hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Rust: Add reverse post-update flow steps

Browse Source
This commit is contained in:
Tom Hvitved
2025-03-25 08:56:52 +01:00
parent fcb1d9433a
commit 72028c034e
9 changed files with 58 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
rust/ql/lib/codeql/rust/dataflow/internal/DataFlowConsistency.qll
View File

@@ -18,6 +18,8 @@ private module Input implements InputSig<Location, RustDataFlow> {
// We allow flow into post-update node for receiver expressions (from the
// synthetic post receiever node).
n.(Node::PostUpdateNode).getPreUpdateNode().asExpr() = any(Node::ReceiverNode r).getReceiver()
or
n.(Node::PostUpdateNode).getPreUpdateNode().asExpr() = getPostUpdateReverseStep(_, _)
}
predicate missingLocationExclude(RustDataFlow::Node n) { not exists(n.asExpr().getLocation()) }

11
rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll
View File

@@ -213,6 +213,14 @@ private ExprCfgNode getALastEvalNode(ExprCfgNode e) {
result.(BreakExprCfgNode).getTarget() = e
}
ExprCfgNode getPostUpdateReverseStep(ExprCfgNode e, boolean preservesValue) {
result = getALastEvalNode(e) and
preservesValue = true
or
result = e.(CastExprCfgNode).getExpr() and
preservesValue = false
}
module LocalFlow {
predicate flowSummaryLocalStep(Node nodeFrom, Node nodeTo, string model) {
exists(FlowSummaryImpl::Public::SummarizedCallable c |
@@ -274,6 +282,9 @@ module LocalFlow {
// The dual step of the above, for the post-update nodes.
nodeFrom.(PostUpdateNode).getPreUpdateNode().(ReceiverNode).getReceiver() =
nodeTo.(PostUpdateNode).getPreUpdateNode().asExpr()
or
nodeTo.(PostUpdateNode).getPreUpdateNode().asExpr() =
getPostUpdateReverseStep(nodeFrom.(PostUpdateNode).getPreUpdateNode().asExpr(), true)
}
}

5
rust/ql/lib/codeql/rust/dataflow/internal/Node.qll
View File

@@ -472,6 +472,11 @@ newtype TNode =
any(PrefixExprCfgNode pe | pe.getOperatorName() = "*").getExpr(),
any(AwaitExprCfgNode a).getExpr(), any(MethodCallExprCfgNode mc).getReceiver()
]
or
exists(ExprCfgNode pred |
exists(TExprPostUpdateNode(pred)) and
e = getPostUpdateReverseStep(pred, _)
)
} or
TReceiverNode(MethodCallExprCfgNode mc, Boolean isPost) or
TSsaNode(SsaImpl::DataFlowIntegration::SsaNode node) or

20
rust/ql/lib/codeql/rust/dataflow/internal/SsaImpl.qll
View File

@@ -332,6 +332,8 @@ import Cached
private import codeql.rust.dataflow.Ssa
private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInputSig {
private import codeql.rust.dataflow.internal.DataFlowImpl as DataFlowImpl
class Expr extends CfgNodes::AstCfgNode {
predicate hasCfgNode(SsaInput::BasicBlock bb, int i) { this = bb.getNode(i) }
}
@@ -343,14 +345,22 @@ private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInpu
none() // handled in `DataFlowImpl.qll` instead
}
private predicate isArg(CfgNodes::CallExprBaseCfgNode call, CfgNodes::ExprCfgNode e) {
call.getArgument(_) = e
or
call.(CfgNodes::MethodCallExprCfgNode).getReceiver() = e
or
exists(CfgNodes::ExprCfgNode mid |
isArg(call, mid) and
e = DataFlowImpl::getPostUpdateReverseStep(mid, _)
)
}
predicate allowFlowIntoUncertainDef(UncertainWriteDefinition def) {
exists(CfgNodes::CallExprBaseCfgNode call, Variable v, BasicBlock bb, int i |
def.definesAt(v, bb, i) and
mutablyBorrows(bb.getNode(i).getAstNode(), v)
|
call.getArgument(_) = bb.getNode(i)
or
call.(CfgNodes::MethodCallExprCfgNode).getReceiver() = bb.getNode(i)
mutablyBorrows(bb.getNode(i).getAstNode(), v) and
isArg(call, bb.getNode(i))
)
}

