Merge pull request #18701 from geoffw0/nth

Rust: Test and model some string and iterator methods

Author: geoffw0

rust/ql/integration-tests/hello-project/summary.expected

@@ -14,7 +14,7 @@
 | Macro calls - resolved | 2 |
 | Macro calls - total | 2 |
 | Macro calls - unresolved | 0 |
-| Taint edges - number of edges | 4 |
+| Taint edges - number of edges | 10 |
 | Taint reach - nodes tainted | 0 |
 | Taint reach - per million nodes | 0 |
 | Taint sinks - cryptographic operations | 0 |

rust/ql/integration-tests/hello-workspace/summary.cargo.expected

@@ -14,7 +14,7 @@
 | Macro calls - resolved | 2 |
 | Macro calls - total | 2 |
 | Macro calls - unresolved | 0 |
-| Taint edges - number of edges | 4 |
+| Taint edges - number of edges | 10 |
 | Taint reach - nodes tainted | 0 |
 | Taint reach - per million nodes | 0 |
 | Taint sinks - cryptographic operations | 0 |

rust/ql/integration-tests/hello-workspace/summary.rust-project.expected

@@ -14,7 +14,7 @@
 | Macro calls - resolved | 2 |
 | Macro calls - total | 2 |
 | Macro calls - unresolved | 0 |
-| Taint edges - number of edges | 4 |
+| Taint edges - number of edges | 10 |
 | Taint reach - nodes tainted | 0 |
 | Taint reach - per million nodes | 0 |
 | Taint sinks - cryptographic operations | 0 |

rust/ql/lib/codeql/rust/frameworks/stdlib/lang-core.model.yml

@@ -8,8 +8,19 @@ extensions:
       # Hint
       - ["lang:core", "crate::hint::must_use", "Argument[0]", "ReturnValue", "value", "manual"]
       # Iterator
+      - ["lang:core", "<[_]>::iter", "Argument[Self].Element", "ReturnValue.Element", "value", "manual"]
+      - ["lang:core", "<[_]>::iter_mut", "Argument[Self].Element", "ReturnValue.Element", "value", "manual"]
+      - ["lang:core", "<[_]>::into_iter", "Argument[Self].Element", "ReturnValue.Element", "value", "manual"]
       - ["lang:core", "crate::iter::traits::iterator::Iterator::nth", "Argument[self].Element", "ReturnValue.Field[crate::option::Option::Some(0)]", "value", "manual"]
+      - ["lang:core", "crate::iter::traits::iterator::Iterator::next", "Argument[self].Element", "ReturnValue.Field[crate::option::Option::Some(0)]", "value", "manual"]
       - ["lang:core", "crate::iter::traits::iterator::Iterator::collect", "Argument[self].Element", "ReturnValue.Element", "value", "manual"]
+      - ["lang:core", "crate::iter::traits::iterator::Iterator::map", "Argument[self].Element", "Argument[0].Parameter[0]", "value", "manual"]
+      - ["lang:core", "crate::iter::traits::iterator::Iterator::for_each", "Argument[self].Element", "Argument[0].Parameter[0]", "value", "manual"]
+      - ["lang:core", "<crate::slice::iter::Iter as crate::iter::traits::iterator::Iterator>::nth", "Argument[self].Element", "ReturnValue.Field[crate::option::Option::Some(0)]", "value", "manual"]
+      - ["lang:core", "<crate::slice::iter::Iter as crate::iter::traits::iterator::Iterator>::next", "Argument[self].Element", "ReturnValue.Field[crate::option::Option::Some(0)]", "value", "manual"]
+      - ["lang:core", "<crate::slice::iter::Iter as crate::iter::traits::iterator::Iterator>::collect", "Argument[self].Element", "ReturnValue.Element", "value", "manual"]
+      - ["lang:core", "<crate::slice::iter::Iter as crate::iter::traits::iterator::Iterator>::map", "Argument[self].Element", "Argument[0].Parameter[0]", "value", "manual"]
+      - ["lang:core", "<crate::slice::iter::Iter as crate::iter::traits::iterator::Iterator>::for_each", "Argument[self].Element", "Argument[0].Parameter[0]", "value", "manual"]
       # Option
       - ["lang:core", "<crate::option::Option>::expect", "Argument[self].Field[crate::option::Option::Some(0)]", "ReturnValue", "value", "manual"]
       # Result
@@ -24,6 +35,9 @@ extensions:
       - ["lang:core", "<crate::result::Result>::unwrap_err_unchecked", "Argument[self].Field[crate::result::Result::Err(0)]", "ReturnValue", "value", "manual"]
       - ["lang:core", "<crate::result::Result>::expect", "Argument[self].Field[crate::result::Result::Ok(0)]", "ReturnValue", "value", "manual"]
       - ["lang:core", "<crate::result::Result>::expect_err", "Argument[self].Field[crate::result::Result::Err(0)]", "ReturnValue", "value", "manual"]
+      # Str
+      - ["lang:core", "<str>::parse", "Argument[self]", "ReturnValue.Field[crate::result::Result::Ok(0)]", "taint", "manual"]
       # String
       - ["lang:alloc", "<crate::string::String>::as_str", "Argument[self]", "ReturnValue", "taint", "manual"]
       - ["lang:alloc", "<crate::string::String>::as_bytes", "Argument[self]", "ReturnValue", "taint", "manual"]
+      - ["lang:alloc", "<_ as crate::string::ToString>::to_string", "Argument[self]", "ReturnValue", "taint", "manual"]

rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected

@@ -187,14 +187,23 @@ edges
 | main.rs:421:10:421:16 | mut_arr [element] | main.rs:421:10:421:19 | mut_arr[0] | provenance |  |
 | main.rs:444:9:444:9 | s | main.rs:445:10:445:10 | s | provenance |  |
 | main.rs:444:25:444:26 | source(...) | main.rs:444:9:444:9 | s | provenance |  |
-| main.rs:449:9:449:9 | a | main.rs:454:10:454:10 | a | provenance |  |
-| main.rs:449:13:449:22 | source(...) | main.rs:449:9:449:9 | a | provenance |  |
-| main.rs:451:9:451:9 | c | main.rs:452:18:452:18 | c | provenance |  |
-| main.rs:451:13:451:22 | source(...) | main.rs:451:9:451:9 | c | provenance |  |
-| main.rs:452:9:452:13 | c_ref [&ref] | main.rs:457:11:457:15 | c_ref [&ref] | provenance |  |
-| main.rs:452:17:452:18 | &c [&ref] | main.rs:452:9:452:13 | c_ref [&ref] | provenance |  |
-| main.rs:452:18:452:18 | c | main.rs:452:17:452:18 | &c [&ref] | provenance |  |
-| main.rs:457:11:457:15 | c_ref [&ref] | main.rs:457:10:457:15 | * ... | provenance |  |
+| main.rs:453:9:453:9 | a | main.rs:458:10:458:10 | a | provenance |  |
+| main.rs:453:13:453:22 | source(...) | main.rs:453:9:453:9 | a | provenance |  |
+| main.rs:465:9:465:10 | vs [element] | main.rs:467:10:467:11 | vs [element] | provenance |  |
+| main.rs:465:9:465:10 | vs [element] | main.rs:471:14:471:15 | vs [element] | provenance |  |
+| main.rs:465:14:465:34 | [...] [element] | main.rs:465:9:465:10 | vs [element] | provenance |  |
+| main.rs:465:15:465:24 | source(...) | main.rs:465:14:465:34 | [...] [element] | provenance |  |
+| main.rs:467:10:467:11 | vs [element] | main.rs:467:10:467:14 | vs[0] | provenance |  |
+| main.rs:471:9:471:9 | v | main.rs:472:14:472:14 | v | provenance |  |
+| main.rs:471:14:471:15 | vs [element] | main.rs:471:9:471:9 | v | provenance |  |
+| main.rs:502:9:502:9 | a | main.rs:507:10:507:10 | a | provenance |  |
+| main.rs:502:13:502:22 | source(...) | main.rs:502:9:502:9 | a | provenance |  |
+| main.rs:504:9:504:9 | c | main.rs:505:18:505:18 | c | provenance |  |
+| main.rs:504:13:504:22 | source(...) | main.rs:504:9:504:9 | c | provenance |  |
+| main.rs:505:9:505:13 | c_ref [&ref] | main.rs:510:11:510:15 | c_ref [&ref] | provenance |  |
+| main.rs:505:17:505:18 | &c [&ref] | main.rs:505:9:505:13 | c_ref [&ref] | provenance |  |
+| main.rs:505:18:505:18 | c | main.rs:505:17:505:18 | &c [&ref] | provenance |  |
+| main.rs:510:11:510:15 | c_ref [&ref] | main.rs:510:10:510:15 | * ... | provenance |  |
 nodes
 | main.rs:18:10:18:18 | source(...) | semmle.label | source(...) |
 | main.rs:22:9:22:9 | s | semmle.label | s |
@@ -411,16 +420,27 @@ nodes
 | main.rs:444:9:444:9 | s | semmle.label | s |
 | main.rs:444:25:444:26 | source(...) | semmle.label | source(...) |
 | main.rs:445:10:445:10 | s | semmle.label | s |
-| main.rs:449:9:449:9 | a | semmle.label | a |
-| main.rs:449:13:449:22 | source(...) | semmle.label | source(...) |
-| main.rs:451:9:451:9 | c | semmle.label | c |
-| main.rs:451:13:451:22 | source(...) | semmle.label | source(...) |
-| main.rs:452:9:452:13 | c_ref [&ref] | semmle.label | c_ref [&ref] |
-| main.rs:452:17:452:18 | &c [&ref] | semmle.label | &c [&ref] |
