
Commit fbf9f7e

committed
Rust: Add models for Axum
1 parent 0ea06ac commit fbf9f7e


4 files changed

+161
-25
lines changed

4 files changed

+161
-25
lines changed
Lines changed: 23 additions & 0 deletions
@@ -0,0 +1,23 @@
1+
extensions:
2+
- addsTo:
3+
pack: codeql/rust-all
4+
extensible: sourceModel
5+
data:
6+
# Get
7+
- ["axum::routing::method_routing::get", "Argument[0].Parameter[0..7]", "remote", "manual"]
8+
- ["<axum::routing::method_routing::MethodRouter>::get", "Argument[0].Parameter[0..7]", "remote", "manual"]
9+
# Post
10+
- ["axum::routing::method_routing::post", "Argument[0].Parameter[0..7]", "remote", "manual"]
11+
- ["<axum::routing::method_routing::MethodRouter>::post", "Argument[0].Parameter[0..7]", "remote", "manual"]
12+
# Put
13+
- ["axum::routing::method_routing::put", "Argument[0].Parameter[0..7]", "remote", "manual"]
14+
- ["<axum::routing::method_routing::MethodRouter>::put", "Argument[0].Parameter[0..7]", "remote", "manual"]
15+
# Delete
16+
- ["axum::routing::method_routing::delete", "Argument[0].Parameter[0..7]", "remote", "manual"]
17+
- ["<axum::routing::method_routing::MethodRouter>::delete", "Argument[0].Parameter[0..7]", "remote", "manual"]
18+
# Patch
19+
- ["axum::routing::method_routing::patch", "Argument[0].Parameter[0..7]", "remote", "manual"]
20+
- ["<axum::routing::method_routing::MethodRouter>::patch", "Argument[0].Parameter[0..7]", "remote", "manual"]
21+
# on
22+
- ["axum::routing::method_routing::on", "Argument[1].Parameter[0..7]", "remote", "manual"]
23+
- ["<axum::routing::method_routing::MethodRouter>::on", "Argument[1].Parameter[0..7]", "remote", "manual"]
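Review bot: The `data` list models `get`, `post`, `put`, `delete`, `patch` and `on`, but not the other handler-registering entry points in `axum::routing::method_routing`: `head`, `options` and `trace` (free functions and `MethodRouter` methods) and the free function `any`. Unless those are modelled elsewhere, request data reaching a handler registered through them is not treated as a `remote` source, so taint queries will silently miss those flows. Rows of the same shape would close the gap, e.g. `- ["axum::routing::method_routing::any", "Argument[0].Parameter[0..7]", "remote", "manual"]`. Separately, `Parameter[0..7]` marks every handler parameter as remote, including server-side extractors such as `State<T>`, which can yield false-positive flows; a comment above the rows along the lines of `# All handler parameters are treated as remote; this over-approximates for non-request extractors.` would help whoever triages results.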

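--- a/rust/ql/test/library-tests/dataflow/sources/web_frameworks/InlineFlow.expected
+++ b/rust/ql/test/library-tests/dataflow/sources/web_frameworks/InlineFlow.expected
@@ -4,15 +4,20 @@ models
 | 3 | Source: <_ as warp::filter::Filter>::then; Argument[0].Parameter[0..7]; remote |
 | 4 | Source: <actix_web::resource::Resource>::to; Argument[0].Parameter[0..7]; remote |
 | 5 | Source: <actix_web::route::Route>::to; Argument[0].Parameter[0..7]; remote |
-| 6 | Summary: <actix_web::types::path::Path>::into_inner; Argument[self]; ReturnValue; taint |
-| 7 | Summary: <alloc::string::String>::as_bytes; Argument[self]; ReturnValue; value |
-| 8 | Summary: <alloc::string::String>::as_str; Argument[self]; ReturnValue; value |
+| 6 | Source: <axum::routing::method_routing::MethodRouter>::get; Argument[0].Parameter[0..7]; remote |
+| 7 | Source: <axum::routing::method_routing::MethodRouter>::on; Argument[1].Parameter[0..7]; remote |
+| 8 | Source: axum::routing::method_routing::get; Argument[0].Parameter[0..7]; remote |
+| 9 | Source: axum::routing::method_routing::post; Argument[0].Parameter[0..7]; remote |
+| 10 | Source: axum::routing::method_routing::put; Argument[0].Parameter[0..7]; remote |
+| 11 | Summary: <actix_web::types::path::Path>::into_inner; Argument[self]; ReturnValue; taint |
+| 12 | Summary: <alloc::string::String>::as_bytes; Argument[self]; ReturnValue; value |
+| 13 | Summary: <alloc::string::String>::as_str; Argument[self]; ReturnValue; value |
 edges
 | test.rs:11:31:11:31 | a | test.rs:13:14:13:14 | a | provenance | |
 | test.rs:11:31:11:31 | a | test.rs:14:14:14:14 | a | provenance | |
 | test.rs:11:31:11:31 | a | test.rs:15:14:15:14 | a | provenance | |
-| test.rs:13:14:13:14 | a | test.rs:13:14:13:23 | a.as_str() | provenance | MaD:8 |
-| test.rs:14:14:14:14 | a | test.rs:14:14:14:25 | a.as_bytes() | provenance | MaD:7 |
+| test.rs:13:14:13:14 | a | test.rs:13:14:13:23 | a.as_str() | provenance | MaD:13 |
+| test.rs:14:14:14:14 | a | test.rs:14:14:14:25 | a.as_bytes() | provenance | MaD:12 |
 | test.rs:22:14:22:19 | TuplePat | test.rs:24:14:24:14 | a | provenance | |
 | test.rs:22:14:22:19 | TuplePat | test.rs:25:14:25:14 | b | provenance | |
 | test.rs:48:14:48:30 | MyStruct {...} | test.rs:50:14:50:14 | a | provenance | |
@@ -24,24 +29,42 @@ edges
 | test.rs:98:13:98:13 | a | test.rs:99:14:99:14 | a | provenance | |
 | test.rs:98:13:98:13 | a | test.rs:100:14:100:14 | a | provenance | |
 | test.rs:98:13:98:13 | a | test.rs:101:14:101:14 | a | provenance | |
-| test.rs:98:17:98:20 | path | test.rs:98:17:98:33 | path.into_inner() | provenance | MaD:6 |
+| test.rs:98:17:98:20 | path | test.rs:98:17:98:33 | path.into_inner() | provenance | MaD:11 |
 | test.rs:98:17:98:33 | path.into_inner() | test.rs:98:13:98:13 | a | provenance | |
-| test.rs:99:14:99:14 | a | test.rs:99:14:99:23 | a.as_str() | provenance | MaD:8 |
-| test.rs:100:14:100:14 | a | test.rs:100:14:100:25 | a.as_bytes() | provenance | MaD:7 |
+| test.rs:99:14:99:14 | a | test.rs:99:14:99:23 | a.as_str() | provenance | MaD:13 |
+| test.rs:100:14:100:14 | a | test.rs:100:14:100:25 | a.as_bytes() | provenance | MaD:12 |
 | test.rs:106:33:106:65 | ...: ...::Path::<...> | test.rs:107:22:107:25 | path | provenance | |
 | test.rs:107:13:107:18 | TuplePat | test.rs:109:14:109:14 | a | provenance | |
 | test.rs:107:13:107:18 | TuplePat | test.rs:110:14:110:14 | b | provenance | |
-| test.rs:107:22:107:25 | path | test.rs:107:22:107:38 | path.into_inner() | provenance | MaD:6 |
+| test.rs:107:22:107:25 | path | test.rs:107:22:107:38 | path.into_inner() | provenance | MaD:11 |
 | test.rs:107:22:107:38 | path.into_inner() | test.rs:107:13:107:18 | TuplePat | provenance | |
 | test.rs:115:33:115:65 | ...: ...::Query::<...> | test.rs:116:14:116:14 | a | provenance | |
 | test.rs:121:5:121:20 | to | test.rs:122:33:122:55 | ...: ...::Path::<...> | provenance | Src:MaD:4 |
 | test.rs:122:33:122:55 | ...: ...::Path::<...> | test.rs:123:17:123:20 | path | provenance | |
 | test.rs:123:13:123:13 | a | test.rs:124:14:124:14 | a | provenance | |
-| test.rs:123:17:123:20 | path | test.rs:123:17:123:33 | path.into_inner() | provenance | MaD:6 |
+| test.rs:123:17:123:20 | path | test.rs:123:17:123:33 | path.into_inner() | provenance | MaD:11 |
 | test.rs:123:17:123:33 | path.into_inner() | test.rs:123:13:123:13 | a | provenance | |
 | test.rs:131:41:131:42 | to | test.rs:97:33:97:55 | ...: ...::Path::<...> | provenance | Src:MaD:5 |
 | test.rs:132:45:132:46 | to | test.rs:106:33:106:65 | ...: ...::Path::<...> | provenance | Src:MaD:5 |
 | test.rs:133:41:133:42 | to | test.rs:115:33:115:65 | ...: ...::Query::<...> | provenance | Src:MaD:5 |
+| test.rs:147:32:147:52 | ...: Path::<...> | test.rs:148:14:148:14 | a | provenance | |
+| test.rs:147:32:147:52 | ...: Path::<...> | test.rs:149:14:149:14 | a | provenance | |
+| test.rs:147:32:147:52 | ...: Path::<...> | test.rs:150:14:150:14 | a | provenance | |
+| test.rs:148:14:148:14 | a | test.rs:148:14:148:23 | a.as_str() | provenance | MaD:13 |
+| test.rs:149:14:149:14 | a | test.rs:149:14:149:25 | a.as_bytes() | provenance | MaD:12 |
+| test.rs:155:32:155:67 | ...: Path::<...> | test.rs:156:14:156:14 | a | provenance | |
+| test.rs:155:32:155:67 | ...: Path::<...> | test.rs:157:14:157:14 | b | provenance | |
+| test.rs:162:32:162:76 | ...: Query::<...> | test.rs:164:18:164:20 | key | provenance | |
+| test.rs:162:32:162:76 | ...: Query::<...> | test.rs:165:18:165:22 | value | provenance | |
+| test.rs:179:32:179:69 | ...: Json::<...> | test.rs:181:14:181:20 | payload | provenance | |
+| test.rs:186:32:186:43 | ...: String | test.rs:187:14:187:17 | body | provenance | |
+| test.rs:192:32:192:43 | ...: String | test.rs:193:14:193:17 | body | provenance | |
+| test.rs:200:30:200:32 | get | test.rs:147:32:147:52 | ...: Path::<...> | provenance | Src:MaD:8 |
+| test.rs:201:34:201:37 | post | test.rs:155:32:155:67 | ...: Path::<...> | provenance | Src:MaD:9 |
+| test.rs:202:29:202:31 | put | test.rs:162:32:162:76 | ...: Query::<...> | provenance | Src:MaD:10 |
+| test.rs:205:40:205:41 | on | test.rs:179:32:179:69 | ...: Json::<...> | provenance | Src:MaD:7 |
+| test.rs:207:29:207:31 | get | test.rs:186:32:186:43 | ...: String | provenance | Src:MaD:8 |
+| test.rs:207:52:207:54 | get | test.rs:192:32:192:43 | ...: String | provenance | Src:MaD:6 |
 | test.rs:222:33:222:35 | map | test.rs:222:38:222:46 | ...: String | provenance | Src:MaD:2 |
 | test.rs:222:38:222:46 | ...: String | test.rs:224:18:224:18 | a | provenance | |
 | test.rs:230:46:230:49 | then | test.rs:231:25:231:33 | ...: String | provenance | Src:MaD:3 |
@@ -94,6 +117,30 @@ nodes
 | test.rs:131:41:131:42 | to | semmle.label | to |
 | test.rs:132:45:132:46 | to | semmle.label | to |
 | test.rs:133:41:133:42 | to | semmle.label | to |
+| test.rs:147:32:147:52 | ...: Path::<...> | semmle.label | ...: Path::<...> |
+| test.rs:148:14:148:14 | a | semmle.label | a |
+| test.rs:148:14:148:23 | a.as_str() | semmle.label | a.as_str() |
+| test.rs:149:14:149:14 | a | semmle.label | a |
+| test.rs:149:14:149:25 | a.as_bytes() | semmle.label | a.as_bytes() |
+| test.rs:150:14:150:14 | a | semmle.label | a |
+| test.rs:155:32:155:67 | ...: Path::<...> | semmle.label | ...: Path::<...> |
+| test.rs:156:14:156:14 | a | semmle.label | a |
+| test.rs:157:14:157:14 | b | semmle.label | b |
+| test.rs:162:32:162:76 | ...: Query::<...> | semmle.label | ...: Query::<...> |
+| test.rs:164:18:164:20 | key | semmle.label | key |
+| test.rs:165:18:165:22 | value | semmle.label | value |
+| test.rs:179:32:179:69 | ...: Json::<...> | semmle.label | ...: Json::<...> |
+| test.rs:181:14:181:20 | payload | semmle.label | payload |
+| test.rs:186:32:186:43 | ...: String | semmle.label | ...: String |
+| test.rs:187:14:187:17 | body | semmle.label | body |
+| test.rs:192:32:192:43 | ...: String | semmle.label | ...: String |
+| test.rs:193:14:193:17 | body | semmle.label | body |
+| test.rs:200:30:200:32 | get | semmle.label | get |
+| test.rs:201:34:201:37 | post | semmle.label | post |
+| test.rs:202:29:202:31 | put | semmle.label | put |
+| test.rs:205:40:205:41 | on | semmle.label | on |
+| test.rs:207:29:207:31 | get | semmle.label | get |
+| test.rs:207:52:207:54 | get | semmle.label | get |
 | test.rs:222:33:222:35 | map | semmle.label | map |
 | test.rs:222:38:222:46 | ...: String | semmle.label | ...: String |
 | test.rs:224:18:224:18 | a | semmle.label | a |
@@ -126,6 +173,16 @@ testFailures
 | test.rs:110:14:110:14 | b | test.rs:132:45:132:46 | to | test.rs:110:14:110:14 | b | $@ | test.rs:132:45:132:46 | to | to |
 | test.rs:116:14:116:14 | a | test.rs:133:41:133:42 | to | test.rs:116:14:116:14 | a | $@ | test.rs:133:41:133:42 | to | to |
 | test.rs:124:14:124:14 | a | test.rs:121:5:121:20 | to | test.rs:124:14:124:14 | a | $@ | test.rs:121:5:121:20 | to | to |
+| test.rs:148:14:148:23 | a.as_str() | test.rs:200:30:200:32 | get | test.rs:148:14:148:23 | a.as_str() | $@ | test.rs:200:30:200:32 | get | get |
+| test.rs:149:14:149:25 | a.as_bytes() | test.rs:200:30:200:32 | get | test.rs:149:14:149:25 | a.as_bytes() | $@ | test.rs:200:30:200:32 | get | get |
+| test.rs:150:14:150:14 | a | test.rs:200:30:200:32 | get | test.rs:150:14:150:14 | a | $@ | test.rs:200:30:200:32 | get | get |
+| test.rs:156:14:156:14 | a | test.rs:201:34:201:37 | post | test.rs:156:14:156:14 | a | $@ | test.rs:201:34:201:37 | post | post |
+| test.rs:157:14:157:14 | b | test.rs:201:34:201:37 | post | test.rs:157:14:157:14 | b | $@ | test.rs:201:34:201:37 | post | post |
+| test.rs:164:18:164:20 | key | test.rs:202:29:202:31 | put | test.rs:164:18:164:20 | key | $@ | test.rs:202:29:202:31 | put | put |
+| test.rs:165:18:165:22 | value | test.rs:202:29:202:31 | put | test.rs:165:18:165:22 | value | $@ | test.rs:202:29:202:31 | put | put |
+| test.rs:181:14:181:20 | payload | test.rs:205:40:205:41 | on | test.rs:181:14:181:20 | payload | $@ | test.rs:205:40:205:41 | on | on |
+| test.rs:187:14:187:17 | body | test.rs:207:29:207:31 | get | test.rs:187:14:187:17 | body | $@ | test.rs:207:29:207:31 | get | get |
+| test.rs:193:14:193:17 | body | test.rs:207:52:207:54 | get | test.rs:193:14:193:17 | body | $@ | test.rs:207:52:207:54 | get | get |
 | test.rs:224:18:224:18 | a | test.rs:222:33:222:35 | map | test.rs:224:18:224:18 | a | $@ | test.rs:222:33:222:35 | map | map |
 | test.rs:232:22:232:22 | a | test.rs:230:46:230:49 | then | test.rs:232:22:232:22 | a | $@ | test.rs:230:46:230:49 | then | then |
 | test.rs:243:22:243:23 | id | test.rs:239:50:239:57 | and_then | test.rs:243:22:243:23 | id | $@ | test.rs:239:50:239:57 | and_then | and_then |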

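--- a/rust/ql/test/library-tests/dataflow/sources/web_frameworks/TaintSources.expected
+++ b/rust/ql/test/library-tests/dataflow/sources/web_frameworks/TaintSources.expected
@@ -35,6 +35,62 @@
 | test.rs:133:41:133:42 | to | Flow source 'RemoteSource' of type remote (DEFAULT). |
 | test.rs:133:41:133:42 | to | Flow source 'RemoteSource' of type remote (DEFAULT). |
 | test.rs:133:41:133:42 | to | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:200:30:200:32 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:200:30:200:32 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:200:30:200:32 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:200:30:200:32 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:200:30:200:32 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:200:30:200:32 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:200:30:200:32 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:200:30:200:32 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:201:34:201:37 | post | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:201:34:201:37 | post | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:201:34:201:37 | post | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:201:34:201:37 | post | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:201:34:201:37 | post | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:201:34:201:37 | post | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:201:34:201:37 | post | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:201:34:201:37 | post | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:202:29:202:31 | put | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:202:29:202:31 | put | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:202:29:202:31 | put | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:202:29:202:31 | put | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:202:29:202:31 | put | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:202:29:202:31 | put | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:202:29:202:31 | put | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:202:29:202:31 | put | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:205:17:205:19 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:205:17:205:19 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:205:17:205:19 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:205:17:205:19 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:205:17:205:19 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:205:17:205:19 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:205:17:205:19 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:205:17:205:19 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:205:40:205:41 | on | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:205:40:205:41 | on | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:205:40:205:41 | on | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:205:40:205:41 | on | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:205:40:205:41 | on | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:205:40:205:41 | on | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:205:40:205:41 | on | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:205:40:205:41 | on | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:207:29:207:31 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:207:29:207:31 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:207:29:207:31 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:207:29:207:31 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:207:29:207:31 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:207:29:207:31 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:207:29:207:31 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:207:29:207:31 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:207:52:207:54 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:207:52:207:54 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:207:52:207:54 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:207:52:207:54 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:207:52:207:54 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:207:52:207:54 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:207:52:207:54 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:207:52:207:54 | get | Flow source 'RemoteSource' of type remote (DEFAULT). |
 | test.rs:222:33:222:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
 | test.rs:222:33:222:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
 | test.rs:222:33:222:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |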
