Rust: Add a test case for getrandom.

geoffw0 · geoffw0 · commit a34f9bef2b27 · 2025-03-10T11:33:29.000Z
diff --git a/rust/ql/test/query-tests/security/CWE-798/HardcodedCryptographicValue.expected b/rust/ql/test/query-tests/security/CWE-798/HardcodedCryptographicValue.expected
@@ -14,6 +14,8 @@
 | test_cipher.rs:125:19:125:19 | 0 | test_cipher.rs:125:19:125:19 | 0 | test_cipher.rs:127:21:127:27 | encrypt | This hard-coded value is used as $@. | test_cipher.rs:127:21:127:27 | encrypt | a nonce |
 | test_cipher.rs:129:34:129:37 | 0xff | test_cipher.rs:129:34:129:37 | 0xff | test_cipher.rs:132:19:132:32 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:132:19:132:32 | ...::new | a key |
 | test_cipher.rs:131:28:131:31 | 0xff | test_cipher.rs:131:28:131:31 | 0xff | test_cipher.rs:133:21:133:27 | encrypt | This hard-coded value is used as $@. | test_cipher.rs:133:21:133:27 | encrypt | a nonce |
+| test_cipher.rs:137:21:137:23 | 0u8 | test_cipher.rs:137:21:137:23 | 0u8 | test_cipher.rs:141:19:141:32 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:141:19:141:32 | ...::new | a key |
+| test_cipher.rs:138:23:138:25 | 0u8 | test_cipher.rs:138:23:138:25 | 0u8 | test_cipher.rs:142:21:142:27 | encrypt | This hard-coded value is used as $@. | test_cipher.rs:142:21:142:27 | encrypt | a nonce |
 edges
 | test_cipher.rs:18:9:18:14 | const1 [&ref, element] | test_cipher.rs:19:73:19:78 | const1 [&ref, element] | provenance |  |
 | test_cipher.rs:18:28:18:36 | &... [&ref, element] | test_cipher.rs:18:9:18:14 | const1 [&ref, element] | provenance |  |
@@ -107,6 +109,16 @@ edges
 | test_cipher.rs:132:35:132:38 | key3 [&ref, element] | test_cipher.rs:132:34:132:38 | &key3 [&ref, &ref, element] | provenance |  |
 | test_cipher.rs:133:29:133:42 | &... [&ref, element] | test_cipher.rs:133:21:133:27 | encrypt | provenance | MaD:94 Sink:MaD:94 Sink:MaD:94 |
 | test_cipher.rs:133:30:133:42 | nonce3.into(...) [element] | test_cipher.rs:133:29:133:42 | &... [&ref, element] | provenance |  |
+| test_cipher.rs:137:9:137:16 | mut key4 [element] | test_cipher.rs:141:35:141:45 | key4.into(...) [element] | provenance | MaD:105 |
+| test_cipher.rs:137:20:137:27 | [0u8; 32] [element] | test_cipher.rs:137:9:137:16 | mut key4 [element] | provenance |  |
+| test_cipher.rs:137:21:137:23 | 0u8 | test_cipher.rs:137:20:137:27 | [0u8; 32] [element] | provenance |  |
+| test_cipher.rs:138:9:138:18 | mut nonce4 [element] | test_cipher.rs:142:30:142:42 | nonce4.into(...) [element] | provenance | MaD:105 |
+| test_cipher.rs:138:22:138:29 | [0u8; 12] [element] | test_cipher.rs:138:9:138:18 | mut nonce4 [element] | provenance |  |
+| test_cipher.rs:138:23:138:25 | 0u8 | test_cipher.rs:138:22:138:29 | [0u8; 12] [element] | provenance |  |
+| test_cipher.rs:141:34:141:45 | &... [&ref, element] | test_cipher.rs:141:19:141:32 | ...::new | provenance | MaD:93 Sink:MaD:93 Sink:MaD:93 |
+| test_cipher.rs:141:35:141:45 | key4.into(...) [element] | test_cipher.rs:141:34:141:45 | &... [&ref, element] | provenance |  |
