::<...> | provenance | MaD:1 Sink:MaD:1 Sink:MaD:1 |
+| test_logging.rs:75:20:75:28 | &... [&ref, tuple.0, &ref] | test_logging.rs:75:5:75:51 | ...::log::<...> | provenance | MaD:1 Sink:MaD:1 Sink:MaD:1 Sink:MaD:1 |
+| test_logging.rs:75:20:75:28 | &password [&ref] | test_logging.rs:75:20:75:28 | TupleExpr [tuple.0, &ref] | provenance |  |
+| test_logging.rs:75:20:75:28 | TupleExpr [tuple.0, &ref] | test_logging.rs:75:20:75:28 | &... [&ref, tuple.0, &ref] | provenance |  |
+| test_logging.rs:75:21:75:28 | password | test_logging.rs:75:20:75:28 | &password [&ref] | provenance |  |
 | test_logging.rs:76:23:76:46 | MacroExpr | test_logging.rs:76:5:76:47 | ...::log::<...> | provenance | MaD:0 Sink:MaD:0 |
 | test_logging.rs:76:39:76:46 | password | test_logging.rs:76:23:76:46 | MacroExpr | provenance |  |
 | test_logging.rs:82:20:82:43 | MacroExpr | test_logging.rs:82:5:82:44 | ...::log::<...> | provenance | MaD:0 Sink:MaD:0 |
 | test_logging.rs:82:36:82:43 | password | test_logging.rs:82:20:82:43 | MacroExpr | provenance |  |
 | test_logging.rs:84:38:84:61 | MacroExpr | test_logging.rs:84:5:84:62 | ...::log::<...> | provenance | MaD:0 Sink:MaD:0 |
 | test_logging.rs:84:54:84:61 | password | test_logging.rs:84:38:84:61 | MacroExpr | provenance |  |
+| test_logging.rs:85:20:85:28 | &... [&ref, tuple.0, &ref] | test_logging.rs:85:5:85:48 | ...::log::<...> | provenance | MaD:1 Sink:MaD:1 Sink:MaD:1 |
+| test_logging.rs:85:20:85:28 | &... [&ref, tuple.0, &ref] | test_logging.rs:85:5:85:48 | ...::log::<...> | provenance | MaD:1 Sink:MaD:1 Sink:MaD:1 Sink:MaD:1 |
+| test_logging.rs:85:20:85:28 | &password [&ref] | test_logging.rs:85:20:85:28 | TupleExpr [tuple.0, &ref] | provenance |  |
+| test_logging.rs:85:20:85:28 | TupleExpr [tuple.0, &ref] | test_logging.rs:85:20:85:28 | &... [&ref, tuple.0, &ref] | provenance |  |
+| test_logging.rs:85:21:85:28 | password | test_logging.rs:85:20:85:28 | &password [&ref] | provenance |  |
 | test_logging.rs:86:20:86:43 | MacroExpr | test_logging.rs:86:5:86:44 | ...::log::<...> | provenance | MaD:0 Sink:MaD:0 |
 | test_logging.rs:86:36:86:43 | password | test_logging.rs:86:20:86:43 | MacroExpr | provenance |  |
 | test_logging.rs:99:9:99:10 | m3 | test_logging.rs:100:11:100:18 | MacroExpr | provenance |  |
@@ -207,18 +231,33 @@ nodes
 | test_logging.rs:60:5:60:54 | ...::log | semmle.label | ...::log |
 | test_logging.rs:60:30:60:53 | MacroExpr | semmle.label | MacroExpr |
 | test_logging.rs:60:46:60:53 | password | semmle.label | password |
+| test_logging.rs:61:5:61:55 | ...::log | semmle.label | ...::log |
+| test_logging.rs:61:20:61:28 | &... [&ref, tuple.0, &ref] | semmle.label | &... [&ref, tuple.0, &ref] |
+| test_logging.rs:61:20:61:28 | &password [&ref] | semmle.label | &password [&ref] |
+| test_logging.rs:61:20:61:28 | TupleExpr [tuple.0, &ref] | semmle.label | TupleExpr [tuple.0, &ref] |
+| test_logging.rs:61:21:61:28 | password | semmle.label | password |
 | test_logging.rs:65:5:65:48 | ...::log | semmle.label | ...::log |
 | test_logging.rs:65:24:65:47 | MacroExpr | semmle.label | MacroExpr |
 | test_logging.rs:65:40:65:47 | password | semmle.label | password |
 | test_logging.rs:67:5:67:66 | ...::log | semmle.label | ...::log |
 | test_logging.rs:67:42:67:65 | MacroExpr | semmle.label | MacroExpr |
 | test_logging.rs:67:58:67:65 | password | semmle.label | password |
+| test_logging.rs:68:5:68:67 | ...::log | semmle.label | ...::log |
+| test_logging.rs:68:18:68:26 | &... [&ref, tuple.0, &ref] | semmle.label | &... [&ref, tuple.0, &ref] |
+| test_logging.rs:68:18:68:26 | &password [&ref] | semmle.label | &password [&ref] |
+| test_logging.rs:68:18:68:26 | TupleExpr [tuple.0, &ref] | semmle.label | TupleExpr [tuple.0, &ref] |
+| test_logging.rs:68:19:68:26 | password | semmle.label | password |
 | test_logging.rs:72:5:72:47 | ...::log::<...> | semmle.label | ...::log::<...> |
 | test_logging.rs:72:23:72:46 | MacroExpr | semmle.label | MacroExpr |
 | test_logging.rs:72:39:72:46 | password | semmle.label | password |
 | test_logging.rs:74:5:74:65 | ...::log::<...> | semmle.label | ...::log::<...> |
 | test_logging.rs:74:41:74:64 | MacroExpr | semmle.label | MacroExpr |
 | test_logging.rs:74:57:74:64 | password | semmle.label | password |
+| test_logging.rs:75:5:75:51 | ...::log::<...> | semmle.label | ...::log::<...> |
+| test_logging.rs:75:20:75:28 | &... [&ref, tuple.0, &ref] | semmle.label | &... [&ref, tuple.0, &ref] |
+| test_logging.rs:75:20:75:28 | &password [&ref] | semmle.label | &password [&ref] |
+| test_logging.rs:75:20:75:28 | TupleExpr [tuple.0, &ref] | semmle.label | TupleExpr [tuple.0, &ref] |
+| test_logging.rs:75:21:75:28 | password | semmle.label | password |
 | test_logging.rs:76:5:76:47 | ...::log::<...> | semmle.label | ...::log::<...> |
 | test_logging.rs:76:23:76:46 | MacroExpr | semmle.label | MacroExpr |
 | test_logging.rs:76:39:76:46 | password | semmle.label | password |
@@ -228,6 +267,11 @@ nodes
 | test_logging.rs:84:5:84:62 | ...::log::<...> | semmle.label | ...::log::<...> |
 | test_logging.rs:84:38:84:61 | MacroExpr | semmle.label | MacroExpr |
 | test_logging.rs:84:54:84:61 | password | semmle.label | password |
+| test_logging.rs:85:5:85:48 | ...::log::<...> | semmle.label | ...::log::<...> |
+| test_logging.rs:85:20:85:28 | &... [&ref, tuple.0, &ref] | semmle.label | &... [&ref, tuple.0, &ref] |
+| test_logging.rs:85:20:85:28 | &password [&ref] | semmle.label | &password [&ref] |
+| test_logging.rs:85:20:85:28 | TupleExpr [tuple.0, &ref] | semmle.label | TupleExpr [tuple.0, &ref] |
+| test_logging.rs:85:21:85:28 | password | semmle.label | password |
 | test_logging.rs:86:5:86:44 | ...::log::<...> | semmle.label | ...::log::<...> |
 | test_logging.rs:86:20:86:43 | MacroExpr | semmle.label | MacroExpr |
 | test_logging.rs:86:36:86:43 | password | semmle.label | password |
diff --git a/rust/ql/test/query-tests/security/CWE-312/test_logging.rs b/rust/ql/test/query-tests/security/CWE-312/test_logging.rs
@@ -58,21 +58,21 @@ fn test_log(harmless: String, password: String, encrypted_password: String) {
     debug!("message = {password:?}"); // $ Source Alert[rust/cleartext-logging]
     debug!(target: "target", "message = {}", harmless);
     debug!(target: "target", "message = {}", password); // $ Source Alert[rust/cleartext-logging]
-    debug!(target: &password, "message = {}", harmless); // $ MISSING: Alert[rust/cleartext-logging]
+    debug!(target: &password, "message = {}", harmless); // $ Source Alert[rust/cleartext-logging]
 
