Rust: Add Sqlx as MaD sinks instead.
1 parent 87deab8 commit 62b7d84


3 files changed

+106
-45
lines changed
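--- /dev/null
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -0,0 +1,13 @@
+extensions:
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: sinkModel
+    data:
+      - ["sqlx_core::query::query", "Argument[0]", "sql-injection", "manual"]
+      - ["sqlx_core::query_as::query_as", "Argument[0]", "sql-injection", "manual"]
+      - ["sqlx_core::query_with::query_with", "Argument[0]", "sql-injection", "manual"]
+      - ["sqlx_core::query_as_with::query_as_with", "Argument[0]", "sql-injection", "manual"]
+      - ["sqlx_core::query_scalar::query_scalar", "Argument[0]", "sql-injection", "manual"]
+      - ["sqlx_core::query_scalar_with::query_scalar_with", "Argument[0]", "sql-injection", "manual"]
+      - ["sqlx_core::raw_sql::raw_sql", "Argument[0]", "sql-injection", "manual"]
+      - ["sqlx_core::executor::Executor::execute", "Argument[0]", "sql-injection", "manual"]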
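Review bot: `Executor::execute` is the only trait-method sink in the new `data:` list, but sqlx's `Executor` trait takes the same query argument in `execute_many`, `fetch`, `fetch_many`, `fetch_all`, `fetch_one`, `fetch_optional` and `prepare`/`prepare_with`, so a tainted string passed to `pool.fetch_all(..)` has no sink and is silently not reported. The deleted sink-test file in this commit listed many more `sql-sink` locations (e.g. sqlx.rs:81–88, 111–155, 185–189) than the three `...::query` calls the new SqlInjection.expected now reports, which suggests those other call shapes were exercised by the test and are presumably now unmodelled rather than covered; I cannot confirm that from the page since the test source is not shown. I would add the sibling `Executor` rows alongside the existing one, following the same `Argument[0]` convention the page already uses, and keep (or re-add) a sink test that pins each of them.
```yaml
      # … unchanged: existing sqlx_core::query*, raw_sql and Executor::execute rows …
      - ["sqlx_core::executor::Executor::execute_many", "Argument[0]", "sql-injection", "manual"]
      - ["sqlx_core::executor::Executor::fetch", "Argument[0]", "sql-injection", "manual"]
      - ["sqlx_core::executor::Executor::fetch_many", "Argument[0]", "sql-injection", "manual"]
      - ["sqlx_core::executor::Executor::fetch_all", "Argument[0]", "sql-injection", "manual"]
      - ["sqlx_core::executor::Executor::fetch_one", "Argument[0]", "sql-injection", "manual"]
      - ["sqlx_core::executor::Executor::fetch_optional", "Argument[0]", "sql-injection", "manual"]
```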

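--- a/rust/ql/test/query-tests/security/CWE-089/SqlInjection.expected
+++ b/rust/ql/test/query-tests/security/CWE-089/SqlInjection.expected
@@ -1,10 +1,97 @@
 #select
+| sqlx.rs:77:13:77:23 | ...::query | sqlx.rs:48:25:48:46 | ...::get | sqlx.rs:77:13:77:23 | ...::query | This query depends on a $@. | sqlx.rs:48:25:48:46 | ...::get | user-provided value |
+| sqlx.rs:78:13:78:23 | ...::query | sqlx.rs:47:22:47:35 | ...::args | sqlx.rs:78:13:78:23 | ...::query | This query depends on a $@. | sqlx.rs:47:22:47:35 | ...::args | user-provided value |
+| sqlx.rs:80:17:80:27 | ...::query | sqlx.rs:48:25:48:46 | ...::get | sqlx.rs:80:17:80:27 | ...::query | This query depends on a $@. | sqlx.rs:48:25:48:46 | ...::get | user-provided value |
 edges
+| sqlx.rs:47:9:47:18 | arg_string | sqlx.rs:53:27:53:36 | arg_string | provenance | |
+| sqlx.rs:47:22:47:35 | ...::args | sqlx.rs:47:22:47:37 | ...::args(...) [element] | provenance | Src:MaD:3 |
+| sqlx.rs:47:22:47:37 | ...::args(...) [element] | sqlx.rs:47:22:47:44 | ... .nth(...) [Some] | provenance | MaD:4 |
+| sqlx.rs:47:22:47:44 | ... .nth(...) [Some] | sqlx.rs:47:22:47:77 | ... .unwrap_or(...) | provenance | MaD:6 |
+| sqlx.rs:47:22:47:77 | ... .unwrap_or(...) | sqlx.rs:47:9:47:18 | arg_string | provenance | |
+| sqlx.rs:48:9:48:21 | remote_string | sqlx.rs:49:25:49:52 | remote_string.parse() [Ok] | provenance | MaD:10 |
+| sqlx.rs:48:9:48:21 | remote_string | sqlx.rs:49:25:49:52 | remote_string.parse() [Ok] | provenance | MaD:10 |
+| sqlx.rs:48:9:48:21 | remote_string | sqlx.rs:54:27:54:39 | remote_string | provenance | |
+| sqlx.rs:48:25:48:46 | ...::get | sqlx.rs:48:25:48:69 | ...::get(...) [Ok] | provenance | Src:MaD:2 |
+| sqlx.rs:48:25:48:69 | ...::get(...) [Ok] | sqlx.rs:48:25:48:78 | ... .unwrap() | provenance | MaD:7 |
+| sqlx.rs:48:25:48:78 | ... .unwrap() | sqlx.rs:48:25:48:85 | ... .text() [Ok] | provenance | MaD:11 |
+| sqlx.rs:48:25:48:85 | ... .text() [Ok] | sqlx.rs:48:25:48:118 | ... .unwrap_or(...) | provenance | MaD:8 |
+| sqlx.rs:48:25:48:118 | ... .unwrap_or(...) | sqlx.rs:48:9:48:21 | remote_string | provenance | |
+| sqlx.rs:49:9:49:21 | remote_number | sqlx.rs:52:32:52:87 | MacroExpr | provenance | |
+| sqlx.rs:49:25:49:52 | remote_string.parse() [Ok] | sqlx.rs:49:25:49:65 | ... .unwrap_or(...) | provenance | MaD:8 |
+| sqlx.rs:49:25:49:65 | ... .unwrap_or(...) | sqlx.rs:49:9:49:21 | remote_number | provenance | |
+| sqlx.rs:52:9:52:20 | safe_query_3 | sqlx.rs:77:25:77:36 | safe_query_3 | provenance | |
+| sqlx.rs:52:9:52:20 | safe_query_3 | sqlx.rs:77:25:77:45 | safe_query_3.as_str() | provenance | MaD:9 |
+| sqlx.rs:52:9:52:20 | safe_query_3 | sqlx.rs:77:25:77:45 | safe_query_3.as_str() | provenance | MaD:5 |
+| sqlx.rs:52:9:52:20 | safe_query_3 | sqlx.rs:77:25:77:45 | safe_query_3.as_str() | provenance | MaD:9 |
+| sqlx.rs:52:24:52:88 | res | sqlx.rs:52:32:52:87 | { ... } | provenance | |
+| sqlx.rs:52:32:52:87 | ...::format(...) | sqlx.rs:52:24:52:88 | res | provenance | |
+| sqlx.rs:52:32:52:87 | ...::must_use(...) | sqlx.rs:52:9:52:20 | safe_query_3 | provenance | |
+| sqlx.rs:52:32:52:87 | MacroExpr | sqlx.rs:52:32:52:87 | ...::format(...) | provenance | MaD:12 |
+| sqlx.rs:52:32:52:87 | { ... } | sqlx.rs:52:32:52:87 | ...::must_use(...) | provenance | MaD:13 |
+| sqlx.rs:53:9:53:22 | unsafe_query_1 [&ref] | sqlx.rs:78:25:78:47 | unsafe_query_1.as_str() [&ref] | provenance | MaD:9 |
+| sqlx.rs:53:9:53:22 | unsafe_query_1 [&ref] | sqlx.rs:78:25:78:47 | unsafe_query_1.as_str() [&ref] | provenance | MaD:5 |
+| sqlx.rs:53:9:53:22 | unsafe_query_1 [&ref] | sqlx.rs:78:25:78:47 | unsafe_query_1.as_str() [&ref] | provenance | MaD:9 |
+| sqlx.rs:53:26:53:36 | &arg_string [&ref] | sqlx.rs:53:9:53:22 | unsafe_query_1 [&ref] | provenance | |
+| sqlx.rs:53:27:53:36 | arg_string | sqlx.rs:53:26:53:36 | &arg_string [&ref] | provenance | |
+| sqlx.rs:54:9:54:22 | unsafe_query_2 [&ref] | sqlx.rs:80:29:80:51 | unsafe_query_2.as_str() [&ref] | provenance | MaD:9 |
+| sqlx.rs:54:9:54:22 | unsafe_query_2 [&ref] | sqlx.rs:80:29:80:51 | unsafe_query_2.as_str() [&ref] | provenance | MaD:5 |
+| sqlx.rs:54:9:54:22 | unsafe_query_2 [&ref] | sqlx.rs:80:29:80:51 | unsafe_query_2.as_str() [&ref] | provenance | MaD:9 |
+| sqlx.rs:54:26:54:39 | &remote_string [&ref] | sqlx.rs:54:9:54:22 | unsafe_query_2 [&ref] | provenance | |
+| sqlx.rs:54:27:54:39 | remote_string | sqlx.rs:54:26:54:39 | &remote_string [&ref] | provenance | |
+| sqlx.rs:77:25:77:36 | safe_query_3 | sqlx.rs:77:25:77:45 | safe_query_3.as_str() [&ref] | provenance | MaD:9 |
+| sqlx.rs:77:25:77:36 | safe_query_3 | sqlx.rs:77:25:77:45 | safe_query_3.as_str() [&ref] | provenance | MaD:5 |
+| sqlx.rs:77:25:77:36 | safe_query_3 | sqlx.rs:77:25:77:45 | safe_query_3.as_str() [&ref] | provenance | MaD:9 |
+| sqlx.rs:77:25:77:45 | safe_query_3.as_str() | sqlx.rs:77:13:77:23 | ...::query | provenance | MaD:1 Sink:MaD:1 |
+| sqlx.rs:77:25:77:45 | safe_query_3.as_str() [&ref] | sqlx.rs:77:13:77:23 | ...::query | provenance | MaD:1 Sink:MaD:1 |
+| sqlx.rs:78:25:78:47 | unsafe_query_1.as_str() [&ref] | sqlx.rs:78:13:78:23 | ...::query | provenance | MaD:1 Sink:MaD:1 |
+| sqlx.rs:80:29:80:51 | unsafe_query_2.as_str() [&ref] | sqlx.rs:80:17:80:27 | ...::query | provenance | MaD:1 Sink:MaD:1 |
+models
+| 1 | Sink: sqlx_core::query::query; Argument[0]; sql-injection |
+| 2 | Source: reqwest::blocking::get; ReturnValue.Field[core::result::Result::Ok(0)]; remote |
+| 3 | Source: std::env::args; ReturnValue.Element; commandargs |
+| 4 | Summary: <_ as core::iter::traits::iterator::Iterator>::nth; Argument[self].Element; ReturnValue.Field[core::option::Option::Some(0)]; value |
+| 5 | Summary: <alloc::string::String>::as_str; Argument[self]; ReturnValue; value |
+| 6 | Summary: <core::option::Option>::unwrap_or; Argument[self].Field[core::option::Option::Some(0)]; ReturnValue; value |
+| 7 | Summary: <core::result::Result>::unwrap; Argument[self].Field[core::result::Result::Ok(0)]; ReturnValue; value |
+| 8 | Summary: <core::result::Result>::unwrap_or; Argument[self].Field[core::result::Result::Ok(0)]; ReturnValue; value |
+| 9 | Summary: <core::str>::as_str; Argument[self]; ReturnValue; value |
+| 10 | Summary: <core::str>::parse; Argument[self]; ReturnValue.Field[core::result::Result::Ok(0)]; taint |
+| 11 | Summary: <reqwest::blocking::response::Response>::text; Argument[self]; ReturnValue.Field[core::result::Result::Ok(0)]; taint |
+| 12 | Summary: alloc::fmt::format; Argument[0]; ReturnValue; taint |
+| 13 | Summary: core::hint::must_use; Argument[0]; ReturnValue; value |
 nodes
+| sqlx.rs:47:9:47:18 | arg_string | semmle.label | arg_string |
+| sqlx.rs:47:22:47:35 | ...::args | semmle.label | ...::args |
+| sqlx.rs:47:22:47:37 | ...::args(...) [element] | semmle.label | ...::args(...) [element] |
+| sqlx.rs:47:22:47:44 | ... .nth(...) [Some] | semmle.label | ... .nth(...) [Some] |
+| sqlx.rs:47:22:47:77 | ... .unwrap_or(...) | semmle.label | ... .unwrap_or(...) |
+| sqlx.rs:48:9:48:21 | remote_string | semmle.label | remote_string |
+| sqlx.rs:48:25:48:46 | ...::get | semmle.label | ...::get |
+| sqlx.rs:48:25:48:69 | ...::get(...) [Ok] | semmle.label | ...::get(...) [Ok] |
+| sqlx.rs:48:25:48:78 | ... .unwrap() | semmle.label | ... .unwrap() |
+| sqlx.rs:48:25:48:85 | ... .text() [Ok] | semmle.label | ... .text() [Ok] |
+| sqlx.rs:48:25:48:118 | ... .unwrap_or(...) | semmle.label | ... .unwrap_or(...) |
+| sqlx.rs:49:9:49:21 | remote_number | semmle.label | remote_number |
+| sqlx.rs:49:25:49:52 | remote_string.parse() [Ok] | semmle.label | remote_string.parse() [Ok] |
+| sqlx.rs:49:25:49:65 | ... .unwrap_or(...) | semmle.label | ... .unwrap_or(...) |
+| sqlx.rs:52:9:52:20 | safe_query_3 | semmle.label | safe_query_3 |
+| sqlx.rs:52:24:52:88 | res | semmle.label | res |
+| sqlx.rs:52:32:52:87 | ...::format(...) | semmle.label | ...::format(...) |
+| sqlx.rs:52:32:52:87 | ...::must_use(...) | semmle.label | ...::must_use(...) |
+| sqlx.rs:52:32:52:87 | MacroExpr | semmle.label | MacroExpr |
+| sqlx.rs:52:32:52:87 | { ... } | semmle.label | { ... } |
+| sqlx.rs:53:9:53:22 | unsafe_query_1 [&ref] | semmle.label | unsafe_query_1 [&ref] |
+| sqlx.rs:53:26:53:36 | &arg_string [&ref] | semmle.label | &arg_string [&ref] |
+| sqlx.rs:53:27:53:36 | arg_string | semmle.label | arg_string |
+| sqlx.rs:54:9:54:22 | unsafe_query_2 [&ref] | semmle.label | unsafe_query_2 [&ref] |
+| sqlx.rs:54:26:54:39 | &remote_string [&ref] | semmle.label | &remote_string [&ref] |
+| sqlx.rs:54:27:54:39 | remote_string | semmle.label | remote_string |
+| sqlx.rs:77:13:77:23 | ...::query | semmle.label | ...::query |
+| sqlx.rs:77:25:77:36 | safe_query_3 | semmle.label | safe_query_3 |
+| sqlx.rs:77:25:77:45 | safe_query_3.as_str() | semmle.label | safe_query_3.as_str() |
+| sqlx.rs:77:25:77:45 | safe_query_3.as_str() [&ref] | semmle.label | safe_query_3.as_str() [&ref] |
+| sqlx.rs:78:13:78:23 | ...::query | semmle.label | ...::query |
+| sqlx.rs:78:25:78:47 | unsafe_query_1.as_str() [&ref] | semmle.label | unsafe_query_1.as_str() [&ref] |
+| sqlx.rs:80:17:80:27 | ...::query | semmle.label | ...::query |
+| sqlx.rs:80:29:80:51 | unsafe_query_2.as_str() [&ref] | semmle.label | unsafe_query_2.as_str() [&ref] |
 subpaths
-testFailures
-| sqlx.rs:47:80:47:96 | //... | Missing result: Source=args1 |
-| sqlx.rs:48:121:48:139 | //... | Missing result: Source=remote1 |
-| sqlx.rs:77:71:77:129 | //... | Fixed spurious result: Alert[rust/sql-injection]=remote1 |
-| sqlx.rs:78:73:78:117 | //... | Missing result: Alert[rust/sql-injection]=args1 |
-| sqlx.rs:80:77:80:123 | //... | Missing result: Alert[rust/sql-injection]=remote1 |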
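Review bot: The first `#select` row now records an alert for `safe_query_3` at sqlx.rs:77, and the edges show its only tainted input is `remote_number`, reached through `remote_string.parse()` (model 10, `taint`) and then `format!` (model 12), so the alert stands or falls on whether a parsed value is still injectable. The variable name suggests a numeric type, which would make this a false positive that the test file presumably annotates as spurious (the removed `Fixed spurious result` line at 77:71 points the same way); the page does not show the test source, so I cannot confirm. If that reading is right, the result is better tracked with a `$ SPURIOUS` annotation and a follow-up sanitizer for numeric `parse()` results than silently accepted as expected output, and a one-line comment in the test next to line 77 naming the cause (`// flows via parse()::<number> -> format!; needs a numeric sanitizer`) would keep that from being lost. The remaining two rows (lines 78 and 80) are genuine string concatenations from `args` and `reqwest::blocking::get`, and the now-empty `testFailures` section confirms the `args1`/`remote1` annotations are satisfied.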
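--- a/<PATH-NOT-SHOWN-ON-PAGE>
+++ /dev/null
@@ -1,39 +0,0 @@
-| sqlx.rs:75:71:75:83 | //... | Missing result: sql-sink |
-| sqlx.rs:76:71:76:83 | //... | Missing result: sql-sink |
-| sqlx.rs:77:71:77:129 | //... | Missing result: sql-sink |
-| sqlx.rs:78:73:78:117 | //... | Missing result: sql-sink |
-| sqlx.rs:80:77:80:123 | //... | Missing result: sql-sink |
-| sqlx.rs:81:77:81:132 | //... | Missing result: sql-sink |
-| sqlx.rs:82:77:82:132 | //... | Missing result: sql-sink |
-| sqlx.rs:84:94:84:106 | //... | Missing result: sql-sink |
-| sqlx.rs:85:92:85:104 | //... | Missing result: sql-sink |
-| sqlx.rs:87:99:87:111 | //... | Missing result: sql-sink |
-| sqlx.rs:88:99:88:111 | //... | Missing result: sql-sink |
-| sqlx.rs:111:77:111:89 | //... | Missing result: sql-sink |
-| sqlx.rs:113:83:113:138 | //... | Missing result: sql-sink |
-| sqlx.rs:117:75:117:87 | //... | Missing result: sql-sink |
-| sqlx.rs:118:99:118:111 | //... | Missing result: sql-sink |
-| sqlx.rs:120:81:120:136 | //... | Missing result: sql-sink |
-| sqlx.rs:121:104:121:116 | //... | Missing result: sql-sink |
-| sqlx.rs:124:66:124:78 | //... | Missing result: sql-sink |
-| sqlx.rs:125:90:125:102 | //... | Missing result: sql-sink |
-| sqlx.rs:127:72:127:127 | //... | Missing result: sql-sink |
-| sqlx.rs:128:95:128:107 | //... | Missing result: sql-sink |
-| sqlx.rs:131:106:131:118 | //... | Missing result: sql-sink |
-| sqlx.rs:133:130:133:142 | //... | Missing result: sql-sink |
-| sqlx.rs:136:109:136:164 | //... | Missing result: sql-sink |
-| sqlx.rs:137:132:137:144 | //... | Missing result: sql-sink |
-| sqlx.rs:140:129:140:141 | //... | Missing result: sql-sink |
-| sqlx.rs:142:153:142:165 | //... | Missing result: sql-sink |
-| sqlx.rs:145:132:145:189 | //... | Missing result: sql-sink |
-| sqlx.rs:146:155:146:167 | //... | Missing result: sql-sink |
-| sqlx.rs:149:77:149:89 | //... | Missing result: sql-sink |
-| sqlx.rs:150:101:150:113 | //... | Missing result: sql-sink |
-| sqlx.rs:151:116:151:128 | //... | Missing result: sql-sink |
-| sqlx.rs:153:83:153:138 | //... | Missing result: sql-sink |
-| sqlx.rs:154:106:154:118 | //... | Missing result: sql-sink |
-| sqlx.rs:155:121:155:133 | //... | Missing result: sql-sink |
-| sqlx.rs:185:71:185:83 | //... | Missing result: sql-sink |
-| sqlx.rs:186:95:186:107 | //... | Missing result: sql-sink |
-| sqlx.rs:188:77:188:132 | //... | Missing result: sql-sink |
-| sqlx.rs:189:100:189:112 | //... | Missing result: sql-sink |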
