Rust: Ensure index expressions are not handled as calls yet in data flow

2026-04-27 01:35:13 +02:00 · 2025-06-21 13:16:40 +02:00
parent 846ef9ad5a
commit 326c7de521
2 changed files with 12 additions and 4 deletions
--- a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll
+++ b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll
@@ -145,9 +145,13 @@ final class ArgumentPosition extends ParameterPosition {
 * as the synthetic `ReceiverNode` is the argument for the `self` parameter.
 */
 predicate isArgumentForCall(ExprCfgNode arg, CallCfgNode call, ParameterPosition pos) {
-  call.getPositionalArgument(pos.getPosition()) = arg
-  or
-  call.getReceiver() = arg and pos.isSelf() and not call.getCall().receiverImplicitlyBorrowed()
+  // TODO: Handle index expressions as calls in data flow.
+  not call.getCall() instanceof IndexExpr and
+  (
+    call.getPositionalArgument(pos.getPosition()) = arg
+    or
+    call.getReceiver() = arg and pos.isSelf() and not call.getCall().receiverImplicitlyBorrowed()
+  )
 }

 /** Provides logic related to SSA. */
--- a/rust/ql/lib/codeql/rust/dataflow/internal/Node.qll
+++ b/rust/ql/lib/codeql/rust/dataflow/internal/Node.qll
@@ -472,7 +472,11 @@ newtype TNode =
        getPostUpdateReverseStep(any(PostUpdateNode n).getPreUpdateNode().asExpr(), _)
      ]
  } or
-  TReceiverNode(CallCfgNode mc, Boolean isPost) { mc.getCall().receiverImplicitlyBorrowed() } or
+  TReceiverNode(CallCfgNode mc, Boolean isPost) {
+    mc.getCall().receiverImplicitlyBorrowed() and
+    // TODO: Handle index expressions as calls in data flow.
+    not mc.getCall() instanceof IndexExpr
+  } or
  TSsaNode(SsaImpl::DataFlowIntegration::SsaNode node) or
  TFlowSummaryNode(FlowSummaryImpl::Private::SummaryNode sn) or
  TClosureSelfReferenceNode(CfgScope c) { lambdaCreationExpr(c, _) } or