Rust: Update DotDotCheck from getResolvedPath -> getCanonicalPath.

geoffw0 · geoffw0 · commit cd6975f7b743 · 2025-06-17T17:07:39.000+01:00
diff --git a/rust/ql/lib/codeql/rust/security/TaintedPathExtensions.qll b/rust/ql/lib/codeql/rust/security/TaintedPathExtensions.qll
@@ -69,7 +69,8 @@ module SanitizerGuard {
  */
 private class DotDotCheck extends SanitizerGuard::Range, CfgNodes::MethodCallExprCfgNode {
   DotDotCheck() {
-    this.getAstNode().(Resolvable).getResolvedPath() = "<str>::contains" and
+    this.getAstNode().(CallExprBase).getStaticTarget().(Addressable).getCanonicalPath() =
+      "alloc::string::String::contains" and
     this.getArgument(0).getAstNode().(LiteralExpr).getTextValue() =
       ["\"..\"", "\"../\"", "\"..\\\""]
   }
diff --git a/rust/ql/test/query-tests/security/CWE-022/TaintedPath.expected b/rust/ql/test/query-tests/security/CWE-022/TaintedPath.expected
@@ -1,5 +1,6 @@
 #select
 | src/main.rs:10:5:10:22 | ...::read_to_string | src/main.rs:6:11:6:19 | file_name | src/main.rs:10:5:10:22 | ...::read_to_string | This path depends on a $@. | src/main.rs:6:11:6:19 | file_name | user-provided value |
+| src/main.rs:20:5:20:22 | ...::read_to_string | src/main.rs:14:36:14:44 | file_name | src/main.rs:20:5:20:22 | ...::read_to_string | This path depends on a $@. | src/main.rs:14:36:14:44 | file_name | user-provided value |
 | src/main.rs:45:5:45:22 | ...::read_to_string | src/main.rs:37:11:37:19 | file_path | src/main.rs:45:5:45:22 | ...::read_to_string | This path depends on a $@. | src/main.rs:37:11:37:19 | file_path | user-provided value |
 | src/main.rs:59:5:59:22 | ...::read_to_string | src/main.rs:50:11:50:19 | file_path | src/main.rs:59:5:59:22 | ...::read_to_string | This path depends on a $@. | src/main.rs:50:11:50:19 | file_path | user-provided value |
 edges
@@ -9,6 +10,12 @@ edges
 | src/main.rs:8:35:8:43 | file_name | src/main.rs:8:21:8:44 | ...::from(...) | provenance | MaD:4 |
 | src/main.rs:8:35:8:43 | file_name | src/main.rs:8:21:8:44 | ...::from(...) | provenance | MaD:4 |
 | src/main.rs:10:24:10:32 | file_path | src/main.rs:10:5:10:22 | ...::read_to_string | provenance | MaD:1 Sink:MaD:1 |
+| src/main.rs:14:36:14:44 | file_name | src/main.rs:19:35:19:43 | file_name | provenance |  |
+| src/main.rs:19:9:19:17 | file_path | src/main.rs:20:24:20:32 | file_path | provenance |  |
+| src/main.rs:19:21:19:44 | ...::from(...) | src/main.rs:19:9:19:17 | file_path | provenance |  |
+| src/main.rs:19:35:19:43 | file_name | src/main.rs:19:21:19:44 | ...::from(...) | provenance | MaD:4 |
+| src/main.rs:19:35:19:43 | file_name | src/main.rs:19:21:19:44 | ...::from(...) | provenance | MaD:4 |
+| src/main.rs:20:24:20:32 | file_path | src/main.rs:20:5:20:22 | ...::read_to_string | provenance | MaD:1 Sink:MaD:1 |
 | src/main.rs:37:11:37:19 | file_path | src/main.rs:40:52:40:60 | file_path | provenance |  |
 | src/main.rs:40:9:40:17 | file_path | src/main.rs:45:24:45:32 | file_path | provenance |  |
 | src/main.rs:40:21:40:62 | public_path.join(...) | src/main.rs:40:9:40:17 | file_path | provenance |  |
@@ -38,6 +45,12 @@ nodes
 | src/main.rs:8:35:8:43 | file_name | semmle.label | file_name |
 | src/main.rs:10:5:10:22 | ...::read_to_string | semmle.label | ...::read_to_string |
 | src/main.rs:10:24:10:32 | file_path | semmle.label | file_path |
+| src/main.rs:14:36:14:44 | file_name | semmle.label | file_name |
+| src/main.rs:19:9:19:17 | file_path | semmle.label | file_path |
+| src/main.rs:19:21:19:44 | ...::from(...) | semmle.label | ...::from(...) |
+| src/main.rs:19:35:19:43 | file_name | semmle.label | file_name |
+| src/main.rs:20:5:20:22 | ...::read_to_string | semmle.label | ...::read_to_string |
+| src/main.rs:20:24:20:32 | file_path | semmle.label | file_path |
 | src/main.rs:37:11:37:19 | file_path | semmle.label | file_path |
 | src/main.rs:40:9:40:17 | file_path | semmle.label | file_path |
 | src/main.rs:40:21:40:62 | public_path.join(...) | semmle.label | public_path.join(...) |
diff --git a/rust/ql/test/query-tests/security/CWE-022/src/main.rs b/rust/ql/test/query-tests/security/CWE-022/src/main.rs
@@ -11,13 +11,13 @@ fn tainted_path_handler_bad(
 }
 
 //#[handler]
-fn tainted_path_handler_good(Query(file_name): Query<String>) -> Result<String> {
+fn tainted_path_handler_good(Query(file_name): Query<String>) -> Result<String> { // $ SPURIOUS: Source=remote2
     // GOOD: ensure that the filename has no path separators or parent directory references
     if file_name.contains("..") || file_name.contains("/") || file_name.contains("\\") {
         return Err(Error::from_status(StatusCode::BAD_REQUEST));
     }
     let file_path = PathBuf::from(file_name);
-    fs::read_to_string(file_path).map_err(InternalServerError) // $ path-injection-sink
+    fs::read_to_string(file_path).map_err(InternalServerError) // $ path-injection-sink SPURIOUS: Alert[rust/path-injection]=remote2
 }
 
 //#[handler]

Original file line number	Diff line number	Diff line change
`@@ -11,13 +11,13 @@ fn tainted_path_handler_bad(`
`11`	`11`	`}`
`12`	`12`
`13`	`13`	`//#[handler]`
`14`		`-fn tainted_path_handler_good(Query(file_name): Query<String>) -> Result<String> {`
	`14`	`+fn tainted_path_handler_good(Query(file_name): Query<String>) -> Result<String> { // $ SPURIOUS: Source=remote2`
`15`	`15`	`// GOOD: ensure that the filename has no path separators or parent directory references`
`16`	`16`	`if file_name.contains("..") \|\| file_name.contains("/") \|\| file_name.contains("\\") {`
`17`	`17`	`return Err(Error::from_status(StatusCode::BAD_REQUEST));`
`18`	`18`	`}`
`19`	`19`	`let file_path = PathBuf::from(file_name);`
`20`		`- fs::read_to_string(file_path).map_err(InternalServerError) // $ path-injection-sink`
	`20`	`+ fs::read_to_string(file_path).map_err(InternalServerError) // $ path-injection-sink SPURIOUS: Alert[rust/path-injection]=remote2`
`21`	`21`	`}`
`22`	`22`
`23`	`23`	`//#[handler]`