Rust: Relabel reqwest sinks as request-url

paldepind · paldepind · commit eea11dbf5f12 · 2025-09-08T13:05:58.000+02:00
diff --git a/rust/ql/lib/codeql/rust/frameworks/reqwest.model.yml b/rust/ql/lib/codeql/rust/frameworks/reqwest.model.yml
@@ -9,8 +9,8 @@ extensions:
       pack: codeql/rust-all
       extensible: sinkModel
     data:
-      - ["<reqwest::async_impl::client::Client>::request", "Argument[1]", "transmission", "manual"]
-      - ["<reqwest::blocking::client::Client>::request", "Argument[1]", "transmission", "manual"]
+      - ["<reqwest::async_impl::client::Client>::request", "Argument[1]", "request-url", "manual"]
+      - ["<reqwest::blocking::client::Client>::request", "Argument[1]", "request-url", "manual"]
   - addsTo:
       pack: codeql/rust-all
       extensible: summaryModel
diff --git a/rust/ql/lib/codeql/rust/security/CleartextTransmissionExtensions.qll b/rust/ql/lib/codeql/rust/security/CleartextTransmissionExtensions.qll
@@ -53,6 +53,6 @@ module CleartextTransmission {
    * A sink defined through MaD.
    */
   private class ModelsAsDataSink extends Sink {
-    ModelsAsDataSink() { sinkNode(this, "transmission") }
+    ModelsAsDataSink() { sinkNode(this, ["transmission", "request-url"]) }
   }
 }
diff --git a/rust/ql/lib/ext/generated/reqwest.model.yml b/rust/ql/lib/ext/generated/reqwest.model.yml
@@ -424,21 +424,21 @@ extensions:
       pack: codeql/rust-all
       extensible: sinkModel
     data:
-      - ["<reqwest::async_impl::client::Client>::delete", "Argument[0]", "transmission", "df-generated"]
-      - ["<reqwest::async_impl::client::Client>::get", "Argument[0]", "transmission", "df-generated"]
-      - ["<reqwest::async_impl::client::Client>::head", "Argument[0]", "transmission", "df-generated"]
-      - ["<reqwest::async_impl::client::Client>::patch", "Argument[0]", "transmission", "df-generated"]
-      - ["<reqwest::async_impl::client::Client>::post", "Argument[0]", "transmission", "df-generated"]
-      - ["<reqwest::async_impl::client::Client>::put", "Argument[0]", "transmission", "df-generated"]
+      - ["<reqwest::async_impl::client::Client>::delete", "Argument[0]", "request-url", "df-generated"]
+      - ["<reqwest::async_impl::client::Client>::get", "Argument[0]", "request-url", "df-generated"]
+      - ["<reqwest::async_impl::client::Client>::head", "Argument[0]", "request-url", "df-generated"]
+      - ["<reqwest::async_impl::client::Client>::patch", "Argument[0]", "request-url", "df-generated"]
+      - ["<reqwest::async_impl::client::Client>::post", "Argument[0]", "request-url", "df-generated"]
+      - ["<reqwest::async_impl::client::Client>::put", "Argument[0]", "request-url", "df-generated"]
       - ["<reqwest::async_impl::multipart::Form>::into_stream", "Argument[self]", "log-injection", "df-generated"]
       - ["<reqwest::async_impl::multipart::Form>::stream", "Argument[self]", "log-injection", "df-generated"]
       - ["<reqwest::async_impl::request::RequestBuilder>::multipart", "Argument[0]", "log-injection", "df-generated"]
-      - ["<reqwest::blocking::client::Client>::delete", "Argument[0]", "transmission", "df-generated"]
-      - ["<reqwest::blocking::client::Client>::get", "Argument[0]", "transmission", "df-generated"]
-      - ["<reqwest::blocking::client::Client>::head", "Argument[0]", "transmission", "df-generated"]
-      - ["<reqwest::blocking::client::Client>::patch", "Argument[0]", "transmission", "df-generated"]
-      - ["<reqwest::blocking::client::Client>::post", "Argument[0]", "transmission", "df-generated"]