     // log! macro, various formatting
     log!(Level::Error, "message = {}", harmless);
     log!(Level::Error, "message = {}", password); // $ Source Alert[rust/cleartext-logging]
     log!(target: "target", Level::Error, "message = {}", harmless);
     log!(target: "target", Level::Error, "message = {}", password); // $ Source Alert[rust/cleartext-logging]
-    log!(target: &password, Level::Error, "message = {}", harmless); // $ MISSING: Alert[rust/cleartext-logging]
+    log!(target: &password, Level::Error, "message = {}", harmless); // $ Source Alert[rust/cleartext-logging]
 
     // structured logging
     error!(value = 1; "message = {}", harmless);
     error!(value = 1; "message = {}", password); // $ Source Alert[rust/cleartext-logging]
     error!(target: "target", value = 1; "message");
     error!(target: "target", value = 1; "message = {}", password); // $ Source Alert[rust/cleartext-logging]
-    error!(target: &password, value = 1; "message"); // $ MISSING: Alert[rust/cleartext-logging]
+    error!(target: &password, value = 1; "message"); // $ Source Alert[rust/cleartext-logging]
     error!(value = 1; "message = {}", password); // $ Source Alert[rust/cleartext-logging]
     error!(value = password.as_str(); "message"); // $ MISSING: Alert[rust/cleartext-logging]
     error!(value:? = password.as_str(); "message"); // $ MISSING: Alert[rust/cleartext-logging]
@@ -82,7 +82,7 @@ fn test_log(harmless: String, password: String, encrypted_password: String) {
     error!(value1; "message = {}", password); // $ Source Alert[rust/cleartext-logging]
     error!(target: "target", value1; "message");
     error!(target: "target", value1; "message = {}", password); // $ Source Alert[rust/cleartext-logging]
-    error!(target: &password, value1; "message"); // $ MISSING: Alert[rust/cleartext-logging]
+    error!(target: &password, value1; "message"); // $ Source Alert[rust/cleartext-logging]
     error!(value1; "message = {}", password); // $ Source Alert[rust/cleartext-logging]
 
     let value2 = password.as_str();
