Implement Rust non-HTTPS URL query (CWE-319)

Copilot · geoffw0 · Copilot · commit e630bf86bdd0 · 2025-09-15T11:44:05.000Z
Co-authored-by: geoffw0 &lt;40627776+geoffw0@users.noreply.github.com&gt;
diff --git a/rust/ql/integration-tests/query-suite/rust-code-scanning.qls.expected b/rust/ql/integration-tests/query-suite/rust-code-scanning.qls.expected
@@ -14,6 +14,7 @@ ql/rust/ql/src/queries/security/CWE-089/SqlInjection.ql
 ql/rust/ql/src/queries/security/CWE-311/CleartextTransmission.ql
 ql/rust/ql/src/queries/security/CWE-312/CleartextLogging.ql
 ql/rust/ql/src/queries/security/CWE-312/CleartextStorageDatabase.ql
+ql/rust/ql/src/queries/security/CWE-319/UseOfHttp.ql
 ql/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.ql
 ql/rust/ql/src/queries/security/CWE-328/WeakSensitiveDataHashing.ql
 ql/rust/ql/src/queries/security/CWE-770/UncontrolledAllocationSize.ql
diff --git a/rust/ql/integration-tests/query-suite/rust-security-and-quality.qls.expected b/rust/ql/integration-tests/query-suite/rust-security-and-quality.qls.expected
@@ -15,6 +15,7 @@ ql/rust/ql/src/queries/security/CWE-117/LogInjection.ql
 ql/rust/ql/src/queries/security/CWE-311/CleartextTransmission.ql
 ql/rust/ql/src/queries/security/CWE-312/CleartextLogging.ql
 ql/rust/ql/src/queries/security/CWE-312/CleartextStorageDatabase.ql
+ql/rust/ql/src/queries/security/CWE-319/UseOfHttp.ql
 ql/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.ql
 ql/rust/ql/src/queries/security/CWE-328/WeakSensitiveDataHashing.ql
 ql/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql
diff --git a/rust/ql/integration-tests/query-suite/rust-security-extended.qls.expected b/rust/ql/integration-tests/query-suite/rust-security-extended.qls.expected
@@ -15,6 +15,7 @@ ql/rust/ql/src/queries/security/CWE-117/LogInjection.ql
 ql/rust/ql/src/queries/security/CWE-311/CleartextTransmission.ql
 ql/rust/ql/src/queries/security/CWE-312/CleartextLogging.ql
 ql/rust/ql/src/queries/security/CWE-312/CleartextStorageDatabase.ql
+ql/rust/ql/src/queries/security/CWE-319/UseOfHttp.ql
 ql/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.ql
 ql/rust/ql/src/queries/security/CWE-328/WeakSensitiveDataHashing.ql
 ql/rust/ql/src/queries/security/CWE-770/UncontrolledAllocationSize.ql
diff --git a/rust/ql/lib/codeql/rust/security/UseOfHttpExtensions.qll b/rust/ql/lib/codeql/rust/security/UseOfHttpExtensions.qll
@@ -0,0 +1,60 @@
+/**
+ * Provides classes and predicates for reasoning about the use of
+ * non-HTTPS URLs in Rust code.
+ */
+
+import rust
+private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowSink
+private import codeql.rust.elements.LiteralExprExt
+private import codeql.rust.Concepts
+
+/**
+ * Provides default sources, sinks and barriers for detecting use of
+ * non-HTTPS URLs, as well as extension points for adding your own.
+ */
+module UseOfHttp {
+  /**
+   * A data flow source for use of non-HTTPS URLs.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for use of non-HTTPS URLs.
+   */
+  abstract class Sink extends QuerySink::Range {
+    override string getSinkType() { result = "UseOfHttp" }
+  }
+
+  /**
+   * A barrier for use of non-HTTPS URLs.
+   */
+  abstract class Barrier extends DataFlow::Node { }
+
+  /**
+   * A string containing an HTTP URL.
+   */
+  class HttpStringLiteral extends StringLiteralExpr {
+    HttpStringLiteral() {
+      exists(string s | this.getTextValue() = s |
+        // Match HTTP URLs that are not private/local
+        s.regexpMatch("\"http://.*\"") and
+        not s.regexpMatch("\"http://(localhost|127\\.0\\.0\\.1|192\\.168\\.[0-9]+\\.[0-9]+|10\\.[0-9]+\\.[0-9]+\\.[0-9]+|172\\.16\\.[0-9]+\\.[0-9]+|\\[::1\\]|\\[0:0:0:0:0:0:0:1\\]).*\"")
+      )
+    }
+  }
+
+  /**
+   * An HTTP string literal as a source.
+   */
+  private class HttpStringLiteralAsSource extends Source {
+    HttpStringLiteralAsSource() { this.asExpr().getExpr() instanceof HttpStringLiteral }
+  }
+
+  /**
+   * A sink for use of HTTP URLs from model data.
+   */
+  private class ModelsAsDataSink extends Sink {
+    ModelsAsDataSink() { sinkNode(this, "request-url") }
+  }
+}
diff --git a/rust/ql/src/change-notes/2025-09-15-non-https-url.md b/rust/ql/src/change-notes/2025-09-15-non-https-url.md
@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new query, `rust/non-https-url`, for detecting the use of non-HTTPS URLs that can be intercepted by third parties.
diff --git a/rust/ql/src/queries/security/CWE-319/UseOfHttp.qhelp b/rust/ql/src/queries/security/CWE-319/UseOfHttp.qhelp
@@ -0,0 +1,48 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+
+<p>Constructing URLs with the HTTP protocol can lead to unsecured connections.</p>
+
+<p>Furthermore, constructing URLs with the HTTP protocol can create problems if other parts of the 
+code expect HTTPS URLs. A typical pattern is to use libraries that expect secure connections, 
