From 489fff9572f480fc43ab5cbbf2130a301e4e62fd Mon Sep 17 00:00:00 2001 From: Tom Hvitved Date: Wed, 19 Nov 2025 11:55:22 +0100 Subject: [PATCH 1/4] Rust: Base `DataFlow::Node` on AST instead of CFG --- .../snippets/simple_constant_password.ql | 4 +- .../examples/snippets/simple_sql_injection.ql | 2 +- rust/ql/lib/codeql/rust/Concepts.qll | 13 +- rust/ql/lib/codeql/rust/dataflow/DataFlow.qll | 4 +- rust/ql/lib/codeql/rust/dataflow/Ssa.qll | 35 ++- .../codeql/rust/dataflow/internal/Content.qll | 9 +- .../dataflow/internal/DataFlowConsistency.qll | 11 - .../rust/dataflow/internal/DataFlowImpl.qll | 241 +++++++++--------- .../dataflow/internal/FlowSummaryImpl.qll | 18 +- .../codeql/rust/dataflow/internal/Node.qll | 154 +++++------ .../codeql/rust/dataflow/internal/SsaImpl.qll | 43 ++-- .../dataflow/internal/TaintTrackingImpl.qll | 23 +- .../rust/elements/AssignmentOperation.qll | 5 + .../rust/elements/internal/AstNodeImpl.qll | 3 + .../rust/elements/internal/BlockExprImpl.qll | 8 +- .../rust/elements/internal/ParenExprImpl.qll | 7 +- rust/ql/lib/codeql/rust/frameworks/Poem.qll | 2 +- .../rust/frameworks/rustcrypto/RustCrypto.qll | 2 +- .../codeql/rust/frameworks/stdlib/Stdlib.qll | 10 +- .../AccessAfterLifetimeExtensions.qll | 16 +- .../AccessInvalidPointerExtensions.qll | 2 +- rust/ql/lib/codeql/rust/security/Barriers.qll | 4 +- .../HardcodedCryptographicValueExtensions.qll | 8 +- .../security/InsecureCookieExtensions.qll | 6 +- .../codeql/rust/security/SensitiveData.qll | 5 +- .../rust/security/TaintedPathExtensions.qll | 20 +- .../UncontrolledAllocationSizeExtensions.qll | 37 ++- .../rust/security/UseOfHttpExtensions.qll | 2 +- .../WeakSensitiveDataHashingExtensions.qll | 2 +- .../regex/RegexInjectionExtensions.qll | 6 +- rust/ql/lib/utils/test/InlineFlowTest.qll | 8 +- .../security/CWE-312/CleartextLogging.ql | 2 +- .../CWE-312/CleartextStorageDatabase.ql | 2 +- .../security/CWE-825/AccessAfterLifetime.ql | 14 +- .../src/queries/unusedentities/UnusedValue.ql | 2 +- .../modelgenerator/internal/CaptureModels.qll | 2 +- .../dataflow/barrier/inline-flow.expected | 4 +- .../dataflow/local/DataFlowStep.expected | 5 + .../dataflow/local/inline-flow.expected | 16 +- .../dataflow/sources/env/InlineFlow.ql | 2 +- .../sensitivedata/SensitiveData.ql | 2 +- rust/ql/test/library-tests/variables/Ssa.ql | 8 +- 42 files changed, 403 insertions(+), 366 deletions(-) diff --git a/rust/ql/examples/snippets/simple_constant_password.ql b/rust/ql/examples/snippets/simple_constant_password.ql index 1f0e0a8e101d..b0902235a96d 100644 --- a/rust/ql/examples/snippets/simple_constant_password.ql +++ b/rust/ql/examples/snippets/simple_constant_password.ql @@ -25,7 +25,7 @@ import codeql.rust.dataflow.TaintTracking module ConstantPasswordConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node node) { // `node` is a string literal - node.asExpr().getExpr() instanceof StringLiteralExpr + node.asExpr() instanceof StringLiteralExpr } predicate isSink(DataFlow::Node node) { @@ -34,7 +34,7 @@ module ConstantPasswordConfig implements DataFlow::ConfigSig { call.getStaticTarget() = target and v.getParameter() = target.getParam(argIndex) and v.getText().matches("pass%") and - call.getArg(argIndex) = node.asExpr().getExpr() + call.getArg(argIndex) = node.asExpr() ) } } diff --git a/rust/ql/examples/snippets/simple_sql_injection.ql b/rust/ql/examples/snippets/simple_sql_injection.ql index 0a991118a506..653c761d7ebb 100644 --- a/rust/ql/examples/snippets/simple_sql_injection.ql +++ b/rust/ql/examples/snippets/simple_sql_injection.ql @@ -25,7 +25,7 @@ module SqlInjectionConfig implements DataFlow::ConfigSig { // `node` is the first argument of a call to `sqlx_core::query::query` exists(CallExpr call | call.getStaticTarget().getCanonicalPath() = "sqlx_core::query::query" and - call.getArg(0) = node.asExpr().getExpr() + call.getArg(0) = node.asExpr() ) } } diff --git a/rust/ql/lib/codeql/rust/Concepts.qll b/rust/ql/lib/codeql/rust/Concepts.qll index 20247e088752..2e2220430e1d 100644 --- a/rust/ql/lib/codeql/rust/Concepts.qll +++ b/rust/ql/lib/codeql/rust/Concepts.qll @@ -4,14 +4,13 @@ * provide concrete subclasses. */ +private import rust private import codeql.rust.dataflow.DataFlow private import codeql.rust.dataflow.internal.DataFlowImpl private import codeql.Locations private import codeql.threatmodels.ThreatModels private import codeql.rust.Frameworks private import codeql.rust.dataflow.FlowSource -private import codeql.rust.controlflow.ControlFlowGraph as Cfg -private import codeql.rust.controlflow.CfgNodes as CfgNodes private import codeql.concepts.ConceptsShared private module ConceptsShared = ConceptsMake; @@ -345,16 +344,16 @@ module Path { SafeAccessCheck() { this = DataFlow::BarrierGuard::getABarrierNode() } } - private predicate safeAccessCheck(CfgNodes::AstCfgNode g, Cfg::CfgNode node, boolean branch) { - g.(SafeAccessCheck::Range).checks(node, branch) + private predicate safeAccessCheck(AstNode g, Expr e, boolean branch) { + g.(SafeAccessCheck::Range).checks(e, branch) } /** Provides a class for modeling new path safety checks. */ module SafeAccessCheck { /** A data-flow node that checks that a path is safe to access in some way, for example by having a controlled prefix. */ - abstract class Range extends CfgNodes::AstCfgNode { - /** Holds if this guard validates `node` upon evaluating to `branch`. */ - abstract predicate checks(Cfg::CfgNode node, boolean branch); + abstract class Range extends AstNode { + /** Holds if this guard validates `e` upon evaluating to `branch`. */ + abstract predicate checks(Expr e, boolean branch); } } } diff --git a/rust/ql/lib/codeql/rust/dataflow/DataFlow.qll b/rust/ql/lib/codeql/rust/dataflow/DataFlow.qll index cfcea9eaa2da..c299671ec6d5 100644 --- a/rust/ql/lib/codeql/rust/dataflow/DataFlow.qll +++ b/rust/ql/lib/codeql/rust/dataflow/DataFlow.qll @@ -8,8 +8,6 @@ private import codeql.dataflow.DataFlow private import internal.DataFlowImpl as DataFlowImpl private import internal.Node as Node private import internal.Content as Content -private import codeql.rust.controlflow.ControlFlowGraph as Cfg -private import codeql.rust.controlflow.CfgNodes as CfgNodes /** * Provides classes for performing local (intra-procedural) and global @@ -68,7 +66,7 @@ module DataFlow { * For example, the guard `g` might be a call `isSafe(x)` and the expression `e` * the argument `x`. */ - signature predicate guardChecksSig(CfgNodes::AstCfgNode g, Cfg::CfgNode e, boolean branch); + signature predicate guardChecksSig(AstNode g, Expr e, boolean branch); /** * Provides a set of barrier nodes for a guard that validates an expression. diff --git a/rust/ql/lib/codeql/rust/dataflow/Ssa.qll b/rust/ql/lib/codeql/rust/dataflow/Ssa.qll index badbef9e4207..52e7d35e3b48 100644 --- a/rust/ql/lib/codeql/rust/dataflow/Ssa.qll +++ b/rust/ql/lib/codeql/rust/dataflow/Ssa.qll @@ -9,7 +9,6 @@ module Ssa { private import rust private import codeql.rust.controlflow.BasicBlocks private import codeql.rust.controlflow.ControlFlowGraph - private import