Rust: Use extended canonical paths to resolve calls in data flow

2025-12-16 16:53:25 +01:00 · 2024-11-22 10:30:33 +01:00
parent faabc9982e
commit 143d7e2084
2 changed files with 49 additions and 6 deletions
--- a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll
+++ b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll
@@ -399,13 +399,55 @@ module RustDataFlow implements InputSig<Location> {

  final class ReturnKind = ReturnKindAlias;

+  private import codeql.util.Option
+
+  private class CrateOrigin extends string {
+    CrateOrigin() {
+      this = [any(Item i).getCrateOrigin(), any(Resolvable r).getResolvedCrateOrigin()]
+    }
+  }
+
+  private class CrateOriginOption = Option<CrateOrigin>::Option;
+
+  pragma[nomagic]
+  private predicate hasExtendedCanonicalPath(
+    DataFlowCallable c, CrateOriginOption crate, string path
+  ) {
+    exists(Item i |
+      i = c.asCfgScope() and
+      path = i.getExtendedCanonicalPath()
+    |
+      crate.asSome() = i.getCrateOrigin()
+      or
+      crate.isNone() and
+      not i.hasCrateOrigin()
+    )
+  }
+
+  pragma[nomagic]
+  private predicate resolvesExtendedCanonicalPath(
+    DataFlowCall c, CrateOriginOption crate, string path
+  ) {
+    exists(Resolvable r |
+      path = r.getResolvedPath() and
+      (
+        r = c.asMethodCallExprCfgNode().getExpr()
+        or
+        r = c.asCallExprCfgNode().getExpr().(PathExprCfgNode).getPath()
+      )
+    |
+      crate.asSome() = r.getResolvedCrateOrigin()
+      or
+      crate.isNone() and
+      not r.hasResolvedCrateOrigin()
+    )
+  }
+
  /** Gets a viable implementation of the target of the given `Call`. */
-  DataFlowCallable viableCallable(DataFlowCall c) {
-    exists(Function f, string name | result.asCfgScope() = f and name = f.getName().toString() |
-      if f.getParamList().hasSelfParam()
-      then name = c.asMethodCallExprCfgNode().getNameRef().getText()
-      else
-        name = c.asCallExprCfgNode().getExpr().getExpr().(PathExpr).getPath().getPart().toString()
+  DataFlowCallable viableCallable(DataFlowCall call) {
+    exists(string path, CrateOriginOption crate |
+      hasExtendedCanonicalPath(result, crate, path) and
+      resolvesExtendedCanonicalPath(call, crate, path)
    )
  }

--- a/shared/util/codeql/util/Option.qll
+++ b/shared/util/codeql/util/Option.qll
@@ -2,6 +2,7 @@

 /** A type with `toString`. */
 private signature class TypeWithToString {
+  bindingset[this]
  string toString();
 }