Rust: Add tests for a few more edge cases.

geoffw0 · geoffw0 · commit 9c7fc583373c · 2025-09-16T12:41:00.000+01:00
diff --git a/rust/ql/test/query-tests/security/CWE-319/UseOfHttp.expected b/rust/ql/test/query-tests/security/CWE-319/UseOfHttp.expected
@@ -1,68 +1,76 @@
 #select
 | main.rs:12:22:12:43 | ...::get | main.rs:12:45:12:68 | "http://example.com/api" | main.rs:12:22:12:43 | ...::get | This URL may be constructed with the HTTP protocol, from $@. | main.rs:12:45:12:68 | "http://example.com/api" | this HTTP URL |
-| main.rs:13:22:13:43 | ...::get | main.rs:13:45:13:73 | "http://api.example.com/data" | main.rs:13:22:13:43 | ...::get | This URL may be constructed with the HTTP protocol, from $@. | main.rs:13:45:13:73 | "http://api.example.com/data" | this HTTP URL |
-| main.rs:25:21:25:42 | ...::get | main.rs:22:20:22:39 | "http://example.com" | main.rs:25:21:25:42 | ...::get | This URL may be constructed with the HTTP protocol, from $@. | main.rs:22:20:22:39 | "http://example.com" | this HTTP URL |
-| main.rs:36:30:36:51 | ...::get | main.rs:33:20:33:28 | "http://" | main.rs:36:30:36:51 | ...::get | This URL may be constructed with the HTTP protocol, from $@. | main.rs:33:20:33:28 | "http://" | this HTTP URL |
-| main.rs:63:24:63:45 | ...::get | main.rs:60:19:60:53 | "http://example.com/sensitive-... | main.rs:63:24:63:45 | ...::get | This URL may be constructed with the HTTP protocol, from $@. | main.rs:60:19:60:53 | "http://example.com/sensitive-... | this HTTP URL |
+| main.rs:14:22:14:43 | ...::get | main.rs:14:45:14:73 | "http://api.example.com/data" | main.rs:14:22:14:43 | ...::get | This URL may be constructed with the HTTP protocol, from $@. | main.rs:14:45:14:73 | "http://api.example.com/data" | this HTTP URL |
+| main.rs:26:21:26:42 | ...::get | main.rs:23:20:23:39 | "http://example.com" | main.rs:26:21:26:42 | ...::get | This URL may be constructed with the HTTP protocol, from $@. | main.rs:23:20:23:39 | "http://example.com" | this HTTP URL |
+| main.rs:37:30:37:51 | ...::get | main.rs:34:20:34:28 | "http://" | main.rs:37:30:37:51 | ...::get | This URL may be constructed with the HTTP protocol, from $@. | main.rs:34:20:34:28 | "http://" | this HTTP URL |
+| main.rs:53:19:53:40 | ...::get | main.rs:53:42:53:68 | "http://172.31.255.255/bar" | main.rs:53:19:53:40 | ...::get | This URL may be constructed with the HTTP protocol, from $@. | main.rs:53:42:53:68 | "http://172.31.255.255/bar" | this HTTP URL |
+| main.rs:60:20:60:41 | ...::get | main.rs:60:43:60:65 | "http://172.32.0.0/baz" | main.rs:60:20:60:41 | ...::get | This URL may be constructed with the HTTP protocol, from $@. | main.rs:60:43:60:65 | "http://172.32.0.0/baz" | this HTTP URL |
+| main.rs:71:24:71:45 | ...::get | main.rs:68:19:68:53 | "http://example.com/sensitive-... | main.rs:71:24:71:45 | ...::get | This URL may be constructed with the HTTP protocol, from $@. | main.rs:68:19:68:53 | "http://example.com/sensitive-... | this HTTP URL |
 edges