codeql.rust.controlflow.CfgNodes private import codeql.rust.controlflow.internal.ControlFlowGraphImpl as CfgImpl private import internal.SsaImpl as SsaImpl @@ -51,7 +50,7 @@ module Ssa { * } * ``` */ - final CfgNode getARead() { result = SsaImpl::getARead(this) } + final Expr getARead() { result = SsaImpl::getARead(this) } /** * Gets a first control flow node that reads the value of this SSA definition. @@ -80,7 +79,7 @@ module Ssa { * } * ``` */ - final CfgNode getAFirstRead() { SsaImpl::firstRead(this, result) } + final Expr getAFirstRead() { SsaImpl::firstRead(this, result) } /** * Holds if `read1` and `read2` are adjacent reads of this SSA definition. @@ -108,7 +107,7 @@ module Ssa { * } * ``` */ - final predicate hasAdjacentReads(CfgNode read1, CfgNode read2) { + final predicate hasAdjacentReads(Expr read1, Expr read2) { SsaImpl::adjacentReadPair(this, read1, read2) } @@ -168,28 +167,28 @@ module Ssa { * ``` */ class WriteDefinition extends Definition, SsaImpl::WriteDefinition { - private CfgNode write; + private AstNode write; WriteDefinition() { - exists(BasicBlock bb, int i, Variable v, CfgNode n | + exists(BasicBlock bb, int i, Variable v, AstNode n | this.definesAt(v, bb, i) and - SsaImpl::variableWriteActual(bb, i, v, n) + SsaImpl::variableWriteActual(bb, i, v, n.getACfgNode()) | - write.(VariableAccessCfgNode).getAccess().getVariable() = v and + write.(VariableAccess).getVariable() = v and ( - write = n.(AssignmentExprCfgNode).getAWriteAccess() + write = n.(AssignmentExpr).getAWriteAccess() or - write = n.(CompoundAssignmentExprCfgNode).getLhs() + write = n.(CompoundAssignmentExpr).getLhs() ) or - not n instanceof AssignmentExprCfgNode and - not n instanceof CompoundAssignmentExprCfgNode and + not n instanceof AssignmentExpr and + not n instanceof CompoundAssignmentExpr and write = n ) } /** Gets the underlying write access. */ - final CfgNode getWriteAccess() { result = write } + final AstNode getWriteAccess() { result = write } /** * Holds if this SSA definition assigns `value` to the underlying @@ -199,19 +198,19 @@ module Ssa { * `let` statement, `let x = value`. Note that patterns on the lhs. are * currently not supported. */ - predicate assigns(ExprCfgNode value) { - exists(AssignmentExprCfgNode ae | + predicate assigns(Expr value) { + exists(AssignmentExpr ae | ae.getLhs() = write and ae.getRhs() = value ) or - exists(IdentPatCfgNode pat | pat.getName() = write | - exists(LetStmtCfgNode ls | + exists(IdentPat pat | pat.getName() = write | + exists(LetStmt ls | pat = ls.getPat() and ls.getInitializer() = value ) or - exists(LetExprCfgNode le | + exists(LetExpr le | pat = le.getPat() and le.getScrutinee() = value ) diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/Content.qll b/rust/ql/lib/codeql/rust/dataflow/internal/Content.qll index 67fed2d2defd..12e4b6820915 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/Content.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/Content.qll @@ -3,7 +3,6 @@ */ private import rust -private import codeql.rust.controlflow.CfgNodes private import codeql.rust.frameworks.stdlib.Builtins private import DataFlowImpl @@ -22,7 +21,7 @@ abstract class Content extends TContent { abstract class FieldContent extends Content { /** Gets an access to this field. */ pragma[nomagic] - abstract FieldExprCfgNode getAnAccess(); + abstract FieldExpr getAnAccess(); } /** A tuple field belonging to either a variant or a struct. */ @@ -41,7 +40,7 @@ class TupleFieldContent extends FieldContent, TTupleFieldContent { /** Holds if this field belongs to a struct. */ predicate isStructField(Struct s, int pos) { field.isStructField(s, pos) } - override FieldExprCfgNode getAnAccess() { field = result.getFieldExpr().getTupleField() } + override FieldExpr getAnAccess() { field = result.getTupleField() } final override string toString() { exists(Variant v, int pos, string vname | @@ -74,7 +73,7 @@ class StructFieldContent extends FieldContent, TStructFieldContent { /** Holds if this field belongs to a struct. */ predicate isStructField(Struct s, string name) { field.isStructField(s, name) } - override FieldExprCfgNode getAnAccess() { field = result.getFieldExpr().getStructField() } + override FieldExpr getAnAccess() { field = result.getStructField() } final override string toString() { exists(Variant v, string name, string vname | @@ -153,7 +152,7 @@ final class TuplePositionContent extends FieldContent, TTuplePositionContent { /** Gets the index of this tuple position. */ int getPosition() { result = pos } - override FieldExprCfgNode getAnAccess() { + override FieldExpr getAnAccess() { // TODO: limit to tuple types result.getIdentifier().getText().toInt() = pos } diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowConsistency.qll b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowConsistency.qll index d544ff888d56..731996661cb2 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowConsistency.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowConsistency.qll @@ -29,17 +29,6 @@ private module Input implements InputSig { } predicate missingLocationExclude(RustDataFlow::Node n) { not exists(n.asExpr().getLocation()) } - - predicate multipleArgumentCallExclude(Node::ArgumentNode arg, DataFlowCall call) { - // An argument such as `x` in `if !x { ... }` has two successors (and hence - // two calls); one for each Boolean outcome of `x`. - exists(CfgNodes::ExprCfgNode n | - arg.isArgumentOf(call, _) and - n = call.asCallCfgNode() and - arg.asExpr().getASuccessor(any(ConditionalSuccessor c)).getASuccessor*() = n and - n.getASplit() instanceof ConditionalCompletionSplitting::ConditionalCompletionSplit - ) - } } import MakeConsistency diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll index 9fa0f0a5a834..fd6bab4d23e1 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll @@ -14,7 +14,6 @@ private import codeql.rust.controlflow.internal.Scope as Scope private import codeql.rust.internal.PathResolution private import codeql.rust.internal.TypeInference as TypeInference private import codeql.rust.controlflow.ControlFlowGraph -private import codeql.rust.controlflow.CfgNodes private import codeql.rust.dataflow.Ssa private import codeql.rust.dataflow.FlowSummary private import Node @@ -60,7 +59,7 @@ final class DataFlowCallable extends TDataFlowCallable { final class DataFlowCall extends TDataFlowCall { /** Gets the underlying call in the CFG, if any. */ - CallCfgNode asCallCfgNode() { this = TCall(result) } + Call asCall() { this = TCall(result) } predicate isSummaryCall( FlowSummaryImpl::Public::SummarizedCallable c, FlowSummaryImpl::Private::SummaryNode receiver @@ -69,13 +68,13 @@ final class DataFlowCall extends TDataFlowCall { } DataFlowCallable getEnclosingCallable() { - result.asCfgScope() = this.asCallCfgNode().getExpr().getEnclosingCfgScope() + result.asCfgScope() = this.asCall().getEnclosingCfgScope() or this.isSummaryCall(result.asSummarizedCallable(), _) } string toString() { - result = this.asCallCfgNode().toString() + result = this.asCall().toString() or