Merge pull request #20902 from paldepind/rust/xss-query

Rust: Add new query for XSS vulnerabilities

Author: paldepind

rust/ql/integration-tests/query-suite/rust-code-scanning.qls.expected

@@ -10,6 +10,7 @@ ql/rust/ql/src/queries/diagnostics/UnextractedElements.ql
 ql/rust/ql/src/queries/diagnostics/UnresolvedMacroCalls.ql
 ql/rust/ql/src/queries/security/CWE-020/RegexInjection.ql
 ql/rust/ql/src/queries/security/CWE-022/TaintedPath.ql
+ql/rust/ql/src/queries/security/CWE-079/XSS.ql
 ql/rust/ql/src/queries/security/CWE-089/SqlInjection.ql
 ql/rust/ql/src/queries/security/CWE-295/DisabledCertificateCheck.ql
 ql/rust/ql/src/queries/security/CWE-311/CleartextTransmission.ql

rust/ql/integration-tests/query-suite/rust-security-and-quality.qls.expected

@@ -10,6 +10,7 @@ ql/rust/ql/src/queries/diagnostics/UnextractedElements.ql
 ql/rust/ql/src/queries/diagnostics/UnresolvedMacroCalls.ql
 ql/rust/ql/src/queries/security/CWE-020/RegexInjection.ql
 ql/rust/ql/src/queries/security/CWE-022/TaintedPath.ql
+ql/rust/ql/src/queries/security/CWE-079/XSS.ql
 ql/rust/ql/src/queries/security/CWE-089/SqlInjection.ql
 ql/rust/ql/src/queries/security/CWE-117/LogInjection.ql
 ql/rust/ql/src/queries/security/CWE-295/DisabledCertificateCheck.ql

rust/ql/integration-tests/query-suite/rust-security-extended.qls.expected

@@ -10,6 +10,7 @@ ql/rust/ql/src/queries/diagnostics/UnextractedElements.ql
 ql/rust/ql/src/queries/diagnostics/UnresolvedMacroCalls.ql
 ql/rust/ql/src/queries/security/CWE-020/RegexInjection.ql
 ql/rust/ql/src/queries/security/CWE-022/TaintedPath.ql
+ql/rust/ql/src/queries/security/CWE-079/XSS.ql
 ql/rust/ql/src/queries/security/CWE-089/SqlInjection.ql
 ql/rust/ql/src/queries/security/CWE-117/LogInjection.ql
 ql/rust/ql/src/queries/security/CWE-295/DisabledCertificateCheck.ql

rust/ql/lib/codeql/rust/frameworks/actix-web.model.yml

@@ -6,6 +6,11 @@ extensions:
       - ["<actix_web::route::Route>::to", "Argument[0].Parameter[0..7]", "remote", "manual"]
       # Actix attributes such as `get` expand to this `to` call on the handler.
       - ["<actix_web::resource::Resource>::to", "Argument[0].Parameter[0..7]", "remote", "manual"]
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: sinkModel
+    data:
+        - ["<actix_web::types::html::Html>::new", "Argument[0]", "html-injection", "manual"]
   - addsTo:
       pack: codeql/rust-all
       extensible: summaryModel

rust/ql/lib/codeql/rust/frameworks/warp.model.yml

@@ -5,4 +5,9 @@ extensions:
     data:
       - ["<_ as warp::filter::Filter>::then", "Argument[0].Parameter[0..7]", "remote", "manual"]
       - ["<_ as warp::filter::Filter>::map", "Argument[0].Parameter[0..7]", "remote", "manual"]
-      - ["<_ as warp::filter::Filter>::and_then", "Argument[0].Parameter[0..7]", "remote", "manual"]
+      - ["<_ as warp::filter::Filter>::and_then", "Argument[0].Parameter[0..7]", "remote", "manual"]
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: sinkModel
+    data:
+        - ["warp::reply::html", "Argument[0]", "html-injection", "manual"]

