Rust: Generate more sinks and update query description

paldepind · paldepind · commit abf0a0129302 · 2025-03-13T15:22:17.000+01:00
diff --git a/rust/ql/lib/codeql/rust/frameworks/reqwest.model.yml b/rust/ql/lib/codeql/rust/frameworks/reqwest.model.yml
@@ -9,7 +9,6 @@ extensions:
       pack: codeql/rust-all
       extensible: sinkModel
     data:
-      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "crate::blocking::get", "Argument[0]", "transmission", "manual"]
       - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::async_impl::client::Client>::request", "Argument[1]", "transmission", "manual"]
       - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::blocking::client::Client>::request", "Argument[1]", "transmission", "manual"]
   - addsTo:
diff --git a/rust/ql/lib/ext/generated/reqwest/repo-https-github.com-seanmonstar-reqwest-reqwest.model.yml b/rust/ql/lib/ext/generated/reqwest/repo-https-github.com-seanmonstar-reqwest-reqwest.model.yml
@@ -10,6 +10,14 @@ extensions:
       - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::async_impl::client::Client>::patch", "Argument[0]", "transmission", "df-generated"]
       - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::async_impl::client::Client>::post", "Argument[0]", "transmission", "df-generated"]
       - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::async_impl::client::Client>::put", "Argument[0]", "transmission", "df-generated"]
+      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::blocking::client::Client>::delete", "Argument[0]", "transmission", "df-generated"]
+      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::blocking::client::Client>::get", "Argument[0]", "transmission", "df-generated"]
+      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::blocking::client::Client>::head", "Argument[0]", "transmission", "df-generated"]
+      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::blocking::client::Client>::patch", "Argument[0]", "transmission", "df-generated"]
+      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::blocking::client::Client>::post", "Argument[0]", "transmission", "df-generated"]
+      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::blocking::client::Client>::put", "Argument[0]", "transmission", "df-generated"]
       - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::connect::Connector as crate::Service>::call", "Argument[0]", "log-injection", "df-generated"]
       - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::connect::ConnectorService as crate::Service>::call", "Argument[0]", "log-injection", "df-generated"]
+      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "crate::blocking::get", "Argument[0]", "transmission", "df-generated"]
+      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "crate::blocking::wait::timeout", "Argument[1]", "log-injection", "df-generated"]
       - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "crate::get", "Argument[0]", "transmission", "df-generated"]
diff --git a/rust/ql/src/queries/security/CWE-311/CleartextTransmission.qhelp b/rust/ql/src/queries/security/CWE-311/CleartextTransmission.qhelp
@@ -22,11 +22,15 @@ sensitive information when it is not necessary to.
 
 <p>
 The following example shows three cases of transmitting information. In the
-'BAD' case, the data transmitted is sensitive (a password) and is not encrypted
-as it occurs as a URL parameter. In the 'GOOD' cases, the data is either not
-sensitive, or is protected with encryption. When encryption is used, take care
-to select a secure modern encryption algorithm, and put suitable key management
-practices into place.
+'BAD' case, the transmitted data is sensitive (a credit card number) and is
+included as cleartext in the URL. URLs are often logged or otherwise visible in
+cleartext, and should not contain sensitive information.
+</p>
+
+<p>
+In the 'GOOD' cases, the data is either not sensitive, or is protected with
+encryption. When encryption is used, take care to select a secure modern
+encryption algorithm, and put suitable key management practices into place.
 </p>
 
 <sample src="CleartextTransmission.rs" />
diff --git a/rust/ql/src/queries/security/CWE-311/CleartextTransmission.rs b/rust/ql/src/queries/security/CWE-311/CleartextTransmission.rs
@@ -2,14 +2,14 @@ func getData() {
 	// ...
 
 	// GOOD: not sensitive information
-	let body = reqwest::get("https://example.com/data").await?.text().await?;
+	let body = reqwest::get("https://example.com/song/{faveSong}").await?.text().await?;
 
-	// BAD: sensitive information sent in cleartext
-	let body = reqwest::get(format!("https://example.com/data?password={password}")).await?.text().await?;
+	// BAD: sensitive information sent in cleartext in the URL
+	let body = reqwest::get(format!("https://example.com/card/{creditCardNo}")).await?.text().await?;
 
-	// GOOD: encrypted sensitive information sent
+	// GOOD: encrypted sensitive information sent in the URL
 	let encryptedPassword = encrypt(password, encryptionKey);
-	let body = reqwest::get(format!("https://example.com/data?password={encryptedPassword}")).await?.text().await?;
+	let body = reqwest::get(format!("https://example.com/card/{creditCardNo}")).await?.text().await?;
 
 	// ...
 }
