Rust: Model std::net and tokio::net.

Author: geoffw0

rust/ql/lib/codeql/rust/frameworks/stdlib/net.model.yml

@@ -0,0 +1,16 @@
+extensions:
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: sourceModel
+    data:
+      - ["lang:std", "<crate::net::tcp::TcpStream>::connect", "ReturnValue.Field[crate::result::Result::Ok(0)]", "remote", "manual"]
+      - ["lang:std", "<crate::net::tcp::TcpStream>::connect_timeout", "ReturnValue.Field[crate::result::Result::Ok(0)]", "remote", "manual"]
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: summaryModel
+    data:
+      - ["lang:std", "<crate::net::tcp::TcpStream>::try_clone", "Argument[self]", "ReturnValue.Field[crate::result::Result::Ok(0)]", "taint", "manual"]
+      - ["lang:std", "<crate::net::tcp::TcpStream as crate::io::Read>::read", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "<crate::net::tcp::TcpStream as crate::io::Read>::read_to_string", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "<crate::net::tcp::TcpStream as crate::io::Read>::read_to_end", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["lang:std", "<crate::net::tcp::TcpStream as crate::io::Read>::read_exact", "Argument[self]", "Argument[0].Reference", "taint", "manual"]

rust/ql/lib/codeql/rust/frameworks/tokio/net.model.yml

@@ -0,0 +1,14 @@
+extensions:
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: sourceModel
+    data:
+      - ["repo:https://github.com/tokio-rs/tokio:tokio", "<crate::net::tcp::stream::TcpStream>::connect", "ReturnValue.Future.Field[crate::result::Result::Ok(0)]", "remote", "manual"]
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: summaryModel
+    data:
+      - ["repo:https://github.com/tokio-rs/tokio:tokio", "<crate::net::tcp::stream::TcpStream>::peek", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["repo:https://github.com/tokio-rs/tokio:tokio", "crate::io::util::async_read_ext::AsyncReadExt::read", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["repo:https://github.com/tokio-rs/tokio:tokio", "<crate::net::tcp::stream::TcpStream>::try_read", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
+      - ["repo:https://github.com/tokio-rs/tokio:tokio", "<crate::net::tcp::stream::TcpStream>::try_read_buf", "Argument[self]", "Argument[0].Reference", "taint", "manual"]

rust/ql/test/library-tests/dataflow/sources/TaintSources.expected

@@ -20,6 +20,7 @@
 | test.rs:74:26:74:37 | ...::get | Flow source 'RemoteSource' of type remote (DEFAULT). |
 | test.rs:77:26:77:37 | ...::get | Flow source 'RemoteSource' of type remote (DEFAULT). |
 | test.rs:80:24:80:35 | ...::get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:99:18:99:47 | ...::connect | Flow source 'RemoteSource' of type remote (DEFAULT). |
 | test.rs:113:31:113:42 | send_request | Flow source 'RemoteSource' of type remote (DEFAULT). |
 | test.rs:120:31:120:42 | send_request | Flow source 'RemoteSource' of type remote (DEFAULT). |
 | test.rs:210:22:210:35 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
@@ -68,4 +69,8 @@
 | test.rs:574:21:574:41 | ...::open | Flow source 'FileSource' of type file (DEFAULT). |
 | test.rs:575:21:575:41 | ...::open | Flow source 'FileSource' of type file (DEFAULT). |
 | test.rs:583:21:583:41 | ...::open | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:600:26:600:53 | ...::connect | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:619:26:619:61 | ...::connect_timeout | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:671:28:671:57 | ...::connect | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:753:22:753:49 | ...::connect | Flow source 'RemoteSource' of type remote (DEFAULT). |
 | test.rs:775:16:775:29 | ...::args | Flow source 'CommandLineArgs' of type commandargs (DEFAULT). |

rust/ql/test/library-tests/dataflow/sources/test.rs

@@ -96,7 +96,7 @@ async fn test_hyper_http(case: i64) -> Result<(), Box<dyn std::error::Error>> {
 
     // create the connection
     println!("connecting to {}...", address);
-    let stream = tokio::net::TcpStream::connect(address).await?;
+    let stream = tokio::net::TcpStream::connect(address).await?; // $ Alert[rust/summary/taint-sources]
     let io = hyper_util::rt::TokioIo::new(stream);
     let (mut sender, conn) = hyper::client::conn::http1::handshake(io).await?;
 
@@ -597,26 +597,26 @@ async fn test_std_tcpstream(case: i64) -> std::io::Result<()> { // Result<(), Bo
 
     if case == 1 {
         // create the connection
-        let mut stream = std::net::TcpStream::connect(address)?;
+        let mut stream = std::net::TcpStream::connect(address)?; // $ Alert[rust/summary/taint-sources]
 
         // send request
         let _ = stream.write_all(b"GET / HTTP/1.1\nHost:example.com\n\n");
 
