
Rust: Add barriers for rust/sql-injection #20724

@geoffw0

Description


Add taint flow barriers to the rust/sql-injection CodeQL query. This query detects SQL injection vulnerabilities by means of taint flow from a source where the program reads untrusted data, to a sink where that data is used to construct an SQL query (untrusted prepared query parameters are of course fine).

We would like to add barriers to block taint flow when one of the following types of sanitization are present:

  • when the untrusted data is restricted to a numeric type.
  • when the untrusted data is compared with a single constant value to confirm it is safe.
  • when the untrusted data is compared with multiple constant values to confirm it is safe (for example if (remote_string == "person") or (remote_string == "vehicle")).
  • when the untrusted data is compared against a collection of constant values to confirm it is safe.

There's already an example of the first case in the tests (safe_query_3 defined in terms of remote_number in the sqlx.rs test source). The first and most important part of this task will be to add test cases covering the other three cases above, plus a couple of "negative" examples where sanitization is performed incorrectly.

Some useful locations for you:

  • the query can be found at rust/ql/src/queries/security/CWE-089/SqlInjection.ql.
  • its tests are in rust/ql/test/query-tests/security/CWE-089/*.rs.
  • the query extensions are in rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll.

The second part of the task is to add barriers to the query, or more precisely to the "Extensions" file for the query. You may want to base your solution on:

  • SimpleTypeSanitizer in go/ql/lib/semmle/go/security/Sanitizers.qll.
  • StringConstCompareBarrier in ruby/ql/lib/codeql/ruby/dataflow/BarrierGuards.qll.
  • StringConstArrayInclusionCallBarrier in ruby/ql/lib/codeql/ruby/dataflow/BarrierGuards.qll.
  • UpperBoundCheckBarrier in rust/ql/lib/codeql/rust/security/UncontrolledAllocationSizeExtensions.qll (this one seems slightly less relevant, but the target language is Rust so some of the syntax may be closer to what you actually need).

If you struggle to get these working, do the best you can and I'll help fix it up after. As long as we have good test cases we should be in a good position to do this.

I prefer the phrase "Barrier" over "Sanitizer" in new code.


When the work is done, I request that you complete a few final cleanup / admin tasks:

  • run the CodeQL CLI autoformatter on all .ql and .qll files you have created or edited. With the CodeQL CLI installed: codeql query format [file] --in-place.
  • add a brief change note file in rust/ql/src/change-notes. See https://github.com/github/codeql/blob/main/docs/change-notes.md for more information about change notes.
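As an added illustration (example code, not from the CodeQL repository or the issue author): the four sanitization patterns listed above, written as Rust functions beside three incorrectly sanitized negatives of the kind the issue asks for in the tests. `build_query` is an assumed stand-in for the SQL sink and `PAYLOAD` is a constructed injection string; the example only formats strings, so it runs offline.

```rust
// Added example, not code from the github/codeql repository.
// `build_query` stands in for the real sink (e.g. a sqlx query); it only
// formats a string so the example is self-contained.
fn build_query(where_clause: &str) -> String {
    format!("SELECT * FROM records WHERE {}", where_clause)
}

// Constructed attacker input used by main() and the negatives below.
pub const PAYLOAD: &str = "person' OR '1'='1";

/// Pattern 1: the untrusted string is parsed into a numeric type.
/// Whatever the attacker sent, only an i64 reaches the query text.
pub fn safe_numeric(remote: &str) -> Option<String> {
    let id: i64 = remote.trim().parse().ok()?;
    Some(build_query(&format!("id = {}", id)))
}

/// Pattern 2: equality comparison with a single constant.
pub fn safe_single_const(remote: &str) -> Option<String> {
    if remote == "person" {
        Some(build_query(&format!("kind = '{}'", remote)))
    } else {
        None
    }
}

/// Pattern 3: equality comparison with several constants joined by `||`.
pub fn safe_multi_const(remote: &str) -> Option<String> {
    if remote == "person" || remote == "vehicle" {
        Some(build_query(&format!("kind = '{}'", remote)))
    } else {
        None
    }
}

/// Pattern 4: membership test against a collection of constants.
const ALLOWED_KINDS: [&str; 3] = ["person", "vehicle", "building"];

pub fn safe_collection(remote: &str) -> Option<String> {
    if ALLOWED_KINDS.contains(&remote) {
        Some(build_query(&format!("kind = '{}'", remote)))
    } else {
        None
    }
}

/// Negative 1: `!=` excludes one value but does not restrict the input to a
/// known-safe set, so the value reaching the sink is still attacker-controlled.
pub fn unsafe_not_equal(remote: &str) -> Option<String> {
    if remote != "admin" {
        Some(build_query(&format!("kind = '{}'", remote)))
    } else {
        None
    }
}

/// Negative 2: a substring check is not an equality check; PAYLOAD contains
/// "person" and still passes.
pub fn unsafe_contains(remote: &str) -> Option<String> {
    if remote.contains("person") {
        Some(build_query(&format!("kind = '{}'", remote)))
    } else {
        None
    }
}

/// Negative 3: the comparison guards one variable but a different one is
/// interpolated into the query, so the guard sanitizes nothing that flows.
pub fn unsafe_wrong_variable(checked: &str, used: &str) -> Option<String> {
    if checked == "person" {
        Some(build_query(&format!("kind = '{}'", used)))
    } else {
        None
    }
}

fn main() {
    for input in ["42", "vehicle", PAYLOAD] {
        println!("{:?}", input);
        println!("  numeric    -> {:?}", safe_numeric(input));
        println!("  collection -> {:?}", safe_collection(input));
        println!("  not_equal  -> {:?}", unsafe_not_equal(input));
        println!("  contains   -> {:?}", unsafe_contains(input));
    }
}
```

Each `safe_*` function returns `None` for the payload, while every `unsafe_*` function lets the `' OR '1'='1` fragment reach the query string; a barrier that blocks flow only on the first four shapes, and not on `!=`, `contains`, or a guard on a different variable, is the behaviour the requested tests should pin down.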

Labels

Rust (Pull requests that update Rust code)