Rust: Add request forgery query

paldepind · paldepind · commit 3ee2fa01af34 · 2025-09-08T13:08:05.000+02:00
diff --git a/rust/ql/lib/codeql/rust/security/RequestForgeryExtensions.qll b/rust/ql/lib/codeql/rust/security/RequestForgeryExtensions.qll
@@ -0,0 +1,52 @@
+/**
+ * Provides classes and predicates for reasoning about request forgery
+ * vulnerabilities.
+ */
+
+import rust
+private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowSink
+private import codeql.rust.dataflow.FlowSource
+private import codeql.rust.Concepts
+private import codeql.rust.security.CleartextTransmissionExtensions
+
+/**
+ * Provides default sources, sinks and barriers for detecting request forgery
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+module RequestForgery {
+  /**
+   * A data flow source for request forgery vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for request forgery vulnerabilities.
+   */
+  abstract class Sink extends QuerySink::Range {
+    /**
+     * Gets the name of a part of the request that may be tainted by this sink,
+     * such as the URL or the host.
+     */
+    override string getSinkType() { result = "RequestForgery" }
+  }
+
+  /**
+   * A barrier for request forgery vulnerabilities.
+   */
+  abstract class Barrier extends DataFlow::Node { }
+
+  /**
+   * An active threat-model source, considered as a flow source.
+   */
+  private class ActiveThreatModelSourceAsSource extends Source, ActiveThreatModelSource { }
+
+  // TODO: Do this in a cleaner way
+  //   private class ClearTextTransmissionSink extends Sink instanceof CleartextTransmission::Sink { }
+  /**
+   * A sink for request forgery from model data.
+   */
+  private class ModelsAsDataSink extends Sink {
+    ModelsAsDataSink() { sinkNode(this, "request-url") }
+  }
+}
diff --git a/rust/ql/src/queries/security/CWE-918/RequestForgery.ql b/rust/ql/src/queries/security/CWE-918/RequestForgery.ql
@@ -0,0 +1,41 @@
+/**
+ * @name Server-side request forgery
+ * @description Making a network request with user-controlled data in the URL allows for request forgery attacks.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9.1
+ * @precision high
+ * @id rust/request-forgery
+ * @tags security
+ *       external/cwe/cwe-918
+ */
+
+private import rust
+private import codeql.rust.dataflow.TaintTracking
+private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowSink
+private import codeql.rust.Concepts
+private import codeql.rust.security.CleartextTransmissionExtensions
+private import codeql.rust.security.RequestForgeryExtensions
+
+/**
+ * A taint-tracking configuration for detecting request forgery vulnerabilities.
+ */
+module RequestForgeryConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RequestForgery::Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgery::Sink }
+
+  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof RequestForgery::Barrier }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+}
+
+module RequestForgeryFlow = TaintTracking::Global<RequestForgeryConfig>;
+
+import RequestForgeryFlow::PathGraph
+
+from RequestForgeryFlow::PathNode source, RequestForgeryFlow::PathNode sink
+where RequestForgeryFlow::flowPath(source, sink)
+select sink.getNode(), source, sink, "The $@ of this request depends on a $@.", sink, "URL",