+| test_cipher.rs:142:29:142:42 | &... [&ref, element] | test_cipher.rs:142:21:142:27 | encrypt | provenance | MaD:94 Sink:MaD:94 Sink:MaD:94 |
+| test_cipher.rs:142:30:142:42 | nonce4.into(...) [element] | test_cipher.rs:142:29:142:42 | &... [&ref, element] | provenance |  |
 nodes
 | test_cipher.rs:18:9:18:14 | const1 [&ref, element] | semmle.label | const1 [&ref, element] |
 | test_cipher.rs:18:28:18:36 | &... [&ref, element] | semmle.label | &... [&ref, element] |
@@ -211,4 +223,16 @@ nodes
 | test_cipher.rs:133:21:133:27 | encrypt | semmle.label | encrypt |
 | test_cipher.rs:133:29:133:42 | &... [&ref, element] | semmle.label | &... [&ref, element] |
 | test_cipher.rs:133:30:133:42 | nonce3.into(...) [element] | semmle.label | nonce3.into(...) [element] |
+| test_cipher.rs:137:9:137:16 | mut key4 [element] | semmle.label | mut key4 [element] |
+| test_cipher.rs:137:20:137:27 | [0u8; 32] [element] | semmle.label | [0u8; 32] [element] |
+| test_cipher.rs:137:21:137:23 | 0u8 | semmle.label | 0u8 |
+| test_cipher.rs:138:9:138:18 | mut nonce4 [element] | semmle.label | mut nonce4 [element] |
+| test_cipher.rs:138:22:138:29 | [0u8; 12] [element] | semmle.label | [0u8; 12] [element] |
+| test_cipher.rs:138:23:138:25 | 0u8 | semmle.label | 0u8 |
+| test_cipher.rs:141:19:141:32 | ...::new | semmle.label | ...::new |
+| test_cipher.rs:141:34:141:45 | &... [&ref, element] | semmle.label | &... [&ref, element] |
+| test_cipher.rs:141:35:141:45 | key4.into(...) [element] | semmle.label | key4.into(...) [element] |
+| test_cipher.rs:142:21:142:27 | encrypt | semmle.label | encrypt |
+| test_cipher.rs:142:29:142:42 | &... [&ref, element] | semmle.label | &... [&ref, element] |
+| test_cipher.rs:142:30:142:42 | nonce4.into(...) [element] | semmle.label | nonce4.into(...) [element] |
 subpaths
diff --git a/rust/ql/test/query-tests/security/CWE-798/options.yml b/rust/ql/test/query-tests/security/CWE-798/options.yml
@@ -6,3 +6,5 @@ qltest_dependencies:
     - aes-gcm = { version = "0.10.3" }
     - cfb-mode = { version = "0.8.2" }
     - base64 = { version = "0.22.1" }
+    - getrandom = { version = "0.3.1" }
+    - getrandom2 = { package = "getrandom", version = "0.2.15" }
diff --git a/rust/ql/test/query-tests/security/CWE-798/test_cipher.rs b/rust/ql/test/query-tests/security/CWE-798/test_cipher.rs
@@ -131,4 +131,13 @@ fn test_aes_gcm(
     let nonce3: [u8;12] = [0xff;12]; // $ Alert[rust/hardcoded-cryptographic-value]
     let cipher3 = Aes256Gcm::new(&key3); // $ Sink
     let _ = cipher3.encrypt(&nonce3.into(), b"plaintext".as_ref()).unwrap(); // $ Sink
+
+    // with barrier
+
+    let mut key4 = [0u8;32]; // $ SPURIOUS: Alert[rust/hardcoded-cryptographic-value]
+    let mut nonce4 = [0u8;12]; // $ SPURIOUS: Alert[rust/hardcoded-cryptographic-value]
+    _ = getrandom::fill(&mut key4).unwrap();
+    _ = getrandom2::getrandom(&mut nonce4).unwrap();
+    let cipher4 = Aes256Gcm::new(&key4.into()); // $ Sink
+    let _ = cipher2.encrypt(&nonce4.into(), b"plaintext".as_ref()).unwrap(); // $ Sink
 }
