From de7e729e1166cfb77cb090e92956a4299008f1f5 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Wed, 12 Feb 2025 08:51:03 +0000
Subject: [PATCH 1/2] Rust: Re-categorize tokio-postgres sources as remote.

---
 rust/ql/lib/codeql/rust/frameworks/tokio-postgres.model.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rust/ql/lib/codeql/rust/frameworks/tokio-postgres.model.yml b/rust/ql/lib/codeql/rust/frameworks/tokio-postgres.model.yml
index 77c13f705dc3..37ef96f5bfa7 100644
--- a/rust/ql/lib/codeql/rust/frameworks/tokio-postgres.model.yml
+++ b/rust/ql/lib/codeql/rust/frameworks/tokio-postgres.model.yml
@@ -20,5 +20,5 @@ extensions:
 pack: codeql/rust-all
 extensible: sourceModel
 data:
- - ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "::get", "ReturnValue", "database", "manual"]
- - ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "::try_get", "ReturnValue.Variant[crate::result::Result::Ok(0)]", "database", "manual"]
+ - ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "::get", "ReturnValue", "remote", "manual"]
+ - ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "::try_get", "ReturnValue.Variant[crate::result::Result::Ok(0)]", "remote", "manual"]

From f9283354372691f4ff681f4c50b611af1c766a5a Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Wed, 12 Feb 2025 14:16:29 +0000
Subject: [PATCH 2/2] Rust: Adjust the test.

---
 .../library-tests/frameworks/postgres/Postgres.ql | 6 +++---
 .../test/library-tests/frameworks/postgres/main.rs | 12 ++++++------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/rust/ql/test/library-tests/frameworks/postgres/Postgres.ql b/rust/ql/test/library-tests/frameworks/postgres/Postgres.ql
index 482305e46cb3..e28107e51833 100644
--- a/rust/ql/test/library-tests/frameworks/postgres/Postgres.ql
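Review bot: The two `sourceModel` rows now carry the kind `remote`, but nothing in the file records why values read back from the application's own database are classed with data from a remote peer, and the next reader is likely to "correct" them back to `database`. As far as I know `remote` is part of CodeQL's default threat model while `database` has to be enabled explicitly, so this promotes every `::get`/`::try_get` result into a default source for all taint queries — a deliberate trade-off in favour of catching second-order flows (stored data reused in a query) at the cost of more noise, and that reasoning belongs next to the rows. A YAML comment above the `data:` list such as `# Query results are modelled as 'remote' (default threat model) rather than 'database' so that second-order flows from stored data are reported by default.` would do. The extension entry these rows belong to starts before the hunk.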
+++ b/rust/ql/test/library-tests/frameworks/postgres/Postgres.ql
@@ -4,7 +4,7 @@ import codeql.rust.security.SqlInjectionExtensions
 import utils.test.InlineExpectationsTest
 module PostgresTest implements TestSig {
- string getARelevantTag() { result = ["sql-sink", "database-read"] }
+ string getARelevantTag() { result = ["sql-sink", "source"] }
 predicate hasActualResult(Location location, string element, string tag, string value) {
 exists(SqlInjection::Sink sink |
@@ -15,11 +15,11 @@ module PostgresTest implements TestSig {
 value = ""
 )
 or
- exists(ModeledDatabaseSource source |
+ exists(ThreatModelSource source |
 location = source.getLocation() and
 location.getFile().getBaseName() != "" and
 element = source.toString() and
- tag = "database-read" and
+ tag = "source" and
 value = ""
 )
 }
diff --git a/rust/ql/test/library-tests/frameworks/postgres/main.rs b/rust/ql/test/library-tests/frameworks/postgres/main.rs
index 8a04f8d00e83..0071fdc95e4c 100644
--- a/rust/ql/test/library-tests/frameworks/postgres/main.rs
+++ b/rust/ql/test/library-tests/frameworks/postgres/main.rs
@@ -2,7 +2,7 @@ fn main() -> Result<(), Box> {
 // Get input from CLI
- let args: Vec = std::env::args().collect();
+ let args: Vec = std::env::args().collect(); // $ source
 let name = &args[1];
 let age = &args[2];
@@ -16,7 +16,7 @@ fn main() -> Result<(), Box> {
 )",
 &[],
 )?;
-
+
 let query = format!("INSERT INTO person (name, age) VALUES ('{}', '{}')", name, age);
 conn.execute(query.as_str(), &[])?; // $ sql-sink
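Review bot: In the second `Postgres.ql` hunk the new `ThreatModelSource` branch keeps `value = ""`, so the inline expectations only assert that some modelled source exists at each line, not which threat-model kind it has; the re-categorisation this series exists for (`database` to `remote`) could silently regress and `// $ source` would still pass. `ThreatModelSource` is, as far as I know, the unfiltered set of all modelled sources regardless of the configured threat model, which is also why the command-line `std::env::args()` call now has to be annotated in `main.rs`. If the Rust `ThreatModelSource` exposes the kind as the other languages do, changing that line to `value = source.getThreatModel()` would turn the expectations into `// $ source=remote` and `// $ source=commandargs`, pinning both presence and category. `hasActualResult` starts before this hunk.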
@@ -33,11 +33,11 @@ fn main() -> Result<(), Box> {
 // conn.query_typed_raw(query.as_str(), &[])?;
 for row in &conn.query("SELECT id, name, age FROM person", &[])? { // $ sql-sink
- let id: i32 = row.get("id"); // $ database-read
- let name: &str = row.try_get("name")?; // $ database-read
- let age: i32 = row.try_get("age").unwrap(); // $ database-read
+ let id: i32 = row.get("id"); // $ source
+ let name: &str = row.try_get("name")?; // $ source
+ let age: i32 = row.try_get("age").unwrap(); // $ source
 println!("found person: {} {} {}", id, name, age);
 }
 Ok(())
-}
\ No newline at end of file
+}
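Review bot: The three `// $ source` expectations on `row.get`/`row.try_get` depend on `row` resolving to the `tokio_postgres` `Row` that `tokio-postgres.model.yml` targets, yet this test drives the synchronous API (`conn.query(...)?` with no `.await`) and nothing in the hunk says why the tokio model applies; presumably the `postgres` crate re-exports `tokio_postgres::Row`, but if that resolution changes the test will fail with no hint as to why. A comment above the loop such as `// row is the tokio_postgres::Row type re-exported by the postgres crate, so the tokio-postgres source model applies` would record the dependency. The loop also only prints the fetched values and never feeds one back into a query, so the second-order flow that motivates labelling these reads `remote` is not exercised here; that is fine if a query test elsewhere covers it, but worth a line saying so. `main` starts before the hunk.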