exists( FlowSummaryImpl::Public::SummarizedCallable c, FlowSummaryImpl::Private::SummaryNode receiver @@ -85,7 +84,7 @@ final class DataFlowCall extends TDataFlowCall { ) } - Location getLocation() { result = this.asCallCfgNode().getLocation() } + Location getLocation() { result = this.asCall().getLocation() } } /** @@ -146,13 +145,13 @@ final class ArgumentPosition extends ParameterPosition { * Note that this does not hold for the receiever expression of a method call * as the synthetic `ReceiverNode` is the argument for the `self` parameter. */ -predicate isArgumentForCall(ExprCfgNode arg, CallCfgNode call, ParameterPosition pos) { +predicate isArgumentForCall(Expr arg, Call call, ParameterPosition pos) { // TODO: Handle index expressions as calls in data flow. - not call.getCall() instanceof IndexExpr and + not call instanceof IndexExpr and ( call.getPositionalArgument(pos.getPosition()) = arg or - call.getReceiver() = arg and pos.isSelf() and not call.getCall().receiverImplicitlyBorrowed() + call.getReceiver() = arg and pos.isSelf() and not call.receiverImplicitlyBorrowed() ) } @@ -181,19 +180,24 @@ module SsaFlow { } /** - * Gets a node that may execute last in `n`, and which, when it executes last, - * will be the value of `n`. + * Gets a node that may execute last in `e`, and which, when it executes last, + * will be the value of `e`. */ -private ExprCfgNode getALastEvalNode(ExprCfgNode e) { - e = any(IfExprCfgNode n | result = [n.getThen(), n.getElse()]) or - result = e.(LoopExprCfgNode).getLoopBody() or - result = e.(ReturnExprCfgNode).getExpr() or - result = e.(BreakExprCfgNode).getExpr() or - result = e.(BlockExprCfgNode).getTailExpr() or - result = e.(MacroBlockExprCfgNode).getTailExpr() or - result = e.(MatchExprCfgNode).getArmExpr(_) or - result = e.(MacroExprCfgNode).getMacroCall().(MacroCallCfgNode).getExpandedNode() or - result.(BreakExprCfgNode).getTarget() = e +private Expr getALastEvalNode(Expr e) { + e = any(IfExpr n | result = [n.getThen(), n.getElse()]) or + result = e.(LoopExpr).getLoopBody() or + result = e.(ReturnExpr).getExpr() or + result = e.(BreakExpr).getExpr() or + e = + any(BlockExpr be | + not be.isAsync() and + result = be.getTailExpr() + ) or + result = e.(MacroBlockExpr).getTailExpr() or + result = e.(MatchExpr).getAnArm().getExpr() or + result = e.(MacroExpr).getMacroCall().getMacroCallExpansion() or + result.(BreakExpr).getTarget() = e or + result = e.(ParenExpr).getExpr() } /** @@ -211,11 +215,11 @@ private ExprCfgNode getALastEvalNode(ExprCfgNode e) { * we add a reverse flow step from `[post] { foo(); &mut a}` to `[post] &mut a`, * in order for the side-effect of `set_data` to reach `&mut a`. */ -ExprCfgNode getPostUpdateReverseStep(ExprCfgNode e, boolean preservesValue) { +Expr getPostUpdateReverseStep(Expr e, boolean preservesValue) { result = getALastEvalNode(e) and preservesValue = true or - result = e.(CastExprCfgNode).getExpr() and + result = e.(CastExpr).getExpr() and preservesValue = false } @@ -236,48 +240,48 @@ module LocalFlow { pragma[nomagic] predicate localFlowStepCommon(Node nodeFrom, Node nodeTo) { - nodeFrom.getCfgNode() = getALastEvalNode(nodeTo.getCfgNode()) + nodeFrom.asExpr() = getALastEvalNode(nodeTo.asExpr()) or // An edge from the right-hand side of a let statement to the left-hand side. - exists(LetStmtCfgNode s | - nodeFrom.getCfgNode() = s.getInitializer() and - nodeTo.getCfgNode() = s.getPat() + exists(LetStmt s | + nodeFrom.asExpr() = s.getInitializer() and + nodeTo.asPat() = s.getPat() ) or // An edge from the right-hand side of a let expression to the left-hand side. - exists(LetExprCfgNode e | - nodeFrom.getCfgNode() = e.getScrutinee() and - nodeTo.getCfgNode() = e.getPat() + exists(LetExpr e | + nodeFrom.asExpr() = e.getScrutinee() and + nodeTo.asPat() = e.getPat() ) or - exists(IdentPatCfgNode p | + exists(IdentPat p | not p.isRef() and - nodeFrom.getCfgNode() = p and - nodeTo.getCfgNode() = p.getName() + nodeFrom.asPat() = p and + nodeTo.(NameNode).getName() = p.getName() ) or - exists(SelfParamCfgNode self | - nodeFrom.getCfgNode() = self and - nodeTo.getCfgNode() = self.getName() + exists(SelfParam self | + nodeFrom.asParameter() = self and + nodeTo.(NameNode).getName() = self.getName() ) or // An edge from a pattern/expression to its corresponding SSA definition. - nodeFrom.(AstCfgFlowNode).getCfgNode() = + nodeFrom.(AstNodeNode).getAstNode() = nodeTo.(SsaNode).asDefinition().(Ssa::WriteDefinition).getWriteAccess() or - nodeFrom.(SourceParameterNode).getParameter().(ParamCfgNode).getPat() = nodeTo.asPat() + nodeFrom.(SourceParameterNode).getParameter().(Param).getPat() = nodeTo.asPat() or - exists(AssignmentExprCfgNode a | - a.getRhs() = nodeFrom.getCfgNode() and - a.getLhs() = nodeTo.getCfgNode() + exists(AssignmentExpr a | + a.getRhs() = nodeFrom.asExpr() and + a.getLhs() = nodeTo.asExpr() ) or - exists(MatchExprCfgNode match | + exists(MatchExpr match | nodeFrom.asExpr() = match.getScrutinee() and - nodeTo.asPat() = match.getArmPat(_) + nodeTo.asPat() = match.getAnArm().getPat() ) or - nodeFrom.asPat().(OrPatCfgNode).getAPat() = nodeTo.asPat() + nodeFrom.asPat().(OrPat).getAPat() = nodeTo.asPat() or // Simple value step from receiver expression to receiver node, in case // there is no implicit deref or borrow operation. @@ -305,12 +309,10 @@ predicate lambdaCreationExpr(Expr creation) { * Holds if `call` is a lambda call of kind `kind` where `receiver` is the * invoked expression. */ -predicate lambdaCallExpr(CallExprCfgNode call, LambdaCallKind kind, ExprCfgNode receiver) { +predicate lambdaCallExpr(CallExpr call, LambdaCallKind kind, Expr receiver) { receiver = call.getFunction() and // All calls to complex expressions and local variable accesses are lambda call. - exists(Expr f | f = receiver.getExpr() | - f instanceof PathExpr implies f = any(Variable v).getAnAccess() - ) and + (receiver instanceof PathExpr implies receiver = any(Variable v).getAnAccess()) and exists(kind) } @@ -379,19 +381,27 @@ module RustDataFlow implements InputSig { node instanceof CaptureNode or node instanceof ClosureParameterNode or node instanceof ReceiverNode or - node instanceof ReceiverPostUpdateNode + node.asExpr() instanceof ParenExpr or + nodeIsHidden(node.(PostUpdateNode).getPreUpdateNode()) + } + + private Expr stripParens(Expr e) { + not e instanceof ParenExpr and + result = e + or + result = stripParens(e.(ParenExpr).getExpr()) } predicate neverSkipInPathGraph(Node node) { - node.(Node::Node).getCfgNode() = any(LetStmtCfgNode s).getPat() + node.(Node::Node).asPat() = any(LetStmt s).getPat() or - node.(Node::Node).getCfgNode() = any(LetExprCfgNode e).getPat() + node.(Node::Node).asPat() = any(LetExpr e).getPat() or - node.(Node::Node).getCfgNode() = any(AssignmentExprCfgNode a).getLhs() + node.