 | main.rs:12:45:12:68 | "http://example.com/api" | main.rs:12:22:12:43 | ...::get | provenance | MaD:1 Sink:MaD:1 |
-| main.rs:13:45:13:73 | "http://api.example.com/data" | main.rs:13:22:13:43 | ...::get | provenance | MaD:1 Sink:MaD:1 |
-| main.rs:22:9:22:16 | base_url | main.rs:24:28:24:53 | MacroExpr | provenance |  |
-| main.rs:22:20:22:39 | "http://example.com" | main.rs:22:9:22:16 | base_url | provenance |  |
-| main.rs:24:9:24:16 | full_url | main.rs:25:45:25:52 | full_url | provenance |  |
-| main.rs:24:20:24:26 | res | main.rs:24:28:24:53 | { ... } | provenance |  |
-| main.rs:24:28:24:53 | ...::format(...) | main.rs:24:20:24:26 | res | provenance |  |
-| main.rs:24:28:24:53 | ...::must_use(...) | main.rs:24:9:24:16 | full_url | provenance |  |
-| main.rs:24:28:24:53 | MacroExpr | main.rs:24:28:24:53 | ...::format(...) | provenance | MaD:2 |
-| main.rs:24:28:24:53 | { ... } | main.rs:24:28:24:53 | ...::must_use(...) | provenance | MaD:3 |
-| main.rs:25:44:25:52 | &full_url [&ref] | main.rs:25:21:25:42 | ...::get | provenance | MaD:1 Sink:MaD:1 |
-| main.rs:25:45:25:52 | full_url | main.rs:25:44:25:52 | &full_url [&ref] | provenance |  |
-| main.rs:33:9:33:16 | protocol | main.rs:35:32:35:53 | MacroExpr | provenance |  |
-| main.rs:33:20:33:28 | "http://" | main.rs:33:9:33:16 | protocol | provenance |  |
-| main.rs:35:9:35:20 | insecure_url | main.rs:36:54:36:65 | insecure_url | provenance |  |
-| main.rs:35:24:35:30 | res | main.rs:35:32:35:53 | { ... } | provenance |  |
-| main.rs:35:32:35:53 | ...::format(...) | main.rs:35:24:35:30 | res | provenance |  |
-| main.rs:35:32:35:53 | ...::must_use(...) | main.rs:35:9:35:20 | insecure_url | provenance |  |
-| main.rs:35:32:35:53 | MacroExpr | main.rs:35:32:35:53 | ...::format(...) | provenance | MaD:2 |
-| main.rs:35:32:35:53 | { ... } | main.rs:35:32:35:53 | ...::must_use(...) | provenance | MaD:3 |
-| main.rs:36:53:36:65 | &insecure_url [&ref] | main.rs:36:30:36:51 | ...::get | provenance | MaD:1 Sink:MaD:1 |
-| main.rs:36:54:36:65 | insecure_url | main.rs:36:53:36:65 | &insecure_url [&ref] | provenance |  |
-| main.rs:60:13:60:15 | url | main.rs:63:47:63:49 | url | provenance |  |
-| main.rs:60:19:60:53 | "http://example.com/sensitive-... | main.rs:60:13:60:15 | url | provenance |  |
-| main.rs:63:47:63:49 | url | main.rs:63:24:63:45 | ...::get | provenance | MaD:1 Sink:MaD:1 |
+| main.rs:14:45:14:73 | "http://api.example.com/data" | main.rs:14:22:14:43 | ...::get | provenance | MaD:1 Sink:MaD:1 |
+| main.rs:23:9:23:16 | base_url | main.rs:25:28:25:53 | MacroExpr | provenance |  |
+| main.rs:23:20:23:39 | "http://example.com" | main.rs:23:9:23:16 | base_url | provenance |  |
+| main.rs:25:9:25:16 | full_url | main.rs:26:45:26:52 | full_url | provenance |  |
+| main.rs:25:20:25:26 | res | main.rs:25:28:25:53 | { ... } | provenance |  |
+| main.rs:25:28:25:53 | ...::format(...) | main.rs:25:20:25:26 | res | provenance |  |