-| main.rs:452:18:452:18 | c | semmle.label | c |
-| main.rs:454:10:454:10 | a | semmle.label | a |
-| main.rs:457:10:457:15 | * ... | semmle.label | * ... |
-| main.rs:457:11:457:15 | c_ref [&ref] | semmle.label | c_ref [&ref] |
+| main.rs:453:9:453:9 | a | semmle.label | a |
+| main.rs:453:13:453:22 | source(...) | semmle.label | source(...) |
+| main.rs:458:10:458:10 | a | semmle.label | a |
+| main.rs:465:9:465:10 | vs [element] | semmle.label | vs [element] |
+| main.rs:465:14:465:34 | [...] [element] | semmle.label | [...] [element] |
+| main.rs:465:15:465:24 | source(...) | semmle.label | source(...) |
+| main.rs:467:10:467:11 | vs [element] | semmle.label | vs [element] |
+| main.rs:467:10:467:14 | vs[0] | semmle.label | vs[0] |
+| main.rs:471:9:471:9 | v | semmle.label | v |
+| main.rs:471:14:471:15 | vs [element] | semmle.label | vs [element] |
+| main.rs:472:14:472:14 | v | semmle.label | v |
+| main.rs:502:9:502:9 | a | semmle.label | a |
+| main.rs:502:13:502:22 | source(...) | semmle.label | source(...) |
+| main.rs:504:9:504:9 | c | semmle.label | c |
+| main.rs:504:13:504:22 | source(...) | semmle.label | source(...) |
+| main.rs:505:9:505:13 | c_ref [&ref] | semmle.label | c_ref [&ref] |
+| main.rs:505:17:505:18 | &c [&ref] | semmle.label | &c [&ref] |
+| main.rs:505:18:505:18 | c | semmle.label | c |
+| main.rs:507:10:507:10 | a | semmle.label | a |
+| main.rs:510:10:510:15 | * ... | semmle.label | * ... |
+| main.rs:510:11:510:15 | c_ref [&ref] | semmle.label | c_ref [&ref] |
 subpaths
 testFailures
 #select
@@ -466,5 +486,8 @@ testFailures
 | main.rs:420:10:420:10 | d | main.rs:418:18:418:27 | source(...) | main.rs:420:10:420:10 | d | $@ | main.rs:418:18:418:27 | source(...) | source(...) |
 | main.rs:421:10:421:19 | mut_arr[0] | main.rs:418:18:418:27 | source(...) | main.rs:421:10:421:19 | mut_arr[0] | $@ | main.rs:418:18:418:27 | source(...) | source(...) |
 | main.rs:445:10:445:10 | s | main.rs:444:25:444:26 | source(...) | main.rs:445:10:445:10 | s | $@ | main.rs:444:25:444:26 | source(...) | source(...) |
-| main.rs:454:10:454:10 | a | main.rs:449:13:449:22 | source(...) | main.rs:454:10:454:10 | a | $@ | main.rs:449:13:449:22 | source(...) | source(...) |
-| main.rs:457:10:457:15 | * ... | main.rs:451:13:451:22 | source(...) | main.rs:457:10:457:15 | * ... | $@ | main.rs:451:13:451:22 | source(...) | source(...) |
+| main.rs:458:10:458:10 | a | main.rs:453:13:453:22 | source(...) | main.rs:458:10:458:10 | a | $@ | main.rs:453:13:453:22 | source(...) | source(...) |
+| main.rs:467:10:467:14 | vs[0] | main.rs:465:15:465:24 | source(...) | main.rs:467:10:467:14 | vs[0] | $@ | main.rs:465:15:465:24 | source(...) | source(...) |
+| main.rs:472:14:472:14 | v | main.rs:465:15:465:24 | source(...) | main.rs:472:14:472:14 | v | $@ | main.rs:465:15:465:24 | source(...) | source(...) |
+| main.rs:507:10:507:10 | a | main.rs:502:13:502:22 | source(...) | main.rs:507:10:507:10 | a | $@ | main.rs:502:13:502:22 | source(...) | source(...) |
+| main.rs:510:10:510:15 | * ... | main.rs:504:13:504:22 | source(...) | main.rs:510:10:510:15 | * ... | $@ | main.rs:504:13:504:22 | source(...) | source(...) |

