From d1ef2b50fbedf90d1c3a1c8c0a157f0eb97fe002 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Wed, 12 Feb 2025 15:46:16 +0000
Subject: [PATCH 1/2] Rust: Model futures::executor::block_on.

---
 rust/ql/lib/codeql/rust/frameworks/futures.model.yml |  6 ++++++
 .../dataflow/global/inline-flow.expected             | 12 ++++++++++++
 rust/ql/test/library-tests/dataflow/global/main.rs   |  2 +-
 .../dataflow/global/viableCallable.expected          |  2 ++
 .../dataflow/local/DataFlowStep.expected             |  1 +
 .../security/CWE-020/RegexInjection.expected         |  8 ++++----
 6 files changed, 26 insertions(+), 5 deletions(-)
 create mode 100644 rust/ql/lib/codeql/rust/frameworks/futures.model.yml

diff --git a/rust/ql/lib/codeql/rust/frameworks/futures.model.yml b/rust/ql/lib/codeql/rust/frameworks/futures.model.yml
new file mode 100644
index 000000000000..1361ff9aeb2e
--- /dev/null
+++ b/rust/ql/lib/codeql/rust/frameworks/futures.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: summaryModel
+    data:
+      - ["repo:https://github.com/rust-lang/futures-rs:futures-executor", "crate::local_pool::block_on", "Argument[0]", "ReturnValue", "value", "manual"]
diff --git a/rust/ql/test/library-tests/dataflow/global/inline-flow.expected b/rust/ql/test/library-tests/dataflow/global/inline-flow.expected
index 54b70e0ac128..4a095c7142f5 100644
--- a/rust/ql/test/library-tests/dataflow/global/inline-flow.expected
+++ b/rust/ql/test/library-tests/dataflow/global/inline-flow.expected
@@ -1,4 +1,5 @@
 models
+| 1 | Summary: repo:https://github.com/rust-lang/futures-rs:futures-executor; crate::local_pool::block_on; Argument[0]; ReturnValue; value |
 edges
 | main.rs:12:28:14:1 | { ... } | main.rs:17:13:17:23 | get_data(...) | provenance |  |
 | main.rs:13:5:13:13 | source(...) | main.rs:12:28:14:1 | { ... } | provenance |  |
@@ -71,10 +72,15 @@ edges
 | main.rs:161:9:161:9 | d [MyInt] | main.rs:162:10:162:10 | d [MyInt] | provenance |  |
 | main.rs:161:13:161:20 | a.add(...) [MyInt] | main.rs:161:9:161:9 | d [MyInt] | provenance |  |
 | main.rs:162:10:162:10 | d [MyInt] | main.rs:162:10:162:16 | d.value | provenance |  |
+| main.rs:200:32:204:1 | { ... } | main.rs:219:41:219:54 | async_source(...) | provenance |  |
+| main.rs:201:9:201:9 | a | main.rs:200:32:204:1 | { ... } | provenance |  |
 | main.rs:201:9:201:9 | a | main.rs:202:10:202:10 | a | provenance |  |
 | main.rs:201:13:201:21 | source(...) | main.rs:201:9:201:9 | a | provenance |  |
 | main.rs:211:13:211:13 | c | main.rs:212:14:212:14 | c | provenance |  |
 | main.rs:211:17:211:25 | source(...) | main.rs:211:13:211:13 | c | provenance |  |
+| main.rs:219:9:219:9 | a | main.rs:220:10:220:10 | a | provenance |  |
+| main.rs:219:13:219:55 | ...::block_on(...) | main.rs:219:9:219:9 | a | provenance |  |
+| main.rs:219:41:219:54 | async_source(...) | main.rs:219:13:219:55 | ...::block_on(...) | provenance | MaD:1 |
 nodes
 | main.rs:12:28:14:1 | { ... } | semmle.label | { ... } |
 | main.rs:13:5:13:13 | source(...) | semmle.label | source(...) |
@@ -156,12 +162,17 @@ nodes
 | main.rs:161:13:161:20 | a.add(...) [MyInt] | semmle.label | a.add(...) [MyInt] |
 | main.rs:162:10:162:10 | d [MyInt] | semmle.label | d [MyInt] |
 | main.rs:162:10:162:16 | d.value | semmle.label | d.value |
+| main.rs:200:32:204:1 | { ... } | semmle.label | { ... } |
 | main.rs:201:9:201:9 | a | semmle.label | a |
 | main.rs:201:13:201:21 | source(...) | semmle.label | source(...) |
 | main.rs:202:10:202:10 | a | semmle.label | a |
 | main.rs:211:13:211:13 | c | semmle.label | c |
 | main.rs:211:17:211:25 | source(...) | semmle.label | source(...) |
 | main.rs:212:14:212:14 | c | semmle.label | c |
+| main.rs:219:9:219:9 | a | semmle.label | a |
+| main.rs:219:13:219:55 | ...::block_on(...) | semmle.label | ...::block_on(...) |
+| main.rs:219:41:219:54 | async_source(...) | semmle.label | async_source(...) |
+| main.rs:220:10:220:10 | a | semmle.label | a |
 subpaths
 | main.rs:36:26:36:26 | a | main.rs:30:17:30:22 | ...: i64 | main.rs:30:32:32:1 | { ... } | main.rs:36:13:36:27 | pass_through(...) |
 | main.rs:41:26:44:5 | { ... } | main.rs:30:17:30:22 | ...: i64 | main.rs:30:32:32:1 | { ... } | main.rs:41:13:44:6 | pass_through(...) |
@@ -186,3 +197,4 @@ testFailures
 | main.rs:162:10:162:16 | d.value | main.rs:159:28:159:36 | source(...) | main.rs:162:10:162:16 | d.value | $@ | main.rs:159:28:159:36 | source(...) | source(...) |
 | main.rs:202:10:202:10 | a | main.rs:201:13:201:21 | source(...) | main.rs:202:10:202:10 | a | $@ | main.rs:201:13:201:21 | source(...) | source(...) |
 | main.rs:212:14:212:14 | c | main.rs:211:17:211:25 | source(...) | main.rs:212:14:212:14 | c | $@ | main.rs:211:17:211:25 | source(...) | source(...) |
+| main.rs:220:10:220:10 | a | main.rs:201:13:201:21 | source(...) | main.rs:220:10:220:10 | a | $@ | main.rs:201:13:201:21 | source(...) | source(...) |
diff --git a/rust/ql/test/library-tests/dataflow/global/main.rs b/rust/ql/test/library-tests/dataflow/global/main.rs
index c1e3ee4e8387..15a48ba9b78e 100644
--- a/rust/ql/test/library-tests/dataflow/global/main.rs
+++ b/rust/ql/test/library-tests/dataflow/global/main.rs
@@ -217,7 +217,7 @@ async fn test_async_await_async_part() {
 
