Merge pull request #20381 from paldepind/rust/request-forgery-query

Rust: Add basic request forgery query

Author: paldepind

rust/ql/integration-tests/query-suite/rust-code-scanning.qls.expected

@@ -19,6 +19,7 @@ ql/rust/ql/src/queries/security/CWE-328/WeakSensitiveDataHashing.ql
 ql/rust/ql/src/queries/security/CWE-770/UncontrolledAllocationSize.ql
 ql/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.ql
 ql/rust/ql/src/queries/security/CWE-825/AccessInvalidPointer.ql
+ql/rust/ql/src/queries/security/CWE-918/RequestForgery.ql
 ql/rust/ql/src/queries/summary/LinesOfCode.ql
 ql/rust/ql/src/queries/summary/LinesOfUserCode.ql
 ql/rust/ql/src/queries/summary/NodesWithTypeAtLengthLimit.ql

rust/ql/integration-tests/query-suite/rust-security-and-quality.qls.expected

@@ -22,6 +22,7 @@ ql/rust/ql/src/queries/security/CWE-770/UncontrolledAllocationSize.ql
 ql/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.ql
 ql/rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql
 ql/rust/ql/src/queries/security/CWE-825/AccessInvalidPointer.ql
+ql/rust/ql/src/queries/security/CWE-918/RequestForgery.ql
 ql/rust/ql/src/queries/summary/LinesOfCode.ql
 ql/rust/ql/src/queries/summary/LinesOfUserCode.ql
 ql/rust/ql/src/queries/summary/NodesWithTypeAtLengthLimit.ql

rust/ql/integration-tests/query-suite/rust-security-extended.qls.expected

@@ -21,6 +21,7 @@ ql/rust/ql/src/queries/security/CWE-770/UncontrolledAllocationSize.ql
 ql/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.ql
 ql/rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql
 ql/rust/ql/src/queries/security/CWE-825/AccessInvalidPointer.ql
+ql/rust/ql/src/queries/security/CWE-918/RequestForgery.ql
 ql/rust/ql/src/queries/summary/LinesOfCode.ql
 ql/rust/ql/src/queries/summary/LinesOfUserCode.ql
 ql/rust/ql/src/queries/summary/NodesWithTypeAtLengthLimit.ql

rust/ql/lib/codeql/rust/frameworks/reqwest.model.yml

@@ -9,8 +9,8 @@ extensions:
       pack: codeql/rust-all
       extensible: sinkModel
     data:
-      - ["<reqwest::async_impl::client::Client>::request", "Argument[1]", "transmission", "manual"]
-      - ["<reqwest::blocking::client::Client>::request", "Argument[1]", "transmission", "manual"]
+      - ["<reqwest::async_impl::client::Client>::request", "Argument[1]", "request-url", "manual"]
+      - ["<reqwest::blocking::client::Client>::request", "Argument[1]", "request-url", "manual"]
   - addsTo:
       pack: codeql/rust-all
       extensible: summaryModel

rust/ql/lib/codeql/rust/security/CleartextTransmissionExtensions.qll

@@ -53,6 +53,6 @@ module CleartextTransmission {
    * A sink defined through MaD.
    */
   private class ModelsAsDataSink extends Sink {
-    ModelsAsDataSink() { sinkNode(this, "transmission") }
+    ModelsAsDataSink() { sinkNode(this, ["transmission", "request-url"]) }
   }
 }

