-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rust: Add some flow source models #18069
base: main
Are you sure you want to change the base?
Conversation
*/ | ||
private class StdEnvArgs extends CommandLineArgsSource::Range { | ||
StdEnvArgs() { | ||
this.asExpr().getExpr().(CallExpr).getExpr().(PathExpr).getPath().getResolvedPath() = ["crate::env::args", "crate::env::args_os"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@redsun82 these paths don't look right - I assume the correct path would be something like std::env::args
or crate::std::env::args
? They do match both what we get in the tests and what we see in real databases at the moment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(fixing this will probably be follow-up work, what we have works well enough right now and is needed to get queries working)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hmm, this might have to do with the prelude, I'll have a look
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ah, no, currently that is expected.
The thing is that a path only makes sense in the context of a crate (there is no such thing as a global concept of path across crates). So that path is the correct one relative to the std crate.
The other piece of information is the (highly non-standard and prone to be changed) getCrateOrigin
, which gives lang:std
for the std lib.
we could theoretically combine the two, it's just that while I'm quite confident of the correctness of the resolved path (up to the fact that it may not cover all entities yet), I'm still unsure about the effectiveness of getCrateOrigin
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK. It sounds like we could check getCrateOrigin
for models where we're worried about ambiguity ("crate::get"
makes me nervous), but perhaps not check it for cases where we aren't (e.g. "crate::env::vars"
) since that will be more robust if getCrateOrigin
is potentially prone to change. Alternatively we could fall back on other details such as types to ensure our models are matching the right things - to the extent that we extract enough information.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've push a commit adding the restriction I described above.
I've also added an agenda item next week to discuss crate origins, how we can get reliable information and how they will interact with models-as-data.
// --- stubs for the "reqwest" library --- | ||
|
||
/* | ||
--- we don't seem to have a way to use this, hence we currently test against the real reqwest library |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@redsun82 I tried to stub reqwest
, it has a much simpler interface than sqlx
. But I ran into a problem that it's not possible (I think) to emulate the correct paths for the library and import it into a test.rs
at the moment. When we can, we can switch to a stubbing approach for reqwest
at least.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(fixing this will probably be follow-up work, what we have works well enough right now)
I believe this is just waiting for approval. update: new conflicts... |
Add some flow source models:
reqwest
libraryThese were chosen to support writing simple test cases such as those we have for the SQL Injection query. We will need more and different sources to find much of real world security interest.
I've also added a bit more wiring in
Concepts.qll
, and created a new query and test to expose the sources directly.