3
rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll
View File

@@ -53,6 +53,9 @@ module RustTaintTracking implements InputSig<Location, RustDataFlow> {
exists(FormatArgsExprCfgNode format | succ.asExpr() = format |
pred.asExpr() = [format.getArgumentExpr(_), format.getFormatTemplateVariableAccess(_)]
)
or
succ.(Node::PostUpdateNode).getPreUpdateNode().asExpr() =
getPostUpdateReverseStep(pred.(Node::PostUpdateNode).getPreUpdateNode().asExpr(), false)
)
or
FlowSummaryImpl::Private::Steps::summaryLocalStep(pred.(Node::FlowSummaryNode).getSummaryNode(),

14
rust/ql/test/library-tests/dataflow/global/inline-flow.expected
View File

@@ -18,6 +18,12 @@ edges
| main.rs:38:23:38:31 | source(...) | main.rs:38:6:38:11 | [post] &mut a [&ref, MyStruct] | provenance | |
| main.rs:39:10:39:10 | a [MyStruct] | main.rs:30:17:30:21 | SelfParam [&ref, MyStruct] | provenance | |
| main.rs:39:10:39:10 | a [MyStruct] | main.rs:39:10:39:21 | a.get_data(...) | provenance | |
| main.rs:44:12:44:17 | [post] &mut a [&ref, MyStruct] | main.rs:44:17:44:17 | [post] a [MyStruct] | provenance | |
| main.rs:44:17:44:17 | [post] a [MyStruct] | main.rs:45:10:45:10 | a [MyStruct] | provenance | |
| main.rs:44:30:44:38 | source(...) | main.rs:26:28:26:33 | ...: i64 | provenance | |
| main.rs:44:30:44:38 | source(...) | main.rs:44:12:44:17 | [post] &mut a [&ref, MyStruct] | provenance | |
| main.rs:45:10:45:10 | a [MyStruct] | main.rs:30:17:30:21 | SelfParam [&ref, MyStruct] | provenance | |
| main.rs:45:10:45:10 | a [MyStruct] | main.rs:45:10:45:21 | a.get_data(...) | provenance | |
| main.rs:48:12:48:17 | ...: i64 | main.rs:49:10:49:10 | n | provenance | |
| main.rs:53:9:53:9 | a | main.rs:54:13:54:13 | a | provenance | |
| main.rs:53:13:53:21 | source(...) | main.rs:53:9:53:9 | a | provenance | |
@@ -110,6 +116,11 @@ nodes
| main.rs:38:23:38:31 | source(...) | semmle.label | source(...) |
| main.rs:39:10:39:10 | a [MyStruct] | semmle.label | a [MyStruct] |
| main.rs:39:10:39:21 | a.get_data(...) | semmle.label | a.get_data(...) |
| main.rs:44:12:44:17 | [post] &mut a [&ref, MyStruct] | semmle.label | [post] &mut a [&ref, MyStruct] |
| main.rs:44:17:44:17 | [post] a [MyStruct] | semmle.label | [post] a [MyStruct] |
| main.rs:44:30:44:38 | source(...) | semmle.label | source(...) |
| main.rs:45:10:45:10 | a [MyStruct] | semmle.label | a [MyStruct] |
