Rust: Add tests for std::fs::canonicalize and similar.

geoffw0 · geoffw0 · commit 8da44828a642 · 2025-08-21T16:47:12.000+01:00
diff --git a/rust/ql/test/query-tests/security/CWE-022/TaintedPath.expected b/rust/ql/test/query-tests/security/CWE-022/TaintedPath.expected
@@ -1,20 +1,41 @@
 #select
 | src/main.rs:11:5:11:22 | ...::read_to_string | src/main.rs:7:11:7:19 | file_name | src/main.rs:11:5:11:22 | ...::read_to_string | This path depends on a $@. | src/main.rs:7:11:7:19 | file_name | user-provided value |
+| src/main.rs:104:13:104:31 | ...::open | src/main.rs:103:17:103:30 | ...::args | src/main.rs:104:13:104:31 | ...::open | This path depends on a $@. | src/main.rs:103:17:103:30 | ...::args | user-provided value |
 edges
 | src/main.rs:7:11:7:19 | file_name | src/main.rs:9:35:9:43 | file_name | provenance |  |
 | src/main.rs:9:9:9:17 | file_path | src/main.rs:11:24:11:32 | file_path | provenance |  |
 | src/main.rs:9:21:9:44 | ...::from(...) | src/main.rs:9:9:9:17 | file_path | provenance |  |
-| src/main.rs:9:35:9:43 | file_name | src/main.rs:9:21:9:44 | ...::from(...) | provenance | MaD:2 |
-| src/main.rs:9:35:9:43 | file_name | src/main.rs:9:21:9:44 | ...::from(...) | provenance | MaD:2 |
-| src/main.rs:11:24:11:32 | file_path | src/main.rs:11:5:11:22 | ...::read_to_string | provenance | MaD:1 Sink:MaD:1 |
+| src/main.rs:9:35:9:43 | file_name | src/main.rs:9:21:9:44 | ...::from(...) | provenance | MaD:7 |
+| src/main.rs:9:35:9:43 | file_name | src/main.rs:9:21:9:44 | ...::from(...) | provenance | MaD:7 |
+| src/main.rs:11:24:11:32 | file_path | src/main.rs:11:5:11:22 | ...::read_to_string | provenance | MaD:2 Sink:MaD:2 |
+| src/main.rs:103:9:103:13 | path1 | src/main.rs:104:33:104:37 | path1 | provenance |  |
+| src/main.rs:103:17:103:30 | ...::args | src/main.rs:103:17:103:32 | ...::args(...) [element] | provenance | Src:MaD:3  |
+| src/main.rs:103:17:103:32 | ...::args(...) [element] | src/main.rs:103:17:103:39 | ... .nth(...) [Some] | provenance | MaD:5 |
+| src/main.rs:103:17:103:39 | ... .nth(...) [Some] | src/main.rs:103:17:103:48 | ... .unwrap() | provenance | MaD:6 |
+| src/main.rs:103:17:103:48 | ... .unwrap() | src/main.rs:103:9:103:13 | path1 | provenance |  |
+| src/main.rs:104:33:104:37 | path1 | src/main.rs:104:33:104:45 | path1.clone() | provenance | MaD:4 |
+| src/main.rs:104:33:104:45 | path1.clone() | src/main.rs:104:13:104:31 | ...::open | provenance | MaD:1 Sink:MaD:1 |
 models
-| 1 | Sink: std::fs::read_to_string; Argument[0]; path-injection |
-| 2 | Summary: <std::path::PathBuf as core::convert::From>::from; Argument[0]; ReturnValue; taint |
+| 1 | Sink: <std::fs::File>::open; Argument[0]; path-injection |
+| 2 | Sink: std::fs::read_to_string; Argument[0]; path-injection |
+| 3 | Source: std::env::args; ReturnValue.Element; commandargs |
+| 4 | Summary: <_ as core::clone::Clone>::clone; Argument[self].Reference; ReturnValue; value |
+| 5 | Summary: <_ as core::iter::traits::iterator::Iterator>::nth; Argument[self].Element; ReturnValue.Field[core::option::Option::Some(0)]; value |
+| 6 | Summary: <core::option::Option>::unwrap; Argument[self].Field[core::option::Option::Some(0)]; ReturnValue; value |
+| 7 | Summary: <std::path::PathBuf as core::convert::From>::from; Argument[0]; ReturnValue; taint |
 nodes
 | src/main.rs:7:11:7:19 | file_name | semmle.label | file_name |
 | src/main.rs:9:9:9:17 | file_path | semmle.label | file_path |
 | src/main.rs:9:21:9:44 | ...::from(...) | semmle.label | ...::from(...) |
 | src/main.rs:9:35:9:43 | file_name | semmle.label | file_name |
 | src/main.rs:11:5:11:22 | ...::read_to_string | semmle.label | ...::read_to_string |
 | src/main.rs:11:24:11:32 | file_path | semmle.label | file_path |
+| src/main.rs:103:9:103:13 | path1 | semmle.label | path1 |
+| src/main.rs:103:17:103:30 | ...::args | semmle.label | ...::args |
+| src/main.rs:103:17:103:32 | ...::args(...) [element] | semmle.label | ...::args(...) [element] |
+| src/main.rs:103:17:103:39 | ... .nth(...) [Some] | semmle.label | ... .nth(...) [Some] |
+| src/main.rs:103:17:103:48 | ... .unwrap() | semmle.label | ... .unwrap() |
+| src/main.rs:104:13:104:31 | ...::open | semmle.label | ...::open |
+| src/main.rs:104:33:104:37 | path1 | semmle.label | path1 |
+| src/main.rs:104:33:104:45 | path1.clone() | semmle.label | path1.clone() |
 subpaths
diff --git a/rust/ql/test/query-tests/security/CWE-022/src/main.rs b/rust/ql/test/query-tests/security/CWE-022/src/main.rs
@@ -99,6 +99,26 @@ fn tainted_path_handler_folder_almost_good3(
     fs::read_to_string(file_path).map_err(InternalServerError) // $ path-injection-sink MISSING: Alert[rust/path-injection]=remote5
 }
 
+async fn more_simple_cases() {
+    let path1 = std::env::args().nth(1).unwrap(); // $ Source=arg1
+    let _ = std::fs::File::open(path1.clone()); // $ path-injection-sink Alert[rust/path-injection]=arg1
+
+    let path2 = std::fs::canonicalize(path1.clone()).unwrap();
+    let _ = std::fs::File::open(path2); // $ path-injection-sink MISSING: Alert[rust/path-injection]=arg1
+
+    let path3 = tokio::fs::canonicalize(path1.clone()).await.unwrap();
+    let _ = tokio::fs::File::open(path3); // $ MISSING: path-injection-sink Alert[rust/path-injection]=arg1
+
+    let path4 = async_std::fs::canonicalize(path1.clone()).await.unwrap();
+    let _ = async_std::fs::File::open(path4); // $ MISSING: path-injection-sink Alert[rust/path-injection]=arg1
+
+    let path5 = std::path::Path::new(&path1);
+    let _ = std::fs::File::open(path5); // $ path-injection-sink MISSING: Alert[rust/path-injection]=arg1
+
+    let path6 = path5.canonicalize().unwrap();
+    let _ = std::fs::File::open(path6); // $ path-injection-sink MISSING: Alert[rust/path-injection]=arg1
+}
+
 fn sinks(path1: &Path, path2: &Path) {
     let _ = std::fs::copy(path1, path2); // $ path-injection-sink
     let _ = std::fs::create_dir(path1); // $ path-injection-sink
