github · geoffw0 · Aug 22, 2025 · Aug 13, 2025 · Aug 13, 2025 · Aug 13, 2025
@@ -11,6 +11,7 @@ ql/rust/ql/src/queries/diagnostics/UnresolvedMacroCalls.ql
 ql/rust/ql/src/queries/security/CWE-020/RegexInjection.ql
 ql/rust/ql/src/queries/security/CWE-022/TaintedPath.ql
 ql/rust/ql/src/queries/security/CWE-089/SqlInjection.ql
+ql/rust/ql/src/queries/security/CWE-117/LogInjection.ql
 ql/rust/ql/src/queries/security/CWE-311/CleartextTransmission.ql
 ql/rust/ql/src/queries/security/CWE-312/CleartextLogging.ql
 ql/rust/ql/src/queries/security/CWE-312/CleartextStorageDatabase.ql

@@ -11,6 +11,7 @@ ql/rust/ql/src/queries/diagnostics/UnresolvedMacroCalls.ql
 ql/rust/ql/src/queries/security/CWE-020/RegexInjection.ql
 ql/rust/ql/src/queries/security/CWE-022/TaintedPath.ql
 ql/rust/ql/src/queries/security/CWE-089/SqlInjection.ql
+ql/rust/ql/src/queries/security/CWE-117/LogInjection.ql
 ql/rust/ql/src/queries/security/CWE-311/CleartextTransmission.ql
 ql/rust/ql/src/queries/security/CWE-312/CleartextLogging.ql
 ql/rust/ql/src/queries/security/CWE-312/CleartextStorageDatabase.ql

@@ -0,0 +1,45 @@
+/**
+ * Provides classes and predicates for reasoning about log injection
+ * vulnerabilities.
+ */
+
+import rust
+private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowSink
+private import codeql.rust.Concepts
+private import codeql.util.Unit
+
+/**
+ * Provides default sources, sinks and barriers for detecting log injection
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+module LogInjection {
+  /**
+   * A data flow source for log injection vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for log injection vulnerabilities.
+   */
+  abstract class Sink extends QuerySink::Range {
+    override string getSinkType() { result = "LogInjection" }
+  }
+
+  /**
+   * A barrier for log injection vulnerabilities.
+   */
+  abstract class Barrier extends DataFlow::Node { }
+
+  /**
+   * An active threat-model source, considered as a flow source.
+   */
+  private class ActiveThreatModelSourceAsSource extends Source, ActiveThreatModelSource { }
+
+  /**
+   * A sink for log-injection from model data.
+   */
+  private class ModelsAsDataSink extends Sink {
+    ModelsAsDataSink() { sinkNode(this, "log-injection") }
+  }
+}
@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new query, `rust/log-injection`, for detecting cases where log entries could be forged by a malicious user.
@@ -0,0 +1,47 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+
+<p>If unsanitized user input is written to a log entry, a malicious user may be able to forge new log entries.</p>
+
+<p>Forgery can occur if a user provides some input with characters that are interpreted
+when the log output is displayed. If the log is displayed as a plain text file, then new
+line characters can be used by a malicious user. If the log is displayed as HTML, then
+arbitrary HTML may be included to spoof log entries.</p>
+</overview>
+
+<recommendation>
+<p>
+User input should be suitably sanitized before it is logged.
+</p>
+<p>
+If the log entries are in plain text, then line breaks should be removed from user input using
+<code>String::replace</code> or similar. Care should also be taken that user input is clearly marked
+in log entries.
+</p>
+<p>
+For log entries that will be displayed in HTML, user input should be HTML-encoded before being logged, to prevent forgery and
+other forms of HTML injection.
+</p>
+
+</recommendation>
+
+<example>
+<p>In the first example, a username, provided by the user via command line arguments, is logged using the <code>log</code> crate.
+If a malicious user provides <code>Guest\n[INFO] User: Admin\n</code> as a username parameter, 
+the log entry will be split into multiple lines, where the second line will appear as <code>[INFO] User: Admin</code>, 
+potentially forging a legitimate admin login entry.
+</p>
+<sample src="LogInjectionBad.rs" />
+
+<p>In the second example, <code>String::replace</code> is used to ensure no line endings are present in the user input before logging.</p>
+<sample src="LogInjectionGood.rs" />
+</example>
+
+<references>
+<li>OWASP: <a href="https://owasp.org/www-community/attacks/Log_Injection">Log Injection</a>.</li>
+</references>
+</qhelp>
@@ -0,0 +1,41 @@
+/**
+ * @name Log injection
+ * @description Building log entries from user-controlled sources is vulnerable to
+ *              insertion of forged log entries by a malicious user.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 2.6
- * @security-severity 2.6
+ * @security-severity 7.8
- * @security-severity 2.6
+ * @security-severity 7.8
+ * @precision medium
+ * @id rust/log-injection
+ * @tags security
+ *       external/cwe/cwe-117
+ */
+
+import rust
+import codeql.rust.dataflow.DataFlow
+import codeql.rust.dataflow.TaintTracking
+import codeql.rust.security.LogInjectionExtensions
+
+/**
+ * A taint configuration for tainted data that reaches a log injection sink.
+ */
+module LogInjectionConfig implements DataFlow::ConfigSig {
+  import LogInjection
+
+  predicate isSource(DataFlow::Node node) { node instanceof Source }
+
+  predicate isSink(DataFlow::Node node) { node instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof Barrier }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+}
+
+module LogInjectionFlow = TaintTracking::Global<LogInjectionConfig>;
+
+import LogInjectionFlow::PathGraph
+
+from LogInjectionFlow::PathNode sourceNode, LogInjectionFlow::PathNode sinkNode
+where LogInjectionFlow::flowPath(sourceNode, sinkNode)
+select sinkNode.getNode(), sourceNode, sinkNode, "Log entry depends on a $@.", sourceNode.getNode(),
+  "user-provided value"
@@ -0,0 +1,13 @@
+use std::env;
+use log::info;
+
+fn main() {
+    env_logger::init();
+
+    // Get username from command line arguments
+    let args: Vec<String> = env::args().collect();
+    let username = args.get(1).unwrap_or(&String::from("Guest")).clone();
+
+    // BAD: log message constructed with unsanitized user input
+    info!("User login attempt: {}", username);
+}
@@ -0,0 +1,19 @@
+use std::env;
+use log::info;
+
+fn sanitize_for_logging(input: &str) -> String {
+    // Remove newlines and carriage returns to prevent log injection
+    input.replace('\n', "").replace('\r', "")
+}
+
+fn main() {
+    env_logger::init();
+
+    // Get username from command line arguments
+    let args: Vec<String> = env::args().collect();
+    let username = args.get(1).unwrap_or(&String::from("Guest")).clone();
+
+    // GOOD: log message constructed with sanitized user input
+    let sanitized_username = sanitize_for_logging(username.as_str());
+    info!("User login attempt: {}", sanitized_username);
+}
@@ -22,6 +22,7 @@ private import codeql.rust.security.AccessInvalidPointerExtensions
 private import codeql.rust.security.CleartextLoggingExtensions
 private import codeql.rust.security.CleartextStorageDatabaseExtensions
 private import codeql.rust.security.CleartextTransmissionExtensions
+private import codeql.rust.security.LogInjectionExtensions
 private import codeql.rust.security.SqlInjectionExtensions
 private import codeql.rust.security.TaintedPathExtensions
 private import codeql.rust.security.UncontrolledAllocationSizeExtensions

@@ -0,0 +1,3 @@
+multipleCallTargets
+| main.rs:9:43:9:63 | ...::from(...) |
+| main.rs:44:19:44:32 | username.len() |