Rust: Fill a gap in the std::fs model.

geoffw0 · geoffw0 · commit 29e7b6ad2c89 · 2025-08-22T09:58:01.000+01:00
diff --git a/rust/ql/lib/codeql/rust/frameworks/stdlib/fs.model.yml b/rust/ql/lib/codeql/rust/frameworks/stdlib/fs.model.yml
@@ -45,6 +45,7 @@ extensions:
       pack: codeql/rust-all
       extensible: summaryModel
     data:
+      - ["std::fs::canonicalize", "Argument[0]", "ReturnValue.Field[core::result::Result::Ok(0)]", "taint", "manual"]
       - ["<std::path::PathBuf as core::convert::From>::from", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["<std::path::Path>::join", "Argument[self]", "ReturnValue", "taint", "manual"]
       - ["<std::path::Path>::join", "Argument[0]", "ReturnValue", "taint", "manual"]
diff --git a/rust/ql/test/query-tests/security/CWE-022/TaintedPath.expected b/rust/ql/test/query-tests/security/CWE-022/TaintedPath.expected
@@ -1,6 +1,7 @@
 #select
 | src/main.rs:11:5:11:22 | ...::read_to_string | src/main.rs:7:11:7:19 | file_name | src/main.rs:11:5:11:22 | ...::read_to_string | This path depends on a $@. | src/main.rs:7:11:7:19 | file_name | user-provided value |
 | src/main.rs:104:13:104:31 | ...::open | src/main.rs:103:17:103:30 | ...::args | src/main.rs:104:13:104:31 | ...::open | This path depends on a $@. | src/main.rs:103:17:103:30 | ...::args | user-provided value |
+| src/main.rs:107:13:107:31 | ...::open | src/main.rs:103:17:103:30 | ...::args | src/main.rs:107:13:107:31 | ...::open | This path depends on a $@. | src/main.rs:103:17:103:30 | ...::args | user-provided value |
 | src/main.rs:113:13:113:37 | ...::open | src/main.rs:103:17:103:30 | ...::args | src/main.rs:113:13:113:37 | ...::open | This path depends on a $@. | src/main.rs:103:17:103:30 | ...::args | user-provided value |
 edges
 | src/main.rs:7:11:7:19 | file_name | src/main.rs:9:35:9:43 | file_name | provenance |  |
@@ -10,13 +11,20 @@ edges
 | src/main.rs:9:35:9:43 | file_name | src/main.rs:9:21:9:44 | ...::from(...) | provenance | MaD:9 |
 | src/main.rs:11:24:11:32 | file_path | src/main.rs:11:5:11:22 | ...::read_to_string | provenance | MaD:3 Sink:MaD:3 |
 | src/main.rs:103:9:103:13 | path1 | src/main.rs:104:33:104:37 | path1 | provenance |  |
+| src/main.rs:103:9:103:13 | path1 | src/main.rs:106:39:106:43 | path1 | provenance |  |
 | src/main.rs:103:9:103:13 | path1 | src/main.rs:112:45:112:49 | path1 | provenance |  |
 | src/main.rs:103:17:103:30 | ...::args | src/main.rs:103:17:103:32 | ...::args(...) [element] | provenance | Src:MaD:4  |
 | src/main.rs:103:17:103:32 | ...::args(...) [element] | src/main.rs:103:17:103:39 | ... .nth(...) [Some] | provenance | MaD:6 |
 | src/main.rs:103:17:103:39 | ... .nth(...) [Some] | src/main.rs:103:17:103:48 | ... .unwrap() | provenance | MaD:7 |
 | src/main.rs:103:17:103:48 | ... .unwrap() | src/main.rs:103:9:103:13 | path1 | provenance |  |
 | src/main.rs:104:33:104:37 | path1 | src/main.rs:104:33:104:45 | path1.clone() | provenance | MaD:5 |
 | src/main.rs:104:33:104:45 | path1.clone() | src/main.rs:104:13:104:31 | ...::open | provenance | MaD:2 Sink:MaD:2 |
+| src/main.rs:106:9:106:13 | path2 | src/main.rs:107:33:107:37 | path2 | provenance |  |
