Merge pull request #20432 from github/copilot/fix-f50317f8-0a91-4bb4-a01b-353dcf0f6f3f

Rust: Implement new query for non-HTTPS URLs (CWE-319)

Author: geoffw0

rust/ql/integration-tests/query-suite/rust-code-scanning.qls.expected

@@ -14,6 +14,7 @@ ql/rust/ql/src/queries/security/CWE-089/SqlInjection.ql
 ql/rust/ql/src/queries/security/CWE-311/CleartextTransmission.ql
 ql/rust/ql/src/queries/security/CWE-312/CleartextLogging.ql
 ql/rust/ql/src/queries/security/CWE-312/CleartextStorageDatabase.ql
+ql/rust/ql/src/queries/security/CWE-319/UseOfHttp.ql
 ql/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.ql
 ql/rust/ql/src/queries/security/CWE-328/WeakSensitiveDataHashing.ql
 ql/rust/ql/src/queries/security/CWE-770/UncontrolledAllocationSize.ql

rust/ql/integration-tests/query-suite/rust-security-and-quality.qls.expected

@@ -15,6 +15,7 @@ ql/rust/ql/src/queries/security/CWE-117/LogInjection.ql
 ql/rust/ql/src/queries/security/CWE-311/CleartextTransmission.ql
 ql/rust/ql/src/queries/security/CWE-312/CleartextLogging.ql
 ql/rust/ql/src/queries/security/CWE-312/CleartextStorageDatabase.ql
+ql/rust/ql/src/queries/security/CWE-319/UseOfHttp.ql
 ql/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.ql
 ql/rust/ql/src/queries/security/CWE-328/WeakSensitiveDataHashing.ql
 ql/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql

rust/ql/integration-tests/query-suite/rust-security-extended.qls.expected

@@ -15,6 +15,7 @@ ql/rust/ql/src/queries/security/CWE-117/LogInjection.ql
 ql/rust/ql/src/queries/security/CWE-311/CleartextTransmission.ql
 ql/rust/ql/src/queries/security/CWE-312/CleartextLogging.ql
 ql/rust/ql/src/queries/security/CWE-312/CleartextStorageDatabase.ql
+ql/rust/ql/src/queries/security/CWE-319/UseOfHttp.ql
 ql/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.ql
 ql/rust/ql/src/queries/security/CWE-328/WeakSensitiveDataHashing.ql
 ql/rust/ql/src/queries/security/CWE-770/UncontrolledAllocationSize.ql

rust/ql/lib/codeql/rust/security/UseOfHttpExtensions.qll

@@ -0,0 +1,62 @@
+/**
+ * Provides classes and predicates for reasoning about the use of
+ * non-HTTPS URLs in Rust code.
+ */
+
+import rust
+private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowSink
+private import codeql.rust.Concepts
+
+/**
+ * Provides default sources, sinks and barriers for detecting use of
+ * non-HTTPS URLs, as well as extension points for adding your own.
+ */
+module UseOfHttp {
+  /**
+   * A data flow source for use of non-HTTPS URLs.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for use of non-HTTPS URLs.
+   */
+  abstract class Sink extends QuerySink::Range {
+    override string getSinkType() { result = "UseOfHttp" }
+  }
+
+  /**
+   * A barrier for use of non-HTTPS URLs.
+   */
+  abstract class Barrier extends DataFlow::Node { }
+
+  /**
+   * A string containing an HTTP URL.
+   */
+  class HttpStringLiteral extends StringLiteralExpr {
+    HttpStringLiteral() {
+      exists(string s | this.getTextValue() = s |
+        // match HTTP URLs
+        s.regexpMatch("(?i)\"http://.*\"") and
+        // exclude private/local addresses:
+        //  - IPv4: localhost / 127.0.0.1, 192.168.x.x, 10.x.x.x, 172.16.x.x -> 172.31.x.x
+        //  - IPv6 (address inside []): ::1 (or 0:0:0:0:0:0:0:1), fc00::/7 (i.e. anything beginning `fcxx:` or `fdxx:`)
+        not s.regexpMatch("(?i)\"http://(localhost|127\\.0\\.0\\.1|192\\.168\\.[0-9]+\\.[0-9]+|10\\.[0-9]+\\.[0-9]+\\.[0-9]+|172\\.(1[6-9]|2[0-9]|3[01])\\.[0-9]+|\\[::1\\]|\\[0:0:0:0:0:0:0:1\\]|\\[f[cd][0-9a-f]{2}:.*\\]).*\"")
+      )
+    }
+  }
+
+  /**
+   * An HTTP string literal as a source.
+   */
+  private class HttpStringLiteralAsSource extends Source {
+    HttpStringLiteralAsSource() { this.asExpr().getExpr() instanceof HttpStringLiteral }
+  }
+
+  /**
+   * A sink for use of HTTP URLs from model data.
+   */
+  private class ModelsAsDataSink extends Sink {
+    ModelsAsDataSink() { sinkNode(this, "request-url") }
+  }
+}

rust/ql/src/change-notes/2025-09-15-non-https-url.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new query, `rust/non-https-url`, for detecting the use of non-HTTPS URLs that can be intercepted by third parties.