(Node::Node).asExpr() = stripParens(any(AssignmentExpr a).getLhs()) or - exists(MatchExprCfgNode match | - node.asExpr() = match.getScrutinee() or - node.asExpr() = match.getArmPat(_) + exists(MatchExpr match | + node.asExpr() = stripParens(match.getScrutinee()) or + node.asPat() = match.getAnArm().getPat() ) or FlowSummaryImpl::Private::Steps::sourceLocalStep(_, node, _) @@ -399,7 +409,7 @@ module RustDataFlow implements InputSig { FlowSummaryImpl::Private::Steps::sinkLocalStep(node, _, _) } - class DataFlowExpr = ExprCfgNode; + class DataFlowExpr = Expr; /** Gets the node corresponding to `e`. */ Node exprNode(DataFlowExpr e) { result.asExpr() = e } @@ -412,7 +422,7 @@ module RustDataFlow implements InputSig { /** Gets a viable implementation of the target of the given `Call`. */ DataFlowCallable viableCallable(DataFlowCall call) { - exists(Call c | c = call.asCallCfgNode().getCall() | + exists(Call c | c = call.asCall() | result.asCfgScope() = c.getARuntimeTarget() or exists(SummarizedCallable sc, Function staticTarget | @@ -511,79 +521,79 @@ module RustDataFlow implements InputSig { pragma[nomagic] private predicate implicitDerefToReceiver(Node node1, ReceiverNode node2, ReferenceContent c) { - TypeInference::receiverHasImplicitDeref(node1.asExpr().getExpr()) and + TypeInference::receiverHasImplicitDeref(node1.asExpr()) and node1.asExpr() = node2.getReceiver() and exists(c) } pragma[nomagic] private predicate implicitBorrowToReceiver(Node node1, ReceiverNode node2, ReferenceContent c) { - TypeInference::receiverHasImplicitBorrow(node1.asExpr().getExpr()) and + TypeInference::receiverHasImplicitBorrow(node1.asExpr()) and node1.asExpr() = node2.getReceiver() and exists(c) } pragma[nomagic] private predicate referenceExprToExpr(Node node1, Node node2, ReferenceContent c) { - node1.asExpr() = node2.asExpr().(RefExprCfgNode).getExpr() and + node1.asExpr() = node2.asExpr().(RefExpr).getExpr() and exists(c) } pragma[nomagic] additional predicate readContentStep(Node node1, Content c, Node node2) { - exists(TupleStructPatCfgNode pat, int pos | + exists(TupleStructPat pat, int pos | pat = node1.asPat() and node2.asPat() = pat.getField(pos) and - c = TTupleFieldContent(pat.getTupleStructPat().getTupleField(pos)) + c = TTupleFieldContent(pat.getTupleField(pos)) ) or - exists(TuplePatCfgNode pat, int pos | + exists(TuplePat pat, int pos | pos = c.(TuplePositionContent).getPosition() and node1.asPat() = pat and node2.asPat() = pat.getField(pos) ) or - exists(StructPatCfgNode pat, string field | + exists(StructPat pat, string field | pat = node1.asPat() and - c = TStructFieldContent(pat.getStructPat().getStructField(field)) and - node2.asPat() = pat.getFieldPat(field) + c = TStructFieldContent(pat.getStructField(field)) and + node2.asPat() = pat.getPatField(field).getPat() ) or c instanceof ReferenceContent and - node1.asPat().(RefPatCfgNode).getPat() = node2.asPat() + node1.asPat().(RefPat).getPat() = node2.asPat() or - exists(FieldExprCfgNode access | + exists(FieldExpr access | node1.asExpr() = access.getContainer() and node2.asExpr() = access and access = c.(FieldContent).getAnAccess() ) or - exists(IndexExprCfgNode arr | + exists(IndexExpr arr | c instanceof ElementContent and node1.asExpr() = arr.getBase() and node2.asExpr() = arr ) or - exists(ForExprCfgNode for | + exists(ForExpr for | c instanceof ElementContent and node1.asExpr() = for.getIterable() and node2.asPat() = for.getPat() ) or - exists(SlicePatCfgNode pat | + exists(SlicePat pat | c instanceof ElementContent and node1.asPat() = pat and node2.asPat() = pat.getAPat() ) or - exists(TryExprCfgNode try | + exists(TryExpr try | node1.asExpr() = try.getExpr() and node2.asExpr() = try and c.(TupleFieldContent) .isVariantField([any(OptionEnum o).getSome(), any(ResultEnum r).getOk()], 0) ) or - exists(PrefixExprCfgNode deref | + exists(PrefixExpr deref | c instanceof ReferenceContent and deref.getOperatorName() = "*" and node1.asExpr() = deref.getExpr() and @@ -597,7 +607,7 @@ module RustDataFlow implements InputSig { c instanceof FunctionCallReturnContent ) or - exists(AwaitExprCfgNode await | + exists(AwaitExpr await | c instanceof FutureContent and node1.asExpr() = await.getExpr() and node2.asExpr() = await @@ -644,7 +654,7 @@ module RustDataFlow implements InputSig { pragma[nomagic] private predicate fieldAssignment(Node node1, Node node2, FieldContent c) { - exists(AssignmentExprCfgNode assignment, FieldExprCfgNode access | + exists(AssignmentExpr assignment, FieldExpr access | assignment.getLhs() = access and node1.asExpr() = assignment.getRhs() and node2.asExpr() = access.getContainer() and @@ -654,7 +664,7 @@ module RustDataFlow implements InputSig { pragma[nomagic] private predicate referenceAssignment(Node node1, Node node2, ReferenceContent c) { - exists(AssignmentExprCfgNode assignment, PrefixExprCfgNode deref | + exists(AssignmentExpr assignment, PrefixExpr deref | assignment.getLhs() = deref and deref.getOperatorName() = "*" and node1.asExpr() = assignment.getRhs() and @@ -665,19 +675,19 @@ module RustDataFlow implements InputSig { pragma[nomagic] additional predicate storeContentStep(Node node1, Content c, Node node2) { - exists(CallExprCfgNode call, int pos | - node1.asExpr() = call.getArgument(pragma[only_bind_into](pos)) and + exists(CallExpr call, int pos | + node1.asExpr() = call.getArg(pragma[only_bind_into](pos)) and node2.asExpr() = call and - c = TTupleFieldContent(call.getCallExpr().getTupleField(pragma[only_bind_into](pos))) + c = TTupleFieldContent(call.getTupleField(pragma[only_bind_into](pos))) ) or - exists(StructExprCfgNode re, string field | - c = TStructFieldContent(re.getStructExpr().getStructField(field)) and - node1.asExpr() = re.getFieldExpr(field) and + exists(StructExpr re, string field | + c = TStructFieldContent(re.getStructField(field)) and + node1.asExpr() = re.getFieldExpr(field).getExpr() and node2.asExpr() = re ) or - exists(TupleExprCfgNode tuple | + exists(TupleExpr tuple | node1.asExpr() = tuple.getField(c.(TuplePositionContent).getPosition()) and node2.asExpr() = tuple ) @@ -685,23 +695,23 @@ module RustDataFlow implements InputSig { c instanceof ElementContent and node1.asExpr() = [ - node2.asExpr().(ArrayRepeatExprCfgNode).getRepeatOperand(), - node2.asExpr().(ArrayListExprCfgNode).getAnExpr() + node2.asExpr().(ArrayRepeatExpr).getRepeatOperand(), + node2.asExpr().(ArrayListExpr).getAnExpr() ] or // Store from a `ref` identifier pattern into the contained name. - exists(IdentPatCfgNode p | + exists(IdentPat p | c instanceof ReferenceContent and p.isRef() and node1.asPat() = p and - node2.(NameNode).asName() = p.getName() + node2.(NameNode).getName() = p.getName() ) or fieldAssignment(node1, node2.(PostUpdateNode).getPreUpdateNode(), c) or referenceAssignment(node1, node2.(PostUpdateNode).getPreUpdateNode(), c) or - exists(AssignmentExprCfgNode assignment, IndexExprCfgNode index | + exists(AssignmentExpr assignment, IndexExpr index | c instanceof ElementContent and assignment.getLhs() = index and node1.asExpr() = assignment.getRhs() and @@ -808,7 +818,7 @@ module RustDataFlow implements InputSig { /** Holds if `creation` is an expression that creates a lambda of kind `kind` for `c`. */ predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c) { exists(kind) and - exists(Expr e | e = creation.asExpr().getExpr() | + exists(Expr e | e = creation.asExpr() | lambdaCreationExpr(e) and e = c.asCfgScope() or // A path expression, that resolves to a function, evaluates to a function @@ -825,9 +835,9 @@ module RustDataFlow implements InputSig { */ predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) { ( - receiver.asExpr() = call.asCallCfgNode().