Rust: Add data flow tests

Author: paldepind

rust/ql/test/library-tests/dataflow/local/CONSISTENCY/DataFlowConsistency.expected

@@ -1,2 +1,2 @@
 identityLocalStep
-| main.rs:404:7:404:18 | phi(default_name) | Node steps to itself |
+| main.rs:394:7:394:18 | phi(default_name) | Node steps to itself |

rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected

@@ -225,6 +225,14 @@ fn option_unwrap() {
     sink(s1.unwrap()); // $ hasValueFlow=19
 }
 
+fn option_unwrap_or() {
+    let s1 = Some(source(46));
+    sink(s1.unwrap_or(0)); // $ MISSING: hasValueFlow=46
+
+    let s2 = Some(0);
+    sink(s2.unwrap_or(source(47))); // $ MISSING: hasValueFlow=47
+}
+
 fn option_questionmark() -> Option<i64> {
     let s1 = Some(source(20));
     let s2 = Some(2);
@@ -379,24 +387,6 @@ fn array_assignment() {
     sink(mut_arr[0]); // $ SPURIOUS: hasValueFlow=55
 }
 
-// -----------------------------------------------------------------------------
-// Data flow through mutable borrows
-
-fn read_through_borrow() {
-    let a = source(21);
-    let b = &a;
-    let c = *b;
-    sink(c); // $ MISSING: hasValueFlow=21
-}
-
-fn write_through_borrow() {
-    let mut a = 1;
-    sink(a);
-    let b = &mut a;
-    *b = source(39);
-    sink(a); // $ MISSING: hasValueFlow=39
-}
-
 // Test data flow inconsistency occuring with captured variables and `continue`
 // in a loop.
 pub fn captured_variable_and_continue(names: Vec<(bool, Option<String>)>) {
@@ -430,6 +420,7 @@ fn main() {
     option_pattern_match_qualified();
     option_pattern_match_unqualified();
     option_unwrap();
+    option_unwrap_or();
     option_questionmark();
     let _ = result_questionmark();
     custom_tuple_enum_pattern_match_qualified();
@@ -443,7 +434,5 @@ fn main() {
     array_for_loop();
     array_slice_pattern();
     array_assignment();
-    read_through_borrow();
-    write_through_borrow();
     captured_variable_and_continue(vec![]);
 }

rust/ql/test/library-tests/dataflow/local/inline-flow.expected

@@ -0,0 +1,23 @@
+models
+edges
+| main.rs:40:18:40:21 | SelfParam [MyNumber] | main.rs:42:13:42:38 | ...::MyNumber(...) [MyNumber] | provenance |  |
+| main.rs:42:13:42:38 | ...::MyNumber(...) [MyNumber] | main.rs:42:32:42:37 | number | provenance |  |
+| main.rs:42:32:42:37 | number | main.rs:40:31:46:5 | { ... } | provenance |  |
+| main.rs:58:21:58:50 | ...::MyNumber(...) [MyNumber] | main.rs:59:10:59:18 | my_number [MyNumber] | provenance |  |
+| main.rs:58:40:58:49 | source(...) | main.rs:58:21:58:50 | ...::MyNumber(...) [MyNumber] | provenance |  |
+| main.rs:59:10:59:18 | my_number [MyNumber] | main.rs:40:18:40:21 | SelfParam [MyNumber] | provenance |  |
+| main.rs:59:10:59:18 | my_number [MyNumber] | main.rs:59:10:59:30 | my_number.to_number(...) | provenance |  |
+nodes
+| main.rs:40:18:40:21 | SelfParam [MyNumber] | semmle.label | SelfParam [MyNumber] |
+| main.rs:40:31:46:5 | { ... } | semmle.label | { ... } |
+| main.rs:42:13:42:38 | ...::MyNumber(...) [MyNumber] | semmle.label | ...::MyNumber(...) [MyNumber] |
+| main.rs:42:32:42:37 | number | semmle.label | number |
+| main.rs:58:21:58:50 | ...::MyNumber(...) [MyNumber] | semmle.label | ...::MyNumber(...) [MyNumber] |
+| main.rs:58:40:58:49 | source(...) | semmle.label | source(...) |
+| main.rs:59:10:59:18 | my_number [MyNumber] | semmle.label | my_number [MyNumber] |
+| main.rs:59:10:59:30 | my_number.to_number(...) | semmle.label | my_number.to_number(...) |
+subpaths
+| main.rs:59:10:59:18 | my_number [MyNumber] | main.rs:40:18:40:21 | SelfParam [MyNumber] | main.rs:40:31:46:5 | { ... } | main.rs:59:10:59:30 | my_number.to_number(...) |
+testFailures
+#select
+| main.rs:59:10:59:30 | my_number.to_number(...) | main.rs:58:40:58:49 | source(...) | main.rs:59:10:59:30 | my_number.to_number(...) | $@ | main.rs:58:40:58:49 | source(...) | source(...) |

rust/ql/test/library-tests/dataflow/local/main.rs

@@ -0,0 +1,12 @@
+/**
+ * @kind path-problem
+ */
+
+import rust
+import utils.InlineFlowTest
+import DefaultFlowTest
+import ValueFlow::PathGraph
+
+from ValueFlow::PathNode source, ValueFlow::PathNode sink
+where ValueFlow::flowPath(source, sink)
+select sink, source, sink, "$@", source, source.toString()

