Rust: Add source models for io.

geoffw0 · geoffw0 · commit 7a9ea52bc79a · 2025-04-14T10:47:30.000+01:00
diff --git a/rust/ql/lib/codeql/rust/Concepts.qll b/rust/ql/lib/codeql/rust/Concepts.qll
@@ -128,6 +128,32 @@ module FileSource {
   }
 }
 
+/**
+ * A data flow source corresponding to standard input.
+ */
+final class StdInSource = StdInSource::Range;
+
+/**
+ * An externally modeled source for data from standard input.
+ */
+class ModeledStdInSourceSource extends StdInSource::Range {
+  ModeledStdInSourceSource() { sourceNode(this, "stdin") }
+}
+
+/**
+ * Provides a class for modeling new sources for standard input.
+ */
+module StdInSource {
+  /**
+   * A data flow source corresponding to standard input.
+   */
+  abstract class Range extends ThreatModelSource::Range {
+    override string getThreatModel() { result = "stdin" }
+
+    override string getSourceType() { result = "StdInSource" }
+  }
+}
+
 /**
  * A data flow source corresponding to the program's database reads.
  */
diff --git a/rust/ql/lib/codeql/rust/frameworks/stdlib/io.model.yml b/rust/ql/lib/codeql/rust/frameworks/stdlib/io.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: sourceModel
+    data:
+      - ["lang:std", "crate::io::stdio::stdin", "ReturnValue", "stdin", "manual"]
diff --git a/rust/ql/test/library-tests/dataflow/sources/TaintSources.expected b/rust/ql/test/library-tests/dataflow/sources/TaintSources.expected
@@ -28,8 +28,22 @@
 | test.rs:221:22:221:25 | path | Flow source 'FileSource' of type file (DEFAULT). |
 | test.rs:222:27:222:35 | file_name | Flow source 'FileSource' of type file (DEFAULT). |
 | test.rs:228:22:228:34 | ...::read_link | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:243:22:243:35 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:249:22:249:35 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:255:22:255:35 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:261:9:261:22 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:265:17:265:30 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
 | test.rs:271:20:271:38 | ...::open | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:304:50:304:63 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:310:50:310:63 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:317:50:317:63 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:324:50:324:63 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:331:56:331:69 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:338:50:338:63 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:345:50:345:63 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
+| test.rs:351:50:351:63 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
 | test.rs:360:25:360:43 | ...::open | Flow source 'FileSource' of type file (DEFAULT). |
 | test.rs:361:25:361:43 | ...::open | Flow source 'FileSource' of type file (DEFAULT). |
 | test.rs:369:25:369:43 | ...::open | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:377:22:377:35 | ...::stdin | Flow source 'StdInSource' of type stdin (DEFAULT). |
 | test.rs:386:16:386:29 | ...::args | Flow source 'CommandLineArgs' of type commandargs (DEFAULT). |
diff --git a/rust/ql/test/library-tests/dataflow/sources/test.rs b/rust/ql/test/library-tests/dataflow/sources/test.rs
@@ -240,29 +240,29 @@ fn test_io_fs() -> std::io::Result<()> {
 
     {
         let mut buffer = [0u8; 100];
-        let _bytes = std::io::stdin().read(&mut buffer)?; // $ MISSING: Alert[rust/summary/taint-sources]
+        let _bytes = std::io::stdin().read(&mut buffer)?; // $ Alert[rust/summary/taint-sources]
         sink(&buffer); // $ MISSING: hasTaintFlow
     }
 
     {
         let mut buffer = Vec::<u8>::new();
-        let _bytes = std::io::stdin().read_to_end(&mut buffer)?; // $ MISSING: Alert[rust/summary/taint-sources]
+        let _bytes = std::io::stdin().read_to_end(&mut buffer)?; // $ Alert[rust/summary/taint-sources]
         sink(&buffer); // $ MISSING: hasTaintFlow
     }
 
     {
         let mut buffer = String::new();
-        let _bytes = std::io::stdin().read_to_string(&mut buffer)?; // $ MISSING: Alert[rust/summary/taint-sources]
+        let _bytes = std::io::stdin().read_to_string(&mut buffer)?; // $ Alert[rust/summary/taint-sources]
         sink(&buffer); // $ MISSING: hasTaintFlow
     }
 
