Rust: Model reqwest.

geoffw0 · geoffw0 · commit 176e9a425ffe · 2024-11-22T09:13:47.000Z
diff --git a/rust/ql/lib/codeql/rust/Concepts.qll b/rust/ql/lib/codeql/rust/Concepts.qll
@@ -73,6 +73,19 @@ module EnvironmentSource {
   }
 }
 
+/**
+ * A data flow source for remote (network) data.
+ */
+class RemoteSource extends ThreatModelSource instanceof RemoteSource::Range { }
+
+module RemoteSource {
+  abstract class Range extends ThreatModelSource::Range {
+    override string getThreatModel() { result = "remote" }
+
+    override string getSourceType() { result = "RemoteSource" }
+  }
+}
+
 /**
  * A data-flow node that constructs a SQL statement.
  *
diff --git a/rust/ql/lib/codeql/rust/Frameworks.qll b/rust/ql/lib/codeql/rust/Frameworks.qll
@@ -2,4 +2,5 @@
  * This file imports all models of frameworks and libraries.
  */
 
+private import codeql.rust.frameworks.Reqwest
 private import codeql.rust.frameworks.stdlib.Env
diff --git a/rust/ql/lib/codeql/rust/frameworks/Reqwest.qll b/rust/ql/lib/codeql/rust/frameworks/Reqwest.qll
@@ -0,0 +1,16 @@
+/**
+ * Provides modeling for the `reqwest` library.
+ */
+
+private import rust
+private import codeql.rust.Concepts
+
+/**
+ * A call to `reqwest::get` or `reqwest::blocking::get`.
+ */
+private class ReqwestGet extends RemoteSource::Range {
+  ReqwestGet() {
+    this.asExpr().(CallExpr).getExpr().(PathExpr).getPath().getResolvedPath() =
+      ["crate::get", "crate::blocking::get"]
+  }
+}
diff --git a/rust/ql/test/library-tests/dataflow/sources/TaintSources.expected b/rust/ql/test/library-tests/dataflow/sources/TaintSources.expected
@@ -12,3 +12,6 @@
 | test.rs:50:15:50:37 | CallExpr | CommandLineArgs (commandargs) |
 | test.rs:51:15:51:37 | CallExpr | CommandLineArgs (commandargs) |
 | test.rs:52:16:52:35 | CallExpr | CommandLineArgs (commandargs) |
+| test.rs:60:26:60:70 | CallExpr | RemoteSource (remote, DEFAULT) |
+| test.rs:63:26:63:70 | CallExpr | RemoteSource (remote, DEFAULT) |
+| test.rs:66:26:66:60 | CallExpr | RemoteSource (remote, DEFAULT) |
diff --git a/rust/ql/test/library-tests/dataflow/sources/test.rs b/rust/ql/test/library-tests/dataflow/sources/test.rs
@@ -57,13 +57,13 @@ fn test_env_dirs() {
 }
 
 async fn test_reqwest() -> Result<(), reqwest::Error> {
-    let remote_string1 = reqwest::blocking::get("http://example.com/")?.text()?; // $ MISSING: Alert[rust/summary/taint-sources]
+    let remote_string1 = reqwest::blocking::get("http://example.com/")?.text()?; // $ Alert[rust/summary/taint-sources]
     sink(remote_string1); // $ MISSING: hasTaintFlow
 
-    let remote_string2 = reqwest::blocking::get("http://example.com/").unwrap().text().unwrap(); // $ MISSING: Alert[rust/summary/taint-sources]
+    let remote_string2 = reqwest::blocking::get("http://example.com/").unwrap().text().unwrap(); // $ Alert[rust/summary/taint-sources]
     sink(remote_string2); // $ MISSING: hasTaintFlow
 
-    let remote_string3 = reqwest::get("http://example.com/").await?.text().await?; // $ MISSING: Alert[rust/summary/taint-sources]
+    let remote_string3 = reqwest::get("http://example.com/").await?.text().await?; // $ Alert[rust/summary/taint-sources]
     sink(remote_string3); // $ MISSING: hasTaintFlow
 
     Ok(())

Original file line number	Diff line number	Diff line change
`@@ -73,6 +73,19 @@ module EnvironmentSource {`
`73`	`73`	`}`
`74`	`74`	`}`
`75`	`75`
	`76`	`+/**`
	`77`	`+ * A data flow source for remote (network) data.`
	`78`	`+ */`
	`79`	`+class RemoteSource extends ThreatModelSource instanceof RemoteSource::Range { }`
	`80`	`+`
	`81`	`+module RemoteSource {`
	`82`	`+ abstract class Range extends ThreatModelSource::Range {`
	`83`	`+ override string getThreatModel() { result = "remote" }`
	`84`	`+`
	`85`	`+ override string getSourceType() { result = "RemoteSource" }`
	`86`	`+ }`
	`87`	`+}`
	`88`	`+`
`76`	`89`	`/**`
`77`	`90`	`* A data-flow node that constructs a SQL statement.`
`78`	`91`	`*`