Rust: cookie and biscotti crypto query sinks #20426
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR adds cryptographic key modeling for the cookie and biscotti crates to detect when hard-coded cryptographic values are passed as keys. The changes include models for key creation functions and test updates to verify the new detection capabilities.
- Added sink models for
cookie::Key::fromandbiscotti::Key::fromto detect hard-coded cryptographic keys - Consolidated the scattered manual models for
<core::convert::From>::frominto a single generic model - Added a model for
alloc::vec::from_elemto track element propagation
Reviewed Changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| rust/ql/test/query-tests/security/CWE-798/test_cookie.rs | New test file demonstrating hard-coded cryptographic key usage in cookie and biscotti libraries |
| rust/ql/test/query-tests/security/CWE-798/options.yml | Added cookie and biscotti crate dependencies for testing |
| rust/ql/test/query-tests/security/CWE-798/HardcodedCryptographicValue.expected | Updated test expectations with new detections for cookie/biscotti hard-coded keys |
| rust/ql/test/query-tests/security/CWE-022/TaintedPath.expected | Updated expectations reflecting the consolidated From model changes |
| rust/ql/test/library-tests/dataflow/strings/inline-taint-flow.expected | Updated expectations with new generic From model |
| rust/ql/lib/codeql/rust/frameworks/stdlib/lang-core.model.yml | Added generic <_ as core::convert::From>::from model |
| rust/ql/lib/codeql/rust/frameworks/stdlib/lang-alloc.model.yml | Added alloc::vec::from_elem model and removed specific String From model |
| rust/ql/lib/codeql/rust/frameworks/stdlib/fs.model.yml | Removed PathBuf From model in favor of generic one |
| rust/ql/lib/codeql/rust/frameworks/cookie.model.yml | New model file defining cookie key sink |
| rust/ql/lib/codeql/rust/frameworks/biscotti.model.yml | New model file defining biscotti key sink |
| rust/ql/lib/change-notes/2025-09-12-cookie.md | Added change note for the new cryptography models |
Contributor
Author
|
DCA LGTM (small slowdown, believed to be wobble). |
paldepind
approved these changes
Sep 15, 2025
Contributor
paldepind
left a comment
paldepind
left a comment
There was a problem hiding this comment.
LGTM! Great to have one single from model :)
Contributor
Author
|
Thanks for reviewing. |
hvitved
reviewed
Sep 25, 2025
| - ["<alloc::string::String as core::convert::Into>::into", "Argument[self].Element", "ReturnValue.Element", "taint", "manual"] | ||
| - ["<alloc::string::String as core::convert::Into>::into", "Argument[self].Reference.Element", "ReturnValue.Element", "taint", "manual"] | ||
| # From | ||
| - ["<_ as core::convert::From>::from", "Argument[0]", "ReturnValue", "value", "manual"] |
Contributor
There was a problem hiding this comment.
I would have expected that this should be a taint model and not a value model?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
While writing the insecure cookie query (WIP), I've been using the
cookieandbiscotticrates. I noticed they both have the capability to take encryption keys and this can be modelled.In addition to modelling those I've added a model for
alloc::vec::from_elemand cleaned up the scattered manual models for<core::convert::From>::from.