(CallExprCfgNode).getFunction() and + receiver.asExpr() = call.asCall().(CallExpr).getFunction() and // All calls to complex expressions and local variable accesses are lambda call. - exists(Expr f | f = receiver.asExpr().getExpr() | + exists(Expr f | f = receiver.asExpr() | f instanceof PathExpr implies f = any(Variable v).getAnAccess() ) or @@ -854,7 +864,7 @@ module VariableCapture { private import codeql.dataflow.VariableCapture as SharedVariableCapture private import codeql.rust.controlflow.BasicBlocks as BasicBlocks - private predicate closureFlowStep(ExprCfgNode e1, ExprCfgNode e2) { + private predicate closureFlowStep(Expr e1, Expr e2) { Stages::DataFlowStage::ref() and e1 = getALastEvalNode(e2) or @@ -883,48 +893,48 @@ module VariableCapture { CapturedParameter() { p = this.getParameter() } - SourceParameterNode getParameterNode() { result.getParameter().getParamBase() = p } + SourceParameterNode getParameterNode() { result.getParameter() = p } } - class Expr extends CfgNode { - predicate hasCfgNode(BasicBlocks::BasicBlock bb, int i) { this = bb.getNode(i) } + class Expr extends AstNode { + predicate hasCfgNode(BasicBlocks::BasicBlock bb, int i) { this = bb.getNode(i).getAstNode() } } class VariableWrite extends Expr { - ExprCfgNode source; + Expr source; CapturedVariable v; VariableWrite() { - exists(AssignmentExprCfgNode assign, Variable::VariableWriteAccess write | + exists(AssignmentExpr assign, Variable::VariableWriteAccess write | this = assign and v = write.getVariable() and - assign.getLhs().getExpr() = write and + assign.getLhs() = write and assign.getRhs() = source ) or - exists(LetStmtCfgNode ls | - this = ls and - v.getPat() = ls.getPat().getPat() and - ls.getInitializer() = source - ) + this = + any(LetStmt ls | + v.getPat() = ls.getPat() and + ls.getInitializer() = source + ) or - exists(LetExprCfgNode le | - this = le and - v.getPat() = le.getPat().getPat() and - le.getScrutinee() = source - ) + this = + any(LetExpr le | + v.getPat() = le.getPat() and + le.getScrutinee() = source + ) } CapturedVariable getVariable() { result = v } - ExprCfgNode getSource() { result = source } + Expr getSource() { result = source } } - class VariableRead extends Expr instanceof ExprCfgNode { + class VariableRead extends Expr { CapturedVariable v; VariableRead() { - exists(VariableAccess read | this.getExpr() = read and v = read.getVariable() | + exists(VariableAccess read | this = read and v = read.getVariable() | read instanceof VariableReadAccess or read = any(RefExpr re).getExpr() @@ -934,10 +944,10 @@ module VariableCapture { CapturedVariable getVariable() { result = v } } - class ClosureExpr extends Expr instanceof ExprCfgNode { - ClosureExpr() { lambdaCreationExpr(super.getExpr()) } + class ClosureExpr extends Expr { + ClosureExpr() { lambdaCreationExpr(this) } - predicate hasBody(Callable body) { body = super.getExpr() } + predicate hasBody(Callable body) { body = this } predicate hasAliasedAccess(Expr f) { closureFlowStep+(this, f) and not closureFlowStep(f, _) } } @@ -991,10 +1001,11 @@ private module Cached { cached newtype TDataFlowCall = - TCall(CallCfgNode c) { + TCall(Call call) { Stages::DataFlowStage::ref() and + call.hasEnclosingCfgScope() and // TODO: Handle index expressions as calls in data flow. - not c.getCall() instanceof IndexExpr + not call instanceof IndexExpr } or TSummaryCall( FlowSummaryImpl::Public::SummarizedCallable c, FlowSummaryImpl::Private::SummaryNode receiver diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll index 2763908ae02e..d9457d795109 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll @@ -9,7 +9,6 @@ private import codeql.rust.dataflow.internal.DataFlowImpl private import codeql.rust.internal.PathResolution private import codeql.rust.dataflow.FlowSummary private import codeql.rust.dataflow.Ssa -private import codeql.rust.controlflow.CfgNodes private import Content module Input implements InputSig { @@ -132,9 +131,7 @@ module Input implements InputSig { private import Make as Impl private module StepsInput implements Impl::Private::StepsInputSig { - DataFlowCall getACall(Public::SummarizedCallable sc) { - result.asCallCfgNode().getCall().getStaticTarget() = sc - } + DataFlowCall getACall(Public::SummarizedCallable sc) { result.asCall().getStaticTarget() = sc } /** Gets the argument of `source` described by `sc`, if any. */ private Expr getSourceNodeArgument(Input::SourceBase source, Impl::Private::SummaryComponent sc) { @@ -151,10 +148,9 @@ private module StepsInput implements Impl::Private::StepsInputSig { result = expr.(ClosureExpr) or // The expression is an SSA read of an assignment of a closure - exists(Ssa::Definition def, ExprCfgNode value | - def.getARead().getAstNode() = expr and - def.getAnUltimateDefinition().(Ssa::WriteDefinition).assigns(value) and - result = value.getExpr().(ClosureExpr) + exists(Ssa::Definition def | + def.getARead() = expr and + def.getAnUltimateDefinition().(Ssa::WriteDefinition).assigns(result.(ClosureExpr)) ) } @@ -164,7 +160,7 @@ private module StepsInput implements Impl::Private::StepsInputSig { RustDataFlow::Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponentStack s) { s.head() = Impl::Private::SummaryComponent::return(_) and - result.asExpr().getExpr() = source.getCall() + result.asExpr() = source.getCall() or exists(ArgumentPosition pos, Expr arg | s.head() = Impl::Private::SummaryComponent::parameter(pos) and @@ -172,13 +168,13 @@ private module StepsInput implements Impl::Private::StepsInputSig { result.asParameter() = getCallable(arg).getParam(pos.getPosition()) ) or - result.(RustDataFlow::PostUpdateNode).getPreUpdateNode().asExpr().getExpr() = + result.(RustDataFlow::PostUpdateNode).getPreUpdateNode().asExpr() = getSourceNodeArgument(source, s.headOfSingleton()) } RustDataFlow::Node getSinkNode(Input::SinkBase sink, Impl::Private::SummaryComponent sc) { exists(CallExprBase call, Expr arg, ArgumentPosition pos | - result.asExpr().getExpr() = arg and + result.asExpr() = arg and sc = Impl::Private::SummaryComponent::argument(pos) and call = sink.getCall() and arg = pos.getArgument(call) diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/Node.qll b/rust/ql/lib/codeql/rust/dataflow/internal/Node.qll index e46b4375c04c..421f613b5c44 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/Node.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/Node.qll @@ -35,17 +35,17 @@ class NodePublic extends TNode { /** * Gets the expression that corresponds to this node, if any. */ - final ExprCfgNode asExpr() { this = TExprNode(result) } + final Expr asExpr() { this = TExprNode(result) } /** * Gets the parameter that corresponds to this node, if any. */ - ParamBase asParameter() { result = this.