rust/ql/lib/codeql/rust/security/RequestForgeryExtensions.qll

@@ -0,0 +1,49 @@
+/**
+ * Provides classes and predicates for reasoning about request forgery
+ * vulnerabilities.
+ */
+
+import rust
+private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowSink
+private import codeql.rust.dataflow.FlowSource
+private import codeql.rust.Concepts
+
+/**
+ * Provides default sources, sinks and barriers for detecting request forgery
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+module RequestForgery {
+  /**
+   * A data flow source for request forgery vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for request forgery vulnerabilities.
+   */
+  abstract class Sink extends QuerySink::Range {
+    /**
+     * Gets the name of a part of the request that may be tainted by this sink,
+     * such as the URL or the host.
+     */
+    override string getSinkType() { result = "RequestForgery" }
+  }
+
+  /**
+   * A barrier for request forgery vulnerabilities.
+   */
+  abstract class Barrier extends DataFlow::Node { }
+
+  /**
+   * An active threat-model source, considered as a flow source.
+   */
+  private class ActiveThreatModelSourceAsSource extends Source, ActiveThreatModelSource { }
+
+  /**
+   * A sink for request forgery from model data.
+   */
+  private class ModelsAsDataSink extends Sink {
+    ModelsAsDataSink() { sinkNode(this, "request-url") }
+  }
+}

rust/ql/lib/ext/generated/reqwest.model.yml

@@ -424,21 +424,21 @@ extensions:
       pack: codeql/rust-all
       extensible: sinkModel
     data:
-      - ["<reqwest::async_impl::client::Client>::delete", "Argument[0]", "transmission", "df-generated"]
-      - ["<reqwest::async_impl::client::Client>::get", "Argument[0]", "transmission", "df-generated"]
-      - ["<reqwest::async_impl::client::Client>::head", "Argument[0]", "transmission", "df-generated"]
-      - ["<reqwest::async_impl::client::Client>::patch", "Argument[0]", "transmission", "df-generated"]
-      - ["<reqwest::async_impl::client::Client>::post", "Argument[0]", "transmission", "df-generated"]
-      - ["<reqwest::async_impl::client::Client>::put", "Argument[0]", "transmission", "df-generated"]
+      - ["<reqwest::async_impl::client::Client>::delete", "Argument[0]", "request-url", "df-generated"]
+      - ["<reqwest::async_impl::client::Client>::get", "Argument[0]", "request-url", "df-generated"]
+      - ["<reqwest::async_impl::client::Client>::head", "Argument[0]", "request-url", "df-generated"]
+      - ["<reqwest::async_impl::client::Client>::patch", "Argument[0]", "request-url", "df-generated"]
+      - ["<reqwest::async_impl::client::Client>::post", "Argument[0]", "request-url", "df-generated"]
+      - ["<reqwest::async_impl::client::Client>::put", "Argument[0]", "request-url", "df-generated"]
       - ["<reqwest::async_impl::multipart::Form>::into_stream", "Argument[self]", "log-injection", "df-generated"]
       - ["<reqwest::async_impl::multipart::Form>::stream", "Argument[self]", "log-injection", "df-generated"]
       - ["<reqwest::async_impl::request::RequestBuilder>::multipart", "Argument[0]", "log-injection", "df-generated"]
-      - ["<reqwest::blocking::client::Client>::delete", "Argument[0]", "transmission", "df-generated"]
-      - ["<reqwest::blocking::client::Client>::get", "Argument[0]", "transmission", "df-generated"]
-      - ["<reqwest::blocking::client::Client>::head", "Argument[0]", "transmission", "df-generated"]
-      - ["<reqwest::blocking::client::Client>::patch", "Argument[0]", "transmission", "df-generated"]
-      - ["<reqwest::blocking::client::Client>::post", "Argument[0]", "transmission", "df-generated"]
-      - ["<reqwest::blocking::client::Client>::put", "Argument[0]", "transmission", "df-generated"]
+      - ["<reqwest::blocking::client::Client>::delete", "Argument[0]", "request-url", "df-generated"]
+      - ["<reqwest::blocking::client::Client>::get", "Argument[0]", "request-url", "df-generated"]
+      - ["<reqwest::blocking::client::Client>::head", "Argument[0]", "request-url", "df-generated"]
+      - ["<reqwest::blocking::client::Client>::patch", "Argument[0]", "request-url", "df-generated"]
+      - ["<reqwest::blocking::client::Client>::post", "Argument[0]", "request-url", "df-generated"]
+      - ["<reqwest::blocking::client::Client>::put", "Argument[0]", "request-url", "df-generated"]
       - ["<reqwest::blocking::multipart::Form>::into_reader", "Argument[self]", "log-injection", "df-generated"]
       - ["<reqwest::blocking::multipart::Form>::reader", "Argument[self]", "log-injection", "df-generated"]
       - ["<reqwest::blocking::multipart::Reader as std::io::Read>::read", "Argument[self]", "log-injection", "df-generated"]
@@ -450,9 +450,9 @@ extensions:
       - ["<reqwest::blocking::response::Response>::text_with_charset", "Argument[self]", "pointer-access", "df-generated"]
       - ["<reqwest::connect::ConnectorService as tower_service::Service>::call", "Argument[0]", "log-injection", "df-generated"]
       - ["<reqwest::error::Error>::new", "Argument[1]", "pointer-access", "df-generated"]
-      - ["reqwest::blocking::get", "Argument[0]", "transmission", "df-generated"]
+      - ["reqwest::blocking::get", "Argument[0]", "request-url", "df-generated"]
       - ["reqwest::blocking::wait::timeout", "Argument[1]", "pointer-access", "df-generated"]
-      - ["reqwest::get", "Argument[0]", "transmission", "df-generated"]
+      - ["reqwest::get", "Argument[0]", "request-url", "df-generated"]
   - addsTo:
       pack: codeql/rust-all
       extensible: sourceModel

