From efbc0934c41ca99effa60b0168810e9df26840cf Mon Sep 17 00:00:00 2001
From: Simon Friis Vindum
Date: Fri, 28 Nov 2025 11:27:30 +0100
Subject: [PATCH] Rust: Do not use types to limit lifting of reads to taint steps
---
 .../rust/dataflow/internal/TaintTrackingImpl.qll | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)
diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll
index d4965db92e8..33d44501cfc 100644
--- a/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll
+++ b/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll
@@ -18,6 +18,10 @@ private import codeql.rust.frameworks.stdlib.Builtins as Builtins
 */
 extensible predicate excludeFieldTaintStep(string field);
 
+/**
+ * Holds if the content `c` corresponds to a field that has explicitly been
+ * excluded as a taint step.
+ */
 private predicate excludedTaintStepContent(Content c) {
 exists(string arg | excludeFieldTaintStep(arg) |
 FlowSummaryImpl::encodeContentStructField(c, arg) or
@@ -47,19 +51,9 @@ module RustTaintTracking implements InputSig {
 or
 // Read steps give rise to taint steps. This has the effect that if `foo`
 // is tainted and an operation reads from `foo` (e.g., `foo.bar`) then
- // taint is propagated. We limit this to not apply if the type of the
- // operation is a small primitive type as these are often uninteresting
- // (for instance in the case of an injection query).
+ // taint is propagated.
 exists(Content c |
 RustDataFlow::readContentStep(pred, c, succ) and
- forex(Type::Type t | t = TypeInference::inferType(succ.asExpr()) |
- not exists(Struct s | s = t.(Type::StructType).getStruct() |
- s instanceof Builtins::NumericType or
- s instanceof Builtins::Bool or
- s instanceof Builtins::Char
- ) and
- not t.(Type::EnumType).getEnum().isFieldless()
- ) and
 not excludedTaintStepContent(c)
 )
 or
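Review bot: The rewritten comment `+ // taint is propagated.` in the second hunk drops the old rationale without recording why the type-based filter was removed, so a later reader will not know that reads into small primitive types (numeric, bool, char, fieldless enums) are now deliberately tainted and that `excludeFieldTaintStep` is the remaining knob for suppressing noisy fields; suggest `// taint is propagated regardless of the type of the read value; noisy fields can be suppressed via excludeFieldTaintStep.`. With the `forex(Type::Type t ...)` block gone, this file's references to `Type`, `TypeInference` and `Struct`, and the `Builtins` import shown in the first hunk's header, may now be unused, which is worth checking so dead imports do not linger. Queries that consume this step should be expected to report more results, since an integer or bool field read from a tainted struct now carries taint, and that precision trade-off deserves a sentence in the commit description. The predicate that holds this disjunction starts and ends outside the hunk.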