+| main.rs:25:28:25:53 | ...::must_use(...) | main.rs:25:9:25:16 | full_url | provenance |  |
+| main.rs:25:28:25:53 | MacroExpr | main.rs:25:28:25:53 | ...::format(...) | provenance | MaD:2 |
+| main.rs:25:28:25:53 | { ... } | main.rs:25:28:25:53 | ...::must_use(...) | provenance | MaD:3 |
+| main.rs:26:44:26:52 | &full_url [&ref] | main.rs:26:21:26:42 | ...::get | provenance | MaD:1 Sink:MaD:1 |
+| main.rs:26:45:26:52 | full_url | main.rs:26:44:26:52 | &full_url [&ref] | provenance |  |
+| main.rs:34:9:34:16 | protocol | main.rs:36:32:36:53 | MacroExpr | provenance |  |
+| main.rs:34:20:34:28 | "http://" | main.rs:34:9:34:16 | protocol | provenance |  |
+| main.rs:36:9:36:20 | insecure_url | main.rs:37:54:37:65 | insecure_url | provenance |  |
+| main.rs:36:24:36:30 | res | main.rs:36:32:36:53 | { ... } | provenance |  |
+| main.rs:36:32:36:53 | ...::format(...) | main.rs:36:24:36:30 | res | provenance |  |
+| main.rs:36:32:36:53 | ...::must_use(...) | main.rs:36:9:36:20 | insecure_url | provenance |  |
+| main.rs:36:32:36:53 | MacroExpr | main.rs:36:32:36:53 | ...::format(...) | provenance | MaD:2 |
+| main.rs:36:32:36:53 | { ... } | main.rs:36:32:36:53 | ...::must_use(...) | provenance | MaD:3 |
+| main.rs:37:53:37:65 | &insecure_url [&ref] | main.rs:37:30:37:51 | ...::get | provenance | MaD:1 Sink:MaD:1 |
+| main.rs:37:54:37:65 | insecure_url | main.rs:37:53:37:65 | &insecure_url [&ref] | provenance |  |
+| main.rs:53:42:53:68 | "http://172.31.255.255/bar" | main.rs:53:19:53:40 | ...::get | provenance | MaD:1 Sink:MaD:1 |
+| main.rs:60:43:60:65 | "http://172.32.0.0/baz" | main.rs:60:20:60:41 | ...::get | provenance | MaD:1 Sink:MaD:1 |
+| main.rs:68:13:68:15 | url | main.rs:71:47:71:49 | url | provenance |  |
+| main.rs:68:19:68:53 | "http://example.com/sensitive-... | main.rs:68:13:68:15 | url | provenance |  |
+| main.rs:71:47:71:49 | url | main.rs:71:24:71:45 | ...::get | provenance | MaD:1 Sink:MaD:1 |
 models
 | 1 | Sink: reqwest::blocking::get; Argument[0]; request-url |
 | 2 | Summary: alloc::fmt::format; Argument[0]; ReturnValue; taint |
 | 3 | Summary: core::hint::must_use; Argument[0]; ReturnValue; value |
 nodes
 | main.rs:12:22:12:43 | ...::get | semmle.label | ...::get |
 | main.rs:12:45:12:68 | "http://example.com/api" | semmle.label | "http://example.com/api" |
-| main.rs:13:22:13:43 | ...::get | semmle.label | ...::get |
-| main.rs:13:45:13:73 | "http://api.example.com/data" | semmle.label | "http://api.example.com/data" |
-| main.rs:22:9:22:16 | base_url | semmle.label | base_url |
-| main.rs:22:20:22:39 | "http://example.com" | semmle.label | "http://example.com" |
-| main.rs:24:9:24:16 | full_url | semmle.label | full_url |
-| main.rs:24:20:24:26 | res | semmle.label | res |
-| main.rs:24:28:24:53 | ...::format(...) | semmle.label | ...::format(...) |
-| main.rs:24:28:24:53 | ...::must_use(...) | semmle.label | ...::must_use(...) |
-| main.rs:24:28:24:53 | MacroExpr | semmle.label | MacroExpr |
-| main.rs:24:28:24:53 | { ... } | semmle.label | { ... } |
