Rust: Model async-std::fs.

geoffw0 · geoffw0 · commit 1d2ac33bb6f3 · 2025-08-22T09:58:00.000+01:00
diff --git a/rust/ql/lib/codeql/rust/frameworks/asyncstd/fs.model.yml b/rust/ql/lib/codeql/rust/frameworks/asyncstd/fs.model.yml
@@ -0,0 +1,42 @@
+extensions:
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: sourceModel
+    data:
+      - ["async_std::fs::read::read", "ReturnValue.Future.Field[core::result::Result::Ok(0)]", "file", "manual"]
+      - ["async_std::fs::read_to_string::read_to_string", "ReturnValue.Future.Field[core::result::Result::Ok(0)]", "file", "manual"]
+      - ["async_std::fs::read_link::read_link", "ReturnValue.Future.Field[core::result::Result::Ok(0)]", "file", "manual"]
+      - ["<async_std::fs::dir_entry::DirEntry>::path", "ReturnValue", "file", "manual"]
+      - ["<async_std::fs::dir_entry::DirEntry>::file_name", "ReturnValue", "file", "manual"]
+      - ["<async_std::fs::file::File>::open", "ReturnValue.Future.Field[core::result::Result::Ok(0)]", "file", "manual"]
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: sinkModel
+    data:
+      - ["async_std::fs::copy::copy", "Argument[0]", "path-injection", "manual"]
+      - ["async_std::fs::copy::copy", "Argument[1]", "path-injection", "manual"]
+      - ["async_std::fs::create_dir::create_dir", "Argument[0]", "path-injection", "manual"]
+      - ["async_std::fs::create_dir_all::create_dir_all", "Argument[0]", "path-injection", "manual"]
+      - ["async_std::fs::hard_link::hard_link", "Argument[0]", "path-injection", "manual"]
+      - ["async_std::fs::hard_link::hard_link", "Argument[1]", "path-injection", "manual"]
+      - ["async_std::fs::metadata::metadata", "Argument[0]", "path-injection", "manual"]
+      - ["async_std::fs::read::read", "Argument[0]", "path-injection", "manual"]
+      - ["async_std::fs::read_dir::read_dir", "Argument[0]", "path-injection", "manual"]
+      - ["async_std::fs::read_link::read_link", "Argument[0]", "path-injection", "manual"]
+      - ["async_std::fs::read_to_string::read_to_string", "Argument[0]", "path-injection", "manual"]
+      - ["async_std::fs::remove_dir::remove_dir", "Argument[0]", "path-injection", "manual"]
+      - ["async_std::fs::remove_dir_all::remove_dir_all", "Argument[0]", "path-injection", "manual"]
+      - ["async_std::fs::remove_file::remove_file", "Argument[0]", "path-injection", "manual"]
+      - ["async_std::fs::rename::rename", "Argument[0]", "path-injection", "manual"]
+      - ["async_std::fs::rename::rename", "Argument[1]", "path-injection", "manual"]
+      - ["async_std::fs::set_permissions::set_permissions", "Argument[0]", "path-injection", "manual"]
+      - ["async_std::fs::symlink_metadata::symlink_metadata", "Argument[0]", "path-injection", "manual"]
+      - ["async_std::fs::write::write", "Argument[0]", "path-injection", "manual"]
+      - ["<async_std::fs::dir_builder::DirBuilder>::create", "Argument[0]", "path-injection", "manual"]
+      - ["<async_std::fs::file::File>::create", "Argument[0]", "path-injection", "manual"]
+      - ["<async_std::fs::file::File>::open", "Argument[0]", "path-injection", "manual"]
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: summaryModel
+    data:
+      - ["async_std::fs::canonicalize::canonicalize", "Argument[0]", "ReturnValue.Future.Field[core::result::Result::Ok(0)]", "taint", "manual"]
diff --git a/rust/ql/test/library-tests/dataflow/sources/TaintSources.expected b/rust/ql/test/library-tests/dataflow/sources/TaintSources.expected
@@ -76,6 +76,7 @@
 | test.rs:637:21:637:41 | ...::open | Flow source 'FileSource' of type file (DEFAULT). |
 | test.rs:638:21:638:41 | ...::open | Flow source 'FileSource' of type file (DEFAULT). |
 | test.rs:646:21:646:41 | ...::open | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:660:20:660:44 | ...::open | Flow source 'FileSource' of type file (DEFAULT). |
 | test.rs:688:26:688:53 | ...::connect | Flow source 'RemoteSource' of type remote (DEFAULT). |
 | test.rs:707:26:707:61 | ...::connect_timeout | Flow source 'RemoteSource' of type remote (DEFAULT). |
 | test.rs:759:28:759:57 | ...::connect | Flow source 'RemoteSource' of type remote (DEFAULT). |
diff --git a/rust/ql/test/library-tests/dataflow/sources/test.rs b/rust/ql/test/library-tests/dataflow/sources/test.rs
@@ -657,7 +657,7 @@ use async_std::io::ReadExt;
 async fn test_async_std_file() -> std::io::Result<()> {
     // --- file ---
 
