Rust: Add examples as tests (and fix them).

geoffw0 · geoffw0 · commit 4662e42584d1 · 2025-09-22T16:12:27.000+01:00
diff --git a/rust/ql/src/queries/security/CWE-614/InsecureCookieBad.rs b/rust/ql/src/queries/security/CWE-614/InsecureCookieBad.rs
@@ -1,6 +1,6 @@
 use cookie::Cookie;
 
 // BAD: creating a cookie without specifying the `secure` attribute
-let cookie = Cookie::build("session", "abcd1234").build();
+let cookie = Cookie::build(("session", "abcd1234")).build();
 let mut jar = cookie::CookieJar::new();
 jar.add(cookie.clone());
diff --git a/rust/ql/src/queries/security/CWE-614/InsecureCookieGood.rs b/rust/ql/src/queries/security/CWE-614/InsecureCookieGood.rs
@@ -1,7 +1,7 @@
 use cookie::Cookie;
 
 // GOOD: set the `CookieBuilder` 'Secure' attribute so that the cookie is only sent over HTTPS
-let secure_cookie = Cookie::build("session", "abcd1234").secure(true).build();
+let secure_cookie = Cookie::build(("session", "abcd1234")).secure(true).build();
 let mut jar = cookie::CookieJar::new();
 jar.add(secure_cookie.clone());
 
diff --git a/rust/ql/test/query-tests/security/CWE-614/CookieSet.expected b/rust/ql/test/query-tests/security/CWE-614/CookieSet.expected
@@ -49,3 +49,6 @@
 | main.rs:138:13:138:13 | d | secure | true |
 | main.rs:142:13:142:13 | e | partitioned | false |
 | main.rs:146:13:146:13 | f | secure | false |
+| main.rs:180:29:180:66 | ...::build(...) | secure | true |
+| main.rs:186:9:186:22 | [SSA] secure_cookie2 | secure | true |
+| main.rs:186:9:186:22 | secure_cookie2 | secure | true |
diff --git a/rust/ql/test/query-tests/security/CWE-614/InsecureCookie.expected b/rust/ql/test/query-tests/security/CWE-614/InsecureCookie.expected
@@ -77,6 +77,7 @@
 | main.rs:165:13:165:18 | insert | main.rs:155:13:155:41 | ...::new | main.rs:165:13:165:18 | insert | Cookie attribute 'Secure' is not set to true. |
 | main.rs:166:13:166:18 | insert | main.rs:155:13:155:41 | ...::new | main.rs:166:13:166:18 | insert | Cookie attribute 'Secure' is not set to true. |
 | main.rs:167:13:167:18 | insert | main.rs:155:13:155:41 | ...::new | main.rs:167:13:167:18 | insert | Cookie attribute 'Secure' is not set to true. |
+| main.rs:173:61:173:65 | build | main.rs:173:22:173:34 | ...::build | main.rs:173:61:173:65 | build | Cookie attribute 'Secure' is not set to true. |
 edges
 | main.rs:8:19:8:31 | ...::build | main.rs:8:19:8:50 | ...::build(...) | provenance | Src:MaD:13 MaD:13 |
 | main.rs:8:19:8:50 | ...::build(...) | main.rs:8:19:8:64 | ... .secure(...) | provenance | MaD:41 |
@@ -311,6 +312,8 @@ edges
 | main.rs:167:20:167:20 | i | main.rs:167:20:167:28 | i.clone() | provenance | MaD:17 |
 | main.rs:167:20:167:28 | i.clone() | main.rs:167:20:167:45 | ... .make_permanent() | provenance | MaD:18 |
 | main.rs:167:20:167:45 | ... .make_permanent() | main.rs:167:13:167:18 | insert | provenance | MaD:1 Sink:MaD:1 |
+| main.rs:173:22:173:34 | ...::build | main.rs:173:22:173:59 | ...::build(...) | provenance | Src:MaD:13 MaD:13 |
+| main.rs:173:22:173:59 | ...::build(...) | main.rs:173:61:173:65 | build | provenance | MaD:2 Sink:MaD:2 |
 models
 | 1 | Sink: <biscotti::response_cookies::ResponseCookies>::insert; Argument[0]; cookie-use |
 | 2 | Sink: <cookie::builder::CookieBuilder>::build; Argument[self]; cookie-use |
@@ -588,4 +591,7 @@ nodes
 | main.rs:167:20:167:20 | i | semmle.label | i |
 | main.rs:167:20:167:28 | i.clone() | semmle.label | i.clone() |
 | main.rs:167:20:167:45 | ... .make_permanent() | semmle.label | ... .make_permanent() |
+| main.rs:173:22:173:34 | ...::build | semmle.label | ...::build |
+| main.rs:173:22:173:59 | ...::build(...) | semmle.label | ...::build(...) |
+| main.rs:173:61:173:65 | build | semmle.label | build |
 subpaths
diff --git a/rust/ql/test/query-tests/security/CWE-614/main.rs b/rust/ql/test/query-tests/security/CWE-614/main.rs
@@ -167,8 +167,30 @@ fn test_biscotti() {
     cookies.insert(i.clone().make_permanent()); // $ Alert[rust/insecure-cookie]
 }
 
+fn test_qhelp_examples() {use cookie::Cookie;
+    {
+        // BAD: creating a cookie without specifying the `secure` attribute
+        let cookie = Cookie::build(("session", "abcd1234")).build(); // $ Alert[rust/insecure-cookie]
+        let mut jar = cookie::CookieJar::new();
+        jar.add(cookie.clone());
+    }
+
+    {
+        // GOOD: set the `CookieBuilder` 'Secure' attribute so that the cookie is only sent over HTTPS
+        let secure_cookie = Cookie::build(("session", "abcd1234")).secure(true).build();
+        let mut jar = cookie::CookieJar::new();
+        jar.add(secure_cookie.clone());
+
+        // GOOD: alternatively, set the 'Secure' attribute on an existing `Cookie`
+        let mut secure_cookie2 = Cookie::new("session", "abcd1234");
+        secure_cookie2.set_secure(true);
+        jar.add(secure_cookie2);
+    }
+}
+
 fn main() {
     test_cookie(true);
     test_cookie(false);
     test_biscotti();
+    test_qhelp_examples();
 }