+| src/main.rs:106:17:106:52 | ...::canonicalize(...) [Ok] | src/main.rs:106:17:106:61 | ... .unwrap() | provenance | MaD:8 |
+| src/main.rs:106:17:106:61 | ... .unwrap() | src/main.rs:106:9:106:13 | path2 | provenance |  |
+| src/main.rs:106:39:106:43 | path1 | src/main.rs:106:39:106:51 | path1.clone() | provenance | MaD:5 |
+| src/main.rs:106:39:106:51 | path1.clone() | src/main.rs:106:17:106:52 | ...::canonicalize(...) [Ok] | provenance | MaD:11 |
+| src/main.rs:107:33:107:37 | path2 | src/main.rs:107:13:107:31 | ...::open | provenance | MaD:2 Sink:MaD:2 |
 | src/main.rs:112:9:112:13 | path4 | src/main.rs:113:39:113:43 | path4 | provenance |  |
 | src/main.rs:112:17:112:58 | ...::canonicalize(...) [future, Ok] | src/main.rs:112:17:112:64 | await ... [Ok] | provenance |  |
 | src/main.rs:112:17:112:64 | await ... [Ok] | src/main.rs:112:17:112:73 | ... .unwrap() | provenance | MaD:8 |
@@ -35,6 +43,7 @@ models
 | 8 | Summary: <core::result::Result>::unwrap; Argument[self].Field[core::result::Result::Ok(0)]; ReturnValue; value |
 | 9 | Summary: <std::path::PathBuf as core::convert::From>::from; Argument[0]; ReturnValue; taint |
 | 10 | Summary: async_std::fs::canonicalize::canonicalize; Argument[0]; ReturnValue.Future.Field[core::result::Result::Ok(0)]; taint |
+| 11 | Summary: std::fs::canonicalize; Argument[0]; ReturnValue.Field[core::result::Result::Ok(0)]; taint |
 nodes
 | src/main.rs:7:11:7:19 | file_name | semmle.label | file_name |
 | src/main.rs:9:9:9:17 | file_path | semmle.label | file_path |
@@ -50,6 +59,13 @@ nodes
 | src/main.rs:104:13:104:31 | ...::open | semmle.label | ...::open |
 | src/main.rs:104:33:104:37 | path1 | semmle.label | path1 |
 | src/main.rs:104:33:104:45 | path1.clone() | semmle.label | path1.clone() |
+| src/main.rs:106:9:106:13 | path2 | semmle.label | path2 |
+| src/main.rs:106:17:106:52 | ...::canonicalize(...) [Ok] | semmle.label | ...::canonicalize(...) [Ok] |
+| src/main.rs:106:17:106:61 | ... .unwrap() | semmle.label | ... .unwrap() |
+| src/main.rs:106:39:106:43 | path1 | semmle.label | path1 |
+| src/main.rs:106:39:106:51 | path1.clone() | semmle.label | path1.clone() |
+| src/main.rs:107:13:107:31 | ...::open | semmle.label | ...::open |
+| src/main.rs:107:33:107:37 | path2 | semmle.label | path2 |
 | src/main.rs:112:9:112:13 | path4 | semmle.label | path4 |
 | src/main.rs:112:17:112:58 | ...::canonicalize(...) [future, Ok] | semmle.label | ...::canonicalize(...) [future, Ok] |
 | src/main.rs:112:17:112:64 | await ... [Ok] | semmle.label | await ... [Ok] |
diff --git a/rust/ql/test/query-tests/security/CWE-022/src/main.rs b/rust/ql/test/query-tests/security/CWE-022/src/main.rs
@@ -104,7 +104,7 @@ async fn more_simple_cases() {
     let _ = std::fs::File::open(path1.clone()); // $ path-injection-sink Alert[rust/path-injection]=arg1
 
     let path2 = std::fs::canonicalize(path1.clone()).unwrap();
-    let _ = std::fs::File::open(path2); // $ path-injection-sink MISSING: Alert[rust/path-injection]=arg1
+    let _ = std::fs::File::open(path2); // $ path-injection-sink Alert[rust/path-injection]=arg1
 
     let path3 = tokio::fs::canonicalize(path1.clone()).await.unwrap();
     let _ = tokio::fs::File::open(path3); // $ MISSING: path-injection-sink Alert[rust/path-injection]=arg1
