Rust: Split boolean from number barriers

2026-04-27 01:35:13 +02:00 · 2025-11-26 14:45:31 +01:00
parent 1c8cc39a6a
commit 6050a0e1a8
4 changed files with 23 additions and 27 deletions
--- a/rust/ql/lib/codeql/rust/security/Barriers.qll
+++ b/rust/ql/lib/codeql/rust/security/Barriers.qll
@@ -1,5 +1,5 @@
 /**
- * Classes to represent barriers commonly used in dataflow and taint tracking
+ * Classes to represent barriers commonly used in data flow and taint tracking
 * configurations.
 */

@@ -11,35 +11,26 @@ private import codeql.rust.controlflow.ControlFlowGraph as Cfg
 private import codeql.rust.controlflow.CfgNodes as CfgNodes
 private import codeql.rust.frameworks.stdlib.Builtins as Builtins

-/**
- * A node whose type is a numeric or boolean type, which may be an appropriate
- * taint flow barrier for some queries.
- */
+/** A node whose type is a numeric. */
 class NumericTypeBarrier extends DataFlow::Node {
  NumericTypeBarrier() {
-    exists(StructType t, Struct s |
-      t = TypeInference::inferType(this.asExpr()) and
-      s = t.getStruct()
-    |
-      s instanceof Builtins::NumericType or
-      s instanceof Builtins::Bool
-    )
+    TypeInference::inferType(this.asExpr()).(StructType).getStruct() instanceof
+      Builtins::NumericType
  }
 }

-/**
- * A node whose type is an integral (integer) or boolean type, which may be an
- * appropriate taint flow barrier for some queries.
- */
-class IntegralOrBooleanTypeBarrier extends DataFlow::Node {
-  IntegralOrBooleanTypeBarrier() {
-    exists(StructType t, Struct s |
-      t = TypeInference::inferType(this.asExpr()) and
-      s = t.getStruct()
-    |
-      s instanceof Builtins::IntegralType or
-      s instanceof Builtins::Bool
-    )
+/** A node whose type is `bool`. */
+class BooleanTypeBarrier extends DataFlow::Node {
+  BooleanTypeBarrier() {
+    TypeInference::inferType(this.asExpr()).(StructType).getStruct() instanceof Builtins::Bool
+  }
+}
+
+/** A node whose type is an integral (integer). */
+class IntegralTypeBarrier extends DataFlow::Node {
+  IntegralTypeBarrier() {
+    TypeInference::inferType(this.asExpr()).(StructType).getStruct() instanceof
+      Builtins::IntegralType
  }
 }

--- a/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll
@@ -49,4 +49,6 @@ module LogInjection {
   * numeric or boolean type, which is unlikely to expose any vulnerability.
   */
  private class NumericTypeBarrier extends Barrier instanceof Barriers::NumericTypeBarrier { }
+
+  private class BooleanTypeBarrier extends Barrier instanceof Barriers::BooleanTypeBarrier { }
 }
--- a/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll
@@ -64,4 +64,6 @@ module SqlInjection {
   * boolean type, which is unlikely to expose any vulnerability.
   */
  private class NumericTypeBarrier extends Barrier instanceof Barriers::NumericTypeBarrier { }
+
+  private class BooleanTypeBarrier extends Barrier instanceof Barriers::BooleanTypeBarrier { }
 }
--- a/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll
@@ -94,6 +94,7 @@ module RegexInjection {
   * We don't include floating point types in this barrier, as `.` is a special character
   * in regular expressions.
   */
-  private class IntegralOrBooleanTypeBarrier extends Barrier instanceof Barriers::IntegralOrBooleanTypeBarrier
-  { }
+  private class IntegralTypeBarrier extends Barrier instanceof Barriers::IntegralTypeBarrier { }
+
+  private class BooleanTypeBarrier extends Barrier instanceof Barriers::BooleanTypeBarrier { }
 }