     {
         let mut buffer = [0; 100];
-        std::io::stdin().read_exact(&mut buffer)?; // $ MISSING: Alert[rust/summary/taint-sources]
+        std::io::stdin().read_exact(&mut buffer)?; // $ Alert[rust/summary/taint-sources]
         sink(&buffer); // $ MISSING: hasTaintFlow
     }
 
-    for byte in std::io::stdin().bytes() { // $ MISSING: Alert[rust/summary/taint-sources]
+    for byte in std::io::stdin().bytes() { // $ Alert[rust/summary/taint-sources]
         sink(byte); // $ MISSING: hasTaintFlow
     }
 
@@ -301,54 +301,54 @@ fn test_io_fs() -> std::io::Result<()> {
     // --- BufReader ---
 
     {
-        let mut reader = std::io::BufReader::new(std::io::stdin()); // $ MISSING: Alert[rust/summary/taint-sources]
+        let mut reader = std::io::BufReader::new(std::io::stdin()); // $ Alert[rust/summary/taint-sources]
         let data = reader.fill_buf()?;
         sink(&data); // $ MISSING: hasTaintFlow
     }
 
     {
-        let mut reader = std::io::BufReader::new(std::io::stdin()); // $ MISSING: Alert[rust/summary/taint-sources]
+        let mut reader = std::io::BufReader::new(std::io::stdin()); // $ Alert[rust/summary/taint-sources]
         let data = reader.buffer();
         sink(&data); // $ MISSING: hasTaintFlow
     }
 
     {
         let mut buffer = String::new();
-        let mut reader = std::io::BufReader::new(std::io::stdin()); // $ MISSING: Alert[rust/summary/taint-sources]
+        let mut reader = std::io::BufReader::new(std::io::stdin()); // $ Alert[rust/summary/taint-sources]
         reader.read_line(&mut buffer)?;
         sink(&buffer); // $ MISSING: hasTaintFlow
     }
 
     {
         let mut buffer = Vec::<u8>::new();
-        let mut reader = std::io::BufReader::new(std::io::stdin()); // $ MISSING: Alert[rust/summary/taint-sources]
+        let mut reader = std::io::BufReader::new(std::io::stdin()); // $ Alert[rust/summary/taint-sources]
         reader.read_until(b',', &mut buffer)?;
         sink(&buffer); // $ MISSING: hasTaintFlow
     }
 
     {
         let mut buffer = Vec::<u8>::new();
-        let mut reader_split = std::io::BufReader::new(std::io::stdin()).split(b','); // $ MISSING: Alert[rust/summary/taint-sources]
+        let mut reader_split = std::io::BufReader::new(std::io::stdin()).split(b','); // $ Alert[rust/summary/taint-sources]
         while let Some(chunk) = reader_split.next() {
             sink(chunk.unwrap()); // $ MISSING: hasTaintFlow
         }
     }
 
     {
-        let mut reader = std::io::BufReader::new(std::io::stdin()); // $ MISSING: Alert[rust/summary/taint-sources]
+        let mut reader = std::io::BufReader::new(std::io::stdin()); // $ Alert[rust/summary/taint-sources]
         for line in reader.lines() {
             sink(line); // $ MISSING: Alert[rust/summary/taint-sources]
         }
     }
 
     {
-        let mut reader = std::io::BufReader::new(std::io::stdin()); // $ MISSING: Alert[rust/summary/taint-sources]
+        let mut reader = std::io::BufReader::new(std::io::stdin()); // $ Alert[rust/summary/taint-sources]
         let line = reader.lines().nth(1).unwrap();
         sink(line.unwrap().clone()); // $ MISSING: hasTaintFlow
     }
 
     {
-        let mut reader = std::io::BufReader::new(std::io::stdin()); // $ MISSING: Alert[rust/summary/taint-sources]
+        let mut reader = std::io::BufReader::new(std::io::stdin()); // $ Alert[rust/summary/taint-sources]
         let lines: Vec<_> = reader.lines().collect();
         sink(lines[1].as_ref().unwrap().clone()); // $ MISSING: hasTaintFlow
     }
@@ -374,7 +374,7 @@ fn test_io_fs() -> std::io::Result<()> {
 
