Rust: Add XSS sink for Axum HTML response creation

Author: paldepind

rust/ql/lib/codeql/rust/security/XssExtensions.qll

@@ -59,4 +59,14 @@ module Xss {
       )
     }
   }
+
+  // TODO: Convert this to MaD once MaD supports sink for tuple struct expressions.
+  private class AxumHtmlSink extends Sink {
+    AxumHtmlSink() {
+      exists(TupleStructExpr call |
+        call.getResolvedTarget().getCanonicalPath() = "axum::response::Html" and
+        this.asExpr() = call.getSyntacticPositionalArgument(0)
+      )
+    }
+  }
 }

rust/ql/test/query-tests/security/CWE-079/axum/XSS.expected

@@ -1,4 +1,37 @@
 #select
+| main.rs:10:10:10:21 | html_content | main.rs:15:51:15:53 | get | main.rs:10:10:10:21 | html_content | Cross-site scripting vulnerability due to a $@. | main.rs:15:51:15:53 | get | user-provided value |
+| main.rs:10:10:10:21 | html_content | main.rs:15:51:15:53 | get | main.rs:10:10:10:21 | html_content | Cross-site scripting vulnerability due to a $@. | main.rs:15:51:15:53 | get | user-provided value |
 edges
+| main.rs:8:24:8:36 | Query(...) [Query] | main.rs:8:30:8:35 | params | provenance |  |
+| main.rs:8:24:8:59 | ...: Query::<...> | main.rs:9:32:9:63 | MacroExpr | provenance |  |
+| main.rs:8:24:8:59 | ...: Query::<...> [Query] | main.rs:8:24:8:36 | Query(...) [Query] | provenance |  |
+| main.rs:8:30:8:35 | params | main.rs:9:32:9:63 | MacroExpr | provenance |  |
+| main.rs:9:9:9:20 | html_content | main.rs:10:10:10:21 | html_content | provenance |  |
+| main.rs:9:32:9:63 | ...::format(...) | main.rs:9:32:9:63 | { ... } | provenance |  |
+| main.rs:9:32:9:63 | ...::must_use(...) | main.rs:9:9:9:20 | html_content | provenance |  |
+| main.rs:9:32:9:63 | MacroExpr | main.rs:9:32:9:63 | ...::format(...) | provenance | MaD:3 |
+| main.rs:9:32:9:63 | { ... } | main.rs:9:32:9:63 | ...::must_use(...) | provenance | MaD:4 |
+| main.rs:15:51:15:53 | get | main.rs:8:24:8:59 | ...: Query::<...> | provenance | Src:MaD:2  |
+| main.rs:15:51:15:53 | get | main.rs:8:24:8:59 | ...: Query::<...> [Query] | provenance | Src:MaD:1  |
+| main.rs:15:51:15:53 | get | main.rs:15:51:15:53 | get [Query] | provenance | Src:MaD:1  |
+| main.rs:15:51:15:53 | get [Query] | main.rs:8:24:8:59 | ...: Query::<...> [Query] | provenance |  |
+models
+| 1 | Source: axum::routing::method_routing::get; Argument[0].Parameter[0..7].Field[axum::extract::query::Query(0)]; remote |
+| 2 | Source: axum::routing::method_routing::get; Argument[0].Parameter[0..7]; remote |
+| 3 | Summary: alloc::fmt::format; Argument[0]; ReturnValue; taint |
+| 4 | Summary: core::hint::must_use; Argument[0]; ReturnValue; value |
 nodes
+| main.rs:8:24:8:36 | Query(...) [Query] | semmle.label | Query(...) [Query] |
+| main.rs:8:24:8:59 | ...: Query::<...> | semmle.label | ...: Query::<...> |
+| main.rs:8:24:8:59 | ...: Query::<...> [Query] | semmle.label | ...: Query::<...> [Query] |
+| main.rs:8:30:8:35 | params | semmle.label | params |
+| main.rs:9:9:9:20 | html_content | semmle.label | html_content |
+| main.rs:9:32:9:63 | ...::format(...) | semmle.label | ...::format(...) |
+| main.rs:9:32:9:63 | ...::must_use(...) | semmle.label | ...::must_use(...) |
+| main.rs:9:32:9:63 | MacroExpr | semmle.label | MacroExpr |
+| main.rs:9:32:9:63 | { ... } | semmle.label | { ... } |
+| main.rs:10:10:10:21 | html_content | semmle.label | html_content |
+| main.rs:15:51:15:53 | get | semmle.label | get |
+| main.rs:15:51:15:53 | get | semmle.label | get |
+| main.rs:15:51:15:53 | get [Query] | semmle.label | get [Query] |
 subpaths

rust/ql/test/query-tests/security/CWE-079/axum/main.rs

@@ -7,12 +7,12 @@ struct GreetingParams {
 
 async fn greet_handler(Query(params): Query<GreetingParams>) -> Html<String> {
     let html_content = format!("<p>Hello, {}!</p>", params.name);
-    Html(html_content) // $ MISSING: Alert[rust/xss]
+    Html(html_content) // $ Alert[rust/xss]=greet
 }
 
 #[tokio::main]
 pub async fn main() {
-    let app = Router::<()>::new().route("/greet", get(greet_handler));
+    let app = Router::<()>::new().route("/greet", get(greet_handler)); // $ Source=greet
     let listener = tokio::net::TcpListener::bind("127.0.0.1:3000")
         .await
         .unwrap();