Rust: Add another test case for barriers (that still functions).

geoffw0 · geoffw0 · commit ec3ad8550408 · 2025-07-21T20:53:37.000+01:00
diff --git a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll
@@ -103,7 +103,8 @@ module HardcodedCryptographicValue {
         ce.getFunction().(PathExpr).getResolvedCrateOrigin() =
           "repo:https://github.com/rust-random/getrandom:getrandom" and
         ce.getFunction().(PathExpr).getResolvedPath() = ["crate::fill", "crate::getrandom"] and
-        this.asExpr().getExpr().getParentNode*() = ce.getArgList().getArg(0)
+        this.asExpr().getExpr().getParentNode*() = ce.getArgList().getArg(0) and
+        none()
       )
     }
   }
diff --git a/rust/ql/test/query-tests/security/CWE-798/HardcodedCryptographicValue.expected b/rust/ql/test/query-tests/security/CWE-798/HardcodedCryptographicValue.expected
@@ -12,6 +12,7 @@
 | test_cipher.rs:50:37:50:52 | ...::zeroed | test_cipher.rs:50:37:50:52 | ...::zeroed | test_cipher.rs:51:31:51:48 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:51:31:51:48 | ...::new | a key |
 | test_cipher.rs:50:37:50:52 | ...::zeroed | test_cipher.rs:50:37:50:52 | ...::zeroed | test_cipher.rs:51:31:51:48 | ...::new | This hard-coded value is used as $@. | test_cipher.rs:51:31:51:48 | ...::new | a key |
 | test_cipher.rs:73:20:73:22 | 0u8 | test_cipher.rs:73:20:73:22 | 0u8 | test_cipher.rs:74:23:74:44 | ...::new_from_slice | This hard-coded value is used as $@. | test_cipher.rs:74:23:74:44 | ...::new_from_slice | a key |
+| test_cipher.rs:144:21:144:23 | 0u8 | test_cipher.rs:144:21:144:23 | 0u8 | test_cipher.rs:146:13:146:34 | ...::new_from_slice | This hard-coded value is used as $@. | test_cipher.rs:146:13:146:34 | ...::new_from_slice | a key |
 edges
 | test_cipher.rs:18:9:18:14 | const1 [&ref, element] | test_cipher.rs:19:73:19:78 | const1 [&ref, element] | provenance |  |
 | test_cipher.rs:18:28:18:36 | &... [&ref, element] | test_cipher.rs:18:9:18:14 | const1 [&ref, element] | provenance |  |
@@ -58,6 +59,11 @@ edges
 | test_cipher.rs:73:19:73:26 | [0u8; 32] [element] | test_cipher.rs:73:18:73:26 | &... [&ref, element] | provenance |  |
 | test_cipher.rs:73:20:73:22 | 0u8 | test_cipher.rs:73:19:73:26 | [0u8; 32] [element] | provenance |  |
 | test_cipher.rs:74:46:74:51 | const2 [&ref, element] | test_cipher.rs:74:23:74:44 | ...::new_from_slice | provenance | MaD:1 Sink:MaD:1 Sink:MaD:1 |
+| test_cipher.rs:144:9:144:16 | mut key5 [element] | test_cipher.rs:146:37:146:40 | key5 [element] | provenance |  |
+| test_cipher.rs:144:20:144:27 | [0u8; 32] [element] | test_cipher.rs:144:9:144:16 | mut key5 [element] | provenance |  |
+| test_cipher.rs:144:21:144:23 | 0u8 | test_cipher.rs:144:20:144:27 | [0u8; 32] [element] | provenance |  |
+| test_cipher.rs:146:36:146:40 | &key5 [&ref, element] | test_cipher.rs:146:13:146:34 | ...::new_from_slice | provenance | MaD:1 Sink:MaD:1 Sink:MaD:1 |
