From 5762191832b974ccc3d887ffb613aca673963e02 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Mon, 23 Mar 2026 17:20:43 +0000 Subject: [PATCH 1/7] Enable MaD barriers for queries with MaD sinks --- .../security/AccessInvalidPointerExtensions.qll | 8 ++++++++ .../rust/security/CleartextLoggingExtensions.qll | 8 ++++++++ .../security/CleartextStorageDatabaseExtensions.qll | 7 +++++++ .../security/CleartextTransmissionExtensions.qll | 8 ++++++++ .../security/DisabledCertificateCheckExtensions.qll | 13 +++++++++++++ .../HardcodedCryptographicValueExtensions.qll | 10 ++++++++++ .../rust/security/InsecureCookieExtensions.qll | 8 ++++++++ .../codeql/rust/security/LogInjectionExtensions.qll | 8 ++++++++ .../rust/security/RequestForgeryExtensions.qll | 8 ++++++++ .../codeql/rust/security/SqlInjectionExtensions.qll | 10 +++++++++- .../codeql/rust/security/TaintedPathExtensions.qll | 5 +++++ .../UncontrolledAllocationSizeExtensions.qll | 8 ++++++++ .../codeql/rust/security/UseOfHttpExtensions.qll | 8 ++++++++ rust/ql/lib/codeql/rust/security/XssExtensions.qll | 8 ++++++++ .../security/regex/RegexInjectionExtensions.qll | 8 ++++++++ .../security/CWE-295/DisabledCertificateCheck.ql | 2 ++ 16 files changed, 126 insertions(+), 1 deletion(-) diff --git a/rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll b/rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll index 117f67a7b4e..89a0a2c5c92 100644 --- a/rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll @@ -5,6 +5,7 @@ import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSource private import codeql.rust.dataflow.FlowSink private import codeql.rust.Concepts 
@@ -69,6 +70,13 @@ module AccessInvalidPointer { ModelsAsDataSink() { sinkNode(this, "pointer-access") } } + /** + * A barrier for invalid pointer access from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, "pointer-access") } + } + /** * A barrier for invalid pointer access vulnerabilities for values checked to * be non-`null`. diff --git a/rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll b/rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll index f634992fb81..c728d29f015 100644 --- a/rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll @@ -5,6 +5,7 @@ import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSink private import codeql.rust.security.SensitiveData private import codeql.rust.Concepts @@ -44,6 +45,13 @@ module CleartextLogging { ModelsAsDataSink() { sinkNode(this, "log-injection") } } + /** + * A barrier for logging from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, "log-injection") } + } + private class BooleanTypeBarrier extends Barrier instanceof Barriers::BooleanTypeBarrier { } private class FieldlessEnumTypeBarrier extends Barrier instanceof Barriers::FieldlessEnumTypeBarrier diff --git a/rust/ql/lib/codeql/rust/security/CleartextStorageDatabaseExtensions.qll b/rust/ql/lib/codeql/rust/security/CleartextStorageDatabaseExtensions.qll index f92b2df1dc0..afbf27e5bc9 100644 --- a/rust/ql/lib/codeql/rust/security/CleartextStorageDatabaseExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/CleartextStorageDatabaseExtensions.qll 
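Review bot: The `ModelsAsDataBarrier` added to `CleartextLogging` keys on the `log-injection` kind, so a models-as-data barrier written for the log-injection query (typically a routine that strips newlines or control characters) will now also suppress cleartext-logging alerts, although such a sanitizer leaves the sensitive value intact. Sharing the kind mirrors the existing `ModelsAsDataSink` in this module, so this is presumably intentional, but the consequence belongs in the doc comment, and `A barrier for logging from model data.` is vaguer than the wording used by the neighbouring modules. Suggested comment: `A barrier for cleartext logging from model data. This shares the log-injection kind with the log-injection query, so a barrier modelled for that query also blocks flow here.` If `FlowBarrier` can carry a separate kind, a dedicated one would avoid the cross-talk. The `CleartextLogging` module continues outside the hunk.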
@@ -45,4 +45,11 @@ module CleartextStorageDatabase { private class ModelsAsDataSink extends Sink { ModelsAsDataSink() { sinkNode(this, ["sql-injection", "database-store"]) } } + + /** + * A barrier for cleartext storage vulnerabilities from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, ["sql-injection", "database-store"]) } + } } diff --git a/rust/ql/lib/codeql/rust/security/CleartextTransmissionExtensions.qll b/rust/ql/lib/codeql/rust/security/CleartextTransmissionExtensions.qll index 7d5a91a55f7..14ee95186c3 100644 --- a/rust/ql/lib/codeql/rust/security/CleartextTransmissionExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/CleartextTransmissionExtensions.qll @@ -6,6 +6,7 @@ private import codeql.util.Unit private import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSink private import codeql.rust.security.SensitiveData private import codeql.rust.Concepts @@ -55,4 +56,11 @@ module CleartextTransmission { private class ModelsAsDataSink extends Sink { ModelsAsDataSink() { sinkNode(this, ["transmission", "request-url"]) } } + + /** + * A barrier defined through MaD. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, ["transmission", "request-url"]) } + } } diff --git a/rust/ql/lib/codeql/rust/security/DisabledCertificateCheckExtensions.qll b/rust/ql/lib/codeql/rust/security/DisabledCertificateCheckExtensions.qll index a86ee506dfa..a5933bc74b1 100644 --- a/rust/ql/lib/codeql/rust/security/DisabledCertificateCheckExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/DisabledCertificateCheckExtensions.qll 
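Review bot: The new `ModelsAsDataBarrier` in `CleartextStorageDatabase` accepts both the `sql-injection` and `database-store` kinds, so a barrier row of either kind blocks flow to sinks of both kinds, and in particular a SQL-injection sanitizer (quoting or escaping) now silences cleartext-storage alerts even though escaping does not make a sensitive value safe to store. The sink side already mixes the two kinds, so this is consistent, but the doc comment should say so, as the hard-coded cryptographic value barrier's comment does later in this series. Suggested comment: `A barrier for cleartext storage vulnerabilities from model data. A barrier of either kind blocks flow to both sql-injection and database-store sinks; note that a sanitizer modelled for SQL injection does not remove sensitive data.` The `CleartextStorageDatabase` module opens outside the hunk.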
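Review bot: `A barrier defined through MaD.` is the only doc comment in this commit that neither names the vulnerability nor uses the "from model data" phrasing of the other modules; suggest `A barrier for cleartext transmission from model data.` The `request-url` kind is also shared with the request-forgery and use-of-HTTP barriers added in this same commit, so a barrier row modelled for one of those queries (for instance a host allow-list check against SSRF) will block cleartext-transmission flow too, and that deserves a sentence in the comment because validating a destination says nothing about whether the transmitted value is sensitive. The `CleartextTransmission` module opens outside the hunk.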
@@ -5,6 +5,7 @@ import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSink private import codeql.rust.Concepts private import codeql.rust.dataflow.internal.Node as Node @@ -21,6 +22,11 @@ module DisabledCertificateCheckExtensions { override string getSinkType() { result = "DisabledCertificateCheck" } } + /** + * A data flow barrier for disabled certificate check vulnerabilities. + */ + abstract class Barrier extends DataFlow::Node { } + /** * A sink for disabled certificate check vulnerabilities from model data. */ @@ -42,4 +48,11 @@ module DisabledCertificateCheckExtensions { ) } } + + /** + * A barrier for disabled certificate check vulnerabilities from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, "disable-certificate") } + } } diff --git a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll index 9bdfc53971e..ffef3658d58 100644 --- a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll @@ -5,6 +5,7 @@ import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSource private import codeql.rust.dataflow.FlowSink private import codeql.rust.Concepts @@ -130,6 +131,15 @@ module HardcodedCryptographicValue { override CryptographicValueKind getKind() { result = kind } } + /** + * An externally modeled barrier for hard-coded cryptographic value vulnerabilities. + */ + private class ModelsAsDataBarrier extends Barrier { + CryptographicValueKind kind; + + ModelsAsDataBarrier() { barrierNode(this, "credentials-" + kind) } + } + /** * A call to `getrandom` that is a barrier. */ 
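Review bot: The new abstract `Barrier` class in `DisabledCertificateCheckExtensions` is public API, and its one-line comment does not say what extending it achieves; the only consumer visible in this series is the `isBarrier` predicate added to `DisabledCertificateCheck.ql`, so a reader of the library alone cannot tell that the class is honoured at all. Suggest: `A data flow barrier for disabled certificate check vulnerabilities. Nodes in this class stop flow in the DisabledCertificateCheck query; extend it to add sanitizers.` The `DisabledCertificateCheckExtensions` module continues outside the hunk.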
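Review bot: `ModelsAsDataBarrier` here keys on the literal `disable-certificate`, but the MaD sink kind it is meant to pair with sits in the `ModelsAsDataSink` body between this hunk and the previous one and is not visible in the diff; if the two strings differ, barrier rows would presumably be accepted and have no effect, since nothing here reports an unmatched kind. Worth confirming the strings agree, and worth a test with a `disable-certificate` barrier row in the query's test suite so the pairing cannot drift. The `DisabledCertificateCheckExtensions` module closes at the end of this hunk but opens outside it.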
diff --git a/rust/ql/lib/codeql/rust/security/InsecureCookieExtensions.qll b/rust/ql/lib/codeql/rust/security/InsecureCookieExtensions.qll index 87d37d6b85b..bd74dcb8728 100644 --- a/rust/ql/lib/codeql/rust/security/InsecureCookieExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/InsecureCookieExtensions.qll @@ -5,6 +5,7 @@ import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSource private import codeql.rust.dataflow.FlowSink private import codeql.rust.Concepts @@ -48,6 +49,13 @@ module InsecureCookie { ModelsAsDataSink() { sinkNode(this, "cookie-use") } } + /** + * A barrier for insecure cookie vulnerabilities from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, "cookie-use") } + } + /** * Holds if a models-as-data optional barrier for cookies is specified for `summaryNode`, * with arguments `attrib` (`secure` or `partitioned`) and `arg` (argument index). For example, diff --git a/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll b/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll index 31403b625f9..40d11362355 100644 --- a/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll @@ -5,6 +5,7 @@ import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSink private import codeql.rust.Concepts private import codeql.util.Unit 
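Review bot: `InsecureCookie` now has two models-as-data barrier mechanisms side by side: the new unconditional `ModelsAsDataBarrier` on the `cookie-use` kind, and the existing optional barrier described right below it, which is conditional on the `secure`/`partitioned` attribute and an argument index. The new class's one-line comment should say which one a modeller should reach for; otherwise a plain `cookie-use` barrier row may be written where the optional form was intended and silence the query regardless of the cookie's attributes. Suggest: `An unconditional barrier for insecure cookie vulnerabilities from model data. For a barrier that depends on the cookie's secure or partitioned attribute, use the optional barrier below.` The `InsecureCookie` module continues outside the hunk.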
@@ -44,6 +45,13 @@ module LogInjection { ModelsAsDataSink() { sinkNode(this, "log-injection") } } + /** + * A barrier for log-injection from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, "log-injection") } + } + /** * A barrier for log injection vulnerabilities for nodes whose type is a * numeric type, which is unlikely to expose any vulnerability. diff --git a/rust/ql/lib/codeql/rust/security/RequestForgeryExtensions.qll b/rust/ql/lib/codeql/rust/security/RequestForgeryExtensions.qll index 1822baff644..d5b75258ad4 100644 --- a/rust/ql/lib/codeql/rust/security/RequestForgeryExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/RequestForgeryExtensions.qll @@ -5,6 +5,7 @@ import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSink private import codeql.rust.dataflow.FlowSource private import codeql.rust.Concepts @@ -46,4 +47,11 @@ module RequestForgery { private class ModelsAsDataSink extends Sink { ModelsAsDataSink() { sinkNode(this, "request-url") } } + + /** + * A barrier for request forgery from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, "request-url") } + } } diff --git a/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll b/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll index f36ab264987..de2622974f6 100644 --- a/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll @@ -6,6 +6,7 @@ import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSink private import codeql.rust.Concepts private import codeql.util.Unit 
@@ -53,12 +54,19 @@ module SqlInjection { } /** - * A sink for sql-injection from model data. + * A sink for SQL injection from model data. */ private class ModelsAsDataSink extends Sink { ModelsAsDataSink() { sinkNode(this, "sql-injection") } } + /** + * A barrier for SQL injection from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, "sql-injection") } + } + /** * A barrier for SQL injection vulnerabilities for nodes whose type is a numeric * type, which is unlikely to expose any vulnerability. diff --git a/rust/ql/lib/codeql/rust/security/TaintedPathExtensions.qll b/rust/ql/lib/codeql/rust/security/TaintedPathExtensions.qll index ccf3736ceb4..2bd009909f6 100644 --- a/rust/ql/lib/codeql/rust/security/TaintedPathExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/TaintedPathExtensions.qll @@ -47,6 +47,11 @@ module TaintedPath { private class ModelsAsDataSinks extends Sink { ModelsAsDataSinks() { sinkNode(this, "path-injection") } } + + /** A barrier for path-injection from model data. */ + private class ModelsAsDataBarriers extends Barrier { + ModelsAsDataBarriers() { barrierNode(this, "path-injection") } + } } private predicate sanitizerGuard(AstNode g, Expr e, boolean branch) { diff --git a/rust/ql/lib/codeql/rust/security/UncontrolledAllocationSizeExtensions.qll b/rust/ql/lib/codeql/rust/security/UncontrolledAllocationSizeExtensions.qll index c6251563ea6..f0c0bed0009 100644 --- a/rust/ql/lib/codeql/rust/security/UncontrolledAllocationSizeExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/UncontrolledAllocationSizeExtensions.qll @@ -6,6 +6,7 @@ import rust private import codeql.rust.Concepts private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSink /** 
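Review bot: `TaintedPathExtensions.qll` is the only file in this commit that gains a `barrierNode` call without a matching `private import codeql.rust.dataflow.FlowBarrier` hunk, so the name must already resolve through an import above this hunk; the QL compiler would reject it otherwise, but it is worth confirming the import is explicit rather than incidental. The naming also diverges: `ModelsAsDataBarriers` (plural, with a single-line `/** ... */` comment) follows the file's existing `ModelsAsDataSinks`, while every other module in this change uses `ModelsAsDataBarrier` with a block comment; either is fine, but one convention should win. The `TaintedPath` module continues outside the hunk, with `sanitizerGuard` after it.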
@@ -32,6 +33,13 @@ module UncontrolledAllocationSize { ModelsAsDataSink() { sinkNode(this, ["alloc-size", "alloc-layout"]) } } + /** + * A barrier for uncontrolled allocation size from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, ["alloc-size", "alloc-layout"]) } + } + /** * A barrier for uncontrolled allocation size that is an upper bound check / guard. */ diff --git a/rust/ql/lib/codeql/rust/security/UseOfHttpExtensions.qll b/rust/ql/lib/codeql/rust/security/UseOfHttpExtensions.qll index 076ed42edfb..f4dd5a1e1a8 100644 --- a/rust/ql/lib/codeql/rust/security/UseOfHttpExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/UseOfHttpExtensions.qll @@ -5,6 +5,7 @@ import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSink private import codeql.rust.Concepts @@ -59,4 +60,11 @@ module UseOfHttp { private class ModelsAsDataSink extends Sink { ModelsAsDataSink() { sinkNode(this, "request-url") } } + + /** + * A barrier for use of HTTP URLs from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, "request-url") } + } } diff --git a/rust/ql/lib/codeql/rust/security/XssExtensions.qll b/rust/ql/lib/codeql/rust/security/XssExtensions.qll index 97318ff8173..74ed161acb0 100644 --- a/rust/ql/lib/codeql/rust/security/XssExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/XssExtensions.qll @@ -5,6 +5,7 @@ import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSink private import codeql.rust.Concepts private import codeql.util.Unit 
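Review bot: The barrier added to `UncontrolledAllocationSize` accepts both `alloc-size` and `alloc-layout`, so a barrier row of either kind blocks flow to sinks of both kinds; a row modelled as bounding a size argument also stops flow into a layout sink. That is consistent with `ModelsAsDataSink` just above, but the comment should state it so that modellers do not expect per-kind scoping. Suggest: `A barrier for uncontrolled allocation size from model data. A barrier of either kind blocks flow to both alloc-size and alloc-layout sinks.` The `UncontrolledAllocationSize` module continues outside the hunk.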
@@ -44,6 +45,13 @@ module Xss { ModelsAsDataSink() { sinkNode(this, "html-injection") } } + /** + * A barrier for XSS from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, "html-injection") } + } + /** * A barrier for XSS vulnerabilities for nodes whose type is a * numeric or boolean type, which is unlikely to expose any vulnerability. diff --git a/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll b/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll index 7cb0dc47c9f..3f1dbbafb7d 100644 --- a/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll @@ -6,6 +6,7 @@ private import codeql.util.Unit private import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSink private import codeql.rust.Concepts private import codeql.rust.security.Barriers as Barriers @@ -69,6 +70,13 @@ module RegexInjection { ModelsAsDataSink() { sinkNode(this, "regex-use") } } + /** + * A barrier for regular expression injection from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, "regex-use") } + } + /** * An escape barrier for regular expression injection vulnerabilities. */ diff --git a/rust/ql/src/queries/security/CWE-295/DisabledCertificateCheck.ql b/rust/ql/src/queries/security/CWE-295/DisabledCertificateCheck.ql index ae22a3c9d2c..3e978e2934b 100644 --- a/rust/ql/src/queries/security/CWE-295/DisabledCertificateCheck.ql +++ b/rust/ql/src/queries/security/CWE-295/DisabledCertificateCheck.ql 
@@ -33,6 +33,8 @@ module DisabledCertificateCheckConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node node) { node instanceof Sink }
 
+  predicate isBarrier(DataFlow::Node node) { node instanceof Barrier }
+
   predicate observeDiffInformedIncrementalMode() { any() }
 }
 
From 93231794ee64b8c4788d6077490cb762a193cea5 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Tue, 24 Mar 2026 10:39:05 +0000
Subject: [PATCH 2/7] Document that MaD barriers for hardcoded credentials apply to all kinds

---
 .../rust/security/HardcodedCryptographicValueExtensions.qll | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll
index ffef3658d58..70799e39d58 100644
--- a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll
@@ -133,6 +133,9 @@ module HardcodedCryptographicValue {
 
   /**
    * An externally modeled barrier for hard-coded cryptographic value vulnerabilities.
+   *
+   * Note that a sanitizer with kind `credentials-key` will sanitize flow to
+   * all sinks, not just sinks with the same kind.
    */
   private class ModelsAsDataBarrier extends Barrier {
     CryptographicValueKind kind;

From 7e6319d6484c107113b1ac1b7056c7ee25fb8e74 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Tue, 24 Mar 2026 10:39:32 +0000
Subject: [PATCH 3/7] Remove unused field

---
 .../rust/security/HardcodedCryptographicValueExtensions.qll | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll
index 70799e39d58..14482872443 100644
--- a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll
@@ -138,9 +138,7 @@ module HardcodedCryptographicValue {
    * all sinks, not just sinks with the same kind.
    */
   private class ModelsAsDataBarrier extends Barrier {
-    CryptographicValueKind kind;
-
-    ModelsAsDataBarrier() { barrierNode(this, "credentials-" + kind) }
+    ModelsAsDataBarrier() { exists(string kind | barrierNode(this, "credentials-" + kind)) }
   }
 
   /**

From 14b3f6211e8ed87750f99248db2d3033e01fe4ad Mon Sep 17 00:00:00 2001
From: Paolo Tranquilli
Date: Tue, 24 Mar 2026 14:15:19 +0100
Subject: [PATCH 4/7] C#: Opt out of dotnet CLI telemetry

Add `DOTNET_CLI_TELEMETRY_OPTOUT=1` to the minimal environment used for all `dotnet` invocations. The telemetry is unnecessary and may even be causing segfaults in some cases.
---
 .../IDotNetCliInvoker.cs | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/IDotNetCliInvoker.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/IDotNetCliInvoker.cs
index 61d0ea4260d..ef5bcd4753b 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/IDotNetCliInvoker.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/IDotNetCliInvoker.cs
@@ -12,16 +12,18 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
         ///
         /// A minimal environment for running the .NET CLI.
-        ///
+        ///
         /// DOTNET_CLI_UI_LANGUAGE: The .NET CLI language is set to English to avoid localized output.
         /// MSBUILDDISABLENODEREUSE: To ensure clean environment for each build.
         /// DOTNET_SKIP_FIRST_TIME_EXPERIENCE: To skip first time experience messages.
+        /// DOTNET_CLI_TELEMETRY_OPTOUT: To skip any dotnet telemetry: it's unnecessary and can even cause issues.
         ///
         static ReadOnlyDictionary MinimalEnvironment { get; } = new(new Dictionary
         {
             {"DOTNET_CLI_UI_LANGUAGE", "en"},
             {"MSBUILDDISABLENODEREUSE", "1"},
-            {"DOTNET_SKIP_FIRST_TIME_EXPERIENCE", "true"}
+            {"DOTNET_SKIP_FIRST_TIME_EXPERIENCE", "true"},
+            {"DOTNET_CLI_TELEMETRY_OPTOUT", "1"}
         });
         ///
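Review bot: The new doc line `/// DOTNET_CLI_TELEMETRY_OPTOUT: To skip any dotnet telemetry: it's unnecessary and can even cause issues.` is vaguer than the commit message, which attributes segfaults to the telemetry, and the comment is what a later maintainer reads when deciding whether the variable can be dropped. It also omits the reason that matters most for an extractor run over customer code: as far as I know the SDK telemetry uploads usage data, so opting out keeps every `dotnet` invocation from making an outbound connection from the build host. Suggest: `/// DOTNET_CLI_TELEMETRY_OPTOUT: disables .NET CLI telemetry. It is not needed by the extractor, avoids an outbound connection from the build host, and has been observed to cause segfaults in some environments.` Whether `MinimalEnvironment` replaces or is merged over the ambient environment is not visible here; if it is merged, a user's own `DOTNET_CLI_TELEMETRY_OPTOUT` value is overridden, which is harmless for an opt-out but worth a word. The enclosing type continues outside the hunk.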
From bedfe1e7556da2fda49aa10e6fe6d23598ca29d3 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
Date: Tue, 24 Mar 2026 22:06:53 +0000
Subject: [PATCH 5/7] Apply suggestions from code review

Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
---
 .../security/HardcodedCryptographicValueExtensions.qll | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll
index 14482872443..7ac59c92c18 100644
--- a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll
@@ -134,11 +134,12 @@ module HardcodedCryptographicValue {
   /**
    * An externally modeled barrier for hard-coded cryptographic value vulnerabilities.
    *
-   * Note that a sanitizer with kind `credentials-key` will sanitize flow to
-   * all sinks, not just sinks with the same kind.
+   * Note that a barrier will block flow to all hard-coded cryptographic value
+   * sinks, regardless of the `kind` that is specified. For example a barrier of
+   * kind `credentials-key` will block flow to a sink of kind `credentials-iv`.
    */
   private class ModelsAsDataBarrier extends Barrier {
-    ModelsAsDataBarrier() { exists(string kind | barrierNode(this, "credentials-" + kind)) }
+    ModelsAsDataBarrier() { exists(CryptographicValueKind kind | barrierNode(this, "credentials-" + kind)) }
   }
 
   /**

From f25d7456da8067141c271899bcb8ac9c0cb82030 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Wed, 25 Mar 2026 10:05:04 +0000
Subject: [PATCH 6/7] Fix QL formatting

---
 .../security/HardcodedCryptographicValueExtensions.qll | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
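Review bot: Changing the quantifier from `string` to `CryptographicValueKind` means a models-as-data barrier row whose kind is `credentials-` followed by an unrecognised suffix now matches nothing and is dropped without any diagnostic; that is consistent with the sink side, whose `getKind()` returns a `CryptographicValueKind`, but a typo in a model row becomes an invisible no-op rather than an over-broad barrier. The reworded comment explains the cross-kind blocking well; add one sentence covering this case: `Only kinds of the form credentials-<k>, where k is a known CryptographicValueKind, are recognised; any other kind is ignored.` The `HardcodedCryptographicValue` module continues outside the hunk.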
diff --git a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll
index 7ac59c92c18..09e2505eb5c 100644
--- a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll
@@ -134,12 +134,14 @@ module HardcodedCryptographicValue {
   /**
    * An externally modeled barrier for hard-coded cryptographic value vulnerabilities.
    *
-   * Note that a barrier will block flow to all hard-coded cryptographic value
-   * sinks, regardless of the `kind` that is specified. For example a barrier of
-   * kind `credentials-key` will block flow to a sink of kind `credentials-iv`.
+   * Note that a barrier will block flow to all hard-coded cryptographic value
+   * sinks, regardless of the `kind` that is specified. For example a barrier of
+   * kind `credentials-key` will block flow to a sink of kind `credentials-iv`.
    */
   private class ModelsAsDataBarrier extends Barrier {
-    ModelsAsDataBarrier() { exists(CryptographicValueKind kind | barrierNode(this, "credentials-" + kind)) }
+    ModelsAsDataBarrier() {
+      exists(CryptographicValueKind kind | barrierNode(this, "credentials-" + kind))
+    }
   }
 
   /**

From fba4a83dc81e66e71dc3adc111ed3994500921c5 Mon Sep 17 00:00:00 2001
From: Tom Hvitved
Date: Wed, 25 Mar 2026 12:52:08 +0100
Subject: [PATCH 7/7] Rust: Include taint steps when generating flow models

---
 rust/ql/src/utils/modelgenerator/internal/CaptureModels.qll | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rust/ql/src/utils/modelgenerator/internal/CaptureModels.qll b/rust/ql/src/utils/modelgenerator/internal/CaptureModels.qll
index fb71423503d..8ec2f3354db 100644
--- a/rust/ql/src/utils/modelgenerator/internal/CaptureModels.qll
+++ b/rust/ql/src/utils/modelgenerator/internal/CaptureModels.qll
@@ -138,7 +138,10 @@ private module SummaryModelGeneratorInput implements SummaryModelGeneratorInputS
   Parameter asParameter(NodeExtended node) { result = node.asParameter() }
 
-  predicate isAdditionalContentFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { none() }
+  predicate isAdditionalContentFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    RustTaintTracking::defaultAdditionalTaintStep(nodeFrom, nodeTo, _) and
+    not RustDataFlow::readStep(nodeFrom, _, nodeTo)
+  }
 
   predicate isField(DataFlow::ContentSet c) {
     c.(SingletonContentSet).getContent() instanceof FieldContent