-    let mut file = async_std::fs::File::open("file.txt").await?; // $ MISSING: Alert[rust/summary/taint-sources]
+    let mut file = async_std::fs::File::open("file.txt").await?; // $ Alert[rust/summary/taint-sources]
 
     {
         let mut buffer = [0u8; 100];
diff --git a/rust/ql/test/query-tests/security/CWE-022/TaintedPath.expected b/rust/ql/test/query-tests/security/CWE-022/TaintedPath.expected
@@ -1,28 +1,40 @@
 #select
 | src/main.rs:11:5:11:22 | ...::read_to_string | src/main.rs:7:11:7:19 | file_name | src/main.rs:11:5:11:22 | ...::read_to_string | This path depends on a $@. | src/main.rs:7:11:7:19 | file_name | user-provided value |
 | src/main.rs:104:13:104:31 | ...::open | src/main.rs:103:17:103:30 | ...::args | src/main.rs:104:13:104:31 | ...::open | This path depends on a $@. | src/main.rs:103:17:103:30 | ...::args | user-provided value |
+| src/main.rs:113:13:113:37 | ...::open | src/main.rs:103:17:103:30 | ...::args | src/main.rs:113:13:113:37 | ...::open | This path depends on a $@. | src/main.rs:103:17:103:30 | ...::args | user-provided value |
 edges
 | src/main.rs:7:11:7:19 | file_name | src/main.rs:9:35:9:43 | file_name | provenance |  |
 | src/main.rs:9:9:9:17 | file_path | src/main.rs:11:24:11:32 | file_path | provenance |  |
 | src/main.rs:9:21:9:44 | ...::from(...) | src/main.rs:9:9:9:17 | file_path | provenance |  |
-| src/main.rs:9:35:9:43 | file_name | src/main.rs:9:21:9:44 | ...::from(...) | provenance | MaD:7 |
-| src/main.rs:9:35:9:43 | file_name | src/main.rs:9:21:9:44 | ...::from(...) | provenance | MaD:7 |
-| src/main.rs:11:24:11:32 | file_path | src/main.rs:11:5:11:22 | ...::read_to_string | provenance | MaD:2 Sink:MaD:2 |
+| src/main.rs:9:35:9:43 | file_name | src/main.rs:9:21:9:44 | ...::from(...) | provenance | MaD:9 |
+| src/main.rs:9:35:9:43 | file_name | src/main.rs:9:21:9:44 | ...::from(...) | provenance | MaD:9 |
+| src/main.rs:11:24:11:32 | file_path | src/main.rs:11:5:11:22 | ...::read_to_string | provenance | MaD:3 Sink:MaD:3 |
 | src/main.rs:103:9:103:13 | path1 | src/main.rs:104:33:104:37 | path1 | provenance |  |
-| src/main.rs:103:17:103:30 | ...::args | src/main.rs:103:17:103:32 | ...::args(...) [element] | provenance | Src:MaD:3  |
-| src/main.rs:103:17:103:32 | ...::args(...) [element] | src/main.rs:103:17:103:39 | ... .nth(...) [Some] | provenance | MaD:5 |
-| src/main.rs:103:17:103:39 | ... .nth(...) [Some] | src/main.rs:103:17:103:48 | ... .unwrap() | provenance | MaD:6 |
+| src/main.rs:103:9:103:13 | path1 | src/main.rs:112:45:112:49 | path1 | provenance |  |
+| src/main.rs:103:17:103:30 | ...::args | src/main.rs:103:17:103:32 | ...::args(...) [element] | provenance | Src:MaD:4  |
+| src/main.rs:103:17:103:32 | ...::args(...) [element] | src/main.rs:103:17:103:39 | ... .nth(...) [Some] | provenance | MaD:6 |
+| src/main.rs:103:17:103:39 | ... .nth(...) [Some] | src/main.rs:103:17:103:48 | ... .unwrap() | provenance | MaD:7 |
 | src/main.rs:103:17:103:48 | ... .unwrap() | src/main.rs:103:9:103:13 | path1 | provenance |  |
-| src/main.rs:104:33:104:37 | path1 | src/main.rs:104:33:104:45 | path1.clone() | provenance | MaD:4 |
-| src/main.rs:104:33:104:45 | path1.clone() | src/main.rs:104:13:104:31 | ...::open | provenance | MaD:1 Sink:MaD:1 |
+| src/main.rs:104:33:104:37 | path1 | src/main.rs:104:33:104:45 | path1.clone() | provenance | MaD:5 |
+| src/main.rs:104:33:104:45 | path1.clone() | src/main.rs:104:13:104:31 | ...::open | provenance | MaD:2 Sink:MaD:2 |
+| src/main.rs:112:9:112:13 | path4 | src/main.rs:113:39:113:43 | path4 | provenance |  |
