Rust: Update inline test annotations accordingly.

geoffw0 · geoffw0 · commit 49265b6e7ec7 · 2025-08-14T13:49:41.000+01:00
diff --git a/rust/ql/test/query-tests/security/CWE-117/LogInjection.expected b/rust/ql/test/query-tests/security/CWE-117/LogInjection.expected
@@ -109,35 +109,3 @@ nodes
 | main.rs:123:9:123:50 | ...::_eprint | semmle.label | ...::_eprint |
 | main.rs:123:19:123:49 | MacroExpr | semmle.label | MacroExpr |
 subpaths
-testFailures
-| main.rs:9:75:9:97 | //... | Missing result: Source=commandargs |
-| main.rs:11:23:11:44 | ...::get | Unexpected result: Source |
-| main.rs:12:64:12:81 | //... | Missing result: Source=remote |
-| main.rs:15:40:15:69 | //... | Missing result: Alert[rust/log-injection] |
-| main.rs:16:5:16:45 | ...::log | Unexpected result: Alert=environment |
-| main.rs:16:48:16:77 | //... | Missing result: Alert[rust/log-injection] |
-| main.rs:18:41:18:70 | //... | Missing result: Alert[rust/log-injection] |
-| main.rs:19:5:19:40 | ...::log | Unexpected result: Alert=environment |
-| main.rs:19:43:19:72 | //... | Missing result: Alert[rust/log-injection] |
-| main.rs:23:33:23:62 | //... | Missing result: Alert[rust/log-injection] |
-| main.rs:27:30:27:59 | //... | Missing result: Alert[rust/log-injection] |
-| main.rs:55:31:55:60 | //... | Missing result: Alert[rust/log-injection] |
-| main.rs:62:45:62:74 | //... | Missing result: Alert[rust/log-injection] |
-| main.rs:70:39:70:68 | //... | Missing result: Alert[rust/log-injection] |
-| main.rs:85:46:85:75 | //... | Missing result: Alert[rust/log-injection] |
-| main.rs:90:41:90:70 | //... | Missing result: Alert[rust/log-injection] |
-| main.rs:96:49:96:78 | //... | Missing result: Alert[rust/log-injection] |
-| main.rs:108:9:108:36 | ...::log | Unexpected result: Alert=commandargs |
-| main.rs:108:39:108:68 | //... | Missing result: Alert[rust/log-injection] |
-| main.rs:109:9:109:39 | ...::log | Unexpected result: Alert=commandargs |
-| main.rs:109:42:109:71 | //... | Missing result: Alert[rust/log-injection] |
-| main.rs:110:9:110:38 | ...::log | Unexpected result: Alert=commandargs |
-| main.rs:110:41:110:70 | //... | Missing result: Alert[rust/log-injection] |
-| main.rs:111:9:111:38 | ...::log | Unexpected result: Alert=commandargs |
-| main.rs:111:41:111:70 | //... | Missing result: Alert[rust/log-injection] |
-| main.rs:112:9:112:38 | ...::log | Unexpected result: Alert=commandargs |
-| main.rs:112:41:112:70 | //... | Missing result: Alert[rust/log-injection] |
-| main.rs:115:9:115:76 | ...::log | Unexpected result: Alert=commandargs |
-| main.rs:115:79:115:108 | //... | Missing result: Alert[rust/log-injection] |
-| main.rs:122:9:122:39 | ...::_print | Unexpected result: Alert=environment |
-| main.rs:123:9:123:50 | ...::_eprint | Unexpected result: Alert=environment |
diff --git a/rust/ql/test/query-tests/security/CWE-117/main.rs b/rust/ql/test/query-tests/security/CWE-117/main.rs
@@ -3,47 +3,47 @@ use log::{info, warn, error, debug, trace};
 
