Add intentionally vulnerable Rust code for CodeQL security testing

Author: fernandomatsuosantos

monorepo/.codeql.json

@@ -32,7 +32,7 @@
             "language": "javascript"
         },
         {
-            "path": "./monorepo/project-rust-1"
+            "path": "./monorepo/project-rust-2"
         }
     ]
 }

…mbiguities/comparison_in_function.kalker …orepo/project-rust-1/.github/FUNDING.ymlmonorepo/project-rust-1/tests/ambiguities/comparison_in_function.kalker renamed to monorepo/project-rust-1/.github/FUNDING.yml monorepo/project-rust-1/tests/ambiguities/comparison_in_function.kalker renamed to monorepo/project-rust-1/.github/FUNDING.yml

@@ -1,2 +1 @@
-f(a, b, c) = (a * b = c)
-f(2, 2, 4)
+github: [sharkdp, tavianator]

monorepo/project-rust-1/.github/ISSUE_TEMPLATE/bug_report.yaml

@@ -0,0 +1,42 @@
+name: Bug Report
+description: Report a bug.
+title: "[BUG] "
+labels: bug
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Please check out the [troubleshooting section](https://github.com/sharkdp/fd#troubleshooting) first.
+  - type: checkboxes
+    attributes:
+      label: Checks
+      options:
+        - label: I have read the troubleshooting section and still think this is a bug.
+          required: true
+  - type: textarea
+    id: bug
+    attributes:
+      label: "Describe the bug you encountered:"
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: "Describe what you expected to happen:"
+  - type: input
+    id: version
+    attributes:
+      label: "What version of `fd` are you using?"
+      placeholder: "paste the output of `fd --version` here"
+    validations:
+      required: true
+  - type: textarea
+    id: os
+    attributes:
+      label: Which operating system / distribution are you on?
+      placeholder: |
+        Unix: paste the output of `uname -srm` and `lsb_release -a` here.
+        Windows: please tell us your Windows version
+      render: shell
+    validations:
+      required: true

monorepo/project-rust-1/.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1 @@
+blank_issues_enabled: true

monorepo/project-rust-1/.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,8 @@
+---
+name: Feature Request
+about: Suggest an idea for this project.
+title: ''
+labels: feature-request
+assignees: ''
+
+---

monorepo/project-rust-1/.github/ISSUE_TEMPLATE/question.md

@@ -0,0 +1,13 @@
+---
+name: Question
+about: Ask a question about 'fd'.
+title: ''
+labels: question
+assignees: ''
+
+---
+
+
+
+**What version of `fd` are you using?**
+[paste the output of `fd --version` here]

monorepo/project-rust-1/.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "cargo"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"