rust/ql/src/change-notes/2025-09-09-request-forgery.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new query, `rust/request-forgery`, for detecting server-side request forgery vulnerabilities.

rust/ql/src/queries/security/CWE-918/RequestForgery.qhelp

@@ -0,0 +1,48 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Directly incorporating user input into an HTTP request without validating the
+input can facilitate server-side request forgery (SSRF) attacks. In these
+attacks, the server may be tricked into making a request to an unintended API
+endpoint or resource.
+
+If the server is connected to an internal network, attackers can bypass security
+boundaries to target internal services.
+
+Forged requests can execute unintended actions, leak data if redirected to an
+external server, or compromise the server if responses are handled insecurely.
+</p>
+</overview>
+
+<recommendation>
+<p>
+To guard against SSRF attacks, you should avoid putting user-provided input
+directly into a request URL. Instead, maintain a list of authorized URLs on the
+server; then choose from that list based on the input provided. Alternatively,
+ensure requests constructed from user input are limited to a particular host or
+a more restrictive URL prefix.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example shows an HTTP request parameter being used directly to
+form a new request without validating the input, which facilitates SSRF attacks.
+It also shows how to remedy the problem by validating the user input against a
+known fixed string.
+</p>
+
+<sample src="RequestForgery.rs" />
+</example>
+
+<references>
+  <li>
+    <a href="https://owasp.org/www-community/attacks/Server_Side_Request_Forgery">OWASP Server Side Request Forgery</a>.
+  </li>
+</references>
+
+</qhelp>

rust/ql/src/queries/security/CWE-918/RequestForgery.ql

@@ -0,0 +1,38 @@
+/**
+ * @name Server-side request forgery
+ * @description Making a network request with user-controlled data in the URL allows for request forgery attacks.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9.1
+ * @precision high
+ * @id rust/request-forgery
+ * @tags security
+ *       external/cwe/cwe-918
+ */
+
+private import rust
+private import codeql.rust.dataflow.TaintTracking
+private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.security.RequestForgeryExtensions
+
+/**
+ * A taint-tracking configuration for detecting request forgery vulnerabilities.
+ */
+module RequestForgeryConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RequestForgery::Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgery::Sink }
+
+  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof RequestForgery::Barrier }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+}
+
+module RequestForgeryFlow = TaintTracking::Global<RequestForgeryConfig>;
+
+import RequestForgeryFlow::PathGraph
+
+from RequestForgeryFlow::PathNode source, RequestForgeryFlow::PathNode sink
+where RequestForgeryFlow::flowPath(source, sink)
+select sink.getNode(), source, sink, "The URL of this request depends on a $@.", source.getNode(),
+  "user-provided value"