wip

hvitved · hvitved · commit b30a929dbb7f · 2025-12-01T11:33:08.000+01:00
diff --git a/rust/ql/lib/codeql/rust/elements/Call.qll b/rust/ql/lib/codeql/rust/elements/Call.qll
@@ -8,34 +8,7 @@ private import internal.CallExprImpl::Impl as CallExprImpl
 
 final class Call = Impl::Call;
 
-private predicate isGuaranteedMethodCall(ArgsExpr call) {
-  call instanceof MethodCallExpr
-  or
-  call.(Operation).isOverloaded(_, _, _)
-  or
-  call instanceof IndexExpr
-}
-
-/**
- * A call expression that targets a method.
- *
- * Either
- *
- * - a `CallExpr` where we can resolve the target as a method,
- * - a `MethodCallExpr`,
- * - an `Operation` that targets an overloadable operator, or
- * - an `IndexExpr`.
- */
-final class MethodCall extends Call {
-  MethodCall() {
-    this.getStaticTarget() instanceof Method
-    or
-    isGuaranteedMethodCall(this)
-  }
-
-  /** Gets the static target of this method call, if any. */
-  Method getStaticTarget() { result = super.getStaticTarget() }
-}
+final class MethodCall = Impl::MethodCall;
 
 /**
  * A call expression that targets a closure.
diff --git a/rust/ql/lib/codeql/rust/elements/internal/CallExprImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/CallExprImpl.qll
@@ -72,15 +72,15 @@ module Impl {
       )
     }
 
-    private predicate isMethodCall() { this.getResolvedTarget() instanceof Method }
+    override Expr getPositionalArgument(int i) { result = super.getSyntacticArgument(i) }
+  }
 
-    override Expr getPositionalArgument(int i) {
-      if this.isMethodCall()
-      then result = this.getSyntacticArgument(i + 1)
-      else result = super.getSyntacticArgument(i)
-    }
+  class CallExprMethodCall extends CallExprCall, CallImpl::MethodCall {
+    CallExprMethodCall() { this.getResolvedTarget() instanceof Method }
+
+    override Expr getPositionalArgument(int i) { result = this.getSyntacticArgument(i + 1) }
 
-    override Expr getReceiver() { this.isMethodCall() and result = super.getSyntacticArgument(0) }
+    override Expr getReceiver() { result = super.getSyntacticArgument(0) }
   }
 
   /**
diff --git a/rust/ql/lib/codeql/rust/elements/internal/CallImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/CallImpl.qll
@@ -69,4 +69,18 @@ module Impl {
       )
     }
   }
+
+  /**
+   * A call expression that targets a method.
+   *
+   * Either
+   *
+   * - a `CallExpr` where we can resolve the target as a method,
+   * - a `MethodCallExpr`,
+   * - an `Operation` that targets an overloadable operator, or
+   * - an `IndexExpr`.
+   */
+  abstract class MethodCall extends Call {
+    override Method getStaticTarget() { result = super.getStaticTarget() }
+  }
 }
diff --git a/rust/ql/lib/codeql/rust/elements/internal/IndexExprImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/IndexExprImpl.qll
@@ -22,7 +22,7 @@ module Impl {
    * list[42] = 1;
    * ```
    */
-  class IndexExpr extends Generated::IndexExpr, CallImpl::Call {
+  class IndexExpr extends Generated::IndexExpr, CallImpl::MethodCall {
     override string toStringImpl() {
       result =
         this.getBase().toAbbreviatedString() + "[" + this.getIndex().toAbbreviatedString() + "]"
diff --git a/rust/ql/lib/codeql/rust/elements/internal/MethodCallExprImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/MethodCallExprImpl.qll
@@ -27,7 +27,7 @@ module Impl {
    * x.foo::<u32, u64>(42);
    * ```
    */
-  class MethodCallExpr extends Generated::MethodCallExpr, CallImpl::Call {
+  class MethodCallExpr extends Generated::MethodCallExpr, CallImpl::MethodCall {
     private string toStringPart(int index) {
       index = 0 and
       result = this.getReceiver().toAbbreviatedString()
diff --git a/rust/ql/lib/codeql/rust/elements/internal/OperationImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/OperationImpl.qll
@@ -137,8 +137,8 @@ module Impl {
     }
   }
 
-  private class CallOperation extends CallImpl::Call instanceof Operation {
-    CallOperation() { super.isOverloaded(_, _, _) }
+  private class OperationMethodCall extends CallImpl::MethodCall instanceof Operation {
+    OperationMethodCall() { super.isOverloaded(_, _, _) }
 
     override Expr getPositionalArgument(int i) { result = super.getOperand(i + 1) and i >= 0 }
 
