feat(rust): Add ReSQLite source support

Author: GeekMasher

rust/ql/lib/codeql/rust/frameworks/rusqlite.model.yml

@@ -9,3 +9,12 @@ extensions:
       - ["repo:https://github.com/rusqlite/rusqlite:rusqlite", "<crate::Connection>::prepare_with_flags", "Argument[0]", "sql-injection", "manual"]
       - ["repo:https://github.com/rusqlite/rusqlite:rusqlite", "<crate::Connection>::query_row", "Argument[0]", "sql-injection", "manual"]
       - ["repo:https://github.com/rusqlite/rusqlite:rusqlite", "<crate::Connection>::query_row_and_then", "Argument[0]", "sql-injection", "manual"]
+
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: sourceModel
+    data:
+      - ["repo:https://github.com/rusqlite/rusqlite:rusqlite", "<crate::row::Row>::get", "ReturnValue.Variant[crate::result::Result::Ok(0)]", "database", "manual"]
+      - ["repo:https://github.com/rusqlite/rusqlite:rusqlite", "<crate::row::Row>::get_unwrap", "ReturnValue", "database", "manual"]
+      - ["repo:https://github.com/rusqlite/rusqlite:rusqlite", "<crate::row::Row>::get_ref", "ReturnValue.Variant[crate::result::Result::Ok(0)]", "database", "manual"]
+      - ["repo:https://github.com/rusqlite/rusqlite:rusqlite", "<crate::row::Row>::get_ref_unwrap", "ReturnValue", "database", "manual"]

rust/ql/test/library-tests/frameworks/rusqlite/Rusqlite.ql

@@ -4,7 +4,7 @@ import codeql.rust.Concepts
 import utils.test.InlineExpectationsTest
 
 module RusqliteTest implements TestSig {
-  string getARelevantTag() { result = ["sql-sink"] }
+  string getARelevantTag() { result = ["sql-sink", "database-read"] }
 
   predicate hasActualResult(Location location, string element, string tag, string value) {
     exists(SqlInjection::Sink sink |
@@ -14,6 +14,14 @@ module RusqliteTest implements TestSig {
       tag = "sql-sink" and
       value = ""
     )
+    or
+    exists(ModeledDatabaseSource sink |
+      location = sink.getLocation() and
+      location.getFile().getBaseName() != "" and
+      element = sink.toString() and
+      tag = "database-read" and
+      value = ""
+    )
   }
 }
 

rust/ql/test/library-tests/frameworks/rusqlite/main.rs

@@ -31,18 +31,18 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
 
     let person = connection.query_row(&query, (), |row| {    // $ sql-sink
         Ok(Person {
-            id: row.get(0)?,
-            name: row.get(1)?,
-            age: row.get(2)?,
+            id: row.get(0)?,        // $ database-read
+            name: row.get(1)?,      // $ database-read
+            age: row.get(2)?,       // $ database-read
         })
     })?;
 
     let mut stmt = connection.prepare("SELECT id, name, age FROM person")?;      // $ sql-sink
     let people = stmt.query_map([], |row| {
         Ok(Person {
-            id: row.get(0)?,
-            name: row.get(1)?,
-            age: row.get(2)?,
+            id: row.get_unwrap(0),      // $ database-read
+            name: row.get_unwrap(1),    // $ database-read
+            age: row.get_unwrap(2),     // $ database-read
         })
     })?;