-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathmain.rs
More file actions
125 lines (98 loc) · 4.68 KB
/
main.rs
File metadata and controls
125 lines (98 loc) · 4.68 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
use std::env;
use log::{info, warn, error, debug, trace};
fn main() {
env_logger::init();
// Sources of user input
let args: Vec<String> = env::args().collect();
let username = args.get(1).unwrap_or(&String::from("Guest")).clone(); // $ Source=commandargs
let user_input = std::env::var("USER_INPUT").unwrap_or("default".to_string()); // $ Source=environment
let remote_data = reqwest::blocking::get("http://example.com/user")
.unwrap().text().unwrap_or("remote_user".to_string()); // $ Source=remote
// BAD: Direct logging of user input
info!("User login: {}", username); // $ Alert[rust/log-injection]
warn!("Warning for user: {}", user_input); // $ Alert[rust/log-injection]
error!("Error processing: {}", remote_data); // $ Alert[rust/log-injection]
debug!("Debug info: {}", username); // $ Alert[rust/log-injection]
trace!("Trace data: {}", user_input); // $ Alert[rust/log-injection]
// BAD: Formatted strings with user input
let formatted_msg = format!("Processing user: {}", username);
info!("{}", formatted_msg); // $ Alert[rust/log-injection]
// BAD: String concatenation with user input
let concat_msg = "User activity: ".to_string() + &username;
info!("{}", concat_msg); // $ Alert[rust/log-injection]
// BAD: Complex formatting
info!("User {} accessed resource at {}", username, remote_data); // $ Alert[rust/log-injection]
// GOOD: Sanitized input
let sanitized_username = username.replace('\n', "").replace('\r', "");
info!("Sanitized user login: {}", sanitized_username);
// GOOD: Constant strings
info!("System startup complete");
// GOOD: Non-user-controlled data
let system_time = std::time::SystemTime::now();
info!("Current time: {:?}", system_time);
// GOOD: Numeric data derived from user input (not directly logged)
let user_id = username.len();
info!("User ID length: {}", user_id);
// More complex test cases
test_complex_scenarios(&username, &user_input);
test_indirect_flows(&remote_data);
}
fn test_complex_scenarios(username: &str, user_input: &str) {
// BAD: Indirect logging through variables
let log_message = format!("Activity for {}", username);
info!("{}", log_message); // $ Alert[rust/log-injection]
// BAD: Through function parameters
log_user_activity(username); // Function call - should be tracked
// BAD: Through struct fields
let user_info = UserInfo { name: username.to_string() };
info!("User info: {}", user_info.name); // $ Alert[rust/log-injection]
// GOOD: After sanitization
let clean_input = sanitize_input(user_input);
info!("Clean input: {}", clean_input);
}
fn log_user_activity(user: &str) {
info!("User activity: {}", user); // $ Alert[rust/log-injection]
}
fn sanitize_input(input: &str) -> String {
input.replace('\n', "").replace('\r', "").replace('\t', " ")
}
struct UserInfo {
name: String,
}
fn test_indirect_flows(data: &str) {
// BAD: Flow through intermediate variables
let temp_var = data;
let another_var = temp_var;
info!("Indirect flow: {}", another_var); // $ Alert[rust/log-injection]
// BAD: Flow through collections
let data_vec = vec![data];
if let Some(item) = data_vec.first() {
info!("Vector item: {}", item); // $ Alert[rust/log-injection]
}
// BAD: Flow through Option/Result
let optional_data = Some(data);
if let Some(unwrapped) = optional_data {
info!("Unwrapped data: {}", unwrapped); // $ Alert[rust/log-injection]
}
}
// Additional test patterns for different logging scenarios
mod additional_tests {
use log::*;
pub fn test_macro_variations() {
let user_data = std::env::args().nth(1).unwrap_or_default(); // $ Source=commandargs
// BAD: Different log macro variations
info!("Info: {}", user_data); // $ Alert[rust/log-injection]
warn!("Warning: {}", user_data); // $ Alert[rust/log-injection]
error!("Error: {}", user_data); // $ Alert[rust/log-injection]
debug!("Debug: {}", user_data); // $ Alert[rust/log-injection]
trace!("Trace: {}", user_data); // $ Alert[rust/log-injection]
// BAD: Complex format strings
info!("User {} did action {} at time {}", user_data, "login", "now"); // $ Alert[rust/log-injection]
}
pub fn test_println_patterns() {
let user_data = std::env::var("USER").unwrap_or_default(); // $ Source=environment
// These might not be caught depending on model coverage, but are potential logging sinks
println!("User: {}", user_data);
eprintln!("Error for user: {}", user_data);
}
}