Rust: Add taint from children of format_args to format_args

rust/ql/lib/codeql/rust/controlflow/CfgNodes.qll

@@ -173,6 +173,32 @@ final class MethodCallExprCfgNode extends CallExprBaseCfgNode, Nodes::MethodCall
  */
 final class CallExprCfgNode extends CallExprBaseCfgNode, Nodes::CallExprCfgNode { }
 
+/**
+ * A FormatArgsExpr. For example:
+ * ```rust
+ * format_args!("no args");
+ * format_args!("{} foo {:?}", 1, 2);
+ * format_args!("{b} foo {a:?}", a=1, b=2);
+ * let (x, y) = (1, 42);
+ * format_args!("{x}, {y}");
+ * ```
+ */
+final class FormatArgsExprCfgNode extends Nodes::FormatArgsExprCfgNode {
+  private FormatArgsExprChildMapping node;
+
+  ExprCfgNode getArgumentExpr(int i) {
+    any(ChildMapping mapping).hasCfgChild(node, node.getArg(i).getExpr(), this, result)
+  }
+
+  FormatTemplateVariableAccessCfgNode getFormatTemplateVariableAccess(int i) {
+    exists(FormatTemplateVariableAccess v |
+      v.getArgument() = node.getFormat(i).getArgument() and
+      result.getFormatTemplateVariableAccess() = v and
+      any(ChildMapping mapping).hasCfgChild(node, v, this, result)
+    )
+  }
+}
+
 final class MacroCallCfgNode extends Nodes::MacroCallCfgNode {
   private MacroCallChildMapping node;
 

rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll

@@ -46,6 +46,10 @@ module RustTaintTracking implements InputSig<Location, RustDataFlow> {
         RustDataFlow::readStep(pred, cs, succ) and
         cs.getContent() instanceof ArrayElementContent
       )
+      or
+      exists(FormatArgsExprCfgNode format | succ.asExpr() = format |
+        pred.asExpr() = [format.getArgumentExpr(_), format.getFormatTemplateVariableAccess(_)]
+      )
     )
     or
     FlowSummaryImpl::Private::Steps::summaryLocalStep(pred.(Node::FlowSummaryNode).getSummaryNode(),