-| main.rs:25:21:25:42 | ...::get | semmle.label | ...::get |
-| main.rs:25:44:25:52 | &full_url [&ref] | semmle.label | &full_url [&ref] |
-| main.rs:25:45:25:52 | full_url | semmle.label | full_url |
-| main.rs:33:9:33:16 | protocol | semmle.label | protocol |
-| main.rs:33:20:33:28 | "http://" | semmle.label | "http://" |
-| main.rs:35:9:35:20 | insecure_url | semmle.label | insecure_url |
-| main.rs:35:24:35:30 | res | semmle.label | res |
-| main.rs:35:32:35:53 | ...::format(...) | semmle.label | ...::format(...) |
-| main.rs:35:32:35:53 | ...::must_use(...) | semmle.label | ...::must_use(...) |
-| main.rs:35:32:35:53 | MacroExpr | semmle.label | MacroExpr |
-| main.rs:35:32:35:53 | { ... } | semmle.label | { ... } |
-| main.rs:36:30:36:51 | ...::get | semmle.label | ...::get |
-| main.rs:36:53:36:65 | &insecure_url [&ref] | semmle.label | &insecure_url [&ref] |
-| main.rs:36:54:36:65 | insecure_url | semmle.label | insecure_url |
-| main.rs:60:13:60:15 | url | semmle.label | url |
-| main.rs:60:19:60:53 | "http://example.com/sensitive-... | semmle.label | "http://example.com/sensitive-... |
-| main.rs:63:24:63:45 | ...::get | semmle.label | ...::get |
-| main.rs:63:47:63:49 | url | semmle.label | url |
+| main.rs:14:22:14:43 | ...::get | semmle.label | ...::get |
+| main.rs:14:45:14:73 | "http://api.example.com/data" | semmle.label | "http://api.example.com/data" |
+| main.rs:23:9:23:16 | base_url | semmle.label | base_url |
+| main.rs:23:20:23:39 | "http://example.com" | semmle.label | "http://example.com" |
+| main.rs:25:9:25:16 | full_url | semmle.label | full_url |
+| main.rs:25:20:25:26 | res | semmle.label | res |
+| main.rs:25:28:25:53 | ...::format(...) | semmle.label | ...::format(...) |
+| main.rs:25:28:25:53 | ...::must_use(...) | semmle.label | ...::must_use(...) |
+| main.rs:25:28:25:53 | MacroExpr | semmle.label | MacroExpr |
+| main.rs:25:28:25:53 | { ... } | semmle.label | { ... } |
+| main.rs:26:21:26:42 | ...::get | semmle.label | ...::get |
+| main.rs:26:44:26:52 | &full_url [&ref] | semmle.label | &full_url [&ref] |
+| main.rs:26:45:26:52 | full_url | semmle.label | full_url |
+| main.rs:34:9:34:16 | protocol | semmle.label | protocol |
+| main.rs:34:20:34:28 | "http://" | semmle.label | "http://" |
+| main.rs:36:9:36:20 | insecure_url | semmle.label | insecure_url |
+| main.rs:36:24:36:30 | res | semmle.label | res |
+| main.rs:36:32:36:53 | ...::format(...) | semmle.label | ...::format(...) |
+| main.rs:36:32:36:53 | ...::must_use(...) | semmle.label | ...::must_use(...) |
+| main.rs:36:32:36:53 | MacroExpr | semmle.label | MacroExpr |
+| main.rs:36:32:36:53 | { ... } | semmle.label | { ... } |
+| main.rs:37:30:37:51 | ...::get | semmle.label | ...::get |
+| main.rs:37:53:37:65 | &insecure_url [&ref] | semmle.label | &insecure_url [&ref] |
+| main.rs:37:54:37:65 | insecure_url | semmle.label | insecure_url |
+| main.rs:53:19:53:40 | ...::get | semmle.label | ...::get |