| main.rs:45:10:45:21 | a.get_data(...) | semmle.label | a.get_data(...) |
| main.rs:48:12:48:17 | ...: i64 | semmle.label | ...: i64 |
| main.rs:49:10:49:10 | n | semmle.label | n |
| main.rs:53:9:53:9 | a | semmle.label | a |
@@ -194,6 +205,8 @@ nodes
subpaths
| main.rs:38:23:38:31 | source(...) | main.rs:26:28:26:33 | ...: i64 | main.rs:26:17:26:25 | SelfParam [Return] [&ref, MyStruct] | main.rs:38:6:38:11 | [post] &mut a [&ref, MyStruct] |
| main.rs:39:10:39:10 | a [MyStruct] | main.rs:30:17:30:21 | SelfParam [&ref, MyStruct] | main.rs:30:31:32:5 | { ... } | main.rs:39:10:39:21 | a.get_data(...) |
| main.rs:44:30:44:38 | source(...) | main.rs:26:28:26:33 | ...: i64 | main.rs:26:17:26:25 | SelfParam [Return] [&ref, MyStruct] | main.rs:44:12:44:17 | [post] &mut a [&ref, MyStruct] |
| main.rs:45:10:45:10 | a [MyStruct] | main.rs:30:17:30:21 | SelfParam [&ref, MyStruct] | main.rs:30:31:32:5 | { ... } | main.rs:45:10:45:21 | a.get_data(...) |
| main.rs:63:26:63:26 | a | main.rs:57:17:57:22 | ...: i64 | main.rs:57:32:59:1 | { ... } | main.rs:63:13:63:27 | pass_through(...) |
| main.rs:68:26:71:5 | { ... } | main.rs:57:17:57:22 | ...: i64 | main.rs:57:32:59:1 | { ... } | main.rs:68:13:71:6 | pass_through(...) |
| main.rs:82:26:82:26 | a | main.rs:78:21:78:26 | ...: i64 | main.rs:78:36:80:5 | { ... } | main.rs:82:13:82:27 | pass_through(...) |
@@ -205,6 +218,7 @@ testFailures
#select
| main.rs:18:10:18:10 | a | main.rs:13:5:13:13 | source(...) | main.rs:18:10:18:10 | a | $@ | main.rs:13:5:13:13 | source(...) | source(...) |
| main.rs:39:10:39:21 | a.get_data(...) | main.rs:38:23:38:31 | source(...) | main.rs:39:10:39:21 | a.get_data(...) | $@ | main.rs:38:23:38:31 | source(...) | source(...) |
| main.rs:45:10:45:21 | a.get_data(...) | main.rs:44:30:44:38 | source(...) | main.rs:45:10:45:21 | a.get_data(...) | $@ | main.rs:44:30:44:38 | source(...) | source(...) |
| main.rs:49:10:49:10 | n | main.rs:53:13:53:21 | source(...) | main.rs:49:10:49:10 | n | $@ | main.rs:53:13:53:21 | source(...) | source(...) |
| main.rs:64:10:64:10 | b | main.rs:62:13:62:21 | source(...) | main.rs:64:10:64:10 | b | $@ | main.rs:62:13:62:21 | source(...) | source(...) |
| main.rs:72:10:72:10 | a | main.rs:70:9:70:18 | source(...) | main.rs:72:10:72:10 | a | $@ | main.rs:70:9:70:18 | source(...) | source(...) |

