Add Actix framework modeling and import to Frameworks.qll

[coadaflorin]

Pull Request checklist

All query authors

• A change note is added if necessary. See the documentation in this repository.
• All new queries have appropriate .qhelp. See the documentation in this repository.
• QL tests are added if necessary. See Testing custom queries in the GitHub documentation.
• New and changed queries have correct query metadata. See the documentation in this repository.

Internal query authors only

• Autofixes generated based on these changes are valid, only needed if this PR makes significant changes to .ql, .qll, or .qhelp files. See the documentation (internal access required).
• Changes are validated at scale (internal access required).
• Adding a new query? Consider also adding the query to autofix.

[Copilot]

Pull Request Overview

This PR adds modeling support for the Actix framework by introducing a new CodeQL library file and ensuring it is imported in the main frameworks file.

• Introduces Actix.qll with a class to identify Actix handler parameters
• Imports the new Actix model in Frameworks.qll

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
rust/ql/lib/codeql/rust/frameworks/Actix.qll	Adds Actix handler parameter modeling class
rust/ql/lib/codeql/rust/Frameworks.qll	Imports the new Actix framework model

Comments suppressed due to low confidence (2)

rust/ql/lib/codeql/rust/frameworks/Actix.qll:1

• No QL tests were added to validate the new Actix modeling. Consider adding .ql test cases to cover the ActixHandlerParam logic.

/**

rust/ql/lib/codeql/rust/frameworks/Actix.qll:12

• The RemoteSource module is not imported or fully qualified. It should extend DataFlow::RemoteSource::Range to reference the correct class from the DataFlow module.

private class ActixHandlerParam extends RemoteSource::Range {

[geoffw0]

I think this is a very narrow model, but it's a decent starting point, and any models of remote taint sources are high value.

I'm aware that you have a specific database this change is targeted at, I assume you've tested it works there, but we really should have at least one test case in the repo as well. I've created #19466 to address this shortfall and also track how we're doing on other web frameworks.

[geoffw0]

#19466 has been merged into main, so if you merge latest main into this branch we'll be able to see how your model does on the test.

Also, CI says that Actix.qll needs autoformatting.

Feel free to DM me if you need any help.

[coadaflorin]

I'll need to put this on hold while I catch-up on some other stuff. I'll reach out probably next week to see how the test works.

[paldepind]

This might be addressed by #20543. Do you still have the code for which you implemented this @coadaflorin?

[coadaflorin]

https://github.com/coadaflorin/chop-shop is the app I was trying to build, but did not get a chance to complete the work.

[geoffw0]

I suggest we close this PR, we now have a test (added a while back) and MaD source models (added in the above PR).

[paldepind]

Yes, I agree.