+  source.getNode(), "user-provided value"
diff --git a/rust/ql/test/query-tests/security/CWE-918/RequestForgery.expected b/rust/ql/test/query-tests/security/CWE-918/RequestForgery.expected
@@ -0,0 +1,105 @@
+#select
+| request_forgery_tests.rs:68:24:68:35 | ...::get | request_forgery_tests.rs:65:29:65:36 | user_url | request_forgery_tests.rs:68:24:68:35 | ...::get | The $@ of this request depends on a $@. | request_forgery_tests.rs:68:24:68:35 | ...::get | URL | request_forgery_tests.rs:65:29:65:36 | user_url | user-provided value |
+| request_forgery_tests.rs:68:24:68:35 | ...::get | request_forgery_tests.rs:65:29:65:36 | user_url | request_forgery_tests.rs:68:24:68:35 | ...::get | The $@ of this request depends on a $@. | request_forgery_tests.rs:68:24:68:35 | ...::get | URL | request_forgery_tests.rs:65:29:65:36 | user_url | user-provided value |
+| request_forgery_tests.rs:78:25:78:36 | ...::get | request_forgery_tests.rs:65:29:65:36 | user_url | request_forgery_tests.rs:78:25:78:36 | ...::get | The $@ of this request depends on a $@. | request_forgery_tests.rs:78:25:78:36 | ...::get | URL | request_forgery_tests.rs:65:29:65:36 | user_url | user-provided value |
+| request_forgery_tests.rs:82:25:82:36 | ...::get | request_forgery_tests.rs:65:29:65:36 | user_url | request_forgery_tests.rs:82:25:82:36 | ...::get | The $@ of this request depends on a $@. | request_forgery_tests.rs:82:25:82:36 | ...::get | URL | request_forgery_tests.rs:65:29:65:36 | user_url | user-provided value |
+| request_forgery_tests.rs:86:25:86:36 | ...::get | request_forgery_tests.rs:65:29:65:36 | user_url | request_forgery_tests.rs:86:25:86:36 | ...::get | The $@ of this request depends on a $@. | request_forgery_tests.rs:86:25:86:36 | ...::get | URL | request_forgery_tests.rs:65:29:65:36 | user_url | user-provided value |
+| request_forgery_tests.rs:92:29:92:40 | ...::get | request_forgery_tests.rs:65:29:65:36 | user_url | request_forgery_tests.rs:92:29:92:40 | ...::get | The $@ of this request depends on a $@. | request_forgery_tests.rs:92:29:92:40 | ...::get | URL | request_forgery_tests.rs:65:29:65:36 | user_url | user-provided value |
+| request_forgery_tests.rs:92:29:92:40 | ...::get | request_forgery_tests.rs:65:29:65:36 | user_url | request_forgery_tests.rs:92:29:92:40 | ...::get | The $@ of this request depends on a $@. | request_forgery_tests.rs:92:29:92:40 | ...::get | URL | request_forgery_tests.rs:65:29:65:36 | user_url | user-provided value |
+| request_forgery_tests.rs:98:37:98:48 | ...::get | request_forgery_tests.rs:65:29:65:36 | user_url | request_forgery_tests.rs:98:37:98:48 | ...::get | The $@ of this request depends on a $@. | request_forgery_tests.rs:98:37:98:48 | ...::get | URL | request_forgery_tests.rs:65:29:65:36 | user_url | user-provided value |
+| request_forgery_tests.rs:98:37:98:48 | ...::get | request_forgery_tests.rs:65:29:65:36 | user_url | request_forgery_tests.rs:98:37:98:48 | ...::get | The $@ of this request depends on a $@. | request_forgery_tests.rs:98:37:98:48 | ...::get | URL | request_forgery_tests.rs:65:29:65:36 | user_url | user-provided value |
+edges
+| request_forgery_tests.rs:64:5:64:14 | res | request_forgery_tests.rs:77:27:77:49 | { ... } | provenance |  |