rust/ql/test/library-tests/dataflow/pointers/inline-flow.expected

@@ -0,0 +1,79 @@
+// -----------------------------------------------------------------------------
+// Data flow through pointers.
+
+fn source(i: i64) -> i64 {
+    1000 + i
+}
+
+fn sink(s: i64) {
+    println!("{}", s);
+}
+
+fn read_through_borrow() {
+    let a = source(21);
+    let b = &a;
+    let c = *b;
+    sink(c); // $ MISSING: hasValueFlow=21
+}
+
+fn write_through_borrow() {
+    let mut a = 1;
+    sink(a);
+    let b = &mut a;
+    *b = source(39);
+    sink(a); // $ MISSING: hasValueFlow=39
+}
+
+fn write_and_read_through_borrow() {
+    let mut a = 12;
+    let b = &mut a;
+    sink(*b);
+    *b = source(37);
+    sink(*b); // $ MISSING: hasValueFlow=37
+}
+
+enum MyNumber {
+    MyNumber(i64)
+}
+
+impl MyNumber {
+    fn to_number(self) -> i64 {
+        match self {
+            MyNumber::MyNumber(number) => {
+                number
+            }
+        }
+    }
+
+    fn get_number(&self) -> i64 {
+        match self {
+            MyNumber::MyNumber(number) => {
+                *number
+            }
+        }
+    }
+}
+
+fn through_self_in_method_no_borrow() {
+    let my_number = MyNumber::MyNumber(source(33));
+    sink(my_number.to_number()); // $ hasValueFlow=33
+}
+
+fn through_self_in_method_implicit_borrow() {
+    let my_number = MyNumber::MyNumber(source(85));
+    sink(my_number.get_number()); // $ MISSING: hasValueFlow=85
+}
+
+fn through_self_in_method_explicit_borrow() {
+    let my_number = &MyNumber::MyNumber(source(40));
+    sink(my_number.get_number()); // $ MISSING: hasValueFlow=40
+}
+
+fn main() {
+    read_through_borrow();
+    write_through_borrow();
+    write_and_read_through_borrow();
+    through_self_in_method_no_borrow();
+    through_self_in_method_implicit_borrow();
+    through_self_in_method_explicit_borrow();
+}

rust/ql/test/library-tests/dataflow/pointers/inline-flow.ql

@@ -0,0 +1,10 @@
+models
+edges
+| main.rs:26:14:26:23 | source(...) | main.rs:32:10:32:11 | s4 | provenance |  |
+nodes
+| main.rs:26:14:26:23 | source(...) | semmle.label | source(...) |
+| main.rs:32:10:32:11 | s4 | semmle.label | s4 |
+subpaths
+testFailures
+#select
+| main.rs:32:10:32:11 | s4 | main.rs:26:14:26:23 | source(...) | main.rs:32:10:32:11 | s4 | $@ | main.rs:26:14:26:23 | source(...) | source(...) |

rust/ql/test/library-tests/dataflow/pointers/main.rs

@@ -0,0 +1,12 @@
+/**
+ * @kind path-problem
+ */
+
+import rust
+import utils.InlineFlowTest
+import DefaultFlowTest
+import TaintFlow::PathGraph
+
+from TaintFlow::PathNode source, TaintFlow::PathNode sink
+where TaintFlow::flowPath(source, sink)
+select sink, source, sink, "$@", source, source.toString()

rust/ql/test/library-tests/dataflow/strings/inline-taint-flow.expected

@@ -0,0 +1,81 @@
+// Taint tests for strings
+
+fn source(i: i64) -> String {
+    format!("{}", i)
+}
+
+fn source_slice(_i: i64) -> &'static str {
+    "source"
+}
+
+fn sink_slice(s: &str) {
+    println!("{}", s);
+}
+
+fn sink(s: String) {
+    println!("{}", s);
+}
+
+fn string_slice() {
+    let s = source(35);
+    let sliced = &s[1..3];
+    sink_slice(sliced); // $ MISSING: hasTaintFlow=35
+}
+
+fn string_add() {
+    let s1 = source(83);
+    let s2 = "2".to_owned();
+    let s3 = "3";
+    let s4 = s1 + s3;
+    let s5 = s2 + s3;
+
+    sink(s4); // $ hasTaintFlow=83
+    sink(s5);
+}
+
+fn string_add_reference() {
+    let s1 = source(37);
+    let s2 = "1".to_string();
+
+    sink("Hello ".to_string() + &s1); // $ MISSING: hasTaintFlow=37
+    sink("Hello ".to_string() + &s2);
+}
+
+fn string_from() {
+    let s1 = source_slice(36);
+    let s2 = String::from(s1);
+    sink(s2); // $ MISSING: hasTaintFlow=36
+}
+
+fn string_to_string() {
+    let s1 = source_slice(22);
+    let s2 = s1.to_string();
+    sink(s2); // $ MISSING: hasTaintFlow=22
+}
+
+fn as_str() {
+    let s = source(67);
+    sink_slice(s.as_str()); // $ MISSING: hasTaintFlow=67
+}
+
+fn string_format() {
+    let s1 = source(34);
+    let s2 = "2";
+    let s3 = "3";
+
+    let s4 = format!("{s1} and {s3}");
+    let s5 = format!("{s2} and {s3}");
+
+    sink_slice(&s4); // $ MISSING: hasTaintFlow=34
+    sink_slice(&s5);
+}
+
+fn main() {
+    string_slice();
+    string_add();
+    string_add_reference();
+    string_from();
+    as_str();
+    string_to_string();
+    string_format();
+}