Rust: Add new query for XSS vulnerabilities

[paldepind]

No description provided.

[github-actions]

QHelp previews:

rust/ql/src/queries/security/CWE-079/XSS.qhelp

Cross-site scripting

Directly writing user input (for example, an HTTP request parameter) to a web page, without properly sanitizing the input first, allows for a cross-site scripting vulnerability.

Recommendation

To guard against cross-site scripting, consider encoding/escaping the untrusted input before including it in the HTML.

Example

The following example shows a simple web handler that writes a URL path parameter directly to an HTML response, leaving the website vulnerable to cross-site scripting:

use actix_web::{web, HttpResponse, Result};

// BAD: User input is directly included in HTML response without sanitization
async fn vulnerable_handler(path: web::Path<String>) -> impl Responder {
    let user_input = path.into_inner();

    let html = format!(
        r#"
        <!DOCTYPE html>
        <html>
        <head><title>Welcome</title></head>
        <body>
            <h1>Hello, {}!</h1>
        </body>
        </html>
        "#,
        user_input
    );

    Html::new(html) // Unsafe: User input included directly in the response
}

To fix this vulnerability, the user input should be HTML-encoded before being included in the response. In the following example encode_text from the html_escape crate is used:

use actix_web::{web, HttpResponse, Result};

// GOOD: Manual HTML encoding using an `html_escape::encode_text` function
async fn safe_handler_with_encoding(path: web::Path<String>) -> impl Responder {
    let user_input = path.into_inner();
    let escaped_input = html_escape::encode_text(&user_input);
    let html = format!(
        r#"
        <!DOCTYPE html>
        <html>
        <head><title>Welcome</title></head>
        <body>
            <h1>Hello, {}!</h1>
        </body>
        </html>
        "#,
        escaped_input
    );

    Html::new(html) // Safe: user input is HTML-encoded
}

References

• OWASP: XSS (Cross Site Scripting) Prevention Cheat Sheet.
• Wikipedia: Cross-site scripting.
• OWASP: Cross-site Scripting (XSS).
• Common Weakness Enumeration: CWE-79.
• Common Weakness Enumeration: CWE-116.

[Copilot]

Pull request overview

This PR adds a new security query rust/xss to detect cross-site scripting (XSS) vulnerabilities in Rust web applications. The implementation includes comprehensive test coverage across multiple Rust web frameworks (actix-web, warp, and axum) and follows the established patterns for security queries in the codebase.

• New XSS detection query with taint tracking configuration
• Framework support for actix-web and warp with sink models for HTML injection
• Test cases demonstrating vulnerable and safe patterns across multiple frameworks

Reviewed changes

Copilot reviewed 23 out of 27 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
rust/ql/src/queries/security/CWE-079/XSS.ql	Main query implementation using taint tracking to detect XSS vulnerabilities
rust/ql/src/queries/security/CWE-079/XSS.qhelp	Documentation explaining the vulnerability, recommendations, and examples
rust/ql/src/queries/security/CWE-079/XSSBad.rs	Example demonstrating vulnerable code pattern
rust/ql/src/queries/security/CWE-079/XSSGood.rs	Example demonstrating safe code pattern with HTML escaping
rust/ql/src/change-notes/2025-11-24-xss-query.md	Release notes for the new query
rust/ql/lib/codeql/rust/security/XssExtensions.qll	Core library defining sources, sinks, and barriers for XSS detection
rust/ql/lib/codeql/rust/frameworks/warp.model.yml	Added HTML injection sink model for warp::reply::html
rust/ql/lib/codeql/rust/frameworks/actix-web.model.yml	Added HTML injection sink model for actix_web::types::html::Html::new
rust/ql/test/query-tests/security/CWE-079/warp/*	Test cases for warp framework including main.rs, expected results, and dependencies
rust/ql/test/query-tests/security/CWE-079/axum/*	Test cases for axum framework with MISSING annotation for expected alert
rust/ql/test/query-tests/security/CWE-079/actix/*	Test cases for actix-web framework with both vulnerable and safe handlers
rust/ql/test/query-tests/security/CWE-079/Cargo.lock	Auto-generated consolidated dependency lock file for all test cases
rust/ql/integration-tests/query-suite/*.qls.expected	Updated query suite expectations to include new XSS query

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[hvitved]

Consider tagging the source as well.

[hvitved]

Consider tagging the source as well.

[geoffw0]

I've made a good number of comments, but make no mistake - this is great work on a query we really want. Will also need a DCA run + docs review at some stage before merging.

[geoffw0]

Is the plan to add sink models for this one as part of the axum modelling task?

Also we model poem for some similar queries, should we model (and optionally test) that here as well? (or just create an issue to add this extension)

[paldepind]

Exactly. From the stats on crates.rs it's the most popular web framework and it's also the one used in the example that motivated the XSS query. So the goal is that these tests should work once we model Axum.

Poem isn't really on my mind so I didn't add tests for it. We could create an issue. But if we don't plan to actually work on it then maybe it's not worth it?

[geoffw0]

I've created an improvements issue for this query containing this idea - but I've not prioritized it for now. We can do that later if the query performs well enough we want to expand it.

[paldepind]

Thanks for the reviews! I should have addressed the comments now :)

[geoffw0]

I've created an improvements issue for this query containing this idea - but I've not prioritized it for now. We can do that later if the query performs well enough we want to expand it.

[geoffw0]

I've added the ready-for-doc-review tag so that the docs team will take a look.

[isaacmbrown]

I've added this to the Docs review board, our normal turnaround time is around two days