+| request_forgery_tests.rs:64:5:64:14 | res | request_forgery_tests.rs:81:27:81:57 | { ... } | provenance |  |
+| request_forgery_tests.rs:64:5:64:14 | res | request_forgery_tests.rs:85:27:85:70 | { ... } | provenance |  |
+| request_forgery_tests.rs:65:29:65:36 | user_url | request_forgery_tests.rs:68:38:68:45 | user_url | provenance |  |
+| request_forgery_tests.rs:65:29:65:36 | user_url | request_forgery_tests.rs:68:38:68:45 | user_url | provenance |  |
+| request_forgery_tests.rs:65:29:65:36 | user_url | request_forgery_tests.rs:77:27:77:49 | MacroExpr | provenance |  |
+| request_forgery_tests.rs:65:29:65:36 | user_url | request_forgery_tests.rs:81:27:81:57 | MacroExpr | provenance |  |
+| request_forgery_tests.rs:65:29:65:36 | user_url | request_forgery_tests.rs:85:27:85:70 | MacroExpr | provenance |  |
+| request_forgery_tests.rs:65:29:65:36 | user_url | request_forgery_tests.rs:92:43:92:50 | user_url | provenance |  |
+| request_forgery_tests.rs:65:29:65:36 | user_url | request_forgery_tests.rs:92:43:92:50 | user_url | provenance |  |
+| request_forgery_tests.rs:65:29:65:36 | user_url | request_forgery_tests.rs:98:51:98:58 | user_url | provenance |  |
+| request_forgery_tests.rs:65:29:65:36 | user_url | request_forgery_tests.rs:98:51:98:58 | user_url | provenance |  |
+| request_forgery_tests.rs:68:37:68:45 | &user_url [&ref] | request_forgery_tests.rs:68:24:68:35 | ...::get | provenance | MaD:3680 Sink:MaD:3680 |
+| request_forgery_tests.rs:68:37:68:45 | &user_url [&ref] | request_forgery_tests.rs:68:24:68:35 | ...::get | provenance | MaD:3680 Sink:MaD:3680 |
+| request_forgery_tests.rs:68:38:68:45 | user_url | request_forgery_tests.rs:68:37:68:45 | &user_url [&ref] | provenance |  |
+| request_forgery_tests.rs:68:38:68:45 | user_url | request_forgery_tests.rs:68:37:68:45 | &user_url [&ref] | provenance |  |
+| request_forgery_tests.rs:77:13:77:15 | url | request_forgery_tests.rs:78:39:78:41 | url | provenance |  |
+| request_forgery_tests.rs:77:27:77:49 | ...::format(...) | request_forgery_tests.rs:64:5:64:14 | res | provenance |  |
+| request_forgery_tests.rs:77:27:77:49 | ...::must_use(...) | request_forgery_tests.rs:77:13:77:15 | url | provenance |  |
+| request_forgery_tests.rs:77:27:77:49 | MacroExpr | request_forgery_tests.rs:77:27:77:49 | ...::format(...) | provenance | MaD:291 |
+| request_forgery_tests.rs:77:27:77:49 | { ... } | request_forgery_tests.rs:77:27:77:49 | ...::must_use(...) | provenance | MaD:10629 |
+| request_forgery_tests.rs:78:38:78:41 | &url [&ref] | request_forgery_tests.rs:78:25:78:36 | ...::get | provenance | MaD:3680 Sink:MaD:3680 |
+| request_forgery_tests.rs:78:39:78:41 | url | request_forgery_tests.rs:78:38:78:41 | &url [&ref] | provenance |  |
+| request_forgery_tests.rs:81:13:81:15 | url | request_forgery_tests.rs:82:39:82:41 | url | provenance |  |
+| request_forgery_tests.rs:81:27:81:57 | ...::format(...) | request_forgery_tests.rs:64:5:64:14 | res | provenance |  |
+| request_forgery_tests.rs:81:27:81:57 | ...::must_use(...) | request_forgery_tests.rs:81:13:81:15 | url | provenance |  |
+| request_forgery_tests.rs:81:27:81:57 | MacroExpr | request_forgery_tests.rs:81:27:81:57 | ...::format(...) | provenance | MaD:291 |