 fn test_async_await() {
     let a = futures::executor::block_on(async_source());
-    sink(a); // $ MISSING: hasValueFlow=1
+    sink(a); // $ hasValueFlow=1
 
     futures::executor::block_on(test_async_await_async_part());
 }
diff --git a/rust/ql/test/library-tests/dataflow/global/viableCallable.expected b/rust/ql/test/library-tests/dataflow/global/viableCallable.expected
index 2bbff8e33c3f..aa3ae0af0219 100644
--- a/rust/ql/test/library-tests/dataflow/global/viableCallable.expected
+++ b/rust/ql/test/library-tests/dataflow/global/viableCallable.expected
@@ -50,8 +50,10 @@
 | main.rs:211:17:211:25 | source(...) | main.rs:1:1:3:1 | fn source |
 | main.rs:212:9:212:15 | sink(...) | main.rs:5:1:7:1 | fn sink |
 | main.rs:215:5:215:17 | sink(...) | main.rs:5:1:7:1 | fn sink |
+| main.rs:219:13:219:55 | ...::block_on(...) | file://:0:0:0:0 | repo:https://github.com/rust-lang/futures-rs:futures-executor::_::crate::local_pool::block_on |
 | main.rs:219:41:219:54 | async_source(...) | main.rs:200:1:204:1 | fn async_source |
 | main.rs:220:5:220:11 | sink(...) | main.rs:5:1:7:1 | fn sink |
+| main.rs:222:5:222:62 | ...::block_on(...) | file://:0:0:0:0 | repo:https://github.com/rust-lang/futures-rs:futures-executor::_::crate::local_pool::block_on |
 | main.rs:222:33:222:61 | test_async_await_async_part(...) | main.rs:206:1:216:1 | fn test_async_await_async_part |
 | main.rs:226:5:226:22 | data_out_of_call(...) | main.rs:16:1:19:1 | fn data_out_of_call |
 | main.rs:227:5:227:21 | data_in_to_call(...) | main.rs:25:1:28:1 | fn data_in_to_call |
diff --git a/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected b/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected
index 23270af042a6..9c7be9664332 100644
--- a/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected
+++ b/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected
@@ -1909,6 +1909,7 @@ models
 | 1058 | Summary: lang:std; crate::thread::current::set_current; Argument[0]; ReturnValue.Field[crate::result::Result::Err(0)]; value |
 | 1059 | Summary: lang:std; crate::thread::current::try_with_current; Argument[0].ReturnValue; ReturnValue; value |
 | 1060 | Summary: lang:std; crate::thread::with_current_name; Argument[0].ReturnValue; ReturnValue; value |
+| 1061 | Summary: repo:https://github.com/rust-lang/futures-rs:futures-executor; crate::local_pool::block_on; Argument[0]; ReturnValue; value |
 storeStep
 | file://:0:0:0:0 | [summary] to write: Argument[0].Field[crate::option::Option::Some(0)] in lang:core::_::<crate::option::Option>::zip_with | Some | file://:0:0:0:0 | [post] [summary param] 0 in lang:core::_::<crate::option::Option>::zip_with |
 | file://:0:0:0:0 | [summary] to write: Argument[0].Parameter[0].Reference in lang:alloc::_::<crate::collections::vec_deque::VecDeque>::retain | &ref | file://:0:0:0:0 | [summary] to write: Argument[0].Parameter[0] in lang:alloc::_::<crate::collections::vec_deque::VecDeque>::retain |