rust/ql/lib/codeql/rust/security/XssExtensions.qll

@@ -0,0 +1,62 @@
+/**
+ * Provides classes and predicates for reasoning about cross-site scripting (XSS)
+ * vulnerabilities.
+ */
+
+import rust
+private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowSink
+private import codeql.rust.Concepts
+private import codeql.util.Unit
+private import codeql.rust.security.Barriers as Barriers
+
+/**
+ * Provides default sources, sinks and barriers for detecting XSS
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+module Xss {
+  /**
+   * A data flow source for XSS vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for XSS vulnerabilities.
+   */
+  abstract class Sink extends QuerySink::Range {
+    override string getSinkType() { result = "Xss" }
+  }
+
+  /**
+   * A barrier for XSS vulnerabilities.
+   */
+  abstract class Barrier extends DataFlow::Node { }
+
+  /**
+   * An active threat-model source, considered as a flow source.
+   */
+  private class ActiveThreatModelSourceAsSource extends Source, ActiveThreatModelSource { }
+
+  /**
+   * A sink for XSS from model data.
+   */
+  private class ModelsAsDataSink extends Sink {
+    ModelsAsDataSink() { sinkNode(this, "html-injection") }
+  }
+
+  /**
+   * A barrier for XSS vulnerabilities for nodes whose type is a
+   * numeric or boolean type, which is unlikely to expose any vulnerability.
+   */
+  private class NumericTypeBarrier extends Barrier instanceof Barriers::NumericTypeBarrier { }
+
+  /** A call to a function with "escape" or "encode" in its name. */
+  private class HeuristicHtmlEncodingBarrier extends Barrier {
+    HeuristicHtmlEncodingBarrier() {
+      exists(Call fc |
+        fc.getStaticTarget().getName().getText().regexpMatch(".*(escape|encode).*") and
+        fc.getArgument(_) = this.asExpr()
+      )
+    }
+  }
+}

rust/ql/src/change-notes/2025-11-24-xss-query.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new query `rust/xss`, to detect cross-site scripting security vulnerabilities.

rust/ql/src/queries/security/CWE-079/XSS.qhelp

@@ -0,0 +1,48 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Directly writing user input (for example, an HTTP request parameter) to a webpage,
+without properly sanitizing the input first, allows for a cross-site
+scripting vulnerability.</p>
+</overview>
+
+<recommendation>
+<p>To guard against cross-site scripting, consider encoding/escaping the untrusted
+input before including it in the HTML.</p>
+</recommendation>
+
+<example>
+
+<p>The following example shows a simple web handler that writes a URL path parameter
+directly to an HTML response, leaving the website vulnerable to cross-site
+scripting:</p>
+
+<sample src="XSSBad.rs" />
+
+<p>To fix this vulnerability, the user input should be HTML-encoded before being
+included in the response. In the following example, <code>encode_text</code> from
+the <a href="https://docs.rs/html-escape/latest/html_escape/index.html">html_escape</a>
+crate is used to achieve this:</p>
+
+<sample src="XSSGood.rs" />
+
+</example>
+
+<references>
+<li>
+  OWASP:
+  <a href="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html">
+Cross Site Scripting Prevention Cheat Sheet</a>.
+</li>
+<li>
+  Wikipedia: <a href="https://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>.
+</li>
+<li>
+  OWASP:
+  <a href="https://owasp.org/www-community/attacks/xss/">Cross Site Scripting (XSS)</a>.
+</li>
+</references>
+</qhelp>

rust/ql/src/queries/security/CWE-079/XSS.ql

@@ -0,0 +1,42 @@
+/**
+ * @name Cross-site scripting
+ * @description Writing user input directly to a webpage
+ *              allows for a cross-site scripting vulnerability.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 6.1
+ * @precision high
+ * @id rust/xss
+ * @tags security
+ *       external/cwe/cwe-079
+ *       external/cwe/cwe-116
+ */
+
+import rust
+import codeql.rust.dataflow.DataFlow
+import codeql.rust.dataflow.TaintTracking
+import codeql.rust.security.XssExtensions
+
+/**
+ * A taint configuration for tainted data that reaches an XSS sink.
+ */
+module XssConfig implements DataFlow::ConfigSig {
+  import Xss
+
+  predicate isSource(DataFlow::Node node) { node instanceof Source }
+
+  predicate isSink(DataFlow::Node node) { node instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof Barrier }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+}
+
+module XssFlow = TaintTracking::Global<XssConfig>;
+
+import XssFlow::PathGraph
+
+from XssFlow::PathNode sourceNode, XssFlow::PathNode sinkNode
+where XssFlow::flowPath(sourceNode, sinkNode)
+select sinkNode.getNode(), sourceNode, sinkNode, "Cross-site scripting vulnerability due to a $@.",
+  sourceNode.getNode(), "user-provided value"

rust/ql/src/queries/security/CWE-079/XSSBad.rs

@@ -0,0 +1,21 @@
+use actix_web::{web, HttpResponse, Result};
+
+// BAD: User input is directly included in HTML response without sanitization
+async fn vulnerable_handler(path: web::Path<String>) -> impl Responder {
+    let user_input = path.into_inner();
+
+    let html = format!(
+        r#"
+        <!DOCTYPE html>
+        <html>
+        <head><title>Welcome</title></head>
+        <body>
+            <h1>Hello, {}!</h1>
+        </body>
+        </html>
+        "#,
+        user_input
+    );
+
+    Html::new(html) // Unsafe: User input included directly in the response
+}