(SourceParameterNode).getParameter().getParamBase() } + ParamBase asParameter() { result = this.(SourceParameterNode).getParameter() } /** * Gets the pattern that corresponds to this node, if any. */ - final PatCfgNode asPat() { this = TPatNode(result) } + final Pat asPat() { this = TPatNode(result) } } abstract class Node extends NodePublic { @@ -56,9 +56,9 @@ abstract class Node extends NodePublic { abstract CfgScope getCfgScope(); /** - * Gets the control flow node that corresponds to this data flow node. + * Gets the AST node that corresponds to this data flow node, if any. */ - CfgNode getCfgNode() { none() } + AstNode getAstNode() { none() } } /** A data flow node used to model flow summaries. */ @@ -119,16 +119,16 @@ class FlowSummaryNode extends Node, TFlowSummaryNode { } /** A data flow node that corresponds directly to a CFG node for an AST node. */ -abstract class AstCfgFlowNode extends Node { - AstCfgNode n; +abstract class AstNodeNode extends Node { + AstNode n; - final override CfgNode getCfgNode() { result = n } + final override AstNode getAstNode() { result = n } - final override CfgScope getCfgScope() { result = n.getAstNode().getEnclosingCfgScope() } + final override CfgScope getCfgScope() { result = n.getEnclosingCfgScope() } - final override Location getLocation() { result = n.getAstNode().getLocation() } + final override Location getLocation() { result = n.getLocation() } - final override string toString() { result = n.getAstNode().toString() } + final override string toString() { result = n.toString() } } /** @@ -139,25 +139,25 @@ abstract class AstCfgFlowNode extends Node { * to multiple `ExprNode`s, just like it may correspond to multiple * `ControlFlow::Node`s. */ -class ExprNode extends AstCfgFlowNode, TExprNode { - override ExprCfgNode n; +class ExprNode extends AstNodeNode, TExprNode { + override Expr n; ExprNode() { this = TExprNode(n) } } -final class PatNode extends AstCfgFlowNode, TPatNode { - override PatCfgNode n; +final class PatNode extends AstNodeNode, TPatNode { + override Pat n; PatNode() { this = TPatNode(n) } } /** A data flow node that corresponds to a name node in the CFG. */ -final class NameNode extends AstCfgFlowNode, TNameNode { - override NameCfgNode n; +final class NameNode extends AstNodeNode, TNameNode { + override Name n; NameNode() { this = TNameNode(n) } - NameCfgNode asName() { result = n } + Name getName() { result = n } } /** @@ -169,20 +169,20 @@ abstract class ParameterNode extends Node { abstract predicate isParameterOf(DataFlowCallable c, ParameterPosition pos); } -final class SourceParameterNode extends AstCfgFlowNode, ParameterNode, TSourceParameterNode { - override ParamBaseCfgNode n; +final class SourceParameterNode extends AstNodeNode, ParameterNode, TSourceParameterNode { + override ParamBase n; SourceParameterNode() { this = TSourceParameterNode(n) } override predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { - n.getAstNode() = pos.getParameterIn(c.asCfgScope().(Callable).getParamList()) + n = pos.getParameterIn(c.asCfgScope().(Callable).getParamList()) } /** Get the parameter position of this parameter. */ ParameterPosition getPosition() { this.isParameterOf(_, result) } /** Gets the parameter in the CFG that this node corresponds to. */ - ParamBaseCfgNode getParameter() { result = n } + ParamBase getParameter() { result = n } } /** A parameter for a library callable with a flow summary. */ @@ -223,13 +223,13 @@ abstract class ArgumentNode extends Node { } final class ExprArgumentNode extends ArgumentNode, ExprNode { - private CallCfgNode call_; + private Call call_; private RustDataFlow::ArgumentPosition pos_; ExprArgumentNode() { isArgumentForCall(n, call_, pos_) } override predicate isArgumentOf(DataFlowCall call, RustDataFlow::ArgumentPosition pos) { - call.asCallCfgNode() = call_ and pos = pos_ + call.asCall() = call_ and pos = pos_ } } @@ -238,19 +238,19 @@ final class ExprArgumentNode extends ArgumentNode, ExprNode { * has taken place. */ final class ReceiverNode extends ArgumentNode, TReceiverNode { - private CallCfgNode n; + private Call n; ReceiverNode() { this = TReceiverNode(n, false) } - ExprCfgNode getReceiver() { result = n.getReceiver() } + Expr getReceiver() { result = n.getReceiver() } - MethodCallExprCfgNode getMethodCall() { result = n } + MethodCallExpr getMethodCall() { result = n } override predicate isArgumentOf(DataFlowCall call, RustDataFlow::ArgumentPosition pos) { - call.asCallCfgNode() = n and pos = TSelfParameterPosition() + call.asCall() = n and pos = TSelfParameterPosition() } - override CfgScope getCfgScope() { result = n.getAstNode().getEnclosingCfgScope() } + override CfgScope getCfgScope() { result = n.getEnclosingCfgScope() } override Location getLocation() { result = this.getReceiver().getLocation() } @@ -275,12 +275,12 @@ final class SummaryArgumentNode extends FlowSummaryNode, ArgumentNode { * passed into the closure body at an invocation. */ final class ClosureArgumentNode extends ArgumentNode, ExprNode { - private CallExprCfgNode call_; + private CallExpr call_; ClosureArgumentNode() { lambdaCallExpr(call_, _, this.asExpr()) } override predicate isArgumentOf(DataFlowCall call, RustDataFlow::ArgumentPosition pos) { - call.asCallCfgNode() = call_ and + call.asCall() = call_ and pos.isClosureSelf() } } @@ -309,7 +309,7 @@ abstract class ReturnNode extends Node { } final class ExprReturnNode extends ExprNode, ReturnNode { - ExprReturnNode() { this.getCfgNode().getASuccessor() instanceof AnnotatedExitCfgNode } + ExprReturnNode() { n.getACfgNode().getASuccessor() instanceof AnnotatedExitCfgNode } override ReturnKind getKind() { result = TNormalReturnKind() } } @@ -329,11 +329,11 @@ abstract class OutNode extends Node { } final private class ExprOutNode extends ExprNode, OutNode { - ExprOutNode() { this.asExpr() instanceof CallCfgNode } + ExprOutNode() { this.asExpr() instanceof Call } /** Gets the underlying call CFG node that includes this out node. */ override DataFlowCall getCall(ReturnKind kind) { - result.asCallCfgNode() = this.getCfgNode() and + result.asCall() = n and kind = TNormalReturnKind() } } @@ -391,27 +391,27 @@ abstract class PostUpdateNode extends PostUpdateNodePublic, Node { } final class ExprPostUpdateNode extends PostUpdateNode, TExprPostUpdateNode { - private ExprCfgNode n; + private Expr e; - ExprPostUpdateNode() { this = TExprPostUpdateNode(n) } + ExprPostUpdateNode() { this = TExprPostUpdateNode(e) } - override Node getPreUpdateNode() { result = TExprNode(n) } + override Node getPreUpdateNode() { result = TExprNode(e) } - override CfgScope getCfgScope() { result = n.getScope() } + override CfgScope getCfgScope() { result = e.getEnclosingCfgScope() } - override Location getLocation() { result = n.getLocation() } + override Location getLocation() { result = e.getLocation() } } final class ReceiverPostUpdateNode extends PostUpdateNode, TReceiverNode { - private CallCfgNode n; + private Call call; - ReceiverPostUpdateNode() { this = TReceiverNode(n, true) } + ReceiverPostUpdateNode() { this = TReceiverNode(call, true) } - override Node getPreUpdateNode() { result = TReceiverNode(n, false) } + override Node getPreUpdateNode() { result = TReceiverNode(call, false) } - override CfgScope getCfgScope() { result = n.getAstNode().getEnclosingCfgScope() } + override CfgScope getCfgScope() { result = call.getEnclosingCfgScope() } - override Location getLocation() { result = n.getReceiver().getLocation() } + override Location getLocation() { result = call.getReceiver().getLocation() } } final class SummaryPostUpdateNode extends FlowSummaryNode, PostUpdateNode { @@ -445,38 +445,46 @@ final class CastNode extends ExprNode { cached newtype TNode = - TExprNode(ExprCfgNode n) { Stages::DataFlowStage::ref() } or - TSourceParameterNode(ParamBaseCfgNode p) or - TPatNode(PatCfgNode p) or - TNameNode(NameCfgNode n) { n.getName() = any(Variable v).getName() } or - TExprPostUpdateNode(ExprCfgNode e) { - isArgumentForCall(e, _, _) - or - lambdaCallExpr(_, _, e) - or - lambdaCreationExpr(e.getExpr()) - or - // Whenever `&mut e` has a post-update node we also create one for `e`. - // E.g., for `e` in `f(..., &mut e, ...)` or `*(&mut e) = ...`. - e = any(RefExprCfgNode ref | ref.isMut() and exists(TExprPostUpdateNode(ref))).getExpr() - or - e = - [ - any(IndexExprCfgNode i).getBase(), // - any(FieldExprCfgNode access).getContainer(), // - any(TryExprCfgNode try).getExpr(), // - any(PrefixExprCfgNode pe | pe.getOperatorName() = "*").getExpr(), // - any(AwaitExprCfgNode a).getExpr(), // - any(MethodCallExprCfgNode mc).getReceiver(), // - getPostUpdateReverseStep(any(PostUpdateNode n).getPreUpdateNode().asExpr(), _) - ] + TExprNode(Expr e) { e.hasEnclosingCfgScope() and Stages::DataFlowStage::ref() } or + TSourceParameterNode(ParamBase p) { p.hasEnclosingCfgScope() } or + TPatNode(Pat p) { p.hasEnclosingCfgScope() } or + TNameNode(Name n) { n = any(Variable v).getName() and n.hasEnclosingCfgScope() } or + TExprPostUpdateNode(Expr e) { + e.hasEnclosingCfgScope() and + ( + isArgumentForCall(e, _, _) + or + lambdaCallExpr(_, _, e) + or + lambdaCreationExpr(e) + or + // Whenever `&mut e` has a post-update node we also create one for `e`. + // E.g., for `e` in `f(..., &mut e, ...)` or `*(&mut e) = ...`. + e = any(RefExpr ref | ref.isMut() and exists(TExprPostUpdateNode(ref))).getExpr() + or + e = + [ + any(IndexExpr i).getBase(), // + any(FieldExpr access).getContainer(), // + any(TryExpr try).getExpr(), // + any(PrefixExpr pe | pe.getOperatorName() = "*").getExpr(), // + any(AwaitExpr a).getExpr(), // + any(MethodCallExpr mc).getReceiver(), // + getPostUpdateReverseStep(any(PostUpdateNode n).getPreUpdateNode().asExpr(), _) + ] + ) } or - TReceiverNode(CallCfgNode mc, Boolean isPost) { - mc.getCall().receiverImplicitlyBorrowed() and + TReceiverNode(Call call, Boolean isPost) { + call.hasEnclosingCfgScope() and + call.receiverImplicitlyBorrowed() and // TODO: Handle index expressions as calls in data flow. - not mc.getCall() instanceof IndexExpr + not call instanceof IndexExpr } or TSsaNode(SsaImpl::DataFlowIntegration::SsaNode node) or - TFlowSummaryNode(FlowSummaryImpl::Private::SummaryNode sn) or + TFlowSummaryNode(FlowSummaryImpl::Private::SummaryNode sn) { + forall(AstNode n | n = sn.getSinkElement() or n = sn.getSourceElement() | + n.hasEnclosingCfgScope() + ) + } or TClosureSelfReferenceNode(CfgScope c) { lambdaCreationExpr(c) } or TCaptureNode(VariableCapture::Flow::SynthesizedCaptureNode cn) diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/SsaImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/SsaImpl.qll index 49b40474c987..29674cbd1dfb 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/SsaImpl.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/SsaImpl.qll @@ -2,7 +2,6 @@ private import rust private import codeql.rust.controlflow.BasicBlocks as BasicBlocks private import BasicBlocks private import codeql.rust.controlflow.ControlFlowGraph as Cfg -private import codeql.rust.controlflow.CfgNodes as CfgNodes private import Cfg private import codeql.rust.controlflow.internal.ControlFlowGraphImpl as ControlFlowGraphImpl private import codeql.ssa.Ssa as SsaImplCommon @@ -229,11 +228,11 @@ private module Cached { } cached - CfgNode getARead(Definition def) { + Expr getARead(Definition def) { exists(Variable v, BasicBlock bb, int i | Impl::ssaDefReachesRead(v, def, bb, i) and variableReadCertain(bb, i, v.getAnAccess(), v) and - result = bb.getNode(i) + result = bb.getNode(i).getAstNode() ) } @@ -247,8 +246,10 @@ private module Cached { * without passing through any other non-pseudo read. */ cached - predicate firstRead(Definition def, CfgNode read) { - exists(BasicBlock bb, int i | Impl::firstUse(def, bb, i, true) and read = bb.getNode(i)) + predicate firstRead(Definition def, Expr read) { + exists(BasicBlock bb, int i | + Impl::firstUse(def, bb, i, true) and read = bb.getNode(i).getAstNode() + ) } /** @@ -257,12 +258,12 @@ private module Cached { * passing through another non-pseudo read. */ cached - predicate adjacentReadPair(Definition def, CfgNode read1, CfgNode read2) { + predicate adjacentReadPair(Definition def, Expr read1, Expr read2) { exists(BasicBlock bb1, int i1, BasicBlock bb2, int i2, Variable v | Impl::ssaDefReachesRead(v, def, bb1, i1) and Impl::adjacentUseUse(bb1, i1, bb2, i2, v, true) and - read1 = bb1.getNode(i1) and - read2 = bb2.getNode(i2) + read1 = bb1.getNode(i1).getAstNode() and + read2 = bb2.getNode(i2).getAstNode() ) } @@ -287,7 +288,7 @@ private module Cached { DataFlowIntegrationImpl::localMustFlowStep(v, nodeFrom, nodeTo) } - signature predicate guardChecksSig(CfgNodes::AstCfgNode g, Cfg::CfgNode e, boolean branch); + signature predicate guardChecksSig(AstNode g, Expr e, boolean branch); cached // nothing is actually cached module BarrierGuard { @@ -310,47 +311,49 @@ private module Cached { import Cached private import codeql.rust.dataflow.Ssa +private class ExprAlias = Expr; + private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInputSig { private import codeql.rust.dataflow.internal.DataFlowImpl as DataFlowImpl private import codeql.util.Boolean - class Expr extends CfgNodes::AstCfgNode { - predicate hasCfgNode(BasicBlock bb, int i) { this = bb.getNode(i) } + class Expr extends ExprAlias { + predicate hasCfgNode(BasicBlock bb, int i) { this.getACfgNode() = bb.getNode(i) } } Expr getARead(Definition def) { result = Cached::getARead(def) } predicate ssaDefHasSource(WriteDefinition def) { none() } // handled in `DataFlowImpl.qll` instead - private predicate isArg(CfgNodes::CallExprBaseCfgNode call, CfgNodes::ExprCfgNode e) { - call.getArgument(_) = e + private predicate isArg(CallExprBase call, Expr e) { + call.getAnArg() = e or - call.(CfgNodes::MethodCallExprCfgNode).getReceiver() = e + call.