Rust: Fix an issue with the local flow.

Author: geoffw0

rust/ql/lib/codeql/rust/security/InsecureCookieExtensions.qll

@@ -69,11 +69,13 @@ module InsecureCookie {
       // check if the argument is always `true`
       (
         if
-          forex(DataFlow::Node argSourceNode | DataFlow::localFlow(argSourceNode, argNode) |
-            argSourceNode.asExpr().getExpr().(BooleanLiteralExpr).getTextValue() = "true"
+          forex(DataFlow::Node argSourceNode, BooleanLiteralExpr argSourceValue |
+            DataFlow::localFlow(argSourceNode, argNode) and
+            argSourceValue = argSourceNode.asExpr().getExpr() |
+            argSourceValue.getTextValue() = "true"
           )
-        then value = true // `true` flow to here
-        else value = false // `false` or unknown
+        then value = true // `true` flows to here
+        else value = false // `false`, unknown, or multiple values
       ) and
       // and find the node where this happens
       (

rust/ql/test/query-tests/security/CWE-614/CookieSet.expected

@@ -2,7 +2,7 @@
 | main.rs:12:19:12:50 | ...::build(...) | secure | true |
 | main.rs:20:5:20:36 | ...::build(...) | secure | false |
 | main.rs:21:5:21:36 | ...::build(...) | secure | false |
-| main.rs:24:5:24:36 | ...::build(...) | secure | false |
+| main.rs:24:5:24:36 | ...::build(...) | secure | true |
 | main.rs:25:5:25:36 | ...::build(...) | secure | false |
 | main.rs:26:5:26:36 | ...::build(...) | secure | false |
 | main.rs:27:5:27:36 | ...::build(...) | secure | false |

rust/ql/test/query-tests/security/CWE-614/InsecureCookie.expected

@@ -6,8 +6,6 @@
 | main.rs:20:56:20:60 | build | main.rs:20:5:20:36 | ...::build(...) | main.rs:20:56:20:60 | build | Cookie attribute 'Secure' is not set to true. |
 | main.rs:21:57:21:61 | build | main.rs:21:5:21:17 | ...::build | main.rs:21:57:21:61 | build | Cookie attribute 'Secure' is not set to true. |
 | main.rs:21:57:21:61 | build | main.rs:21:5:21:36 | ...::build(...) | main.rs:21:57:21:61 | build | Cookie attribute 'Secure' is not set to true. |
-| main.rs:24:53:24:57 | build | main.rs:24:5:24:17 | ...::build | main.rs:24:53:24:57 | build | Cookie attribute 'Secure' is not set to true. |
-| main.rs:24:53:24:57 | build | main.rs:24:5:24:36 | ...::build(...) | main.rs:24:53:24:57 | build | Cookie attribute 'Secure' is not set to true. |
 | main.rs:25:54:25:58 | build | main.rs:25:5:25:17 | ...::build | main.rs:25:54:25:58 | build | Cookie attribute 'Secure' is not set to true. |
 | main.rs:25:54:25:58 | build | main.rs:25:5:25:36 | ...::build(...) | main.rs:25:54:25:58 | build | Cookie attribute 'Secure' is not set to true. |
 | main.rs:26:52:26:56 | build | main.rs:26:5:26:17 | ...::build | main.rs:26:52:26:56 | build | Cookie attribute 'Secure' is not set to true. |
@@ -91,9 +89,6 @@ edges
 | main.rs:21:5:21:17 | ...::build | main.rs:21:5:21:36 | ...::build(...) | provenance | Src:MaD:13 MaD:13 |
 | main.rs:21:5:21:36 | ...::build(...) | main.rs:21:5:21:55 | ... .secure(...) | provenance | MaD:41 |
 | main.rs:21:5:21:55 | ... .secure(...) | main.rs:21:57:21:61 | build | provenance | MaD:2 Sink:MaD:2 |
-| main.rs:24:5:24:17 | ...::build | main.rs:24:5:24:36 | ...::build(...) | provenance | Src:MaD:13 MaD:13 |
-| main.rs:24:5:24:36 | ...::build(...) | main.rs:24:5:24:51 | ... .secure(...) | provenance | MaD:41 |
-| main.rs:24:5:24:51 | ... .secure(...) | main.rs:24:53:24:57 | build | provenance | MaD:2 Sink:MaD:2 |
 | main.rs:25:5:25:17 | ...::build | main.rs:25:5:25:36 | ...::build(...) | provenance | Src:MaD:13 MaD:13 |
 | main.rs:25:5:25:36 | ...::build(...) | main.rs:25:5:25:52 | ... .secure(...) | provenance | MaD:41 |
 | main.rs:25:5:25:52 | ... .secure(...) | main.rs:25:54:25:58 | build | provenance | MaD:2 Sink:MaD:2 |
@@ -374,10 +369,6 @@ nodes
 | main.rs:21:5:21:36 | ...::build(...) | semmle.label | ...::build(...) |
 | main.rs:21:5:21:55 | ... .secure(...) | semmle.label | ... .secure(...) |
 | main.rs:21:57:21:61 | build | semmle.label | build |
-| main.rs:24:5:24:17 | ...::build | semmle.label | ...::build |
-| main.rs:24:5:24:36 | ...::build(...) | semmle.label | ...::build(...) |
-| main.rs:24:5:24:51 | ... .secure(...) | semmle.label | ... .secure(...) |
-| main.rs:24:53:24:57 | build | semmle.label | build |
 | main.rs:25:5:25:17 | ...::build | semmle.label | ...::build |
 | main.rs:25:5:25:36 | ...::build(...) | semmle.label | ...::build(...) |
 | main.rs:25:5:25:52 | ... .secure(...) | semmle.label | ... .secure(...) |

rust/ql/test/query-tests/security/CWE-614/main.rs

@@ -21,7 +21,7 @@ fn test_cookie(sometimes: bool) {
     Cookie::build(("name", "value")).secure(!sometimes).build(); // $ Alert[rust/insecure-cookie]
 
     // with data flow on the "secure" value
-    Cookie::build(("name", "value")).secure(always).build(); // $ SPURIOUS: Alert[rust/insecure-cookie]
+    Cookie::build(("name", "value")).secure(always).build(); // good
     Cookie::build(("name", "value")).secure(!always).build(); // $ Alert[rust/insecure-cookie]
     Cookie::build(("name", "value")).secure(never).build(); // $ Alert[rust/insecure-cookie]
     Cookie::build(("name", "value")).secure(!never).build(); // $ SPURIOUS: Alert[rust/insecure-cookie]