
Commit 993154e

committed
Rust: Avoid duplicating sinks.
1 parent 0ea28b4 commit 993154e


2 files changed

+4
-42
lines changed


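--- a/rust/ql/lib/codeql/rust/security/DisabledCertificateCheckExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/DisabledCertificateCheckExtensions.qll
@@ -7,6 +7,7 @@ import rust
 private import codeql.rust.dataflow.DataFlow
 private import codeql.rust.dataflow.FlowSink
 private import codeql.rust.Concepts
+private import codeql.rust.dataflow.internal.Node as Node
 
 /**
 * Provides default sinks for detecting disabled certificate check
@@ -35,7 +36,9 @@ module DisabledCertificateCheckExtensions {
 exists(CallExprBase fc |
 fc.getStaticTarget().(Function).getName().getText() =
 ["danger_accept_invalid_certs", "danger_accept_invalid_hostnames"] and
-fc.getArg(0) = this.asExpr()
+fc.getArg(0) = this.asExpr() and
+// don't duplicate modelled sinks
+not exists(ModelsAsDataSink s | s.(Node::FlowSummaryNode).getSinkElement().getCall() = fc)
 )
 }
 }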
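Review bot: The added `not exists(ModelsAsDataSink s | ...)` conjunct suppresses the name-based sink on the call `fc` as a whole, so any modelled sink attached to that call removes the heuristic sink for argument 0, whichever argument the model actually covers. `ModelsAsDataSink` and the enclosing predicate are defined outside this hunk; if the class is limited to this query's sink kind the exclusion is probably safe, but the comment should state the reason, for example `// a models-as-data sink on this call is a FlowSummaryNode rather than the argument expression, so skip the heuristic sink to avoid reporting the same call twice`. The cast to `Node::FlowSummaryNode` also couples this security library to `codeql.rust.dataflow.internal.Node`; if modelled sinks stop being represented that way, the `exists` silently becomes false and the duplicates come back. In the visible expected output every remaining sink edge carries `Sink:MaD` provenance, so a test call on a type with no model that exposes `danger_accept_invalid_certs` would confirm that the fallback still reports disabled certificate checks.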
Lines changed: 0 additions & 41 deletions
@@ -1,38 +1,21 @@
11
#select
22
| main.rs:4:4:4:30 | danger_accept_invalid_certs | main.rs:4:32:4:35 | true | main.rs:4:4:4:30 | danger_accept_invalid_certs | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
3-
| main.rs:4:32:4:35 | true | main.rs:4:32:4:35 | true | main.rs:4:32:4:35 | true | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
43
| main.rs:9:4:9:34 | danger_accept_invalid_hostnames | main.rs:9:36:9:39 | true | main.rs:9:4:9:34 | danger_accept_invalid_hostnames | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
5-
| main.rs:9:36:9:39 | true | main.rs:9:36:9:39 | true | main.rs:9:36:9:39 | true | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
64
| main.rs:16:4:16:30 | danger_accept_invalid_certs | main.rs:16:32:16:35 | true | main.rs:16:4:16:30 | danger_accept_invalid_certs | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
7-
| main.rs:16:32:16:35 | true | main.rs:16:32:16:35 | true | main.rs:16:32:16:35 | true | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
85
| main.rs:17:4:17:34 | danger_accept_invalid_hostnames | main.rs:17:36:17:39 | true | main.rs:17:4:17:34 | danger_accept_invalid_hostnames | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
9-
| main.rs:17:36:17:39 | true | main.rs:17:36:17:39 | true | main.rs:17:36:17:39 | true | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
106
| main.rs:37:4:37:30 | danger_accept_invalid_certs | main.rs:37:32:37:35 | true | main.rs:37:4:37:30 | danger_accept_invalid_certs | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
11-
| main.rs:37:32:37:35 | true | main.rs:37:32:37:35 | true | main.rs:37:32:37:35 | true | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
127
| main.rs:42:4:42:34 | danger_accept_invalid_hostnames | main.rs:42:36:42:39 | true | main.rs:42:4:42:34 | danger_accept_invalid_hostnames | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
13-
| main.rs:42:36:42:39 | true | main.rs:42:36:42:39 | true | main.rs:42:36:42:39 | true | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
148
| main.rs:47:4:47:30 | danger_accept_invalid_certs | main.rs:47:32:47:35 | true | main.rs:47:4:47:30 | danger_accept_invalid_certs | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
15-
| main.rs:47:32:47:35 | true | main.rs:47:32:47:35 | true | main.rs:47:32:47:35 | true | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
169
| main.rs:48:4:48:34 | danger_accept_invalid_hostnames | main.rs:48:36:48:39 | true | main.rs:48:4:48:34 | danger_accept_invalid_hostnames | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
17-
| main.rs:48:36:48:39 | true | main.rs:48:36:48:39 | true | main.rs:48:36:48:39 | true | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
1810
| main.rs:55:4:55:30 | danger_accept_invalid_certs | main.rs:55:32:55:35 | true | main.rs:55:4:55:30 | danger_accept_invalid_certs | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
19-
| main.rs:55:32:55:35 | true | main.rs:55:32:55:35 | true | main.rs:55:32:55:35 | true | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
2011
| main.rs:56:4:56:34 | danger_accept_invalid_hostnames | main.rs:56:36:56:39 | true | main.rs:56:4:56:34 | danger_accept_invalid_hostnames | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
21-
| main.rs:56:36:56:39 | true | main.rs:56:36:56:39 | true | main.rs:56:36:56:39 | true | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
2212
| main.rs:83:4:83:30 | danger_accept_invalid_certs | main.rs:74:15:74:18 | true | main.rs:83:4:83:30 | danger_accept_invalid_certs | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
23-
| main.rs:83:32:83:37 | always | main.rs:74:15:74:18 | true | main.rs:83:32:83:37 | always | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
2413
| main.rs:88:4:88:30 | danger_accept_invalid_certs | main.rs:75:22:75:25 | true | main.rs:88:4:88:30 | danger_accept_invalid_certs | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
25-
| main.rs:88:32:88:40 | sometimes | main.rs:75:22:75:25 | true | main.rs:88:32:88:40 | sometimes | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
2614
| main.rs:93:4:93:30 | danger_accept_invalid_certs | main.rs:154:17:154:20 | true | main.rs:93:4:93:30 | danger_accept_invalid_certs | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
27-
| main.rs:93:32:93:47 | sometimes_global | main.rs:154:17:154:20 | true | main.rs:93:32:93:47 | sometimes_global | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
2815
| main.rs:109:4:109:34 | danger_accept_invalid_hostnames | main.rs:107:17:107:31 | ...::exists | main.rs:109:4:109:34 | danger_accept_invalid_hostnames | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
29-
| main.rs:109:36:109:37 | b1 | main.rs:107:17:107:31 | ...::exists | main.rs:109:36:109:37 | b1 | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
3016
| main.rs:115:4:115:34 | danger_accept_invalid_hostnames | main.rs:113:43:113:50 | metadata | main.rs:115:4:115:34 | danger_accept_invalid_hostnames | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
31-
| main.rs:115:36:115:37 | b2 | main.rs:113:43:113:50 | metadata | main.rs:115:36:115:37 | b2 | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
3217
| main.rs:121:4:121:34 | danger_accept_invalid_hostnames | main.rs:119:11:119:27 | ...::metadata | main.rs:121:4:121:34 | danger_accept_invalid_hostnames | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
33-
| main.rs:121:36:121:37 | b3 | main.rs:119:11:119:27 | ...::metadata | main.rs:121:36:121:37 | b3 | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
3418
| main.rs:146:4:146:34 | danger_accept_invalid_hostnames | main.rs:144:39:144:42 | true | main.rs:146:4:146:34 | danger_accept_invalid_hostnames | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
35-
| main.rs:146:36:146:37 | b6 | main.rs:144:39:144:42 | true | main.rs:146:36:146:37 | b6 | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
3619
edges
3720
| main.rs:4:32:4:35 | true | main.rs:4:4:4:30 | danger_accept_invalid_certs | provenance | MaD:1 Sink:MaD:1 |
3821
| main.rs:9:36:9:39 | true | main.rs:9:4:9:34 | danger_accept_invalid_hostnames | provenance | MaD:2 Sink:MaD:2 |
@@ -45,38 +28,31 @@ edges
4528
| main.rs:55:32:55:35 | true | main.rs:55:4:55:30 | danger_accept_invalid_certs | provenance | MaD:5 Sink:MaD:5 |
4629
| main.rs:56:36:56:39 | true | main.rs:56:4:56:34 | danger_accept_invalid_hostnames | provenance | MaD:6 Sink:MaD:6 |
4730
| main.rs:73:19:73:40 | ...: bool | main.rs:93:32:93:47 | sometimes_global | provenance | |
48-
| main.rs:73:19:73:40 | ...: bool | main.rs:93:32:93:47 | sometimes_global | provenance | |
49-
| main.rs:74:6:74:11 | always | main.rs:83:32:83:37 | always | provenance | |
5031
| main.rs:74:6:74:11 | always | main.rs:83:32:83:37 | always | provenance | |
5132
| main.rs:74:15:74:18 | true | main.rs:74:6:74:11 | always | provenance | |
5233
| main.rs:75:6:75:18 | mut sometimes | main.rs:88:32:88:40 | sometimes | provenance | |
53-
| main.rs:75:6:75:18 | mut sometimes | main.rs:88:32:88:40 | sometimes | provenance | |
5434
| main.rs:75:22:75:25 | true | main.rs:75:6:75:18 | mut sometimes | provenance | |
5535
| main.rs:83:32:83:37 | always | main.rs:83:4:83:30 | danger_accept_invalid_certs | provenance | MaD:1 Sink:MaD:1 |
5636
| main.rs:88:32:88:40 | sometimes | main.rs:88:4:88:30 | danger_accept_invalid_certs | provenance | MaD:1 Sink:MaD:1 |
5737
| main.rs:93:32:93:47 | sometimes_global | main.rs:93:4:93:30 | danger_accept_invalid_certs | provenance | MaD:1 Sink:MaD:1 |
5838
| main.rs:107:6:107:7 | b1 | main.rs:109:36:109:37 | b1 | provenance | |
59-
| main.rs:107:6:107:7 | b1 | main.rs:109:36:109:37 | b1 | provenance | |
6039
| main.rs:107:17:107:31 | ...::exists | main.rs:107:17:107:42 | ...::exists(...) [Ok] | provenance | Src:MaD:8 |
6140
| main.rs:107:17:107:42 | ...::exists(...) [Ok] | main.rs:107:17:107:51 | ... .unwrap() | provenance | MaD:10 |
6241
| main.rs:107:17:107:51 | ... .unwrap() | main.rs:107:6:107:7 | b1 | provenance | |
6342
| main.rs:109:36:109:37 | b1 | main.rs:109:4:109:34 | danger_accept_invalid_hostnames | provenance | MaD:2 Sink:MaD:2 |
6443
| main.rs:113:6:113:7 | b2 | main.rs:115:36:115:37 | b2 | provenance | |
65-
| main.rs:113:6:113:7 | b2 | main.rs:115:36:115:37 | b2 | provenance | |
6644
| main.rs:113:11:113:52 | ... .metadata() [Ok] | main.rs:113:11:113:61 | ... .unwrap() | provenance | MaD:10 |
6745
| main.rs:113:11:113:61 | ... .unwrap() | main.rs:113:11:113:71 | ... .is_file() | provenance | MaD:12 |
6846
| main.rs:113:11:113:71 | ... .is_file() | main.rs:113:6:113:7 | b2 | provenance | |
6947
| main.rs:113:43:113:50 | metadata | main.rs:113:11:113:52 | ... .metadata() [Ok] | provenance | Src:MaD:7 |
7048
| main.rs:115:36:115:37 | b2 | main.rs:115:4:115:34 | danger_accept_invalid_hostnames | provenance | MaD:2 Sink:MaD:2 |
7149
| main.rs:119:6:119:7 | b3 | main.rs:121:36:121:37 | b3 | provenance | |
72-
| main.rs:119:6:119:7 | b3 | main.rs:121:36:121:37 | b3 | provenance | |
7350
| main.rs:119:11:119:27 | ...::metadata | main.rs:119:11:119:38 | ...::metadata(...) [Ok] | provenance | Src:MaD:9 |
7451
| main.rs:119:11:119:38 | ...::metadata(...) [Ok] | main.rs:119:11:119:47 | ... .unwrap() | provenance | MaD:10 |
7552
| main.rs:119:11:119:47 | ... .unwrap() | main.rs:119:11:119:56 | ... .is_dir() | provenance | MaD:11 |
7653
| main.rs:119:11:119:56 | ... .is_dir() | main.rs:119:6:119:7 | b3 | provenance | |
7754
| main.rs:121:36:121:37 | b3 | main.rs:121:4:121:34 | danger_accept_invalid_hostnames | provenance | MaD:2 Sink:MaD:2 |
7855
| main.rs:144:6:144:7 | b6 | main.rs:146:36:146:37 | b6 | provenance | |
79-
| main.rs:144:6:144:7 | b6 | main.rs:146:36:146:37 | b6 | provenance | |
8056
| main.rs:144:39:144:42 | true | main.rs:144:6:144:7 | b6 | provenance | |
8157
| main.rs:146:36:146:37 | b6 | main.rs:146:4:146:34 | danger_accept_invalid_hostnames | provenance | MaD:2 Sink:MaD:2 |
8258
| main.rs:154:17:154:20 | true | main.rs:73:19:73:40 | ...: bool | provenance | |
@@ -96,75 +72,58 @@ models
9672
nodes
9773
| main.rs:4:4:4:30 | danger_accept_invalid_certs | semmle.label | danger_accept_invalid_certs |
9874
| main.rs:4:32:4:35 | true | semmle.label | true |
99-
| main.rs:4:32:4:35 | true | semmle.label | true |
10075
| main.rs:9:4:9:34 | danger_accept_invalid_hostnames | semmle.label | danger_accept_invalid_hostnames |
10176
| main.rs:9:36:9:39 | true | semmle.label | true |
102-
| main.rs:9:36:9:39 | true | semmle.label | true |
10377
| main.rs:16:4:16:30 | danger_accept_invalid_certs | semmle.label | danger_accept_invalid_certs |
10478
| main.rs:16:32:16:35 | true | semmle.label | true |
105-
| main.rs:16:32:16:35 | true | semmle.label | true |
10679
| main.rs:17:4:17:34 | danger_accept_invalid_hostnames | semmle.label | danger_accept_invalid_hostnames |
10780
| main.rs:17:36:17:39 | true | semmle.label | true |
108-
| main.rs:17:36:17:39 | true | semmle.label | true |
10981
| main.rs:37:4:37:30 | danger_accept_invalid_certs | semmle.label | danger_accept_invalid_certs |
11082
| main.rs:37:32:37:35 | true | semmle.label | true |
111-
| main.rs:37:32:37:35 | true | semmle.label | true |
11283
| main.rs:42:4:42:34 | danger_accept_invalid_hostnames | semmle.label | danger_accept_invalid_hostnames |
11384
| main.rs:42:36:42:39 | true | semmle.label | true |
114-
| main.rs:42:36:42:39 | true | semmle.label | true |
11585
| main.rs:47:4:47:30 | danger_accept_invalid_certs | semmle.label | danger_accept_invalid_certs |
11686
| main.rs:47:32:47:35 | true | semmle.label | true |
117-
| main.rs:47:32:47:35 | true | semmle.label | true |
11887
| main.rs:48:4:48:34 | danger_accept_invalid_hostnames | semmle.label | danger_accept_invalid_hostnames |
11988
| main.rs:48:36:48:39 | true | semmle.label | true |
120-
| main.rs:48:36:48:39 | true | semmle.label | true |
12189
| main.rs:55:4:55:30 | danger_accept_invalid_certs | semmle.label | danger_accept_invalid_certs |
12290
| main.rs:55:32:55:35 | true | semmle.label | true |
123-
| main.rs:55:32:55:35 | true | semmle.label | true |
12491
| main.rs:56:4:56:34 | danger_accept_invalid_hostnames | semmle.label | danger_accept_invalid_hostnames |
12592
| main.rs:56:36:56:39 | true | semmle.label | true |
126-
| main.rs:56:36:56:39 | true | semmle.label | true |
12793
| main.rs:73:19:73:40 | ...: bool | semmle.label | ...: bool |
12894
| main.rs:74:6:74:11 | always | semmle.label | always |
12995
| main.rs:74:15:74:18 | true | semmle.label | true |
13096
| main.rs:75:6:75:18 | mut sometimes | semmle.label | mut sometimes |
13197
| main.rs:75:22:75:25 | true | semmle.label | true |
13298
| main.rs:83:4:83:30 | danger_accept_invalid_certs | semmle.label | danger_accept_invalid_certs |
13399
| main.rs:83:32:83:37 | always | semmle.label | always |
134-
| main.rs:83:32:83:37 | always | semmle.label | always |
135100
| main.rs:88:4:88:30 | danger_accept_invalid_certs | semmle.label | danger_accept_invalid_certs |
136101
| main.rs:88:32:88:40 | sometimes | semmle.label | sometimes |
137-
| main.rs:88:32:88:40 | sometimes | semmle.label | sometimes |
138102
| main.rs:93:4:93:30 | danger_accept_invalid_certs | semmle.label | danger_accept_invalid_certs |
139103
| main.rs:93:32:93:47 | sometimes_global | semmle.label | sometimes_global |
140-
| main.rs:93:32:93:47 | sometimes_global | semmle.label | sometimes_global |
141104
| main.rs:107:6:107:7 | b1 | semmle.label | b1 |
142105
| main.rs:107:17:107:31 | ...::exists | semmle.label | ...::exists |
143106
| main.rs:107:17:107:42 | ...::exists(...) [Ok] | semmle.label | ...::exists(...) [Ok] |
144107
| main.rs:107:17:107:51 | ... .unwrap() | semmle.label | ... .unwrap() |
145108
| main.rs:109:4:109:34 | danger_accept_invalid_hostnames | semmle.label | danger_accept_invalid_hostnames |
146109
| main.rs:109:36:109:37 | b1 | semmle.label | b1 |
147-
| main.rs:109:36:109:37 | b1 | semmle.label | b1 |
148110
| main.rs:113:6:113:7 | b2 | semmle.label | b2 |
149111
| main.rs:113:11:113:52 | ... .metadata() [Ok] | semmle.label | ... .metadata() [Ok] |
150112
| main.rs:113:11:113:61 | ... .unwrap() | semmle.label | ... .unwrap() |
151113
| main.rs:113:11:113:71 | ... .is_file() | semmle.label | ... .is_file() |
152114
| main.rs:113:43:113:50 | metadata | semmle.label | metadata |
153115
| main.rs:115:4:115:34 | danger_accept_invalid_hostnames | semmle.label | danger_accept_invalid_hostnames |
154116
| main.rs:115:36:115:37 | b2 | semmle.label | b2 |
155-
| main.rs:115:36:115:37 | b2 | semmle.label | b2 |
156117
| main.rs:119:6:119:7 | b3 | semmle.label | b3 |
157118
| main.rs:119:11:119:27 | ...::metadata | semmle.label | ...::metadata |
158119
| main.rs:119:11:119:38 | ...::metadata(...) [Ok] | semmle.label | ...::metadata(...) [Ok] |
159120
| main.rs:119:11:119:47 | ... .unwrap() | semmle.label | ... .unwrap() |
160121
| main.rs:119:11:119:56 | ... .is_dir() | semmle.label | ... .is_dir() |
161122
| main.rs:121:4:121:34 | danger_accept_invalid_hostnames | semmle.label | danger_accept_invalid_hostnames |
162123
| main.rs:121:36:121:37 | b3 | semmle.label | b3 |
163-
| main.rs:121:36:121:37 | b3 | semmle.label | b3 |
164124
| main.rs:144:6:144:7 | b6 | semmle.label | b6 |
165125
| main.rs:144:39:144:42 | true | semmle.label | true |
166126
| main.rs:146:4:146:34 | danger_accept_invalid_hostnames | semmle.label | danger_accept_invalid_hostnames |
167127
| main.rs:146:36:146:37 | b6 | semmle.label | b6 |
168-
| main.rs:146:36:146:37 | b6 | semmle.label | b6 |
169128
| main.rs:154:17:154:20 | true | semmle.label | true |
170129
subpaths
