Rust: add more path-injection sinks

aibaars · aibaars · commit e3761c8a6789 · 2025-03-20T13:40:34.000+01:00
diff --git a/rust/ql/lib/codeql/rust/frameworks/stdlib/fs.model.yml b/rust/ql/lib/codeql/rust/frameworks/stdlib/fs.model.yml
@@ -7,7 +7,33 @@ extensions:
       pack: codeql/rust-all
       extensible: sinkModel
     data:
+      - ["lang:std", "crate::fs::copy", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::copy", "Argument[1]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::create_dir", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::create_dir_all", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::hard_link", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::hard_link", "Argument[1]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::metadata", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::read", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::read_dir", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::read_link", "Argument[0]", "path-injection", "manual"]
       - ["lang:std", "crate::fs::read_to_string", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::remove_dir", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::remove_dir_all", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::remove_file", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::rename", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::rename", "Argument[1]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::set_permisssions", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::soft_link", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::soft_link", "Argument[1]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::symlink_metadata", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "crate::fs::write", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "<crate::fs::DirBuilder>::create", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "<crate::fs::File>::create", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "<crate::fs::File>::create_buffered", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "<crate::fs::File>::create_new", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "<crate::fs::File>::open", "Argument[0]", "path-injection", "manual"]
+      - ["lang:std", "<crate::fs::File>::open_buffered", "Argument[0]", "path-injection", "manual"]
 
   - addsTo:
       pack: codeql/rust-all