 fn main() {
     env_logger::init();
-    
+
     // Sources of user input
     let args: Vec<String> = env::args().collect();
-    let username = args.get(1).unwrap_or(&String::from("Guest")).clone(); // $ Source=commandargs
+    let username = args.get(1).unwrap_or(&String::from("Guest")).clone(); // $ MISSING: Source=commandargs
     let user_input = std::env::var("USER_INPUT").unwrap_or("default".to_string()); // $ Source=environment
-    let remote_data = reqwest::blocking::get("http://example.com/user")
-        .unwrap().text().unwrap_or("remote_user".to_string()); // $ Source=remote
-    
+    let remote_data = reqwest::blocking::get("http://example.com/user") // $ Source=remote
+        .unwrap().text().unwrap_or("remote_user".to_string());
+
     // BAD: Direct logging of user input
-    info!("User login: {}", username); // $ Alert[rust/log-injection]
-    warn!("Warning for user: {}", user_input); // $ Alert[rust/log-injection]
-    error!("Error processing: {}", remote_data); // $ Alert[rust/log-injection]
-    debug!("Debug info: {}", username); // $ Alert[rust/log-injection]
-    trace!("Trace data: {}", user_input); // $ Alert[rust/log-injection]
-    
+    info!("User login: {}", username); // $ MISSING: Alert[rust/log-injection]
+    warn!("Warning for user: {}", user_input); // $ Alert[rust/log-injection]=environment
+    error!("Error processing: {}", remote_data); // $ Alert[rust/log-injection]=remote
+    debug!("Debug info: {}", username); // $ MISSING: Alert[rust/log-injection]
+    trace!("Trace data: {}", user_input); // $ Alert[rust/log-injection]=environment
+
     // BAD: Formatted strings with user input
     let formatted_msg = format!("Processing user: {}", username);
-    info!("{}", formatted_msg); // $ Alert[rust/log-injection]
-    
+    info!("{}", formatted_msg); // $ MISSING: Alert[rust/log-injection]
+
     // BAD: String concatenation with user input
     let concat_msg = "User activity: ".to_string() + &username;
-    info!("{}", concat_msg); // $ Alert[rust/log-injection]
-    
+    info!("{}", concat_msg); // $ MISSING: Alert[rust/log-injection]
+
     // BAD: Complex formatting
-    info!("User {} accessed resource at {}", username, remote_data); // $ Alert[rust/log-injection]
-    
+    info!("User {} accessed resource at {}", username, remote_data); // $ Alert[rust/log-injection]=remote
+
     // GOOD: Sanitized input
     let sanitized_username = username.replace('\n', "").replace('\r', "");
     info!("Sanitized user login: {}", sanitized_username);
-    
+
     // GOOD: Constant strings
     info!("System startup complete");
-    
+
     // GOOD: Non-user-controlled data
     let system_time = std::time::SystemTime::now();
     info!("Current time: {:?}", system_time);
-    
+
     // GOOD: Numeric data derived from user input (not directly logged)
     let user_id = username.len();
     info!("User ID length: {}", user_id);
-    
+
     // More complex test cases
     test_complex_scenarios(&username, &user_input);
     test_indirect_flows(&remote_data);
@@ -52,22 +52,22 @@ fn main() {
 fn test_complex_scenarios(username: &str, user_input: &str) {
     // BAD: Indirect logging through variables
     let log_message = format!("Activity for {}", username);
-    info!("{}", log_message); // $ Alert[rust/log-injection]
-    
+    info!("{}", log_message); // $ MISSING: Alert[rust/log-injection]
+
     // BAD: Through function parameters
     log_user_activity(username); // Function call - should be tracked
-    
+
     // BAD: Through struct fields
     let user_info = UserInfo { name: username.to_string() };
-    info!("User info: {}", user_info.name); // $ Alert[rust/log-injection]
-    
+    info!("User info: {}", user_info.name); // $ MISSING: Alert[rust/log-injection]
+
     // GOOD: After sanitization
     let clean_input = sanitize_input(user_input);
     info!("Clean input: {}", clean_input);
 }
 
 fn log_user_activity(user: &str) {
-    info!("User activity: {}", user); // $ Alert[rust/log-injection]
+    info!("User activity: {}", user); // $ MISSING: Alert[rust/log-injection]
 }
 
 fn sanitize_input(input: &str) -> String {
@@ -82,44 +82,44 @@ fn test_indirect_flows(data: &str) {
     // BAD: Flow through intermediate variables
     let temp_var = data;
     let another_var = temp_var;
-    info!("Indirect flow: {}", another_var); // $ Alert[rust/log-injection]
-    
+    info!("Indirect flow: {}", another_var); // $ MISSING: Alert[rust/log-injection]
+
     // BAD: Flow through collections
     let data_vec = vec![data];
     if let Some(item) = data_vec.first() {
-        info!("Vector item: {}", item); // $ Alert[rust/log-injection]
+        info!("Vector item: {}", item); // $ MISSING: Alert[rust/log-injection]
     }
-    
+
     // BAD: Flow through Option/Result
     let optional_data = Some(data);
     if let Some(unwrapped) = optional_data {
-        info!("Unwrapped data: {}", unwrapped); // $ Alert[rust/log-injection]
+        info!("Unwrapped data: {}", unwrapped); // $ MISSING: Alert[rust/log-injection]
     }
 }
 
 // Additional test patterns for different logging scenarios
 mod additional_tests {
     use log::*;
-    
+
     pub fn test_macro_variations() {
         let user_data = std::env::args().nth(1).unwrap_or_default(); // $ Source=commandargs
-        
+
         // BAD: Different log macro variations
-        info!("Info: {}", user_data); // $ Alert[rust/log-injection]
-        warn!("Warning: {}", user_data); // $ Alert[rust/log-injection]
-        error!("Error: {}", user_data); // $ Alert[rust/log-injection]
-        debug!("Debug: {}", user_data); // $ Alert[rust/log-injection]
-        trace!("Trace: {}", user_data); // $ Alert[rust/log-injection]
-        
+        info!("Info: {}", user_data); // $ Alert[rust/log-injection]=commandargs
+        warn!("Warning: {}", user_data); // $ Alert[rust/log-injection]=commandargs
+        error!("Error: {}", user_data); // $ Alert[rust/log-injection]=commandargs
+        debug!("Debug: {}", user_data); // $ Alert[rust/log-injection]=commandargs
+        trace!("Trace: {}", user_data); // $ Alert[rust/log-injection]=commandargs
+
         // BAD: Complex format strings
-        info!("User {} did action {} at time {}", user_data, "login", "now"); // $ Alert[rust/log-injection]
+        info!("User {} did action {} at time {}", user_data, "login", "now"); // $ Alert[rust/log-injection]=commandargs
     }
-    
+
     pub fn test_println_patterns() {
         let user_data = std::env::var("USER").unwrap_or_default(); // $ Source=environment
-        
+
         // These might not be caught depending on model coverage, but are potential logging sinks
-        println!("User: {}", user_data);
-        eprintln!("Error for user: {}", user_data);
+        println!("User: {}", user_data); // $ Alert[rust/log-injection]=environment
+        eprintln!("Error for user: {}", user_data); // $ Alert[rust/log-injection]=environment
     }
-}
+}