rust/ql/src/queries/security/CWE-319/UseOfHttp.qhelp

@@ -0,0 +1,49 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+
+<p>Constructing URLs with the HTTP protocol can lead to insecure connections.</p>
+
+<p>Furthermore, constructing URLs with the HTTP protocol can create problems if other parts of the
+code expect HTTPS URLs. A typical pattern is to use libraries that expect secure connections,
+which may fail or fall back to insecure behavior when provided with HTTP URLs instead of HTTPS URLs.</p>
+
+</overview>
+<recommendation>
+
+<p>When you construct a URL for network requests, ensure that you use an HTTPS URL rather than an HTTP URL.
+Then, any connections that are made using that URL are secure TLS connections.</p>
+
+</recommendation>
+<example>
+
+<p>The following examples show two ways of making a network request using a URL. When the request is
+made using an HTTP URL rather than an HTTPS URL, the connection is unsecured and can be intercepted
+by attackers:</p>
+
+<sample src="UseOfHttpBad.rs" />
+
+<p>A better approach is to use HTTPS. When the request is made using an HTTPS URL, the connection
+is a secure TLS connection:</p>
+
+<sample src="UseOfHttpGood.rs" />
+
+</example>
+<references>
+
+<li>
+OWASP:
+<a href="https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html">Transport Layer Security Cheat Sheet</a>.
+</li>
+<li>
+OWASP Top 10:
+<a href="https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/">A08:2021 - Software and Data Integrity Failures</a>.
+</li>
+<li>Rust reqwest documentation:
+<a href="https://docs.rs/reqwest/">reqwest crate</a>.
+</li>
+
+</references>
+</qhelp>

rust/ql/src/queries/security/CWE-319/UseOfHttp.ql

@@ -0,0 +1,42 @@
+/**
+ * @name Failure to use HTTPS URLs
+ * @description Non-HTTPS connections can be intercepted by third parties.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 8.1
+ * @precision high
+ * @id rust/non-https-url
+ * @tags security
+ *       external/cwe/cwe-319
+ *       external/cwe/cwe-345
+ */
+
+import rust
+import codeql.rust.dataflow.DataFlow
+import codeql.rust.dataflow.TaintTracking
+import codeql.rust.security.UseOfHttpExtensions
+
+/**
+ * A taint configuration for HTTP URL strings that flow to URL-using sinks.
+ */
+module UseOfHttpConfig implements DataFlow::ConfigSig {
+  import UseOfHttp
+
+  predicate isSource(DataFlow::Node node) { node instanceof Source }
+
+  predicate isSink(DataFlow::Node node) { node instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof Barrier }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+}
+
+module UseOfHttpFlow = TaintTracking::Global<UseOfHttpConfig>;
+
+import UseOfHttpFlow::PathGraph
+
+from UseOfHttpFlow::PathNode sourceNode, UseOfHttpFlow::PathNode sinkNode
+where UseOfHttpFlow::flowPath(sourceNode, sinkNode)
+select sinkNode.getNode(), sourceNode, sinkNode,
+  "This URL may be constructed with the HTTP protocol, from $@.", sourceNode.getNode(),
+  "this HTTP URL"

rust/ql/src/queries/security/CWE-319/UseOfHttpBad.rs

@@ -0,0 +1,10 @@
+// BAD: Using HTTP URL which can be intercepted
+use reqwest;
+
+fn main() {
+    let url = "http://example.com/sensitive-data";
+    
+    // This makes an insecure HTTP request that can be intercepted
+    let response = reqwest::blocking::get(url).unwrap();
+    println!("Response: {}", response.text().unwrap());
+}

rust/ql/src/queries/security/CWE-319/UseOfHttpGood.rs

@@ -0,0 +1,10 @@
+// GOOD: Using HTTPS URL which provides encryption
+use reqwest;
+
+fn main() {
+    let url = "https://example.com/sensitive-data";
+    
+    // This makes a secure HTTPS request that is encrypted
+    let response = reqwest::blocking::get(url).unwrap();
+    println!("Response: {}", response.text().unwrap());
+}

rust/ql/src/queries/summary/Stats.qll

@@ -27,6 +27,7 @@ private import codeql.rust.security.LogInjectionExtensions
 private import codeql.rust.security.SqlInjectionExtensions
 private import codeql.rust.security.TaintedPathExtensions
 private import codeql.rust.security.UncontrolledAllocationSizeExtensions
+private import codeql.rust.security.UseOfHttpExtensions
 private import codeql.rust.security.WeakSensitiveDataHashingExtensions
 private import codeql.rust.security.HardcodedCryptographicValueExtensions