Skip to content

Add Actix framework modeling and import to Frameworks.qll #19461

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add Actix framework modeling and import to Frameworks.qll #19461

wants to merge 1 commit into from

Conversation

coadaflorin
Copy link
Contributor

Pull Request checklist

All query authors

Internal query authors only

  • Autofixes generated based on these changes are valid, only needed if this PR makes significant changes to .ql, .qll, or .qhelp files. See the documentation (internal access required).
  • Changes are validated at scale (internal access required).
  • Adding a new query? Consider also adding the query to autofix.

@Copilot Copilot AI review requested due to automatic review settings May 5, 2025 14:16
@coadaflorin coadaflorin requested a review from a team as a code owner May 5, 2025 14:16
@github-actions github-actions bot added the Rust Pull requests that update Rust code label May 5, 2025
Copilot
Copilot AI reviewed May 5, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds modeling support for the Actix framework by introducing a new CodeQL library file and ensuring it is imported in the main frameworks file.

  • Introduces Actix.qll with a class to identify Actix handler parameters
  • Imports the new Actix model in Frameworks.qll

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
rust/ql/lib/codeql/rust/frameworks/Actix.qll Adds Actix handler parameter modeling class
rust/ql/lib/codeql/rust/Frameworks.qll Imports the new Actix framework model
Comments suppressed due to low confidence (2)

rust/ql/lib/codeql/rust/frameworks/Actix.qll:1

  • No QL tests were added to validate the new Actix modeling. Consider adding .ql test cases to cover the ActixHandlerParam logic.
/**

rust/ql/lib/codeql/rust/frameworks/Actix.qll:12

  • The RemoteSource module is not imported or fully qualified. It should extend DataFlow::RemoteSource::Range to reference the correct class from the DataFlow module.
private class ActixHandlerParam extends RemoteSource::Range {

github-advanced-security[bot]
github-advanced-security bot found potential problems May 5, 2025
View reviewed changes
rust/ql/lib/codeql/rust/frameworks/Actix.qll
private class ActixHandlerParam extends RemoteSource::Range {
ActixHandlerParam() {
exists(TupleStructPat param |
param.getResolvedPath() = ["crate::types::query::Query"]

Check warning

Code scanning / CodeQL

Singleton set literal Warning

Singleton set literal can be replaced by its member.
@geoffw0 geoffw0 mentioned this pull request May 7, 2025
Merged
@geoffw0
Copy link
Contributor

geoffw0 commented May 7, 2025

I think this is a very narrow model, but it's a decent starting point, and any models of remote taint sources are high value.

I'm aware that you have a specific database this change is targeted at, I assume you've tested it works there, but we really should have at least one test case in the repo as well. I've created #19466 to address this shortfall and also track how we're doing on other web frameworks.

@geoffw0
Copy link
Contributor

geoffw0 commented May 13, 2025

#19466 has been merged into main, so if you merge latest main into this branch we'll be able to see how your model does on the test.

Also, CI says that Actix.qll needs autoformatting.

Feel free to DM me if you need any help.

@coadaflorin
Copy link
Contributor Author

I'll need to put this on hold while I catch-up on some other stuff. I'll reach out probably next week to see how the test works.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
Rust Pull requests that update Rust code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@coadaflorin @geoffw0