+| request_forgery_tests.rs:81:27:81:57 | { ... } | request_forgery_tests.rs:81:27:81:57 | ...::must_use(...) | provenance | MaD:10629 |
+| request_forgery_tests.rs:82:38:82:41 | &url [&ref] | request_forgery_tests.rs:82:25:82:36 | ...::get | provenance | MaD:3680 Sink:MaD:3680 |
+| request_forgery_tests.rs:82:39:82:41 | url | request_forgery_tests.rs:82:38:82:41 | &url [&ref] | provenance |  |
+| request_forgery_tests.rs:85:13:85:15 | url | request_forgery_tests.rs:86:39:86:41 | url | provenance |  |
+| request_forgery_tests.rs:85:27:85:70 | ...::format(...) | request_forgery_tests.rs:64:5:64:14 | res | provenance |  |
+| request_forgery_tests.rs:85:27:85:70 | ...::must_use(...) | request_forgery_tests.rs:85:13:85:15 | url | provenance |  |
+| request_forgery_tests.rs:85:27:85:70 | MacroExpr | request_forgery_tests.rs:85:27:85:70 | ...::format(...) | provenance | MaD:291 |
+| request_forgery_tests.rs:85:27:85:70 | { ... } | request_forgery_tests.rs:85:27:85:70 | ...::must_use(...) | provenance | MaD:10629 |
+| request_forgery_tests.rs:86:38:86:41 | &url [&ref] | request_forgery_tests.rs:86:25:86:36 | ...::get | provenance | MaD:3680 Sink:MaD:3680 |
+| request_forgery_tests.rs:86:39:86:41 | url | request_forgery_tests.rs:86:38:86:41 | &url [&ref] | provenance |  |
+| request_forgery_tests.rs:92:42:92:50 | &user_url [&ref] | request_forgery_tests.rs:92:29:92:40 | ...::get | provenance | MaD:3680 Sink:MaD:3680 |
+| request_forgery_tests.rs:92:42:92:50 | &user_url [&ref] | request_forgery_tests.rs:92:29:92:40 | ...::get | provenance | MaD:3680 Sink:MaD:3680 |
+| request_forgery_tests.rs:92:43:92:50 | user_url | request_forgery_tests.rs:92:42:92:50 | &user_url [&ref] | provenance |  |
+| request_forgery_tests.rs:92:43:92:50 | user_url | request_forgery_tests.rs:92:42:92:50 | &user_url [&ref] | provenance |  |
+| request_forgery_tests.rs:98:50:98:58 | &user_url [&ref] | request_forgery_tests.rs:98:37:98:48 | ...::get | provenance | MaD:3680 Sink:MaD:3680 |
+| request_forgery_tests.rs:98:50:98:58 | &user_url [&ref] | request_forgery_tests.rs:98:37:98:48 | ...::get | provenance | MaD:3680 Sink:MaD:3680 |
+| request_forgery_tests.rs:98:51:98:58 | user_url | request_forgery_tests.rs:98:50:98:58 | &user_url [&ref] | provenance |  |
+| request_forgery_tests.rs:98:51:98:58 | user_url | request_forgery_tests.rs:98:50:98:58 | &user_url [&ref] | provenance |  |
+nodes
+| request_forgery_tests.rs:64:5:64:14 | res | semmle.label | res |
+| request_forgery_tests.rs:64:5:64:14 | res | semmle.label | res |
+| request_forgery_tests.rs:64:5:64:14 | res | semmle.label | res |
+| request_forgery_tests.rs:65:29:65:36 | user_url | semmle.label | user_url |
+| request_forgery_tests.rs:65:29:65:36 | user_url | semmle.label | user_url |
+| request_forgery_tests.rs:68:24:68:35 | ...::get | semmle.label | ...::get |
+| request_forgery_tests.rs:68:24:68:35 | ...::get | semmle.label | ...::get |
+| request_forgery_tests.rs:68:37:68:45 | &user_url [&ref] | semmle.label | &user_url [&ref] |
+| request_forgery_tests.rs:68:37:68:45 | &user_url [&ref] | semmle.label | &user_url [&ref] |
+| request_forgery_tests.rs:68:38:68:45 | user_url | semmle.label | user_url |
+| request_forgery_tests.rs:68:38:68:45 | user_url | semmle.label | user_url |
+| request_forgery_tests.rs:77:13:77:15 | url | semmle.label | url |
