Merge pull request #20398 from paldepind/rust/warp-model

Rust: Add tests and models for Warp

Author: paldepind

rust/ql/lib/codeql/rust/frameworks/warp.model.yml

@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: sourceModel
+    data:
+      - ["<_ as warp::filter::Filter>::then", "Argument[0].Parameter[0..7]", "remote", "manual"]
+      - ["<_ as warp::filter::Filter>::map", "Argument[0].Parameter[0..7]", "remote", "manual"]
+      - ["<_ as warp::filter::Filter>::and_then", "Argument[0].Parameter[0..7]", "remote", "manual"]

rust/ql/test/library-tests/dataflow/sources/Cargo.lock

@@ -100,3 +100,67 @@
 | web_frameworks.rs:58:14:58:15 | ms | Flow source 'RemoteSource' of type remote (DEFAULT). |
 | web_frameworks.rs:68:15:68:15 | a | Flow source 'RemoteSource' of type remote (DEFAULT). |
 | web_frameworks.rs:68:15:68:15 | a | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:272:75:272:77 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |

rust/ql/test/library-tests/dataflow/sources/TaintSources.expected

@@ -16,3 +16,4 @@ qltest_dependencies:
     - rustls = { version = "0.23.27" }
     - futures-rustls = { version = "0.26.0" }
     - async-std = { version = "1.13.1" }
+    - warp = { version = "0.4.2", features = ["server"] }

rust/ql/test/library-tests/dataflow/sources/options.yml

@@ -229,3 +229,61 @@ mod axum_test {
         // ...
     }
 }
+
+mod warp_test {
+    use super::sink;
+    use warp::Filter;
+
+    #[tokio::main]
+    #[rustfmt::skip]
+    async fn test_warp() {
+        // A route with parameter and `map`
+        let map_route =
+            warp::path::param().map(|a: String| // $ Alert[rust/summary/taint-sources]
+            {
+            sink(a); // $ MISSING: hasTaintFlow
+
+            "".to_string()
+        });
+
+        // A route with parameter and `then`
+        let then_route = warp::path::param().then( // $ Alert[rust/summary/taint-sources]
+            async move |a: String| {
+                sink(a); // $ MISSING: hasTaintFlow
+
+                "".to_string()
+            },
+        );
+
+        // A route with parameter and `and_then`
+        let and_then_route = warp::path::param().and_then( // $ Alert[rust/summary/taint-sources] 
+            async move | id: u64 |
+            {
+            if id != 0 {
+                sink(id); // $ MISSING: hasTaintFlow
+                Ok("".to_string())
+            } else {
+                Err(warp::reject::not_found())
+            }
+        },
+        );
+
+        // A route with path, parameter, and `and_then`
+        let path_and_map_route = warp::path("1").and(warp::path::param()).map( // $ Alert[rust/summary/taint-sources] 
+            | a: String |
+            {
+                sink(a); // $ MISSING: hasTaintFlow
+
+                "".to_string()
+             },
+        );
+
+        let routes = warp::get().and(
+            map_route
+                .or(then_route)
+                .or(and_then_route)
+                .or(path_and_map_route),
+        );
+        warp::serve(routes).run(([127, 0, 0, 1], 3030)).await;
+    }
+}