+| main.rs:53:42:53:68 | "http://172.31.255.255/bar" | semmle.label | "http://172.31.255.255/bar" |
+| main.rs:60:20:60:41 | ...::get | semmle.label | ...::get |
+| main.rs:60:43:60:65 | "http://172.32.0.0/baz" | semmle.label | "http://172.32.0.0/baz" |
+| main.rs:68:13:68:15 | url | semmle.label | url |
+| main.rs:68:19:68:53 | "http://example.com/sensitive-... | semmle.label | "http://example.com/sensitive-... |
+| main.rs:71:24:71:45 | ...::get | semmle.label | ...::get |
+| main.rs:71:47:71:49 | url | semmle.label | url |
 subpaths
diff --git a/rust/ql/test/query-tests/security/CWE-319/main.rs b/rust/ql/test/query-tests/security/CWE-319/main.rs
@@ -10,7 +10,8 @@ fn main() {
 fn test_direct_literals() {
     // BAD: Direct HTTP URLs that should be flagged
     let _response1 = reqwest::blocking::get("http://example.com/api").unwrap(); // $ Alert[rust/non-https-url]
-    let _response2 = reqwest::blocking::get("http://api.example.com/data").unwrap(); // $ Alert[rust/non-https-url]
+    let _response2 = reqwest::blocking::get("HTTP://EXAMPLE.COM/API").unwrap(); // $ MISSING: Alert[rust/non-https-url]
+    let _response3 = reqwest::blocking::get("http://api.example.com/data").unwrap(); // $ Alert[rust/non-https-url]
 
     // GOOD: HTTPS URLs that should not be flagged
     let _response3 = reqwest::blocking::get("https://example.com/api").unwrap();
@@ -44,13 +45,20 @@ fn test_dynamic_urls() {
 fn test_localhost_exemptions() {
     // GOOD: localhost URLs should not be flagged (local development)
     let _local1 = reqwest::blocking::get("http://localhost:8080/api").unwrap();
-    let _local2 = reqwest::blocking::get("http://127.0.0.1:3000/test").unwrap();
-    let _local3 = reqwest::blocking::get("http://192.168.1.100/internal").unwrap();
-    let _local4 = reqwest::blocking::get("http://10.0.0.1/admin").unwrap();
+    let _local2 = reqwest::blocking::get("HTTP://LOCALHOST:8080/api").unwrap();
+    let _local3 = reqwest::blocking::get("http://127.0.0.1:3000/test").unwrap();
+    let _local4 = reqwest::blocking::get("http://192.168.1.100/internal").unwrap();
+    let _local5 = reqwest::blocking::get("http://10.0.0.1/admin").unwrap();
+    let _local6 = reqwest::blocking::get("http://172.16.0.0/foo").unwrap();
+    let _local7 = reqwest::blocking::get("http://172.31.255.255/bar").unwrap(); // $ SPURIOUS: Alert[rust/non-https-url]
+
+    // GOOD: test IPv6 localhost variants
+    let _local8 = reqwest::blocking::get("http://[::1]:8080/api").unwrap();
+    let _local9 = reqwest::blocking::get("http://[0:0:0:0:0:0:0:1]/test").unwrap();
+
+    // BAD: non-private IP address
+    let _local10 = reqwest::blocking::get("http://172.32.0.0/baz").unwrap(); // $ Alert[rust/non-https-url]
 
-    // Test IPv6 localhost variants
-    let _local5 = reqwest::blocking::get("http://[::1]:8080/api").unwrap();
-    let _local6 = reqwest::blocking::get("http://[0:0:0:0:0:0:0:1]/test").unwrap();
 }
 
 // Additional test cases that mirror the Bad/Good examples