+| src/main.rs:112:17:112:58 | ...::canonicalize(...) [future, Ok] | src/main.rs:112:17:112:64 | await ... [Ok] | provenance |  |
+| src/main.rs:112:17:112:64 | await ... [Ok] | src/main.rs:112:17:112:73 | ... .unwrap() | provenance | MaD:8 |
+| src/main.rs:112:17:112:73 | ... .unwrap() | src/main.rs:112:9:112:13 | path4 | provenance |  |
+| src/main.rs:112:45:112:49 | path1 | src/main.rs:112:45:112:57 | path1.clone() | provenance | MaD:5 |
+| src/main.rs:112:45:112:57 | path1.clone() | src/main.rs:112:17:112:58 | ...::canonicalize(...) [future, Ok] | provenance | MaD:10 |
+| src/main.rs:113:39:113:43 | path4 | src/main.rs:113:13:113:37 | ...::open | provenance | MaD:1 Sink:MaD:1 |
 models
-| 1 | Sink: <std::fs::File>::open; Argument[0]; path-injection |
-| 2 | Sink: std::fs::read_to_string; Argument[0]; path-injection |
-| 3 | Source: std::env::args; ReturnValue.Element; commandargs |
-| 4 | Summary: <_ as core::clone::Clone>::clone; Argument[self].Reference; ReturnValue; value |
-| 5 | Summary: <_ as core::iter::traits::iterator::Iterator>::nth; Argument[self].Element; ReturnValue.Field[core::option::Option::Some(0)]; value |
-| 6 | Summary: <core::option::Option>::unwrap; Argument[self].Field[core::option::Option::Some(0)]; ReturnValue; value |
-| 7 | Summary: <std::path::PathBuf as core::convert::From>::from; Argument[0]; ReturnValue; taint |
+| 1 | Sink: <async_std::fs::file::File>::open; Argument[0]; path-injection |
+| 2 | Sink: <std::fs::File>::open; Argument[0]; path-injection |
+| 3 | Sink: std::fs::read_to_string; Argument[0]; path-injection |
+| 4 | Source: std::env::args; ReturnValue.Element; commandargs |
+| 5 | Summary: <_ as core::clone::Clone>::clone; Argument[self].Reference; ReturnValue; value |
+| 6 | Summary: <_ as core::iter::traits::iterator::Iterator>::nth; Argument[self].Element; ReturnValue.Field[core::option::Option::Some(0)]; value |
+| 7 | Summary: <core::option::Option>::unwrap; Argument[self].Field[core::option::Option::Some(0)]; ReturnValue; value |
+| 8 | Summary: <core::result::Result>::unwrap; Argument[self].Field[core::result::Result::Ok(0)]; ReturnValue; value |
+| 9 | Summary: <std::path::PathBuf as core::convert::From>::from; Argument[0]; ReturnValue; taint |
+| 10 | Summary: async_std::fs::canonicalize::canonicalize; Argument[0]; ReturnValue.Future.Field[core::result::Result::Ok(0)]; taint |
 nodes
 | src/main.rs:7:11:7:19 | file_name | semmle.label | file_name |
 | src/main.rs:9:9:9:17 | file_path | semmle.label | file_path |
@@ -38,4 +50,12 @@ nodes
 | src/main.rs:104:13:104:31 | ...::open | semmle.label | ...::open |
 | src/main.rs:104:33:104:37 | path1 | semmle.label | path1 |
 | src/main.rs:104:33:104:45 | path1.clone() | semmle.label | path1.clone() |
+| src/main.rs:112:9:112:13 | path4 | semmle.label | path4 |
+| src/main.rs:112:17:112:58 | ...::canonicalize(...) [future, Ok] | semmle.label | ...::canonicalize(...) [future, Ok] |
+| src/main.rs:112:17:112:64 | await ... [Ok] | semmle.label | await ... [Ok] |
+| src/main.rs:112:17:112:73 | ... .unwrap() | semmle.label | ... .unwrap() |
+| src/main.rs:112:45:112:49 | path1 | semmle.label | path1 |
+| src/main.rs:112:45:112:57 | path1.clone() | semmle.label | path1.clone() |
+| src/main.rs:113:13:113:37 | ...::open | semmle.label | ...::open |
+| src/main.rs:113:39:113:43 | path4 | semmle.label | path4 |
 subpaths
diff --git a/rust/ql/test/query-tests/security/CWE-022/src/main.rs b/rust/ql/test/query-tests/security/CWE-022/src/main.rs
@@ -110,7 +110,7 @@ async fn more_simple_cases() {
     let _ = tokio::fs::File::open(path3); // $ MISSING: path-injection-sink Alert[rust/path-injection]=arg1
 