2
rust/ql/test/library-tests/dataflow/global/main.rs
View File

@@ -42,7 +42,7 @@ fn data_out_of_call_side_effect1() {
fn data_out_of_call_side_effect2() {
let mut a = MyStruct { data: 0 };
({ 42; &mut a}).set_data(source(9));
sink(a.get_data()); // $ MISSING: hasValueFlow=9
sink(a.get_data()); // $ hasValueFlow=9
}
fn data_in(n: i64) {

6
rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected
View File

@@ -9,11 +9,13 @@ localStep
| main.rs:6:9:6:9 | s | main.rs:6:9:6:9 | s |
| main.rs:6:9:6:14 | ...: i64 | main.rs:6:9:6:9 | s |
| main.rs:7:14:7:20 | FormatArgsExpr | main.rs:7:14:7:20 | MacroExpr |
| main.rs:7:14:7:20 | [post] MacroExpr | main.rs:7:14:7:20 | [post] FormatArgsExpr |
| main.rs:10:13:10:14 | [SSA] sr | main.rs:11:20:11:21 | sr |
| main.rs:10:13:10:14 | sr | main.rs:10:13:10:14 | [SSA] sr |
| main.rs:10:13:10:14 | sr | main.rs:10:13:10:14 | sr |
| main.rs:10:13:10:20 | ...: ... | main.rs:10:13:10:14 | sr |
| main.rs:11:14:11:21 | FormatArgsExpr | main.rs:11:14:11:21 | MacroExpr |
| main.rs:11:14:11:21 | [post] MacroExpr | main.rs:11:14:11:21 | [post] FormatArgsExpr |
| main.rs:22:9:22:9 | [SSA] s | main.rs:23:10:23:10 | s |
| main.rs:22:9:22:9 | s | main.rs:22:9:22:9 | [SSA] s |
| main.rs:22:9:22:9 | s | main.rs:22:9:22:9 | s |
@@ -690,6 +692,7 @@ localStep
| main.rs:462:16:462:16 | s | main.rs:462:16:462:16 | s |
| main.rs:462:16:462:24 | ...: String | main.rs:462:16:462:16 | s |
| main.rs:463:14:463:20 | FormatArgsExpr | main.rs:463:14:463:20 | MacroExpr |
| main.rs:463:14:463:20 | [post] MacroExpr | main.rs:463:14:463:20 | [post] FormatArgsExpr |
| main.rs:467:9:467:9 | [SSA] a | main.rs:468:13:468:13 | a |
| main.rs:467:9:467:9 | a | main.rs:467:9:467:9 | [SSA] a |
| main.rs:467:9:467:9 | a | main.rs:467:9:467:9 | a |
@@ -850,6 +853,7 @@ localStep
| main.rs:528:9:528:9 | a | main.rs:528:9:528:9 | [SSA] a |
| main.rs:528:9:528:9 | a | main.rs:528:9:528:9 | a |
| main.rs:528:18:528:27 | source(...) | main.rs:528:9:528:9 | a |
| main.rs:530:10:530:10 | [post] a | main.rs:531:10:531:10 | a |
| main.rs:530:10:530:10 | a | main.rs:531:10:531:10 | a |
| main.rs:531:10:531:10 | [post] a | main.rs:532:20:532:20 | a |
| main.rs:531:10:531:10 | [post] receiver for a | main.rs:531:10:531:10 | [post] a |
@@ -859,6 +863,7 @@ localStep
| main.rs:534:9:534:9 | b | main.rs:534:9:534:9 | [SSA] b |
| main.rs:534:9:534:9 | b | main.rs:534:9:534:9 | b |
| main.rs:534:18:534:34 | ... as i32 | main.rs:534:9:534:9 | b |
| main.rs:536:10:536:10 | [post] b | main.rs:537:10:537:10 | b |
| main.rs:536:10:536:10 | b | main.rs:537:10:537:10 | b |
| main.rs:537:10:537:10 | [post] b | main.rs:538:20:538:20 | b |
| main.rs:537:10:537:10 | [post] receiver for b | main.rs:537:10:537:10 | [post] b |
@@ -866,6 +871,7 @@ localStep
| main.rs:537:10:537:10 | b | main.rs:538:20:538:20 | b |
| main.rs:565:13:565:33 | result_questionmark(...) | main.rs:565:9:565:9 | _ |
| main.rs:577:36:577:41 | ...::new(...) | main.rs:577:36:577:41 | MacroExpr |
| main.rs:577:36:577:41 | [post] MacroExpr | main.rs:577:36:577:41 | [post] ...::new(...) |
models
| 1 | Sink: lang:std; crate::io::stdio::_print; log-injection; Argument[0] |
| 2 | Summary: lang:alloc; <&&str as crate::string::SpecToString>::spec_to_string; Argument[self].Reference.Reference; ReturnValue; value |

1
rust/ql/test/library-tests/dataflow/taint/TaintFlowStep.expected
View File

@@ -6,6 +6,7 @@
| main.rs:18:11:18:11 | a | main.rs:18:10:18:11 | - ... |
| main.rs:23:13:23:13 | a | main.rs:23:13:23:19 | a as u8 |
| main.rs:24:10:24:10 | b | main.rs:24:10:24:17 | b as i64 |
| main.rs:24:10:24:17 | [post] b as i64 | main.rs:24:10:24:10 | [post] b |
| main.rs:29:23:29:23 | i | main.rs:29:17:29:23 | FormatArgsExpr |
| main.rs:33:24:33:24 | s | main.rs:33:18:33:24 | FormatArgsExpr |
| main.rs:38:23:38:23 | s | main.rs:38:23:38:29 | s[...] |