Merge pull request #20878 from paldepind/rust/axum-model

Rust: Add models for Axum

Author: paldepind

rust/ql/lib/change-notes/2025-12-16-axum-models.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added models for the Axum web application framework.

rust/ql/lib/codeql/rust/frameworks/axum.model.yml

@@ -0,0 +1,23 @@
+extensions:
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: sourceModel
+    data:
+      # Get
+      - ["axum::routing::method_routing::get", "Argument[0].Parameter[0..7]", "remote", "manual"]
+      - ["<axum::routing::method_routing::MethodRouter>::get", "Argument[0].Parameter[0..7]", "remote", "manual"]
+      # Post
+      - ["axum::routing::method_routing::post", "Argument[0].Parameter[0..7]", "remote", "manual"]
+      - ["<axum::routing::method_routing::MethodRouter>::post", "Argument[0].Parameter[0..7]", "remote", "manual"]
+      # Put
+      - ["axum::routing::method_routing::put", "Argument[0].Parameter[0..7]", "remote", "manual"]
+      - ["<axum::routing::method_routing::MethodRouter>::put", "Argument[0].Parameter[0..7]", "remote", "manual"]
+      # Delete
+      - ["axum::routing::method_routing::delete", "Argument[0].Parameter[0..7]", "remote", "manual"]
+      - ["<axum::routing::method_routing::MethodRouter>::delete", "Argument[0].Parameter[0..7]", "remote", "manual"]
+      # Patch
+      - ["axum::routing::method_routing::patch", "Argument[0].Parameter[0..7]", "remote", "manual"]
+      - ["<axum::routing::method_routing::MethodRouter>::patch", "Argument[0].Parameter[0..7]", "remote", "manual"]
+      # on
+      - ["axum::routing::method_routing::on", "Argument[1].Parameter[0..7]", "remote", "manual"]
+      - ["<axum::routing::method_routing::MethodRouter>::on", "Argument[1].Parameter[0..7]", "remote", "manual"]

rust/ql/lib/codeql/rust/security/XssExtensions.qll

@@ -59,4 +59,14 @@ module Xss {
       )
     }
   }
+
+  // TODO: Convert this to MaD once MaD supports sink for tuple struct expressions.
+  private class AxumHtmlSink extends Sink {
+    AxumHtmlSink() {
+      exists(TupleStructExpr call |
+        call.getResolvedTarget().getCanonicalPath() = "axum::response::Html" and
+        this.asExpr() = call.getSyntacticPositionalArgument(0)
+      )
+    }
+  }
 }

rust/ql/test/library-tests/dataflow/sources/web_frameworks/CONSISTENCY/TypeInferenceConsistency.expected

@@ -1,4 +1,4 @@
 nonUniqueCertainType
-| test.rs:139:30:139:39 | ...::get(...) |  |
-| test.rs:140:34:140:43 | ...::get(...) |  |
-| test.rs:141:30:141:39 | ...::get(...) |  |
+| test.rs:131:30:131:39 | ...::get(...) |  |
+| test.rs:132:34:132:43 | ...::get(...) |  |
+| test.rs:133:30:133:39 | ...::get(...) |  |

rust/ql/test/library-tests/dataflow/sources/web_frameworks/InlineFlow.expected

@@ -94,9 +94,7 @@ mod actix_test {
     use super::sink;
     use actix_web::{get, web, App};
 
-    async fn my_actix_handler_1(
-        path: web::Path<String>,
-    ) -> String {
+    async fn my_actix_handler_1(path: web::Path<String>) -> String {
         let a = path.into_inner();
         sink(a.as_str()); // $ hasTaintFlow=my_actix_handler_1
         sink(a.as_bytes()); // $ hasTaintFlow=my_actix_handler_1
@@ -105,9 +103,7 @@ mod actix_test {
         "".to_string()
     }
 
-    async fn my_actix_handler_2(
-        path: web::Path<(String, String)>,
-    ) -> String {
+    async fn my_actix_handler_2(path: web::Path<(String, String)>) -> String {
         let (a, b) = path.into_inner();
 
         sink(a); // $ hasTaintFlow=my_actix_handler_2
@@ -116,18 +112,14 @@ mod actix_test {
         "".to_string()
     }
 
-    async fn my_actix_handler_3(
-        web::Query(a): web::Query<String>,
-    ) -> String {
+    async fn my_actix_handler_3(web::Query(a): web::Query<String>) -> String {
         sink(a); // $ hasTaintFlow=my_actix_handler_3
 