diff --git a/rust/ql/lib/codeql/rust/security/XssExtensions.qll b/rust/ql/lib/codeql/rust/security/XssExtensions.qll
@@ -55,7 +55,7 @@ module Xss {
     HeuristicHtmlEncodingBarrier() {
       exists(Call fc |
         fc.getStaticTarget().getName().getText().regexpMatch(".*(escape|encode).*") and
-        fc.getArgument(_) = this.asExpr()
+        fc.getAPositionalArgument() = this.asExpr()
       )
     }
   }
diff --git a/rust/ql/test/query-tests/security/CWE-079/actix/XSS.expected b/rust/ql/test/query-tests/security/CWE-079/actix/XSS.expected
@@ -2,8 +2,9 @@
 | main.rs:25:5:25:13 | ...::new | main.rs:8:1:8:18 | to | main.rs:25:5:25:13 | ...::new | Cross-site scripting vulnerability due to a $@. | main.rs:8:1:8:18 | to | user-provided value |
 edges
 | main.rs:8:1:8:18 | to | main.rs:9:29:9:51 | ...: ...::Path::<...> | provenance | Src:MaD:2  |
-| main.rs:9:29:9:51 | ...: ...::Path::<...> | main.rs:10:22:10:38 | path.into_inner() | provenance | MaD:3 |
+| main.rs:9:29:9:51 | ...: ...::Path::<...> | main.rs:10:22:10:25 | path | provenance |  |
 | main.rs:10:9:10:18 | user_input | main.rs:13:9:22:18 | MacroExpr | provenance |  |
+| main.rs:10:22:10:25 | path | main.rs:10:22:10:38 | path.into_inner() | provenance | MaD:3 |
 | main.rs:10:22:10:38 | path.into_inner() | main.rs:10:9:10:18 | user_input | provenance |  |
 | main.rs:12:9:12:12 | html | main.rs:25:15:25:18 | html | provenance |  |
 | main.rs:13:9:22:18 | ...::format(...) | main.rs:13:9:22:18 | { ... } | provenance |  |
@@ -21,6 +22,7 @@ nodes
 | main.rs:8:1:8:18 | to | semmle.label | to |
 | main.rs:9:29:9:51 | ...: ...::Path::<...> | semmle.label | ...: ...::Path::<...> |
 | main.rs:10:9:10:18 | user_input | semmle.label | user_input |
+| main.rs:10:22:10:25 | path | semmle.label | path |
 | main.rs:10:22:10:38 | path.into_inner() | semmle.label | path.into_inner() |
 | main.rs:12:9:12:12 | html | semmle.label | html |
 | main.rs:13:9:22:18 | ...::format(...) | semmle.label | ...::format(...) |

Original file line number	Diff line number	Diff line change
`@@ -72,15 +72,15 @@ module Impl {`
`72`	`72`	`)`
`73`	`73`	`}`
`74`	`74`
`75`		`- private predicate isMethodCall() { this.getResolvedTarget() instanceof Method }`
	`75`	`+ override Expr getPositionalArgument(int i) { result = super.getSyntacticArgument(i) }`
	`76`	`+ }`
`76`	`77`
`77`		`- override Expr getPositionalArgument(int i) {`
`78`		`- if this.isMethodCall()`
`79`		`- then result = this.getSyntacticArgument(i + 1)`
`80`		`- else result = super.getSyntacticArgument(i)`
`81`		`- }`
	`78`	`+ class CallExprMethodCall extends CallExprCall, CallImpl::MethodCall {`
	`79`	`+ CallExprMethodCall() { this.getResolvedTarget() instanceof Method }`
	`80`	`+`
	`81`	`+ override Expr getPositionalArgument(int i) { result = this.getSyntacticArgument(i + 1) }`
`82`	`82`
`83`		`- override Expr getReceiver() { this.isMethodCall() and result = super.getSyntacticArgument(0) }`
	`83`	`+ override Expr getReceiver() { result = super.getSyntacticArgument(0) }`
`84`	`84`	`}`
`85`	`85`
`86`	`86`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -69,4 +69,18 @@ module Impl {`
`69`	`69`	`)`
`70`	`70`	`}`
`71`	`71`	`}`
	`72`	`+`
	`73`	`+ /**`
	`74`	`+ * A call expression that targets a method.`
	`75`	`+ *`
	`76`	`+ * Either`
	`77`	`+ *`
	`78`	+ * - a `CallExpr` where we can resolve the target as a method,
	`79`	+ * - a `MethodCallExpr`,
	`80`	+ * - an `Operation` that targets an overloadable operator, or
	`81`	+ * - an `IndexExpr`.
	`82`	`+ */`
	`83`	`+ abstract class MethodCall extends Call {`
	`84`	`+ override Method getStaticTarget() { result = super.getStaticTarget() }`
	`85`	`+ }`
`72`	`86`	`}`
Original file line number	Diff line number	Diff line change
`@@ -137,8 +137,8 @@ module Impl {`
`137`	`137`	`}`
`138`	`138`	`}`
`139`	`139`
`140`		`- private class CallOperation extends CallImpl::Call instanceof Operation {`
`141`		`- CallOperation() { super.isOverloaded(_, _, _) }`
	`140`	`+ private class OperationMethodCall extends CallImpl::MethodCall instanceof Operation {`
	`141`	`+ OperationMethodCall() { super.isOverloaded(_, _, _) }`
`142`	`142`
`143`	`143`	`override Expr getPositionalArgument(int i) { result = super.getOperand(i + 1) and i >= 0 }`
`144`	`144`
Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,7 @@ module Xss {`
`55`	`55`	`HeuristicHtmlEncodingBarrier() {`
`56`	`56`	`exists(Call fc \|`
`57`	`57`	`fc.getStaticTarget().getName().getText().regexpMatch(".(escape\|encode).") and`
`58`		`- fc.getArgument(_) = this.asExpr()`
	`58`	`+ fc.getAPositionalArgument() = this.asExpr()`
`59`	`59`	`)`
`60`	`60`	`}`
`61`	`61`	`}`