+| test_cipher.rs:146:37:146:40 | key5 [element] | test_cipher.rs:146:36:146:40 | &key5 [&ref, element] | provenance |  |
 models
 | 1 | Sink: <_ as crypto_common::KeyInit>::new_from_slice; Argument[0]; credentials-key |
 | 2 | Sink: <cipher::stream_wrapper::StreamCipherCoreWrapper as crypto_common::KeyInit>::new; Argument[0]; credentials-key |
@@ -119,4 +125,10 @@ nodes
 | test_cipher.rs:73:20:73:22 | 0u8 | semmle.label | 0u8 |
 | test_cipher.rs:74:23:74:44 | ...::new_from_slice | semmle.label | ...::new_from_slice |
 | test_cipher.rs:74:46:74:51 | const2 [&ref, element] | semmle.label | const2 [&ref, element] |
+| test_cipher.rs:144:9:144:16 | mut key5 [element] | semmle.label | mut key5 [element] |
+| test_cipher.rs:144:20:144:27 | [0u8; 32] [element] | semmle.label | [0u8; 32] [element] |
+| test_cipher.rs:144:21:144:23 | 0u8 | semmle.label | 0u8 |
+| test_cipher.rs:146:13:146:34 | ...::new_from_slice | semmle.label | ...::new_from_slice |
+| test_cipher.rs:146:36:146:40 | &key5 [&ref, element] | semmle.label | &key5 [&ref, element] |
+| test_cipher.rs:146:37:146:40 | key5 [element] | semmle.label | key5 [element] |
 subpaths
diff --git a/rust/ql/test/query-tests/security/CWE-798/test_cipher.rs b/rust/ql/test/query-tests/security/CWE-798/test_cipher.rs
@@ -140,4 +140,8 @@ fn test_aes_gcm(
     _ = getrandom2::getrandom(&mut nonce4).unwrap();
     let cipher4 = Aes256Gcm::new(&key4.into());
     let _ = cipher4.encrypt(&nonce4.into(), b"plaintext".as_ref()).unwrap();
+
+    let mut key5 = [0u8;32]; // $ SPURIOUS: Alert[rust/hard-coded-cryptographic-value]
+    _ = getrandom::fill(&mut key5).unwrap();
+    let _ = Aes256::new_from_slice(&key5).unwrap(); // $ Sink
 }

Original file line number	Diff line number	Diff line change
`@@ -103,7 +103,8 @@ module HardcodedCryptographicValue {`
`103`	`103`	`ce.getFunction().(PathExpr).getResolvedCrateOrigin() =`
`104`	`104`	`"repo:https://github.com/rust-random/getrandom:getrandom" and`
`105`	`105`	`ce.getFunction().(PathExpr).getResolvedPath() = ["crate::fill", "crate::getrandom"] and`
`106`		`- this.asExpr().getExpr().getParentNode*() = ce.getArgList().getArg(0)`
	`106`	`+ this.asExpr().getExpr().getParentNode*() = ce.getArgList().getArg(0) and`
	`107`	`+ none()`
`107`	`108`	`)`
`108`	`109`	`}`
`109`	`110`	`}`
Original file line number	Diff line number	Diff line change
`@@ -140,4 +140,8 @@ fn test_aes_gcm(`
`140`	`140`	`_ = getrandom2::getrandom(&mut nonce4).unwrap();`
`141`	`141`	`let cipher4 = Aes256Gcm::new(&key4.into());`
`142`	`142`	`let _ = cipher4.encrypt(&nonce4.into(), b"plaintext".as_ref()).unwrap();`
	`143`	`+`
	`144`	`+ let mut key5 = [0u8;32]; // $ SPURIOUS: Alert[rust/hard-coded-cryptographic-value]`
	`145`	`+ _ = getrandom::fill(&mut key5).unwrap();`
	`146`	`+ let _ = Aes256::new_from_slice(&key5).unwrap(); // $ Sink`
`143`	`147`	`}`