rust/ql/test/library-tests/dataflow/local/inline-flow.expected

@@ -445,6 +445,59 @@ fn macro_invocation() {
     sink(s); // $ hasValueFlow=37
 }
 
+fn sink_string(s: String) {
+    println!("{}", s);
+}
+
+fn parse() {
+    let a = source(90);
+    let b = a.to_string();
+    let c = b.parse::<i64>().unwrap();
+    let d : i64 = b.parse().unwrap();
+
+    sink(a); // $ hasValueFlow=90
+    sink_string(b); // $ hasTaintFlow=90
+    sink(c); // $ hasTaintFlow=90
+    sink(d); // $ hasTaintFlow=90
+}
+
+fn iterators() {
+    let vs = [source(91), 2, 3, 4];
+
+    sink(vs[0]); // $ hasValueFlow=91
+    sink(*vs.iter().next().unwrap()); // $ MISSING: hasValueFlow=91
+    sink(*vs.iter().nth(0).unwrap()); // $ MISSING: hasValueFlow=91
+
+    for v in vs {
+        sink(v); // $ hasValueFlow=91
+    }
+    for &v in vs.iter() {
+        sink(v); // $ MISSING: hasValueFlow=91
+    }
+
+    let vs2 : Vec<&i64> = vs.iter().collect();
+    for &v in vs2 {
+        sink(v); // $ MISSING: hasValueFlow=91
+    }
+
+    vs.iter().map(|x| sink(*x)); // $ MISSING: hasValueFlow=91
+    vs.iter().for_each(|x| sink(*x)); // $ MISSING: hasValueFlow=91
+
+    for v in vs.into_iter() {
+        sink(v); // $ MISSING: hasValueFlow=91
+    }
+
+    let mut vs_mut = [source(92), 2, 3, 4];
+
+    sink(vs_mut[0]); // $ MISSING: hasValueFlow=92
+    sink(*vs_mut.iter().next().unwrap()); // $ MISSING: hasValueFlow=92
+    sink(*vs_mut.iter().nth(0).unwrap()); // $ MISSING: hasValueFlow=92
+
+    for &mut v in vs_mut.iter_mut() {
+        sink(v); // $ MISSING: hasValueFlow=92
+    }
+}
+
 fn references() {
     let a = source(40);
     let b = source(41);
@@ -494,5 +547,7 @@ fn main() {
     array_assignment();
     captured_variable_and_continue(vec![]);
     macro_invocation();
+    parse();
+    iterators();
     references();
 }

