
Commit 7f65980

committed
Rust: Fix the canonical path.
1 parent cfe2559 commit 7f65980


3 files changed

+3
-16
lines changed


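--- a/rust/ql/lib/codeql/rust/security/TaintedPathExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/TaintedPathExtensions.qll
@@ -70,7 +70,7 @@ module SanitizerGuard {
 private class DotDotCheck extends SanitizerGuard::Range, CfgNodes::MethodCallExprCfgNode {
 DotDotCheck() {
 this.getAstNode().(CallExprBase).getStaticTarget().(Addressable).getCanonicalPath() =
-"alloc::string::String::contains" and
+["<alloc::string::String>::contains", "<core::str>::contains"] and
 this.getArgument(0).getAstNode().(LiteralExpr).getTextValue() =
 ["\"..\"", "\"../\"", "\"..\\\""]
 }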
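Review bot: With the canonical path corrected, `DotDotCheck` starts matching real calls, so the class should document what a `contains("..")` test does not establish: an absolute input has no `..` component, yet `PathBuf::from` will take it unchanged. Whether the query then suppresses the alert for a handler that checks only `..` depends on the guard's `checks` predicate, which lies outside this hunk, so that needs confirming against the rest of the class. I would add a QLDoc line such as `/** A check for a parent-directory reference only; it does not show that the path is relative. */` and a test handler whose only validation is the `..` check. The hard-coded canonical-path strings also deserve a short comment on their expected format, since the defect fixed here was a string that silently never matched.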
Lines changed: 0 additions & 13 deletions
@@ -1,19 +1,12 @@
11
#select
22
| src/main.rs:10:5:10:22 | ...::read_to_string | src/main.rs:6:11:6:19 | file_name | src/main.rs:10:5:10:22 | ...::read_to_string | This path depends on a $@. | src/main.rs:6:11:6:19 | file_name | user-provided value |
3-
| src/main.rs:20:5:20:22 | ...::read_to_string | src/main.rs:14:36:14:44 | file_name | src/main.rs:20:5:20:22 | ...::read_to_string | This path depends on a $@. | src/main.rs:14:36:14:44 | file_name | user-provided value |
43
edges
54
| src/main.rs:6:11:6:19 | file_name | src/main.rs:8:35:8:43 | file_name | provenance | |
65
| src/main.rs:8:9:8:17 | file_path | src/main.rs:10:24:10:32 | file_path | provenance | |
76
| src/main.rs:8:21:8:44 | ...::from(...) | src/main.rs:8:9:8:17 | file_path | provenance | |
87
| src/main.rs:8:35:8:43 | file_name | src/main.rs:8:21:8:44 | ...::from(...) | provenance | MaD:2 |
98
| src/main.rs:8:35:8:43 | file_name | src/main.rs:8:21:8:44 | ...::from(...) | provenance | MaD:2 |
109
| src/main.rs:10:24:10:32 | file_path | src/main.rs:10:5:10:22 | ...::read_to_string | provenance | MaD:1 Sink:MaD:1 |
11-
| src/main.rs:14:36:14:44 | file_name | src/main.rs:19:35:19:43 | file_name | provenance | |
12-
| src/main.rs:19:9:19:17 | file_path | src/main.rs:20:24:20:32 | file_path | provenance | |
13-
| src/main.rs:19:21:19:44 | ...::from(...) | src/main.rs:19:9:19:17 | file_path | provenance | |
14-
| src/main.rs:19:35:19:43 | file_name | src/main.rs:19:21:19:44 | ...::from(...) | provenance | MaD:2 |
15-
| src/main.rs:19:35:19:43 | file_name | src/main.rs:19:21:19:44 | ...::from(...) | provenance | MaD:2 |
16-
| src/main.rs:20:24:20:32 | file_path | src/main.rs:20:5:20:22 | ...::read_to_string | provenance | MaD:1 Sink:MaD:1 |
1710
models
1811
| 1 | Sink: std::fs::read_to_string; Argument[0]; path-injection |
1912
| 2 | Summary: <std::path::PathBuf as core::convert::From>::from; Argument[0]; ReturnValue; taint |
@@ -24,10 +17,4 @@ nodes
2417
| src/main.rs:8:35:8:43 | file_name | semmle.label | file_name |
2518
| src/main.rs:10:5:10:22 | ...::read_to_string | semmle.label | ...::read_to_string |
2619
| src/main.rs:10:24:10:32 | file_path | semmle.label | file_path |
27-
| src/main.rs:14:36:14:44 | file_name | semmle.label | file_name |
28-
| src/main.rs:19:9:19:17 | file_path | semmle.label | file_path |
29-
| src/main.rs:19:21:19:44 | ...::from(...) | semmle.label | ...::from(...) |
30-
| src/main.rs:19:35:19:43 | file_name | semmle.label | file_name |
31-
| src/main.rs:20:5:20:22 | ...::read_to_string | semmle.label | ...::read_to_string |
32-
| src/main.rs:20:24:20:32 | file_path | semmle.label | file_path |
3320
subpaths

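--- a/rust/ql/test/query-tests/security/CWE-022/src/main.rs
+++ b/rust/ql/test/query-tests/security/CWE-022/src/main.rs
@@ -11,13 +11,13 @@ fn tainted_path_handler_bad(
 }
 
 //#[handler]
-fn tainted_path_handler_good(Query(file_name): Query<String>) -> Result<String> { // $ SPURIOUS: Source=remote2
+fn tainted_path_handler_good(Query(file_name): Query<String>) -> Result<String> {
 // GOOD: ensure that the filename has no path separators or parent directory references
 if file_name.contains("..") || file_name.contains("/") || file_name.contains("\\") {
 return Err(Error::from_status(StatusCode::BAD_REQUEST));
 }
 let file_path = PathBuf::from(file_name);
-fs::read_to_string(file_path).map_err(InternalServerError) // $ path-injection-sink SPURIOUS: Alert[rust/path-injection]=remote2
+fs::read_to_string(file_path).map_err(InternalServerError) // $ path-injection-sink
 }
 
 //#[handler]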
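Review bot: `tainted_path_handler_good` exercises only one shape of the guard, a `String` receiver with the `".."` literal, which presumably resolves through deref to `<core::str>::contains`. Nothing in this hunk covers the `<alloc::string::String>::contains` alternative or the `"../"` and `"..\\"` literals that the sanitizer also lists, so a later change in canonical-path format could disable those silently, as happened before this fix. Consider adding a handler that takes the name as `&str` and one that checks `contains("../")`; the rest of main.rs is outside the hunk, so such cases may already exist. A comment above the check, for example `// String::contains resolves to str::contains via Deref; the query matches on that canonical path`, would tie the test to the model it protects.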
