Rust: Use case insensitive regexps.

geoffw0 · geoffw0 · commit 4b281fdf12fb · 2025-09-16T13:02:54.000+01:00
diff --git a/rust/ql/lib/codeql/rust/security/UseOfHttpExtensions.qll b/rust/ql/lib/codeql/rust/security/UseOfHttpExtensions.qll
@@ -37,8 +37,8 @@ module UseOfHttp {
     HttpStringLiteral() {
       exists(string s | this.getTextValue() = s |
         // Match HTTP URLs that are not private/local
-        s.regexpMatch("\"http://.*\"") and
-        not s.regexpMatch("\"http://(localhost|127\\.0\\.0\\.1|192\\.168\\.[0-9]+\\.[0-9]+|10\\.[0-9]+\\.[0-9]+\\.[0-9]+|172\\.(1[6-9]|2[0-9]|3[01])\\.[0-9]+|\\[::1\\]|\\[0:0:0:0:0:0:0:1\\]).*\"")
+        s.regexpMatch("(?i)\"http://.*\"") and
+        not s.regexpMatch("(?i)\"http://(localhost|127\\.0\\.0\\.1|192\\.168\\.[0-9]+\\.[0-9]+|10\\.[0-9]+\\.[0-9]+\\.[0-9]+|172\\.(1[6-9]|2[0-9]|3[01])\\.[0-9]+|\\[::1\\]|\\[0:0:0:0:0:0:0:1\\]).*\"")
       )
     }
   }
diff --git a/rust/ql/test/query-tests/security/CWE-319/UseOfHttp.expected b/rust/ql/test/query-tests/security/CWE-319/UseOfHttp.expected
@@ -1,12 +1,14 @@
 #select
 | main.rs:12:22:12:43 | ...::get | main.rs:12:45:12:68 | "http://example.com/api" | main.rs:12:22:12:43 | ...::get | This URL may be constructed with the HTTP protocol, from $@. | main.rs:12:45:12:68 | "http://example.com/api" | this HTTP URL |
+| main.rs:13:22:13:43 | ...::get | main.rs:13:45:13:68 | "HTTP://EXAMPLE.COM/API" | main.rs:13:22:13:43 | ...::get | This URL may be constructed with the HTTP protocol, from $@. | main.rs:13:45:13:68 | "HTTP://EXAMPLE.COM/API" | this HTTP URL |
 | main.rs:14:22:14:43 | ...::get | main.rs:14:45:14:73 | "http://api.example.com/data" | main.rs:14:22:14:43 | ...::get | This URL may be constructed with the HTTP protocol, from $@. | main.rs:14:45:14:73 | "http://api.example.com/data" | this HTTP URL |
 | main.rs:26:21:26:42 | ...::get | main.rs:23:20:23:39 | "http://example.com" | main.rs:26:21:26:42 | ...::get | This URL may be constructed with the HTTP protocol, from $@. | main.rs:23:20:23:39 | "http://example.com" | this HTTP URL |
 | main.rs:37:30:37:51 | ...::get | main.rs:34:20:34:28 | "http://" | main.rs:37:30:37:51 | ...::get | This URL may be constructed with the HTTP protocol, from $@. | main.rs:34:20:34:28 | "http://" | this HTTP URL |
 | main.rs:60:20:60:41 | ...::get | main.rs:60:43:60:65 | "http://172.32.0.0/baz" | main.rs:60:20:60:41 | ...::get | This URL may be constructed with the HTTP protocol, from $@. | main.rs:60:43:60:65 | "http://172.32.0.0/baz" | this HTTP URL |
 | main.rs:71:24:71:45 | ...::get | main.rs:68:19:68:53 | "http://example.com/sensitive-... | main.rs:71:24:71:45 | ...::get | This URL may be constructed with the HTTP protocol, from $@. | main.rs:68:19:68:53 | "http://example.com/sensitive-... | this HTTP URL |
 edges
 | main.rs:12:45:12:68 | "http://example.com/api" | main.rs:12:22:12:43 | ...::get | provenance | MaD:1 Sink:MaD:1 |
+| main.rs:13:45:13:68 | "HTTP://EXAMPLE.COM/API" | main.rs:13:22:13:43 | ...::get | provenance | MaD:1 Sink:MaD:1 |
 | main.rs:14:45:14:73 | "http://api.example.com/data" | main.rs:14:22:14:43 | ...::get | provenance | MaD:1 Sink:MaD:1 |
 | main.rs:23:9:23:16 | base_url | main.rs:25:28:25:53 | MacroExpr | provenance |  |
 | main.rs:23:20:23:39 | "http://example.com" | main.rs:23:9:23:16 | base_url | provenance |  |
@@ -39,6 +41,8 @@ models
 nodes
 | main.rs:12:22:12:43 | ...::get | semmle.label | ...::get |
 | main.rs:12:45:12:68 | "http://example.com/api" | semmle.label | "http://example.com/api" |
+| main.rs:13:22:13:43 | ...::get | semmle.label | ...::get |
+| main.rs:13:45:13:68 | "HTTP://EXAMPLE.COM/API" | semmle.label | "HTTP://EXAMPLE.COM/API" |
 | main.rs:14:22:14:43 | ...::get | semmle.label | ...::get |
 | main.rs:14:45:14:73 | "http://api.example.com/data" | semmle.label | "http://api.example.com/data" |
 | main.rs:23:9:23:16 | base_url | semmle.label | base_url |
diff --git a/rust/ql/test/query-tests/security/CWE-319/main.rs b/rust/ql/test/query-tests/security/CWE-319/main.rs
@@ -10,7 +10,7 @@ fn main() {
 fn test_direct_literals() {
     // BAD: Direct HTTP URLs that should be flagged
     let _response1 = reqwest::blocking::get("http://example.com/api").unwrap(); // $ Alert[rust/non-https-url]
-    let _response2 = reqwest::blocking::get("HTTP://EXAMPLE.COM/API").unwrap(); // $ MISSING: Alert[rust/non-https-url]
+    let _response2 = reqwest::blocking::get("HTTP://EXAMPLE.COM/API").unwrap(); // $ Alert[rust/non-https-url]
     let _response3 = reqwest::blocking::get("http://api.example.com/data").unwrap(); // $ Alert[rust/non-https-url]
 