     {
         let mut buffer = String::new();
-        let _bytes = std::io::stdin().lock().read_to_string(&mut buffer)?; // $ MISSING: Alert[rust/summary/taint-sources]
+        let _bytes = std::io::stdin().lock().read_to_string(&mut buffer)?; // $ Alert[rust/summary/taint-sources]
         sink(&buffer); // $ MISSING: hasTaintFlow
     }
 

Original file line number	Diff line number	Diff line change
`@@ -240,29 +240,29 @@ fn test_io_fs() -> std::io::Result<()> {`
`240`	`240`
`241`	`241`	`{`
`242`	`242`	`let mut buffer = [0u8; 100];`
`243`		`- let _bytes = std::io::stdin().read(&mut buffer)?; // $ MISSING: Alert[rust/summary/taint-sources]`
	`243`	`+ let _bytes = std::io::stdin().read(&mut buffer)?; // $ Alert[rust/summary/taint-sources]`
`244`	`244`	`sink(&buffer); // $ MISSING: hasTaintFlow`
`245`	`245`	`}`
`246`	`246`
`247`	`247`	`{`
`248`	`248`	`let mut buffer = Vec::<u8>::new();`
`249`		`- let _bytes = std::io::stdin().read_to_end(&mut buffer)?; // $ MISSING: Alert[rust/summary/taint-sources]`
	`249`	`+ let _bytes = std::io::stdin().read_to_end(&mut buffer)?; // $ Alert[rust/summary/taint-sources]`
`250`	`250`	`sink(&buffer); // $ MISSING: hasTaintFlow`
`251`	`251`	`}`
`252`	`252`
`253`	`253`	`{`
`254`	`254`	`let mut buffer = String::new();`
`255`		`- let _bytes = std::io::stdin().read_to_string(&mut buffer)?; // $ MISSING: Alert[rust/summary/taint-sources]`
	`255`	`+ let _bytes = std::io::stdin().read_to_string(&mut buffer)?; // $ Alert[rust/summary/taint-sources]`
`256`	`256`	`sink(&buffer); // $ MISSING: hasTaintFlow`
`257`	`257`	`}`
`258`	`258`
`259`	`259`	`{`
`260`	`260`	`let mut buffer = [0; 100];`
`261`		`- std::io::stdin().read_exact(&mut buffer)?; // $ MISSING: Alert[rust/summary/taint-sources]`
	`261`	`+ std::io::stdin().read_exact(&mut buffer)?; // $ Alert[rust/summary/taint-sources]`
`262`	`262`	`sink(&buffer); // $ MISSING: hasTaintFlow`
`263`	`263`	`}`
`264`	`264`
`265`		`- for byte in std::io::stdin().bytes() { // $ MISSING: Alert[rust/summary/taint-sources]`
	`265`	`+ for byte in std::io::stdin().bytes() { // $ Alert[rust/summary/taint-sources]`
`266`	`266`	`sink(byte); // $ MISSING: hasTaintFlow`
`267`	`267`	`}`
`268`	`268`
`@@ -301,54 +301,54 @@ fn test_io_fs() -> std::io::Result<()> {`
`301`	`301`	`// --- BufReader ---`
`302`	`302`
`303`	`303`	`{`
`304`		`- let mut reader = std::io::BufReader::new(std::io::stdin()); // $ MISSING: Alert[rust/summary/taint-sources]`
	`304`	`+ let mut reader = std::io::BufReader::new(std::io::stdin()); // $ Alert[rust/summary/taint-sources]`
`305`	`305`	`let data = reader.fill_buf()?;`
`306`	`306`	`sink(&data); // $ MISSING: hasTaintFlow`
`307`	`307`	`}`
`308`	`308`
`309`	`309`	`{`
`310`		`- let mut reader = std::io::BufReader::new(std::io::stdin()); // $ MISSING: Alert[rust/summary/taint-sources]`
	`310`	`+ let mut reader = std::io::BufReader::new(std::io::stdin()); // $ Alert[rust/summary/taint-sources]`
`311`	`311`	`let data = reader.buffer();`
`312`	`312`	`sink(&data); // $ MISSING: hasTaintFlow`
`313`	`313`	`}`
