62 changes: 62 additions & 0 deletions rust/ql/lib/codeql/rust/security/XssExtensions.qll
@@ -0,0 +1,62 @@
/**
* Provides classes and predicates for reasoning about cross-site scripting (XSS)
* vulnerabilities.
*/

import rust
private import codeql.rust.dataflow.DataFlow
private import codeql.rust.dataflow.FlowSink
private import codeql.rust.Concepts
private import codeql.util.Unit
private import codeql.rust.security.Barriers as Barriers

/**
* Provides default sources, sinks and barriers for detecting XSS
* vulnerabilities, as well as extension points for adding your own.
*/
module Xss {
/**
* A data flow source for XSS vulnerabilities.
*/
abstract class Source extends DataFlow::Node { }

/**
* A data flow sink for XSS vulnerabilities.
*/
abstract class Sink extends QuerySink::Range {
override string getSinkType() { result = "Xss" }
}

/**
* A barrier for XSS vulnerabilities.
*/
abstract class Barrier extends DataFlow::Node { }

/**
* An active threat-model source, considered as a flow source.
*/
private class ActiveThreatModelSourceAsSource extends Source, ActiveThreatModelSource { }

/**
* A sink for XSS from model data.
*/
private class ModelsAsDataSink extends Sink {
ModelsAsDataSink() { sinkNode(this, "html-injection") }
}

/**
* A barrier for XSS vulnerabilities for nodes whose type is a
* numeric or boolean type, which is unlikely to expose any vulnerability.
*/
private class NumericTypeBarrier extends Barrier instanceof Barriers::NumericTypeBarrier { }

/** A call to a function with "escape" or "encode" in its name. */
private class HeuristicHtmlEncodingBarrier extends Barrier {
HeuristicHtmlEncodingBarrier() {
exists(Call fc |
fc.getStaticTarget().(Function).getName().getText().regexpMatch(".*(escape|encode).*") and
fc.getArgument(_) = this.asExpr()
)
}
}
}
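Review bot: `HeuristicHtmlEncodingBarrier` (L61-L71) is purely name-based: any argument of any call whose statically resolved target has "escape" or "encode" somewhere in its name is treated as sanitized, so taint passing through an encoder that is not HTML-safe, or through a function that takes the tainted value as a non-data argument, is silently dropped, while calls whose target `getStaticTarget()` cannot resolve get no barrier at all. Because the query that consumes this barrier is published at `@precision high`, that trade-off should be stated where a maintainer will see it rather than left implicit in the one-line comment. Suggest replacing L60 with `/** A barrier for any argument of a call whose target name contains "escape" or "encode". Name-based heuristic only: it does not check that the encoding is HTML-safe, and it does not apply when the call target cannot be resolved statically. */`. Restricting the match to the argument carrying the encoded data (rather than `getArgument(_)`) would also reduce the over-approximation, if the model data makes that distinguishable.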
42 changes: 42 additions & 0 deletions rust/ql/src/queries/security/CWE-079/XSS.ql
@@ -0,0 +1,42 @@
/**
* @name Cross-site scripting
* @description Writing user input directly to a web page
* allows for a cross-site scripting vulnerability.
* @kind path-problem
* @problem.severity error
* @security-severity 6.1
* @precision high
* @id rust/xss
* @tags security
* external/cwe/cwe-079
* external/cwe/cwe-116
*/

import rust
import codeql.rust.dataflow.DataFlow
import codeql.rust.dataflow.TaintTracking
import codeql.rust.security.XssExtensions

/**
* A taint configuration for tainted data that reaches an XSS sink.
*/
module XssConfig implements DataFlow::ConfigSig {
import Xss

predicate isSource(DataFlow::Node node) { node instanceof Source }

predicate isSink(DataFlow::Node node) { node instanceof Sink }

predicate isBarrier(DataFlow::Node barrier) { barrier instanceof Barrier }

predicate observeDiffInformedIncrementalMode() { any() }
}

module XssFlow = TaintTracking::Global<XssConfig>;

import XssFlow::PathGraph

from XssFlow::PathNode sourceNode, XssFlow::PathNode sinkNode
where XssFlow::flowPath(sourceNode, sinkNode)
select sinkNode.getNode(), sourceNode, sinkNode, "Cross-site scripting vulnerability due to a $@.",
sourceNode.getNode(), "user-provided value"
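Review bot: Every `XSS.expected` file added with this query (actix, axum, warp) contains only the empty `#select`/`edges`/`nodes`/`subpaths` headers, so the PR lands a `@precision high` query with no test that demonstrates a single true positive; presumably the `html-injection` sinks for these frameworks are still to be modeled, but until at least one test case produces an alert, breakage in the source/sink/barrier wiring of `XssConfig` (L101-L111) would go unnoticed. The alert text at L119-L120 also labels every source as a "user-provided value", whereas `Source` is any `ActiveThreatModelSource`, which under a wider threat model can include inputs that are not user-provided; if that wording is not a deliberate repo-wide convention, a neutral phrasing such as `"Cross-site scripting vulnerability due to a $@.", sourceNode.getNode(), "untrusted value"` would be more accurate.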
@@ -0,0 +1,4 @@
#select
edges
nodes
subpaths
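--- a/rust/ql/test/query-tests/security/CWE-079/actix/XSS.qlref
+++ b/rust/ql/test/query-tests/security/CWE-079/actix/XSS.qlref
@@ -0,0 +1,4 @@
+query: queries/security/CWE-079/XSS.ql
+postprocess:
+- utils/test/PrettyPrintModels.ql
+- utils/test/InlineExpectationsTestQuery.ql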
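--- a/rust/ql/test/query-tests/security/CWE-079/axum/XSS.expected
+++ b/rust/ql/test/query-tests/security/CWE-079/axum/XSS.expected
@@ -0,0 +1,4 @@
+#select
+edges
+nodes
+subpaths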
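--- a/rust/ql/test/query-tests/security/CWE-079/axum/XSS.qlref
+++ b/rust/ql/test/query-tests/security/CWE-079/axum/XSS.qlref
@@ -0,0 +1,4 @@
+query: queries/security/CWE-079/XSS.ql
+postprocess:
+- utils/test/PrettyPrintModels.ql
+- utils/test/InlineExpectationsTestQuery.ql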
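--- a/rust/ql/test/query-tests/security/CWE-079/warp/XSS.expected
+++ b/rust/ql/test/query-tests/security/CWE-079/warp/XSS.expected
@@ -0,0 +1,4 @@
+#select
+edges
+nodes
+subpaths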
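--- a/rust/ql/test/query-tests/security/CWE-079/warp/XSS.qlref
+++ b/rust/ql/test/query-tests/security/CWE-079/warp/XSS.qlref
@@ -0,0 +1,4 @@
+query: queries/security/CWE-079/XSS.ql
+postprocess:
+- utils/test/PrettyPrintModels.ql
+- utils/test/InlineExpectationsTestQuery.ql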