         // read response
         let mut buffer = vec![0; 32 * 1024];
-        let _ = stream.read(&mut buffer); // $ MISSING: Alert[rust/summary/taint-sources]
+        let _ = stream.read(&mut buffer);
 
         println!("data = {:?}", buffer);
-        sink(&buffer); // $ MISSING: hasTaintFlow
-        sink(buffer[0]); // $ MISSING: hasTaintFlow
+        sink(&buffer); // $ hasTaintFlow=address
+        sink(buffer[0]); // $ hasTaintFlow=address
 
         let buffer_string = String::from_utf8_lossy(&buffer);
         println!("string = {}", buffer_string);
         sink(buffer_string); // $ MISSING: hasTaintFlow
     } else {
         // create the connection
         let sock_addr = address.to_socket_addrs().unwrap().next().unwrap();
-        let mut stream = std::net::TcpStream::connect_timeout(&sock_addr, std::time::Duration::new(1, 0))?;
+        let mut stream = std::net::TcpStream::connect_timeout(&sock_addr, std::time::Duration::new(1, 0))?; // $ Alert[rust/summary/taint-sources]
 
         // send request
         let _ = stream.write_all(b"GET / HTTP/1.1\nHost:example.com\n\n");
@@ -627,14 +627,14 @@ async fn test_std_tcpstream(case: i64) -> std::io::Result<()> { // Result<(), Bo
                 let mut reader = std::io::BufReader::new(stream).take(256);
                 let mut line = String::new();
                 loop {
-                    match reader.read_line(&mut line) { // $ MISSING: Alert[rust/summary/taint-sources]
+                    match reader.read_line(&mut line) {
                         Ok(0) => {
                             println!("end");
                             break;
                         }
                         Ok(_n) => {
                             println!("line = {}", line);
-                            sink(&line); // $ MISSING: hasTaintFlow
+                            sink(&line); // $ hasTaintFlow=&sock_addr
                             line.clear();
                         }
                         Err(e) => {
@@ -668,27 +668,27 @@ async fn test_tokio_tcpstream(case: i64) -> std::io::Result<()> {
 
     // create the connection
     println!("connecting to {}...", address);
-    let mut tokio_stream = tokio::net::TcpStream::connect(address).await?;
+    let mut tokio_stream = tokio::net::TcpStream::connect(address).await?; // $ Alert[rust/summary/taint-sources]
 
     // send request
     tokio_stream.write_all(b"GET / HTTP/1.1\nHost:example.com\n\n").await?;
 
     if case == 1 {
         // peek response
         let mut buffer1 = vec![0; 2 * 1024];
-        let _ = tokio_stream.peek(&mut buffer1).await?; // $ MISSING: Alert[rust/summary/taint-sources]
+        let _ = tokio_stream.peek(&mut buffer1).await?;
 
         // read response
         let mut buffer2 = vec![0; 2 * 1024];
-        let n2 = tokio_stream.read(&mut buffer2).await?; // $ MISSING: Alert[rust/summary/taint-sources]
+        let n2 = tokio_stream.read(&mut buffer2).await?;
 
         println!("buffer1 = {:?}", buffer1);
-        sink(&buffer1); // $ MISSING: hasTaintFlow
-        sink(buffer1[0]); // $ MISSING: hasTaintFlow
+        sink(&buffer1); // $ hasTaintFlow=address
+        sink(buffer1[0]); // $ hasTaintFlow=address
 
         println!("buffer2 = {:?}", buffer2);
-        sink(&buffer2); // $ MISSING: hasTaintFlow
-        sink(buffer2[0]); // $ MISSING: hasTaintFlow
+        sink(&buffer2); // $ hasTaintFlow=address
+        sink(buffer2[0]); // $ hasTaintFlow=address
 
         let buffer_string = String::from_utf8_lossy(&buffer2[..n2]);
         println!("string = {}", buffer_string);
@@ -703,7 +703,7 @@ async fn test_tokio_tcpstream(case: i64) -> std::io::Result<()> {
                 }
                 Ok(_n) => {
                     println!("buffer = {:?}", buffer);
-                    sink(&buffer); // $ MISSING: hasTaintFlow
+                    sink(&buffer); // $ hasTaintFlow=address
                     break; // (or we could wait for more data)
                 }
                 Err(ref e) if e.kind() == std::io::ErrorKind::WouldBlock => {
@@ -726,7 +726,7 @@ async fn test_tokio_tcpstream(case: i64) -> std::io::Result<()> {
                 }
                 Ok(_n) => {
                     println!("buffer = {:?}", buffer);
-                    sink(&buffer); // $ MISSING: hasTaintFlow
+                    sink(&buffer); // $ hasTaintFlow=address
                     break; // (or we could wait for more data)
                 }
                 Err(ref e) if e.kind() == std::io::ErrorKind::WouldBlock => {
@@ -750,7 +750,7 @@ async fn test_std_to_tokio_tcpstream() -> std::io::Result<()> {
 
     // create the connection
     println!("connecting to {}...", address);
-    let std_stream = std::net::TcpStream::connect(address)?;
+    let std_stream = std::net::TcpStream::connect(address)?; // $ Alert[rust/summary/taint-sources]
 
     // convert to tokio stream
     std_stream.set_nonblocking(true)?;