monorepo/project-rust-1/.github/workflows/CICD.yml

@@ -0,0 +1,266 @@
+name: CICD
+
+env:
+  CICD_INTERMEDIATES_DIR: "_cicd-intermediates"
+  MSRV_FEATURES: "--all-features"
+
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - master
+    tags:
+      - '*'
+
+jobs:
+  crate_metadata:
+    name: Extract crate metadata
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Extract crate information
+      id: crate_metadata
+      run: |
+        echo "name=fd" | tee -a $GITHUB_OUTPUT
+        cargo metadata --no-deps --format-version 1 | jq -r '"version=" + .packages[0].version' | tee -a $GITHUB_OUTPUT
+        cargo metadata --no-deps --format-version 1 | jq -r '"maintainer=" + .packages[0].authors[0]' | tee -a $GITHUB_OUTPUT
+        cargo metadata --no-deps --format-version 1 | jq -r '"homepage=" + .packages[0].homepage' | tee -a $GITHUB_OUTPUT
+        cargo metadata --no-deps --format-version 1 | jq -r '"msrv=" + .packages[0].rust_version' | tee -a $GITHUB_OUTPUT
+    outputs:
+      name: ${{ steps.crate_metadata.outputs.name }}
+      version: ${{ steps.crate_metadata.outputs.version }}
+      maintainer: ${{ steps.crate_metadata.outputs.maintainer }}
+      homepage: ${{ steps.crate_metadata.outputs.homepage }}
+      msrv: ${{ steps.crate_metadata.outputs.msrv }}
+
+  ensure_cargo_fmt:
+    name: Ensure 'cargo fmt' has been run
+    runs-on: ubuntu-22.04
+    steps:
+    - uses: dtolnay/rust-toolchain@stable
+      with:
+        components: rustfmt
+    - uses: actions/checkout@v4
+    - run: cargo fmt -- --check
+
+  lint_check:
+    name: Ensure 'cargo clippy' has no warnings
+    runs-on: ubuntu-latest
+    steps:
+    - uses: dtolnay/rust-toolchain@stable
+      with:
+        components: clippy
+    - uses: actions/checkout@v4
+    - run: cargo clippy --all-targets --all-features -- -Dwarnings
+
+  min_version:
+    name: Minimum supported rust version
+    runs-on: ubuntu-22.04
+    needs: crate_metadata
+    steps:
+    - name: Checkout source code
+      uses: actions/checkout@v4
+
+    - name: Install rust toolchain (v${{ needs.crate_metadata.outputs.msrv }})
+      uses: dtolnay/rust-toolchain@master
+      with:
+        toolchain: ${{ needs.crate_metadata.outputs.msrv }}
+        components: clippy
+    - name: Run clippy (on minimum supported rust version to prevent warnings we can't fix)
+      run: cargo clippy --locked --all-targets ${{ env.MSRV_FEATURES }}
+    - name: Run tests
+      run: cargo test --locked ${{ env.MSRV_FEATURES }}
+
+  build:
+    name: ${{ matrix.job.target }} (${{ matrix.job.os }})
+    runs-on: ${{ matrix.job.os }}
+    needs: crate_metadata
+    strategy:
+      fail-fast: false
+      matrix:
+        job:
+          - { target: aarch64-unknown-linux-gnu   , os: ubuntu-22.04, use-cross: true }
+          - { target: aarch64-unknown-linux-musl  , os: ubuntu-22.04, use-cross: true }
+          - { target: arm-unknown-linux-gnueabihf , os: ubuntu-22.04, use-cross: true }
+          - { target: arm-unknown-linux-musleabihf, os: ubuntu-22.04, use-cross: true }
+          - { target: i686-pc-windows-msvc        , os: windows-2022                  }
+          - { target: i686-unknown-linux-gnu      , os: ubuntu-22.04, use-cross: true }
+          - { target: i686-unknown-linux-musl     , os: ubuntu-22.04, use-cross: true }
+          - { target: x86_64-apple-darwin         , os: macos-13                      }
+          - { target: aarch64-apple-darwin        , os: macos-14                      }
+          - { target: x86_64-pc-windows-gnu       , os: windows-2022                  }
+          - { target: x86_64-pc-windows-msvc      , os: windows-2022                  }
+          - { target: aarch64-pc-windows-msvc     , os: windows-11-arm                }
+          - { target: x86_64-unknown-linux-gnu    , os: ubuntu-22.04, use-cross: true }
+          - { target: x86_64-unknown-linux-musl   , os: ubuntu-22.04, use-cross: true }
+    env:
+      BUILD_CMD: cargo
+    steps:
+    - name: Checkout source code
+      uses: actions/checkout@v4
+
+    - name: Install prerequisites
+      shell: bash
+      run: |
+        case ${{ matrix.job.target }} in
+          arm-unknown-linux-*) sudo apt-get -y update ; sudo apt-get -y install gcc-arm-linux-gnueabihf ;;
+          aarch64-unknown-linux-gnu) sudo apt-get -y update ; sudo apt-get -y install gcc-aarch64-linux-gnu ;;
+        esac
+
+    - name: Install Rust toolchain
+      uses: dtolnay/rust-toolchain@stable
+      with:
+        targets: ${{ matrix.job.target }}
+        # On windows, for now build with 1.77.2, so that it works on windows 7.
+        # When we update the MSRV again, we'll need to revisit this, and probably drop support for Win7
+        toolchain: "${{ contains(matrix.job.target, 'windows-') && '1.77.2' || 'stable' }}"
+
+    - name: Install cross
+      if: matrix.job.use-cross
+      uses: taiki-e/install-action@v2
+      with:
+        tool: cross
+