     // GOOD: HTTPS URLs that should not be flagged

Original file line number	Diff line number	Diff line change
`@@ -37,8 +37,8 @@ module UseOfHttp {`
`37`	`37`	`HttpStringLiteral() {`
`38`	`38`	`exists(string s \| this.getTextValue() = s \|`
`39`	`39`	`// Match HTTP URLs that are not private/local`
`40`		`- s.regexpMatch("\"http://.*\"") and`
`41`		`- not s.regexpMatch("\"http://(localhost\|127\\.0\\.0\\.1\|192\\.168\\.[0-9]+\\.[0-9]+\|10\\.[0-9]+\\.[0-9]+\\.[0-9]+\|172\\.(1[6-9]\|2[0-9]\|3[01])\\.[0-9]+\|\\[::1\\]\|\\[0:0:0:0:0:0:0:1\\]).*\"")`
	`40`	`+ s.regexpMatch("(?i)\"http://.*\"") and`
	`41`	`+ not s.regexpMatch("(?i)\"http://(localhost\|127\\.0\\.0\\.1\|192\\.168\\.[0-9]+\\.[0-9]+\|10\\.[0-9]+\\.[0-9]+\\.[0-9]+\|172\\.(1[6-9]\|2[0-9]\|3[01])\\.[0-9]+\|\\[::1\\]\|\\[0:0:0:0:0:0:0:1\\]).*\"")`
`42`	`42`	`)`
`43`	`43`	`}`
`44`	`44`	`}`