         "".to_string()
     }
 
     #[get("/4/{a}")] // $ Alert[rust/summary/taint-sources]
-    async fn my_actix_handler_4(
-        path: web::Path<String>,
-    ) -> String {
+    async fn my_actix_handler_4(path: web::Path<String>) -> String {
         let a = path.into_inner();
         sink(a); // $ hasTaintFlow=my_actix_handler_4
 
@@ -148,83 +140,71 @@ mod actix_test {
 mod axum_test {
     use super::sink;
     use axum::extract::{Json, Path, Query, Request};
-    use axum::routing::get;
+    use axum::routing::{get, post, put, MethodFilter};
     use axum::Router;
     use std::collections::HashMap;
 
-    async fn my_axum_handler_1(
-        Path(a): Path<String>, // $ MISSING: Alert[rust/summary/taint-sources]
-    ) -> &'static str {
-        sink(a.as_str()); // $ MISSING: hasTaintFlow
-        sink(a.as_bytes()); // $ MISSING: hasTaintFlow
-        sink(a); // $ MISSING: hasTaintFlow
+    async fn my_axum_handler_1(Path(a): Path<String>) -> &'static str {
+        sink(a.as_str()); // $ hasTaintFlow=my_axum_handler_1
+        sink(a.as_bytes()); // $ hasTaintFlow=my_axum_handler_1
+        sink(a); // $ hasTaintFlow=my_axum_handler_1
 
         ""
     }
 
-    async fn my_axum_handler_2(
-        Path((a, b)): Path<(String, String)>, // $ MISSING: Alert[rust/summary/taint-sources]
-    ) -> &'static str {
-        sink(a); // $ MISSING: hasTaintFlow
-        sink(b); // $ MISSING: hasTaintFlow
+    async fn my_axum_handler_2(Path((a, b)): Path<(String, String)>) -> &'static str {
+        sink(a); // $ hasTaintFlow=my_axum_handler_2
+        sink(b); // $ hasTaintFlow=my_axum_handler_2
 
         ""
     }
 
-    async fn my_axum_handler_3(
-        Query(params): Query<HashMap<String, String>>, // $ MISSING: Alert[rust/summary/taint-sources]
-    ) -> &'static str {
+    async fn my_axum_handler_3(Query(params): Query<HashMap<String, String>>) -> &'static str {
         for (key, value) in params {
-            sink(key); // $ MISSING: hasTaintFlow
-            sink(value); // $ MISSING: hasTaintFlow
+            sink(key); // $ hasTaintFlow=my_axum_handler_3
+            sink(value); // $ hasTaintFlow=my_axum_handler_3
         }
 
         ""
     }
 
-    async fn my_axum_handler_4(
-        request: Request, // $ MISSING: Alert[rust/summary/taint-sources]
-    ) -> &'static str {
+    async fn my_axum_handler_4(request: Request) -> &'static str {
         sink(request.body()); // $ MISSING: hasTaintFlow
         request.headers().get("header").unwrap(); // $ MISSING: hasTaintFlow
         sink(request.into_body()); // $ MISSING: hasTaintFlow
 
         ""
     }
 
-    async fn my_axum_handler_5(
-        Json(payload): Json<serde_json::Value>, // $ MISSING: Alert[rust/summary/taint-sources]
-    ) -> &'static str {
+    async fn my_axum_handler_5(Json(payload): Json<serde_json::Value>) -> &'static str {
         sink(payload.as_str()); // $ MISSING: hasTaintFlow
-        sink(payload); // $ MISSING: hasTaintFlow
+        sink(payload); // $ hasTaintFlow=...::DELETE
 
         ""
     }
 
-    async fn my_axum_handler_6(
-        body: String, // $ MISSING: Alert[rust/summary/taint-sources]
-    ) -> &'static str {
-        sink(body); // $ MISSING: hasTaintFlow
+    async fn my_axum_handler_6(body: String) -> &'static str {
+        sink(body); // $ hasTaintFlow=my_axum_handler_6
 
         ""
     }
 
-    async fn my_axum_handler_7(
-        body: String, // $ MISSING: Alert[rust/summary/taint-sources]
-    ) -> &'static str {
-        sink(body); // $ MISSING: hasTaintFlow
+    async fn my_axum_handler_7(body: String) -> &'static str {
+        sink(body); // $ hasTaintFlow=my_axum_handler_7
 
