Rust: Add models for Warp

paldepind · paldepind · commit 1af6b37fc4da · 2025-09-17T09:18:39.000+02:00
diff --git a/rust/ql/lib/codeql/rust/frameworks/warp.model.yml b/rust/ql/lib/codeql/rust/frameworks/warp.model.yml
@@ -0,0 +1,20 @@
+extensions:
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: sourceModel
+    data:
+      - ["<_ as warp::filter::Filter>::then", "Argument[0].Parameter[0]", "remote", "manual"]
+      - ["<_ as warp::filter::Filter>::then", "Argument[0].Parameter[1]", "remote", "manual"]
+      - ["<_ as warp::filter::Filter>::then", "Argument[0].Parameter[2]", "remote", "manual"]
+      - ["<_ as warp::filter::Filter>::then", "Argument[0].Parameter[3]", "remote", "manual"]
+      - ["<_ as warp::filter::Filter>::then", "Argument[0].Parameter[4]", "remote", "manual"]
+      - ["<_ as warp::filter::Filter>::map", "Argument[0].Parameter[0]", "remote", "manual"]
+      - ["<_ as warp::filter::Filter>::map", "Argument[0].Parameter[1]", "remote", "manual"]
+      - ["<_ as warp::filter::Filter>::map", "Argument[0].Parameter[2]", "remote", "manual"]
+      - ["<_ as warp::filter::Filter>::map", "Argument[0].Parameter[3]", "remote", "manual"]
+      - ["<_ as warp::filter::Filter>::map", "Argument[0].Parameter[4]", "remote", "manual"]
+      - ["<_ as warp::filter::Filter>::and_then", "Argument[0].Parameter[0]", "remote", "manual"]
+      - ["<_ as warp::filter::Filter>::and_then", "Argument[0].Parameter[1]", "remote", "manual"]
+      - ["<_ as warp::filter::Filter>::and_then", "Argument[0].Parameter[2]", "remote", "manual"]
+      - ["<_ as warp::filter::Filter>::and_then", "Argument[0].Parameter[3]", "remote", "manual"]
+      - ["<_ as warp::filter::Filter>::and_then", "Argument[0].Parameter[4]", "remote", "manual"]
diff --git a/rust/ql/test/library-tests/dataflow/sources/TaintSources.expected b/rust/ql/test/library-tests/dataflow/sources/TaintSources.expected
@@ -100,3 +100,33 @@
 | web_frameworks.rs:58:14:58:15 | ms | Flow source 'RemoteSource' of type remote (DEFAULT). |
 | web_frameworks.rs:68:15:68:15 | a | Flow source 'RemoteSource' of type remote (DEFAULT). |
 | web_frameworks.rs:68:15:68:15 | a | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:242:33:242:35 | map | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:250:46:250:49 | then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
+| web_frameworks.rs:259:50:259:57 | and_then | Flow source 'RemoteSource' of type remote (DEFAULT). |
diff --git a/rust/ql/test/library-tests/dataflow/sources/web_frameworks.rs b/rust/ql/test/library-tests/dataflow/sources/web_frameworks.rs
@@ -239,15 +239,15 @@ mod warp_test {
     async fn test_warp() {
         // A route with parameter and `map`
         let map_route =
-            warp::path::param().map(|a: String| // $ MISSING: Alert[rust/summary/taint-sources]
+            warp::path::param().map(|a: String| // $ Alert[rust/summary/taint-sources]
             {
             sink(a); // $ MISSING: hasTaintFlow
 
             "".to_string()
         });
 
         // A route with parameter and `then`
-        let then_route = warp::path::param().then( // $ MISSING: Alert[rust/summary/taint-sources]
+        let then_route = warp::path::param().then( // $ Alert[rust/summary/taint-sources]
             |a: String| async move {
                 sink(a); // $ MISSING: hasTaintFlow
 
@@ -256,7 +256,7 @@ mod warp_test {
         );
 
         // A route with parameter and `and_then`
-        let and_then_route = warp::path::param().and_then( // $ MISSING: Alert[rust/summary/taint-sources] 
+        let and_then_route = warp::path::param().and_then( // $ Alert[rust/summary/taint-sources] 
             | id: u64 |
             async move {
             if id != 0 {
