Rust: add more path-injection sinks

aibaars · aibaars · commit b10a296a93eb · 2025-03-20T16:30:47.000+01:00
diff --git a/rust/ql/lib/codeql/rust/frameworks/stdlib/fs.model.yml b/rust/ql/lib/codeql/rust/frameworks/stdlib/fs.model.yml
@@ -7,7 +7,33 @@ extensions:
       pack: codeql/rust-all
       extensible: sinkModel
     data:
+      - ["lang:std", "crate::fs::copy", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::copy", "Argument[1]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::create_dir", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::create_dir_all", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::hard_link", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::hard_link", "Argument[1]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::metadata", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::read", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::read_dir", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::read_link", "Argument[0]", "path-injection", "manual"]
       - ["lang:std", "crate::fs::read_to_string", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::remove_dir", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::remove_dir_all", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::remove_file", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::rename", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::rename", "Argument[1]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::set_permissions", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::soft_link", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::soft_link", "Argument[1]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::symlink_metadata", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::write", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "<crate::fs::DirBuilder>::create", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "<crate::fs::File>::create", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "<crate::fs::File>::create_buffered", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "<crate::fs::File>::create_new", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "<crate::fs::File>::open", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "<crate::fs::File>::open_buffered", "Argument[0]", "path-injection", "manual"]
 
   - addsTo:
       pack: codeql/rust-all
diff --git a/rust/ql/test/query-tests/security/CWE-020/RegexInjection.expected b/rust/ql/test/query-tests/security/CWE-020/RegexInjection.expected
@@ -3,14 +3,14 @@
 edges
 | main.rs:4:9:4:16 | username | main.rs:5:25:5:44 | MacroExpr | provenance |  |
 | main.rs:4:20:4:32 | ...::var | main.rs:4:20:4:40 | ...::var(...) [Ok] | provenance | Src:MaD:62  |
-| main.rs:4:20:4:40 | ...::var(...) [Ok] | main.rs:4:20:4:66 | ... .unwrap_or(...) | provenance | MaD:1599 |
+| main.rs:4:20:4:40 | ...::var(...) [Ok] | main.rs:4:20:4:66 | ... .unwrap_or(...) | provenance | MaD:1625 |
 | main.rs:4:20:4:66 | ... .unwrap_or(...) | main.rs:4:9:4:16 | username | provenance |  |
 | main.rs:5:9:5:13 | regex | main.rs:6:26:6:30 | regex | provenance |  |
 | main.rs:5:17:5:45 | res | main.rs:5:25:5:44 | { ... } | provenance |  |
 | main.rs:5:25:5:44 | ...::format(...) | main.rs:5:17:5:45 | res | provenance |  |
 | main.rs:5:25:5:44 | ...::must_use(...) | main.rs:5:9:5:13 | regex | provenance |  |
-| main.rs:5:25:5:44 | MacroExpr | main.rs:5:25:5:44 | ...::format(...) | provenance | MaD:72 |
-| main.rs:5:25:5:44 | { ... } | main.rs:5:25:5:44 | ...::must_use(...) | provenance | MaD:3022 |
+| main.rs:5:25:5:44 | MacroExpr | main.rs:5:25:5:44 | ...::format(...) | provenance | MaD:98 |
+| main.rs:5:25:5:44 | { ... } | main.rs:5:25:5:44 | ...::must_use(...) | provenance | MaD:3048 |
 | main.rs:6:26:6:30 | regex | main.rs:6:25:6:30 | &regex | provenance |  |
 nodes
 | main.rs:4:9:4:16 | username | semmle.label | username |
diff --git a/rust/ql/test/query-tests/security/CWE-022/rust-toolchain.toml b/rust/ql/test/query-tests/security/CWE-022/rust-toolchain.toml
@@ -0,0 +1,8 @@
+# This file specifies the Rust version used to develop and test the
+# extractors written in rust. It is set to the lowest version of Rust
+# we want to support.
+
+[toolchain]
+channel = "nightly"
+profile = "minimal"
+components = [ ]
diff --git a/rust/ql/test/query-tests/security/CWE-022/src/main.rs b/rust/ql/test/query-tests/security/CWE-022/src/main.rs
@@ -1,6 +1,6 @@
+#![feature(file_buffered)]
 use poem::{error::InternalServerError, handler, http::StatusCode, web::Query, Error, Result};
-use std::{fs, path::PathBuf};
-
+use std::{fs, path::Path, path::PathBuf};
 //#[handler]
 fn tainted_path_handler_bad(
     Query(file_name): Query<String>, // $ Source=remote1
@@ -59,4 +59,30 @@ fn tainted_path_handler_folder_almost_good2(
     fs::read_to_string(file_path).map_err(InternalServerError) // $ path-injection-sink Alert[rust/path-injection]=remote5
 }
 
+fn sinks(path1: &Path, path2: &Path) {
+    let _ = std::fs::copy(path1, path2); // $ path-injection-sink
+    let _ = std::fs::create_dir(path1); // $ path-injection-sink
+    let _ = std::fs::create_dir_all(path1); // $ path-injection-sink
+    let _ = std::fs::hard_link(path1, path2); // $ path-injection-sink
+    let _ = std::fs::metadata(path1); // $ path-injection-sink
+    let _ = std::fs::read(path1); // $ path-injection-sink
+    let _ = std::fs::read_dir(path1); // $ path-injection-sink
+    let _ = std::fs::read_link(path1); // $ path-injection-sink
+    let _ = std::fs::read_to_string(path1); // $ path-injection-sink
+    let _ = std::fs::remove_dir(path1); // $ path-injection-sink
+    let _ = std::fs::remove_dir_all(path1); // $ path-injection-sink
+    let _ = std::fs::remove_file(path1); // $ path-injection-sink
+    let _ = std::fs::rename(path1, path2); // $ path-injection-sink
+    let _ = std::fs::set_permissions(path1, std::os::unix::fs::PermissionsExt::from_mode(7)); // $ path-injection-sink
+    let _ = std::fs::soft_link(path1, path2); // $ path-injection-sink
+    let _ = std::fs::symlink_metadata(path1); // $ path-injection-sink
+    let _ = std::fs::write(path1, "contents"); // $ path-injection-sink
+    let _ = std::fs::DirBuilder::new().create(path1); // $ path-injection-sink
+    let _ = std::fs::File::create(path1); // $ path-injection-sink
+    let _ = std::fs::File::create_buffered(path1); // $ path-injection-sink
+    let _ = std::fs::File::create_new(path1); // $ path-injection-sink
+    let _ = std::fs::File::open(path1); // $ path-injection-sink
+    let _ = std::fs::File::open_buffered(path1); // $ path-injection-sink
+}
+
 fn main() {}