     let path4 = async_std::fs::canonicalize(path1.clone()).await.unwrap();
-    let _ = async_std::fs::File::open(path4); // $ MISSING: path-injection-sink Alert[rust/path-injection]=arg1
+    let _ = async_std::fs::File::open(path4); // $ path-injection-sink Alert[rust/path-injection]=arg1
 
     let path5 = std::path::Path::new(&path1);
     let _ = std::fs::File::open(path5); // $ path-injection-sink MISSING: Alert[rust/path-injection]=arg1
@@ -153,11 +153,11 @@ fn sinks(path1: &Path, path2: &Path) {
     let _ = tokio::fs::DirBuilder::new().recursive(true).create(path1); // $ MISSING: path-injection-sink
     let _ = tokio::fs::OpenOptions::new().open(path1); // $ MISSING: path-injection-sink
 
-    let _ = async_std::fs::read(path1); // $ MISSING: path-injection-sink
-    let _ = async_std::fs::read_to_string(path1); // $ MISSING: path-injection-sink
-    let _ = async_std::fs::remove_file(path1); // $ MISSING: path-injection-sink
-    let _ = async_std::fs::DirBuilder::new().create(path1); // $ MISSING: path-injection-sink
-    let _ = async_std::fs::DirBuilder::new().recursive(true).create(path1); // $ MISSING: path-injection-sink
+    let _ = async_std::fs::read(path1); // $ path-injection-sink
+    let _ = async_std::fs::read_to_string(path1); // $ path-injection-sink
+    let _ = async_std::fs::remove_file(path1); // $ path-injection-sink
+    let _ = async_std::fs::DirBuilder::new().create(path1); // $ path-injection-sink
+    let _ = async_std::fs::DirBuilder::new().recursive(true).create(path1); // $ path-injection-sink
     let _ = async_std::fs::OpenOptions::new().open(path1); // $ MISSING: path-injection-sink
 }
 

Original file line number	Diff line number	Diff line change
`@@ -657,7 +657,7 @@ use async_std::io::ReadExt;`
`657`	`657`	`async fn test_async_std_file() -> std::io::Result<()> {`
`658`	`658`	`// --- file ---`
`659`	`659`
`660`		`- let mut file = async_std::fs::File::open("file.txt").await?; // $ MISSING: Alert[rust/summary/taint-sources]`
	`660`	`+ let mut file = async_std::fs::File::open("file.txt").await?; // $ Alert[rust/summary/taint-sources]`
`661`	`661`
`662`	`662`	`{`
`663`	`663`	`let mut buffer = [0u8; 100];`