wip4

hvitved · hvitved · commit f0fa2b0835fa · 2025-11-24T11:01:50.000+01:00
diff --git a/rust/ql/examples/snippets/simple_constant_password.ql b/rust/ql/examples/snippets/simple_constant_password.ql
@@ -30,7 +30,7 @@ module ConstantPasswordConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node node) {
     // `node` is an argument whose corresponding parameter name matches the pattern "pass%"
-    exists(CallExpr call, Function target, int argIndex, Variable v |
+    exists(Call call, Function target, int argIndex, Variable v |
       call.getStaticTarget() = target and
       v.getParameter() = target.getParam(argIndex) and
       v.getText().matches("pass%") and
diff --git a/rust/ql/examples/snippets/simple_sql_injection.ql b/rust/ql/examples/snippets/simple_sql_injection.ql
@@ -23,7 +23,7 @@ module SqlInjectionConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node node) {
     // `node` is the first argument of a call to `sqlx_core::query::query`
-    exists(CallExpr call |
+    exists(Call call |
       call.getStaticTarget().getCanonicalPath() = "sqlx_core::query::query" and
       call.getArgument(0) = node.asExpr()
     )
diff --git a/rust/ql/lib/codeql/rust/elements/internal/CallImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/CallImpl.qll
@@ -7,7 +7,12 @@ module Impl {
   /**
    * A call.
    *
-   * Either a `CallExpr`, a `MethodCallExpr`, an `Operation`, or an `IndexExpr`.
+   * Either
+   *
+   * - a `ParenArgsExpr` that targets a function,
+   * - a `MethodCallExpr`,
+   * - an `Operation` that targets an overloadable opeator, or
+   * - an `IndexExpr`.
    */
   abstract class Call extends ExprImpl::Expr {
     /** Gets the `i`th positional argument of this call, if any. */
diff --git a/rust/ql/lib/codeql/rust/security/AccessAfterLifetimeExtensions.qll b/rust/ql/lib/codeql/rust/security/AccessAfterLifetimeExtensions.qll
@@ -100,9 +100,9 @@ module AccessAfterLifetime {
     a = b.getEnclosingBlock*()
     or
     // propagate through function calls
-    exists(CallExpr ce |
-      mayEncloseOnStack(a, ce.getEnclosingBlock()) and
-      ce.getStaticTarget() = b.getEnclosingCallable()
+    exists(Call call |
+      mayEncloseOnStack(a, call.getEnclosingBlock()) and
+      call.getStaticTarget() = b.getEnclosingCallable()
     )
   }
 
diff --git a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll
@@ -103,7 +103,7 @@ module HardcodedCryptographicValue {
    */
   private class GetRandomBarrier extends Barrier {
     GetRandomBarrier() {
-      exists(CallExpr call |
+      exists(Call call |
         call.getStaticTarget().getCanonicalPath() = ["getrandom::fill", "getrandom::getrandom"] and
         this.asExpr().getParentNode*() = call.getArgument(0)
       )
diff --git a/rust/ql/lib/codeql/rust/security/InsecureCookieExtensions.qll b/rust/ql/lib/codeql/rust/security/InsecureCookieExtensions.qll
@@ -80,7 +80,7 @@ module InsecureCookie {
    * as `false`.
    */
   predicate cookieSetNode(DataFlow::Node node, string attrib, boolean value) {
-    exists(FlowSummaryNode summaryNode, CallExpr call, int arg, DataFlow::Node argNode |
+    exists(FlowSummaryNode summaryNode, Call call, int arg, DataFlow::Node argNode |
       // decode the models-as-data `OptionalBarrier`
       cookieOptionalBarrier(summaryNode, attrib, arg) and
       // find a call and arg referenced by this optional barrier
diff --git a/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll b/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll
@@ -53,7 +53,7 @@ module RegexInjection {
    */
   private class NewSink extends Sink {
     NewSink() {
-      exists(CallExpr call, Function f |
+      exists(Call call, Function f |
         call.getStaticTarget() = f and
         f.getCanonicalPath() = "<regex::regex::string::Regex>::new" and
         this.asExpr() = call.getArgument(0) and
diff --git a/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql b/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql
@@ -30,7 +30,7 @@ class CtorAttr extends Attr {
 /**
  * A call into the Rust standard library, that is, a sink for this query.
  */
-class StdCall extends CallExpr {
+class StdCall extends Call {
   StdCall() { this.getStaticTarget().getCanonicalPath().matches(["std::%", "<std::%"]) }
 }
 