`314`	`314`
`315`	`315`	`{`
`316`	`316`	`let mut buffer = String::new();`
`317`		`- let mut reader = std::io::BufReader::new(std::io::stdin()); // $ MISSING: Alert[rust/summary/taint-sources]`
	`317`	`+ let mut reader = std::io::BufReader::new(std::io::stdin()); // $ Alert[rust/summary/taint-sources]`
`318`	`318`	`reader.read_line(&mut buffer)?;`
`319`	`319`	`sink(&buffer); // $ MISSING: hasTaintFlow`
`320`	`320`	`}`
`321`	`321`
`322`	`322`	`{`
`323`	`323`	`let mut buffer = Vec::<u8>::new();`
`324`		`- let mut reader = std::io::BufReader::new(std::io::stdin()); // $ MISSING: Alert[rust/summary/taint-sources]`
	`324`	`+ let mut reader = std::io::BufReader::new(std::io::stdin()); // $ Alert[rust/summary/taint-sources]`
`325`	`325`	`reader.read_until(b',', &mut buffer)?;`
`326`	`326`	`sink(&buffer); // $ MISSING: hasTaintFlow`
`327`	`327`	`}`
`328`	`328`
`329`	`329`	`{`
`330`	`330`	`let mut buffer = Vec::<u8>::new();`
`331`		`- let mut reader_split = std::io::BufReader::new(std::io::stdin()).split(b','); // $ MISSING: Alert[rust/summary/taint-sources]`
	`331`	`+ let mut reader_split = std::io::BufReader::new(std::io::stdin()).split(b','); // $ Alert[rust/summary/taint-sources]`
`332`	`332`	`while let Some(chunk) = reader_split.next() {`
`333`	`333`	`sink(chunk.unwrap()); // $ MISSING: hasTaintFlow`
`334`	`334`	`}`
`335`	`335`	`}`
`336`	`336`
`337`	`337`	`{`
`338`		`- let mut reader = std::io::BufReader::new(std::io::stdin()); // $ MISSING: Alert[rust/summary/taint-sources]`
	`338`	`+ let mut reader = std::io::BufReader::new(std::io::stdin()); // $ Alert[rust/summary/taint-sources]`
`339`	`339`	`for line in reader.lines() {`
`340`	`340`	`sink(line); // $ MISSING: Alert[rust/summary/taint-sources]`
`341`	`341`	`}`
`342`	`342`	`}`
`343`	`343`
`344`	`344`	`{`
`345`		`- let mut reader = std::io::BufReader::new(std::io::stdin()); // $ MISSING: Alert[rust/summary/taint-sources]`
	`345`	`+ let mut reader = std::io::BufReader::new(std::io::stdin()); // $ Alert[rust/summary/taint-sources]`
`346`	`346`	`let line = reader.lines().nth(1).unwrap();`
`347`	`347`	`sink(line.unwrap().clone()); // $ MISSING: hasTaintFlow`
`348`	`348`	`}`
`349`	`349`
`350`	`350`	`{`
`351`		`- let mut reader = std::io::BufReader::new(std::io::stdin()); // $ MISSING: Alert[rust/summary/taint-sources]`
	`351`	`+ let mut reader = std::io::BufReader::new(std::io::stdin()); // $ Alert[rust/summary/taint-sources]`
`352`	`352`	`let lines: Vec<_> = reader.lines().collect();`
`353`	`353`	`sink(lines[1].as_ref().unwrap().clone()); // $ MISSING: hasTaintFlow`
`354`	`354`	`}`
`@@ -374,7 +374,7 @@ fn test_io_fs() -> std::io::Result<()> {`
`374`	`374`
`375`	`375`	`{`
`376`	`376`	`let mut buffer = String::new();`
`377`		`- let _bytes = std::io::stdin().lock().read_to_string(&mut buffer)?; // $ MISSING: Alert[rust/summary/taint-sources]`
	`377`	`+ let _bytes = std::io::stdin().lock().read_to_string(&mut buffer)?; // $ Alert[rust/summary/taint-sources]`
`378`	`378`	`sink(&buffer); // $ MISSING: hasTaintFlow`
`379`	`379`	`}`
`380`	`380`