Rust: Include taint steps when generating flow models

2026-04-25 00:35:20 +02:00 · 2026-03-25 12:52:08 +01:00
parent 70d8c1c76e
commit fba4a83dc8
1 changed files with 4 additions and 1 deletions
--- a/rust/ql/src/utils/modelgenerator/internal/CaptureModels.qll
+++ b/rust/ql/src/utils/modelgenerator/internal/CaptureModels.qll
@@ -138,7 +138,10 @@ private module SummaryModelGeneratorInput implements SummaryModelGeneratorInputS

  Parameter asParameter(NodeExtended node) { result = node.asParameter() }

-  predicate isAdditionalContentFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { none() }
+  predicate isAdditionalContentFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    RustTaintTracking::defaultAdditionalTaintStep(nodeFrom, nodeTo, _) and
+    not RustDataFlow::readStep(nodeFrom, _, nodeTo)
+  }

  predicate isField(DataFlow::ContentSet c) {
    c.(SingletonContentSet).getContent() instanceof FieldContent