@@ -54,11 +54,11 @@ predicate edgesFwd(PathElement pred, PathElement succ) {
   or
   // [forwards reachable] callable -> enclosed call
   edgesFwd(_, pred) and
-  pred = succ.(CallExpr).getEnclosingCallable()
+  pred = succ.(Call).getEnclosingCallable()
   or
   // [forwards reachable] call -> target callable
   edgesFwd(_, pred) and
-  pred.(CallExpr).getStaticTarget() = succ
+  pred.(Call).getStaticTarget() = succ
 }
 
 /**
diff --git a/rust/ql/test/library-tests/type-inference/type-inference.ql b/rust/ql/test/library-tests/type-inference/type-inference.ql
@@ -32,7 +32,7 @@ module ResolveTest implements TestSig {
       source.fromSource() and
       not source.isFromMacroExpansion()
     |
-      target = source.(CallExpr).getStaticTarget() and
+      target = source.(Call).getStaticTarget() and
       functionHasValue(target, value) and
       // `isFromMacroExpansion` does not always work
       not target.(Function).getName().getText() = ["panic_fmt", "_print", "format", "must_use"] and

Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,7 @@ module SqlInjectionConfig implements DataFlow::ConfigSig {`
`23`	`23`
`24`	`24`	`predicate isSink(DataFlow::Node node) {`
`25`	`25`	// `node` is the first argument of a call to `sqlx_core::query::query`
`26`		`- exists(CallExpr call \|`
	`26`	`+ exists(Call call \|`
`27`	`27`	`call.getStaticTarget().getCanonicalPath() = "sqlx_core::query::query" and`
`28`	`28`	`call.getArgument(0) = node.asExpr()`
`29`	`29`	`)`
Original file line number	Diff line number	Diff line change
`@@ -100,9 +100,9 @@ module AccessAfterLifetime {`
`100`	`100`	`a = b.getEnclosingBlock*()`
`101`	`101`	`or`
`102`	`102`	`// propagate through function calls`
`103`		`- exists(CallExpr ce \|`
`104`		`- mayEncloseOnStack(a, ce.getEnclosingBlock()) and`
`105`		`- ce.getStaticTarget() = b.getEnclosingCallable()`
	`103`	`+ exists(Call call \|`
	`104`	`+ mayEncloseOnStack(a, call.getEnclosingBlock()) and`
	`105`	`+ call.getStaticTarget() = b.getEnclosingCallable()`
`106`	`106`	`)`
`107`	`107`	`}`
`108`	`108`
Original file line number	Diff line number	Diff line change
`@@ -103,7 +103,7 @@ module HardcodedCryptographicValue {`
`103`	`103`	`*/`
`104`	`104`	`private class GetRandomBarrier extends Barrier {`
`105`	`105`	`GetRandomBarrier() {`
`106`		`- exists(CallExpr call \|`
	`106`	`+ exists(Call call \|`
`107`	`107`	`call.getStaticTarget().getCanonicalPath() = ["getrandom::fill", "getrandom::getrandom"] and`
`108`	`108`	`this.asExpr().getParentNode*() = call.getArgument(0)`
`109`	`109`	`)`
Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@ module ResolveTest implements TestSig {`
`32`	`32`	`source.fromSource() and`
`33`	`33`	`not source.isFromMacroExpansion()`
`34`	`34`	`\|`
`35`		`- target = source.(CallExpr).getStaticTarget() and`
	`35`	`+ target = source.(Call).getStaticTarget() and`
`36`	`36`	`functionHasValue(target, value) and`
`37`	`37`	// `isFromMacroExpansion` does not always work
`38`	`38`	`not target.(Function).getName().getText() = ["panic_fmt", "_print", "format", "must_use"] and`