+    - name: Overwrite build command env variable
+      if: matrix.job.use-cross
+      shell: bash
+      run: echo "BUILD_CMD=cross" >> $GITHUB_ENV
+
+    - name: Show version information (Rust, cargo, GCC)
+      shell: bash
+      run: |
+        gcc --version || true
+        rustup -V
+        rustup toolchain list
+        rustup default
+        cargo -V
+        rustc -V
+
+    - name: Build
+      shell: bash
+      run: $BUILD_CMD build --locked --release --target=${{ matrix.job.target }}
+
+    - name: Set binary name & path
+      id: bin
+      shell: bash
+      run: |
+        # Figure out suffix of binary
+        EXE_suffix=""
+        case ${{ matrix.job.target }} in
+          *-pc-windows-*) EXE_suffix=".exe" ;;
+        esac;
+
+        # Setup paths
+        BIN_NAME="${{ needs.crate_metadata.outputs.name }}${EXE_suffix}"
+        BIN_PATH="target/${{ matrix.job.target }}/release/${BIN_NAME}"
+
+        # Let subsequent steps know where to find the binary
+        echo "BIN_PATH=${BIN_PATH}" >> $GITHUB_OUTPUT
+        echo "BIN_NAME=${BIN_NAME}" >> $GITHUB_OUTPUT
+
+    - name: Set testing options
+      id: test-options
+      shell: bash
+      run: |
+        # test only library unit tests and binary for arm-type targets
+        unset CARGO_TEST_OPTIONS
+        unset CARGO_TEST_OPTIONS ; case ${{ matrix.job.target }} in arm-* | aarch64-*) CARGO_TEST_OPTIONS="--bin ${{ needs.crate_metadata.outputs.name }}" ;; esac;
+        echo "CARGO_TEST_OPTIONS=${CARGO_TEST_OPTIONS}" >> $GITHUB_OUTPUT
+
+    - name: Run tests
+      shell: bash
+      run: $BUILD_CMD test --locked --target=${{ matrix.job.target }} ${{ steps.test-options.outputs.CARGO_TEST_OPTIONS}}
+
+    - name: Generate completions
+      id: completions
+      shell: bash
+      run: make completions
+
+    - name: Create tarball
+      id: package
+      shell: bash
+      run: |
+        PKG_suffix=".tar.gz" ; case ${{ matrix.job.target }} in *-pc-windows-*) PKG_suffix=".zip" ;; esac;
+        PKG_BASENAME=${{ needs.crate_metadata.outputs.name }}-v${{ needs.crate_metadata.outputs.version }}-${{ matrix.job.target }}
+        PKG_NAME=${PKG_BASENAME}${PKG_suffix}
+        echo "PKG_NAME=${PKG_NAME}" >> $GITHUB_OUTPUT
+
+        PKG_STAGING="${{ env.CICD_INTERMEDIATES_DIR }}/package"
+        ARCHIVE_DIR="${PKG_STAGING}/${PKG_BASENAME}/"
+        mkdir -p "${ARCHIVE_DIR}"
+
+        # Binary
+        cp "${{ steps.bin.outputs.BIN_PATH }}" "$ARCHIVE_DIR"
+
+        # README, LICENSE and CHANGELOG files
+        cp "README.md" "LICENSE-MIT" "LICENSE-APACHE" "CHANGELOG.md" "$ARCHIVE_DIR"
+
+        # Man page
+        cp 'doc/${{ needs.crate_metadata.outputs.name }}.1' "$ARCHIVE_DIR"
+
+        # Autocompletion files
+        cp -r autocomplete "${ARCHIVE_DIR}"
+
+        # base compressed package
+        pushd "${PKG_STAGING}/" >/dev/null
+        case ${{ matrix.job.target }} in
+          *-pc-windows-*) 7z -y a "${PKG_NAME}" "${PKG_BASENAME}"/* | tail -2 ;;
+          *) tar czf "${PKG_NAME}" "${PKG_BASENAME}"/* ;;
+        esac;
+        popd >/dev/null
+
+        # Let subsequent steps know where to find the compressed package
+        echo "PKG_PATH=${PKG_STAGING}/${PKG_NAME}" >> $GITHUB_OUTPUT
+
+    - name: Create Debian package
+      id: debian-package
+      shell: bash
+      if: startsWith(matrix.job.os, 'ubuntu')
+      run: bash scripts/create-deb.sh
+      env:
+        TARGET: ${{ matrix.job.target }}
+        DPKG_VERSION: ${{ needs.crate_metadata.version }}
+        BIN_PATH: ${{ steps.bin.outputs.BIN_PATH }}
+
+    - name: "Artifact upload: tarball"
+      uses: actions/upload-artifact@master
+      with:
+        name: ${{ steps.package.outputs.PKG_NAME }}
+        path: ${{ steps.package.outputs.PKG_PATH }}
+
+    - name: "Artifact upload: Debian package"
+      uses: actions/upload-artifact@master
+      if: steps.debian-package.outputs.DPKG_NAME
+      with:
+        name: ${{ steps.debian-package.outputs.DPKG_NAME }}
+        path: ${{ steps.debian-package.outputs.DPKG_PATH }}
+
+    - name: Check for release
+      id: is-release
+      shell: bash
+      run: |
+        unset IS_RELEASE ; if [[ $GITHUB_REF =~ ^refs/tags/v[0-9].* ]]; then IS_RELEASE='true' ; fi
+        echo "IS_RELEASE=${IS_RELEASE}" >> $GITHUB_OUTPUT
+
+    - name: Publish archives and packages
+      uses: softprops/action-gh-release@v2
+      if: steps.is-release.outputs.IS_RELEASE
+      with:
+        files: |
+          ${{ steps.package.outputs.PKG_PATH }}
+          ${{ steps.debian-package.outputs.DPKG_PATH }}
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  winget:
+    name: Publish to Winget
+    runs-on: ubuntu-latest
+    needs: build
+    if: startsWith(github.ref, 'refs/tags/v')
+    steps:
+      - uses: vedantmgoyal2009/winget-releaser@v2
+        with:
+          identifier: sharkdp.fd
+          installers-regex: '-pc-windows-msvc\.zip$'
+          token: ${{ secrets.WINGET_TOKEN }}