rust/ql/test/library-tests/dataflow/local/main.rs

@@ -7,18 +7,19 @@
 | test.rs:29:29:29:42 | ...::args | Flow source 'CommandLineArgs' of type commandargs. |
 | test.rs:32:16:32:29 | ...::args | Flow source 'CommandLineArgs' of type commandargs. |
 | test.rs:33:16:33:32 | ...::args_os | Flow source 'CommandLineArgs' of type commandargs. |
-| test.rs:40:16:40:29 | ...::args | Flow source 'CommandLineArgs' of type commandargs. |
-| test.rs:44:16:44:32 | ...::args_os | Flow source 'CommandLineArgs' of type commandargs. |
-| test.rs:50:15:50:35 | ...::current_dir | Flow source 'CommandLineArgs' of type commandargs. |
-| test.rs:51:15:51:35 | ...::current_exe | Flow source 'CommandLineArgs' of type commandargs. |
-| test.rs:52:16:52:33 | ...::home_dir | Flow source 'CommandLineArgs' of type commandargs. |
-| test.rs:60:26:60:47 | ...::get | Flow source 'RemoteSource' of type remote (DEFAULT). |
-| test.rs:63:26:63:47 | ...::get | Flow source 'RemoteSource' of type remote (DEFAULT). |
-| test.rs:66:26:66:47 | ...::get | Flow source 'RemoteSource' of type remote (DEFAULT). |
-| test.rs:69:26:69:47 | ...::get | Flow source 'RemoteSource' of type remote (DEFAULT). |
-| test.rs:72:26:72:37 | ...::get | Flow source 'RemoteSource' of type remote (DEFAULT). |
-| test.rs:75:26:75:37 | ...::get | Flow source 'RemoteSource' of type remote (DEFAULT). |
-| test.rs:78:24:78:35 | ...::get | Flow source 'RemoteSource' of type remote (DEFAULT). |
-| test.rs:110:35:110:46 | send_request | Flow source 'RemoteSource' of type remote (DEFAULT). |
-| test.rs:117:31:117:42 | send_request | Flow source 'RemoteSource' of type remote (DEFAULT). |
-| test.rs:201:16:201:29 | ...::args | Flow source 'CommandLineArgs' of type commandargs. |
+| test.rs:34:16:34:29 | ...::args | Flow source 'CommandLineArgs' of type commandargs. |
+| test.rs:42:16:42:29 | ...::args | Flow source 'CommandLineArgs' of type commandargs. |
+| test.rs:46:16:46:32 | ...::args_os | Flow source 'CommandLineArgs' of type commandargs. |
+| test.rs:52:15:52:35 | ...::current_dir | Flow source 'CommandLineArgs' of type commandargs. |
+| test.rs:53:15:53:35 | ...::current_exe | Flow source 'CommandLineArgs' of type commandargs. |
+| test.rs:54:16:54:33 | ...::home_dir | Flow source 'CommandLineArgs' of type commandargs. |
+| test.rs:62:26:62:47 | ...::get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:65:26:65:47 | ...::get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:68:26:68:47 | ...::get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:71:26:71:47 | ...::get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:74:26:74:37 | ...::get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:77:26:77:37 | ...::get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:80:24:80:35 | ...::get | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:112:35:112:46 | send_request | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:119:31:119:42 | send_request | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| test.rs:203:16:203:29 | ...::args | Flow source 'CommandLineArgs' of type commandargs. |

rust/ql/test/library-tests/dataflow/sources/TaintSources.expected

@@ -31,11 +31,13 @@ fn test_env_args() {
     let arg1 = &args[1];
     let arg2 = std::env::args().nth(2).unwrap(); // $ Alert[rust/summary/taint-sources]
     let arg3 = std::env::args_os().nth(3).unwrap(); // $ Alert[rust/summary/taint-sources]
+    let arg4 = std::env::args().nth(4).unwrap().parse::<usize>().unwrap(); // $ Alert[rust/summary/taint-sources]
 
     sink(my_path); // $ hasTaintFlow
     sink(arg1); // $ hasTaintFlow
     sink(arg2); // $ hasTaintFlow
     sink(arg3); // $ hasTaintFlow
+    sink(arg4); // $ hasTaintFlow
 
     for arg in std::env::args() { // $ Alert[rust/summary/taint-sources]
         sink(arg); // $ hasTaintFlow