Rust: Model std::net and tokio fs, io, net

[geoffw0]

Model std::net and tokio fs, io, net. This includes a good number of high value taint sources. There are lots of test cases, particularly since at present it's tricky to get the repo / path correct in the model without a test to examine first.

I've also moved some stuff around in the dataflow/sources tests as it was getting large and disorganized. And I've improved modelling of reqwest.

A DCA run will reveal how well this all works...

[Copilot]

Pull Request Overview

This PR extends the CodeQL Rust taint models to cover std::net and Tokio’s fs, io, and net APIs, reorganizes some existing test inputs, and refines the reqwest model for async responses.

• Add bytes crate dependency to test options
• Update expected DataFlow outputs for new sources (stdin, file, network)
• Introduce YAML model files for Tokio and standard library networking, FS, IO, plus enhanced reqwest async return modeling

Reviewed Changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
rust/ql/test/library-tests/dataflow/sources/options.yml	Added bytes crate to test dependencies
rust/ql/test/library-tests/dataflow/sources/TaintSources.expected	Updated expected taint sources ordering and entries
rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected	Extended local dataflow summary with new TcpStream, Tokio async read, split, lines, reqwest futures, etc.
rust/ql/lib/codeql/rust/frameworks/tokio/net.model.yml	New source and summary model for Tokio TCP connect and read variants
rust/ql/lib/codeql/rust/frameworks/tokio/io.model.yml	New source and summary model for Tokio async IO primitives
rust/ql/lib/codeql/rust/frameworks/tokio/fs.model.yml	New source model for Tokio async file read APIs
rust/ql/lib/codeql/rust/frameworks/stdlib/net.model.yml	New source and summary model for std::net::TcpStream connect and IO
rust/ql/lib/codeql/rust/frameworks/stdlib/io.model.yml	Added summary model for std::io::Split iterator next
rust/ql/lib/codeql/rust/frameworks/reqwest.model.yml	Adjusted crate::get to return a future; added async and blocking response methods

Comments suppressed due to low confidence (2)

rust/ql/lib/codeql/rust/frameworks/tokio/net.model.yml:6

• Consider adding a source model for <crate::net::tcp::stream::TcpStream>::connect_timeout similar to connect to cover timed-out connection flows.

      - ["repo:https://github.com/tokio-rs/tokio:tokio", "<crate::net::tcp::stream::TcpStream>::connect", "ReturnValue.Future.Field[crate::result::Result::Ok(0)]", "remote", "manual"]

rust/ql/lib/codeql/rust/frameworks/reqwest.model.yml:27

• Add a mapping for <crate::async_impl::response::Response>::text_with_charset in the async model to ensure coverage of all async response body methods.

      - ["repo:https://github.com/seanmonstar/reqwest:reqwest", "<crate::async_impl::response::Response>::chunk", "Argument[self]", "ReturnValue.Future.Field[crate::result::Result::Ok(0)].Field[crate::option::Option::Some(0)]", "taint", "manual"]

[geoffw0]

DCA shows a 4.3x increase in taint sources, 4.5x increase in taint reach 🎉