diff --git a/rust/ql/test/query-tests/security/CWE-020/RegexInjection.expected b/rust/ql/test/query-tests/security/CWE-020/RegexInjection.expected
index e204b5a39264..5fc4c55e0032 100644
--- a/rust/ql/test/query-tests/security/CWE-020/RegexInjection.expected
+++ b/rust/ql/test/query-tests/security/CWE-020/RegexInjection.expected
@@ -2,15 +2,15 @@
 | main.rs:6:25:6:30 | &regex | main.rs:4:20:4:32 | ...::var | main.rs:6:25:6:30 | &regex | This regular expression is constructed from a $@. | main.rs:4:20:4:32 | ...::var | user-provided value |
 edges
 | main.rs:4:9:4:16 | username | main.rs:5:25:5:44 | MacroExpr | provenance |  |
-| main.rs:4:20:4:32 | ...::var | main.rs:4:20:4:40 | ...::var(...) [Ok] | provenance | Src:MaD:62  |
-| main.rs:4:20:4:40 | ...::var(...) [Ok] | main.rs:4:20:4:66 | ... .unwrap_or(...) | provenance | MaD:1593 |
+| main.rs:4:20:4:32 | ...::var | main.rs:4:20:4:40 | ...::var(...) [Ok] | provenance | Src:MaD:63  |
+| main.rs:4:20:4:40 | ...::var(...) [Ok] | main.rs:4:20:4:66 | ... .unwrap_or(...) | provenance | MaD:1594 |
 | main.rs:4:20:4:66 | ... .unwrap_or(...) | main.rs:4:9:4:16 | username | provenance |  |
 | main.rs:5:9:5:13 | regex | main.rs:6:26:6:30 | regex | provenance |  |
 | main.rs:5:17:5:45 | res | main.rs:5:25:5:44 | { ... } | provenance |  |
 | main.rs:5:25:5:44 | ...::format(...) | main.rs:5:17:5:45 | res | provenance |  |
 | main.rs:5:25:5:44 | ...::must_use(...) | main.rs:5:9:5:13 | regex | provenance |  |
-| main.rs:5:25:5:44 | MacroExpr | main.rs:5:25:5:44 | ...::format(...) | provenance | MaD:66 |
-| main.rs:5:25:5:44 | { ... } | main.rs:5:25:5:44 | ...::must_use(...) | provenance | MaD:3016 |
+| main.rs:5:25:5:44 | MacroExpr | main.rs:5:25:5:44 | ...::format(...) | provenance | MaD:67 |
+| main.rs:5:25:5:44 | { ... } | main.rs:5:25:5:44 | ...::must_use(...) | provenance | MaD:3017 |
 | main.rs:6:26:6:30 | regex | main.rs:6:25:6:30 | &regex | provenance |  |
 nodes
 | main.rs:4:9:4:16 | username | semmle.label | username |

From d7c14ec0656f44cb7063ef934b97b6ce93633e2c Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Fri, 4 Apr 2025 20:47:16 +0100
Subject: [PATCH 2/2] Rust: Revert change to Cargo.lock.

---
 Cargo.lock | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index db07984a44b7..7719e26ffd24 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -325,9 +325,9 @@ dependencies = [
 
 [[package]]
 name = "clap"
-version = "4.5.35"
+version = "4.5.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d8aa86934b44c19c50f87cc2790e19f54f7a67aedb64101c2e1a2e5ecfb73944"
+checksum = "6088f3ae8c3608d19260cd7445411865a485688711b78b5be70d78cd96136f83"
 dependencies = [
  "clap_builder",
  "clap_derive",
@@ -335,9 +335,9 @@ dependencies = [
 
 [[package]]
 name = "clap_builder"
-version = "4.5.35"
+version = "4.5.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2414dbb2dd0695280da6ea9261e327479e9d37b0630f6b53ba2a11c60c679fd9"
+checksum = "22a7ef7f676155edfb82daa97f99441f3ebf4a58d5e32f295a56259f1b6facc8"
 dependencies = [
  "anstream",
  "anstyle",