+which may fail or fall back to insecure behavior when provided with HTTP URLs instead of HTTPS URLs.</p>
+
+</overview>
+<recommendation>
+
+<p>When you construct a URL for network requests, ensure that you use an HTTPS URL rather than an HTTP URL. 
+Then, any connections that are made using that URL are secure SSL/TLS connections.</p>
+
+</recommendation>
+<example>
+
+<p>The following example shows two ways of making a network request using a URL. When the request is 
+made using an HTTP URL rather than an HTTPS URL, the connection is unsecured and can be intercepted 
+by attackers. When the request is made using an HTTPS URL, the connection is a secure SSL/TLS connection.</p>
+
+<sample src="UseOfHttpBad.rs" />
+
+<p>A better approach is to use HTTPS:</p>
+
+<sample src="UseOfHttpGood.rs" />
+
+</example>
+<references>
+
+<li>
+OWASP:
+<a href="https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html">Transport Layer Protection Cheat Sheet</a>.
+</li>
+<li>
+OWASP Top 10:
+<a href="https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/">A08:2021 - Software and Data Integrity Failures</a>.
+</li>
+<li>Rust reqwest documentation: 
+<a href="https://docs.rs/reqwest/">reqwest crate</a>.
+</li>
+
+</references>
+</qhelp>
diff --git a/rust/ql/src/queries/security/CWE-319/UseOfHttp.ql b/rust/ql/src/queries/security/CWE-319/UseOfHttp.ql
@@ -0,0 +1,42 @@
+/**
+ * @name Failure to use HTTPS URLs
+ * @description Non-HTTPS connections can be intercepted by third parties.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 8.1
+ * @precision high
+ * @id rust/non-https-url
+ * @tags security
+ *       external/cwe/cwe-319
+ *       external/cwe/cwe-345
+ */
+
+import rust
+import codeql.rust.dataflow.DataFlow
+import codeql.rust.dataflow.TaintTracking
+import codeql.rust.security.UseOfHttpExtensions
+
+/**
+ * A taint configuration for HTTP URL strings that flow to URL-using sinks.
+ */
+module UseOfHttpConfig implements DataFlow::ConfigSig {
+  import UseOfHttp
+
+  predicate isSource(DataFlow::Node node) { node instanceof Source }
+
+  predicate isSink(DataFlow::Node node) { node instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof Barrier }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+}
+
+module UseOfHttpFlow = TaintTracking::Global<UseOfHttpConfig>;
+
+import UseOfHttpFlow::PathGraph
+
+from UseOfHttpFlow::PathNode sourceNode, UseOfHttpFlow::PathNode sinkNode
+where UseOfHttpFlow::flowPath(sourceNode, sinkNode)
+select sinkNode.getNode(), sourceNode, sinkNode,
+  "This URL may be constructed with the HTTP protocol, from $@.", sourceNode.getNode(),
+  "this HTTP URL"
diff --git a/rust/ql/src/queries/security/CWE-319/UseOfHttpBad.rs b/rust/ql/src/queries/security/CWE-319/UseOfHttpBad.rs
@@ -0,0 +1,10 @@
+// BAD: Using HTTP URL which can be intercepted
+use reqwest;
+
+fn main() {
+    let url = "http://example.com/sensitive-data";
+    
+    // This makes an insecure HTTP request that can be intercepted
+    let response = reqwest::blocking::get(url).unwrap();
+    println!("Response: {}", response.text().unwrap());
+}
diff --git a/rust/ql/src/queries/security/CWE-319/UseOfHttpGood.rs b/rust/ql/src/queries/security/CWE-319/UseOfHttpGood.rs
@@ -0,0 +1,10 @@
+// GOOD: Using HTTPS URL which provides encryption
+use reqwest;
+
+fn main() {
+    let url = "https://example.com/sensitive-data";
+    
+    // This makes a secure HTTPS request that is encrypted
+    let response = reqwest::blocking::get(url).unwrap();
+    println!("Response: {}", response.text().unwrap());
+}
diff --git a/rust/ql/src/queries/summary/Stats.qll b/rust/ql/src/queries/summary/Stats.qll
@@ -27,6 +27,7 @@ private import codeql.rust.security.LogInjectionExtensions
 private import codeql.rust.security.SqlInjectionExtensions
 private import codeql.rust.security.TaintedPathExtensions
 private import codeql.rust.security.UncontrolledAllocationSizeExtensions
+private import codeql.rust.security.UseOfHttpExtensions
 private import codeql.rust.security.WeakSensitiveDataHashingExtensions
 private import codeql.rust.security.HardcodedCryptographicValueExtensions
 
diff --git a/rust/ql/test/query-tests/security/CWE-319/Cargo.lock b/rust/ql/test/query-tests/security/CWE-319/Cargo.lock
diff --git a/rust/ql/test/query-tests/security/CWE-319/UseOfHttp.expected b/rust/ql/test/query-tests/security/CWE-319/UseOfHttp.expected
diff --git a/rust/ql/test/query-tests/security/CWE-319/UseOfHttp.qlref b/rust/ql/test/query-tests/security/CWE-319/UseOfHttp.qlref
diff --git a/rust/ql/test/query-tests/security/CWE-319/main.rs b/rust/ql/test/query-tests/security/CWE-319/main.rs
diff --git a/rust/ql/test/query-tests/security/CWE-319/options.yml b/rust/ql/test/query-tests/security/CWE-319/options.yml

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: newQuery
 +---
 +* Added a new query, `rust/non-https-url`, for detecting the use of non-HTTPS URLs that can be intercepted by third parties.