+| request_forgery_tests.rs:77:27:77:49 | ...::format(...) | semmle.label | ...::format(...) |
+| request_forgery_tests.rs:77:27:77:49 | ...::must_use(...) | semmle.label | ...::must_use(...) |
+| request_forgery_tests.rs:77:27:77:49 | MacroExpr | semmle.label | MacroExpr |
+| request_forgery_tests.rs:77:27:77:49 | { ... } | semmle.label | { ... } |
+| request_forgery_tests.rs:78:25:78:36 | ...::get | semmle.label | ...::get |
+| request_forgery_tests.rs:78:38:78:41 | &url [&ref] | semmle.label | &url [&ref] |
+| request_forgery_tests.rs:78:39:78:41 | url | semmle.label | url |
+| request_forgery_tests.rs:81:13:81:15 | url | semmle.label | url |
+| request_forgery_tests.rs:81:27:81:57 | ...::format(...) | semmle.label | ...::format(...) |
+| request_forgery_tests.rs:81:27:81:57 | ...::must_use(...) | semmle.label | ...::must_use(...) |
+| request_forgery_tests.rs:81:27:81:57 | MacroExpr | semmle.label | MacroExpr |
+| request_forgery_tests.rs:81:27:81:57 | { ... } | semmle.label | { ... } |
+| request_forgery_tests.rs:82:25:82:36 | ...::get | semmle.label | ...::get |
+| request_forgery_tests.rs:82:38:82:41 | &url [&ref] | semmle.label | &url [&ref] |
+| request_forgery_tests.rs:82:39:82:41 | url | semmle.label | url |
+| request_forgery_tests.rs:85:13:85:15 | url | semmle.label | url |
+| request_forgery_tests.rs:85:27:85:70 | ...::format(...) | semmle.label | ...::format(...) |
+| request_forgery_tests.rs:85:27:85:70 | ...::must_use(...) | semmle.label | ...::must_use(...) |
+| request_forgery_tests.rs:85:27:85:70 | MacroExpr | semmle.label | MacroExpr |
+| request_forgery_tests.rs:85:27:85:70 | { ... } | semmle.label | { ... } |
+| request_forgery_tests.rs:86:25:86:36 | ...::get | semmle.label | ...::get |
+| request_forgery_tests.rs:86:38:86:41 | &url [&ref] | semmle.label | &url [&ref] |
+| request_forgery_tests.rs:86:39:86:41 | url | semmle.label | url |
+| request_forgery_tests.rs:92:29:92:40 | ...::get | semmle.label | ...::get |
+| request_forgery_tests.rs:92:29:92:40 | ...::get | semmle.label | ...::get |
+| request_forgery_tests.rs:92:42:92:50 | &user_url [&ref] | semmle.label | &user_url [&ref] |
+| request_forgery_tests.rs:92:42:92:50 | &user_url [&ref] | semmle.label | &user_url [&ref] |
+| request_forgery_tests.rs:92:43:92:50 | user_url | semmle.label | user_url |
+| request_forgery_tests.rs:92:43:92:50 | user_url | semmle.label | user_url |
+| request_forgery_tests.rs:98:37:98:48 | ...::get | semmle.label | ...::get |
+| request_forgery_tests.rs:98:37:98:48 | ...::get | semmle.label | ...::get |
+| request_forgery_tests.rs:98:50:98:58 | &user_url [&ref] | semmle.label | &user_url [&ref] |
+| request_forgery_tests.rs:98:50:98:58 | &user_url [&ref] | semmle.label | &user_url [&ref] |
+| request_forgery_tests.rs:98:51:98:58 | user_url | semmle.label | user_url |
+| request_forgery_tests.rs:98:51:98:58 | user_url | semmle.label | user_url |
+subpaths
diff --git a/rust/ql/test/query-tests/security/CWE-918/RequestForgery.qlref b/rust/ql/test/query-tests/security/CWE-918/RequestForgery.qlref
@@ -0,0 +1,2 @@
+query: queries/security/CWE-918/RequestForgery.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+query: queries/security/CWE-918/RequestForgery.ql`
	`2`	`+postprocess: utils/test/InlineExpectationsTestQuery.ql`