-      - ["<reqwest::blocking::client::Client>::put", "Argument[0]", "transmission", "df-generated"]
+      - ["<reqwest::blocking::client::Client>::delete", "Argument[0]", "request-url", "df-generated"]
+      - ["<reqwest::blocking::client::Client>::get", "Argument[0]", "request-url", "df-generated"]
+      - ["<reqwest::blocking::client::Client>::head", "Argument[0]", "request-url", "df-generated"]
+      - ["<reqwest::blocking::client::Client>::patch", "Argument[0]", "request-url", "df-generated"]
+      - ["<reqwest::blocking::client::Client>::post", "Argument[0]", "request-url", "df-generated"]
+      - ["<reqwest::blocking::client::Client>::put", "Argument[0]", "request-url", "df-generated"]
       - ["<reqwest::blocking::multipart::Form>::into_reader", "Argument[self]", "log-injection", "df-generated"]
       - ["<reqwest::blocking::multipart::Form>::reader", "Argument[self]", "log-injection", "df-generated"]
       - ["<reqwest::blocking::multipart::Reader as std::io::Read>::read", "Argument[self]", "log-injection", "df-generated"]
@@ -450,9 +450,9 @@ extensions:
       - ["<reqwest::blocking::response::Response>::text_with_charset", "Argument[self]", "pointer-access", "df-generated"]
       - ["<reqwest::connect::ConnectorService as tower_service::Service>::call", "Argument[0]", "log-injection", "df-generated"]
       - ["<reqwest::error::Error>::new", "Argument[1]", "pointer-access", "df-generated"]
-      - ["reqwest::blocking::get", "Argument[0]", "transmission", "df-generated"]
+      - ["reqwest::blocking::get", "Argument[0]", "request-url", "df-generated"]
       - ["reqwest::blocking::wait::timeout", "Argument[1]", "pointer-access", "df-generated"]
-      - ["reqwest::get", "Argument[0]", "transmission", "df-generated"]
+      - ["reqwest::get", "Argument[0]", "request-url", "df-generated"]
   - addsTo:
       pack: codeql/rust-all
       extensible: sourceModel
diff --git a/rust/ql/test/query-tests/security/CWE-311/CleartextTransmission.expected b/rust/ql/test/query-tests/security/CWE-311/CleartextTransmission.expected
@@ -51,10 +51,10 @@ edges
 | main.rs:33:50:33:57 | password | main.rs:33:23:33:57 | MacroExpr | provenance |  |
 | main.rs:35:33:35:35 | url | main.rs:35:12:35:18 | request | provenance | MaD:2 Sink:MaD:2 |
 models
-| 1 | Sink: <reqwest::async_impl::client::Client>::post; Argument[0]; transmission |
-| 2 | Sink: <reqwest::async_impl::client::Client>::request; Argument[1]; transmission |
-| 3 | Sink: <reqwest::blocking::client::Client>::request; Argument[1]; transmission |
-| 4 | Sink: reqwest::blocking::get; Argument[0]; transmission |
+| 1 | Sink: <reqwest::async_impl::client::Client>::post; Argument[0]; request-url |
+| 2 | Sink: <reqwest::async_impl::client::Client>::request; Argument[1]; request-url |
+| 3 | Sink: <reqwest::blocking::client::Client>::request; Argument[1]; request-url |
+| 4 | Sink: reqwest::blocking::get; Argument[0]; request-url |
 | 5 | Summary: <core::result::Result>::unwrap; Argument[self].Field[core::result::Result::Ok(0)]; ReturnValue; value |
 | 6 | Summary: <url::Url>::parse; Argument[0].Reference; ReturnValue.Field[core::result::Result::Ok(0)]; taint |
 | 7 | Summary: alloc::fmt::format; Argument[0]; ReturnValue; taint |

Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,6 @@ module CleartextTransmission {`
`53`	`53`	`* A sink defined through MaD.`
`54`	`54`	`*/`
`55`	`55`	`private class ModelsAsDataSink extends Sink {`
`56`		`- ModelsAsDataSink() { sinkNode(this, "transmission") }`
	`56`	`+ ModelsAsDataSink() { sinkNode(this, ["transmission", "request-url"]) }`
`57`	`57`	`}`
`58`	`58`	`}`