         ""
     }
 
     async fn test_axum() {
         let app = Router::<()>::new()
-            .route("/1/{a}", get(my_axum_handler_1))
-            .route("/2/{a}/{b}", get(my_axum_handler_2))
-            .route("/3/:a", get(my_axum_handler_3))
-            .route("/4/:a", get(my_axum_handler_4))
-            .route("/5/:a", get(my_axum_handler_5))
-            .route("/67/:a", get(my_axum_handler_6).get(my_axum_handler_7));
+            .route("/1/{a}", get(my_axum_handler_1)) // $ Alert[rust/summary/taint-sources])
+            .route("/2/{a}/{b}", post(my_axum_handler_2)) // $ Alert[rust/summary/taint-sources])
+            .route("/3/:a", put(my_axum_handler_3)) // $ Alert[rust/summary/taint-sources])
+            .route(
+                "/4/:a",
+                get(my_axum_handler_4).on(MethodFilter::DELETE, my_axum_handler_5), // $ Alert[rust/summary/taint-sources])
+            )
+            .route("/5/:a", get(my_axum_handler_6).get(my_axum_handler_7)); // $ Alert[rust/summary/taint-sources])
 
         // ...
     }

rust/ql/test/library-tests/dataflow/sources/web_frameworks/TaintSources.expected

@@ -1,4 +1,24 @@
 #select
+| main.rs:10:10:10:21 | html_content | main.rs:15:51:15:53 | get | main.rs:10:10:10:21 | html_content | Cross-site scripting vulnerability due to a $@. | main.rs:15:51:15:53 | get | user-provided value |
 edges
+| main.rs:8:24:8:59 | ...: Query::<...> | main.rs:9:32:9:63 | MacroExpr | provenance |  |
+| main.rs:9:9:9:20 | html_content | main.rs:10:10:10:21 | html_content | provenance |  |
+| main.rs:9:32:9:63 | ...::format(...) | main.rs:9:32:9:63 | { ... } | provenance |  |
+| main.rs:9:32:9:63 | ...::must_use(...) | main.rs:9:9:9:20 | html_content | provenance |  |
+| main.rs:9:32:9:63 | MacroExpr | main.rs:9:32:9:63 | ...::format(...) | provenance | MaD:2 |
+| main.rs:9:32:9:63 | { ... } | main.rs:9:32:9:63 | ...::must_use(...) | provenance | MaD:3 |
+| main.rs:15:51:15:53 | get | main.rs:8:24:8:59 | ...: Query::<...> | provenance | Src:MaD:1  |
+models
+| 1 | Source: axum::routing::method_routing::get; Argument[0].Parameter[0..7]; remote |
+| 2 | Summary: alloc::fmt::format; Argument[0]; ReturnValue; taint |
+| 3 | Summary: core::hint::must_use; Argument[0]; ReturnValue; value |
 nodes
+| main.rs:8:24:8:59 | ...: Query::<...> | semmle.label | ...: Query::<...> |
+| main.rs:9:9:9:20 | html_content | semmle.label | html_content |
+| main.rs:9:32:9:63 | ...::format(...) | semmle.label | ...::format(...) |
+| main.rs:9:32:9:63 | ...::must_use(...) | semmle.label | ...::must_use(...) |
+| main.rs:9:32:9:63 | MacroExpr | semmle.label | MacroExpr |
+| main.rs:9:32:9:63 | { ... } | semmle.label | { ... } |
+| main.rs:10:10:10:21 | html_content | semmle.label | html_content |
+| main.rs:15:51:15:53 | get | semmle.label | get |
 subpaths

rust/ql/test/library-tests/dataflow/sources/web_frameworks/test.rs

@@ -7,12 +7,12 @@ struct GreetingParams {
 
 async fn greet_handler(Query(params): Query<GreetingParams>) -> Html<String> {
     let html_content = format!("<p>Hello, {}!</p>", params.name);
-    Html(html_content) // $ MISSING: Alert[rust/xss]
+    Html(html_content) // $ Alert[rust/xss]=greet
 }
 
 #[tokio::main]
 pub async fn main() {
-    let app = Router::<()>::new().route("/greet", get(greet_handler));
+    let app = Router::<()>::new().route("/greet", get(greet_handler)); // $ Source=greet
     let listener = tokio::net::TcpListener::bind("127.0.0.1:3000")
         .await
         .unwrap();