Rust: Add XSS sink for Axum HTML response creation

paldepind · paldepind · commit cbdab994979a · 2025-12-16T12:41:44.000+01:00
diff --git a/rust/ql/lib/codeql/rust/security/XssExtensions.qll b/rust/ql/lib/codeql/rust/security/XssExtensions.qll
@@ -59,4 +59,14 @@ module Xss {
       )
     }
   }
+
+  // TODO: Convert this to MaD once MaD supports sink for tuple struct expressions.
+  private class AxumHtmlSink extends Sink {
+    AxumHtmlSink() {
+      exists(TupleStructExpr call |
+        call.getResolvedTarget().getCanonicalPath() = "axum::response::Html" and
+        this.asExpr() = call.getSyntacticPositionalArgument(0)
+      )
+    }
+  }
 }
diff --git a/rust/ql/test/query-tests/security/CWE-079/axum/XSS.expected b/rust/ql/test/query-tests/security/CWE-079/axum/XSS.expected
@@ -1,4 +1,24 @@
 #select
+| main.rs:10:10:10:21 | html_content | main.rs:15:51:15:53 | get | main.rs:10:10:10:21 | html_content | Cross-site scripting vulnerability due to a $@. | main.rs:15:51:15:53 | get | user-provided value |
 edges
+| main.rs:8:24:8:59 | ...: Query::<...> | main.rs:9:32:9:63 | MacroExpr | provenance |  |
+| main.rs:9:9:9:20 | html_content | main.rs:10:10:10:21 | html_content | provenance |  |
+| main.rs:9:32:9:63 | ...::format(...) | main.rs:9:32:9:63 | { ... } | provenance |  |
+| main.rs:9:32:9:63 | ...::must_use(...) | main.rs:9:9:9:20 | html_content | provenance |  |
+| main.rs:9:32:9:63 | MacroExpr | main.rs:9:32:9:63 | ...::format(...) | provenance | MaD:2 |
+| main.rs:9:32:9:63 | { ... } | main.rs:9:32:9:63 | ...::must_use(...) | provenance | MaD:3 |
+| main.rs:15:51:15:53 | get | main.rs:8:24:8:59 | ...: Query::<...> | provenance | Src:MaD:1  |
+models
+| 1 | Source: axum::routing::method_routing::get; Argument[0].Parameter[0..7]; remote |
+| 2 | Summary: alloc::fmt::format; Argument[0]; ReturnValue; taint |
+| 3 | Summary: core::hint::must_use; Argument[0]; ReturnValue; value |
 nodes
+| main.rs:8:24:8:59 | ...: Query::<...> | semmle.label | ...: Query::<...> |
+| main.rs:9:9:9:20 | html_content | semmle.label | html_content |
+| main.rs:9:32:9:63 | ...::format(...) | semmle.label | ...::format(...) |
+| main.rs:9:32:9:63 | ...::must_use(...) | semmle.label | ...::must_use(...) |
+| main.rs:9:32:9:63 | MacroExpr | semmle.label | MacroExpr |
+| main.rs:9:32:9:63 | { ... } | semmle.label | { ... } |
+| main.rs:10:10:10:21 | html_content | semmle.label | html_content |
+| main.rs:15:51:15:53 | get | semmle.label | get |
 subpaths
diff --git a/rust/ql/test/query-tests/security/CWE-079/axum/main.rs b/rust/ql/test/query-tests/security/CWE-079/axum/main.rs
@@ -7,12 +7,12 @@ struct GreetingParams {
 
 async fn greet_handler(Query(params): Query<GreetingParams>) -> Html<String> {
     let html_content = format!("<p>Hello, {}!</p>", params.name);
-    Html(html_content) // $ MISSING: Alert[rust/xss]
+    Html(html_content) // $ Alert[rust/xss]=greet
 }
 
 #[tokio::main]
 pub async fn main() {
-    let app = Router::<()>::new().route("/greet", get(greet_handler));
+    let app = Router::<()>::new().route("/greet", get(greet_handler)); // $ Source=greet
     let listener = tokio::net::TcpListener::bind("127.0.0.1:3000")
         .await
         .unwrap();

Original file line number	Diff line number	Diff line change
`@@ -59,4 +59,14 @@ module Xss {`
`59`	`59`	`)`
`60`	`60`	`}`
`61`	`61`	`}`
	`62`	`+`
	`63`	`+ // TODO: Convert this to MaD once MaD supports sink for tuple struct expressions.`
	`64`	`+ private class AxumHtmlSink extends Sink {`
	`65`	`+ AxumHtmlSink() {`
	`66`	`+ exists(TupleStructExpr call \|`
	`67`	`+ call.getResolvedTarget().getCanonicalPath() = "axum::response::Html" and`
	`68`	`+ this.asExpr() = call.getSyntacticPositionalArgument(0)`
	`69`	`+ )`
	`70`	`+ }`
	`71`	`+ }`
`62`	`72`	`}`