(MethodCallExpr).getReceiver() = e or - exists(CfgNodes::ExprCfgNode mid | + exists(Expr mid | isArg(call, mid) and e = DataFlowImpl::getPostUpdateReverseStep(mid, _) ) } predicate allowFlowIntoUncertainDef(UncertainWriteDefinition def) { - exists(CfgNodes::CallExprBaseCfgNode call, Variable v, BasicBlock bb, int i | + exists(Variable v, BasicBlock bb, int i | def.definesAt(v, bb, i) and mutablyBorrows(bb.getNode(i).getAstNode(), v) and - isArg(call, bb.getNode(i)) + isArg(_, bb.getNode(i).getAstNode()) ) } class GuardValue = Boolean; - class Guard extends CfgNodes::AstCfgNode { + class Guard extends AstNode { /** * Holds if the evaluation of this guard to `branch` corresponds to the edge * from `bb1` to `bb2`. */ predicate hasValueBranchEdge(BasicBlock bb1, BasicBlock bb2, GuardValue branch) { exists(Cfg::ConditionalSuccessor s | - this = bb1.getANode() and + this = bb1.getANode().getAstNode() and bb2 = bb1.getASuccessor(s) and s.getValue() = branch ) @@ -369,7 +372,7 @@ private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInpu /** Holds if the guard `guard` controls block `bb` upon evaluating to `branch`. */ predicate guardDirectlyControlsBlock(Guard guard, BasicBlock bb, GuardValue branch) { exists(ConditionBasicBlock conditionBlock, ConditionalSuccessor s | - guard = conditionBlock.getLastNode() and + guard = conditionBlock.getLastNode().getAstNode() and s.getValue() = branch and conditionBlock.edgeDominates(bb, s) ) diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll index b702c514c1ab..544bed64730f 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll @@ -1,6 +1,5 @@ private import rust private import codeql.dataflow.TaintTracking -private import codeql.rust.controlflow.CfgNodes private import codeql.rust.dataflow.DataFlow private import codeql.rust.dataflow.FlowSummary private import DataFlowImpl @@ -21,22 +20,22 @@ module RustTaintTracking implements InputSig { Stages::DataFlowStage::ref() and model = "" and ( - exists(BinaryExprCfgNode binary | + exists(BinaryExpr binary | binary.getOperatorName() = ["+", "-", "*", "/", "%", "&", "|", "^", "<<", ">>"] and pred.asExpr() = [binary.getLhs(), binary.getRhs()] and succ.asExpr() = binary ) or - exists(PrefixExprCfgNode prefix | + exists(PrefixExpr prefix | prefix.getOperatorName() = ["-", "!"] and pred.asExpr() = prefix.getExpr() and succ.asExpr() = prefix ) or - pred.asExpr() = succ.asExpr().(CastExprCfgNode).getExpr() + pred.asExpr() = succ.asExpr().(CastExpr).getExpr() or - exists(IndexExprCfgNode index | - index.getIndex() instanceof RangeExprCfgNode and + exists(IndexExpr index | + index.getIndex() instanceof RangeExpr and pred.asExpr() = index.getBase() and succ.asExpr() = index ) @@ -52,8 +51,16 @@ module RustTaintTracking implements InputSig { cs.getContent() instanceof ReferenceContent ) or - exists(FormatArgsExprCfgNode format | succ.asExpr() = format | - pred.asExpr() = [format.getArgumentExpr(_), format.getFormatTemplateVariableAccess(_)] + exists(FormatArgsExpr format | succ.asExpr() = format | + pred.asExpr() = format.getAnArg().getExpr() + or + pred.asExpr() = + any(FormatTemplateVariableAccess v | + exists(Format f | + f = format.getAFormat() and + v.getArgument() = [f.getArgumentRef(), f.getWidthArgument(), f.getPrecisionArgument()] + ) + ) ) or succ.(Node::PostUpdateNode).getPreUpdateNode().asExpr() = diff --git a/rust/ql/lib/codeql/rust/elements/AssignmentOperation.qll b/rust/ql/lib/codeql/rust/elements/AssignmentOperation.qll index a3ca1722b577..6fbbdf7cd812 100644 --- a/rust/ql/lib/codeql/rust/elements/AssignmentOperation.qll +++ b/rust/ql/lib/codeql/rust/elements/AssignmentOperation.qll @@ -25,6 +25,11 @@ final class AssignmentOperation = AssignmentOperationImpl; final class AssignmentExpr extends AssignmentOperationImpl { AssignmentExpr() { this.getOperatorName() = "=" } + /** + * Gets a write access that occurs in the left-hand side of this assignment expression. + */ + VariableWriteAccess getAWriteAccess() { this = result.getAssignmentExpr() } + override string getAPrimaryQlClass() { result = "AssignmentExpr" } } diff --git a/rust/ql/lib/codeql/rust/elements/internal/AstNodeImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/AstNodeImpl.qll index 69138190dba3..554942f0fddc 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/AstNodeImpl.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/AstNodeImpl.qll @@ -59,6 +59,9 @@ module Impl { ) } + /** Holds if this node is inside a CFG scope. */ + predicate hasEnclosingCfgScope() { exists(this.getEnclosingCfgScope()) } + /** Gets the block that encloses this node, if any. */ cached BlockExpr getEnclosingBlock() { diff --git a/rust/ql/lib/codeql/rust/elements/internal/BlockExprImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/BlockExprImpl.qll index 9011109b194e..6fcba9900bea 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/BlockExprImpl.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/BlockExprImpl.qll @@ -1,4 +1,3 @@ -// generated by codegen, remove this comment if you wish to edit this file /** * This module provides a hand-modifiable wrapper around the generated class `BlockExpr`. * @@ -26,5 +25,10 @@ module Impl { * } * ``` */ - class BlockExpr extends Generated::BlockExpr { } + class BlockExpr extends Generated::BlockExpr { + /** + * Gets the tail expression of this block, if it exists. + */ + Expr getTailExpr() { result = this.getStmtList().getTailExpr() } + } } diff --git a/rust/ql/lib/codeql/rust/elements/internal/ParenExprImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/ParenExprImpl.qll index e8c800bc9b8c..158d20e0703a 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/ParenExprImpl.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/ParenExprImpl.qll @@ -21,6 +21,11 @@ module Impl { * ``` */ class ParenExpr extends Generated::ParenExpr { - override string toStringImpl() { result = "(" + this.getExpr().toAbbreviatedString() + ")" } + override string toStringImpl() { + result = "(" + this.getExpr().toAbbreviatedString() + ")" + or + not exists(this.getExpr().toAbbreviatedString()) and + result = "(...)" + } } } diff --git a/rust/ql/lib/codeql/rust/frameworks/Poem.qll b/rust/ql/lib/codeql/rust/frameworks/Poem.qll index 2554d8452939..ad57ba1dc943 100644 --- a/rust/ql/lib/codeql/rust/frameworks/Poem.qll +++ b/rust/ql/lib/codeql/rust/frameworks/Poem.qll @@ -11,7 +11,7 @@ private import codeql.rust.Concepts private class PoemHandlerParam extends RemoteSource::Range { PoemHandlerParam() { exists(TupleStructPat param | - this.asPat().getPat() = param.getAField() and + this.asPat() = param.getAField() and param.getStruct().getCanonicalPath() = ["poem::web::query::Query", "poem::web::path::Path"] ) } diff --git a/rust/ql/lib/codeql/rust/frameworks/rustcrypto/RustCrypto.qll b/rust/ql/lib/codeql/rust/frameworks/rustcrypto/RustCrypto.qll index b34b3abf7cb8..b6accba0734d 100644 --- a/rust/ql/lib/codeql/rust/frameworks/rustcrypto/RustCrypto.qll +++ b/rust/ql/lib/codeql/rust/frameworks/rustcrypto/RustCrypto.qll @@ -25,7 +25,7 @@ class StreamCipherInit extends Cryptography::CryptographicOperation::Range { // a call to `cipher::KeyInit::new`, `cipher::KeyInit::new_from_slice`, // `cipher::KeyIvInit::new`, `cipher::KeyIvInit::new_from_slices`, `rc2::Rc2::new_with_eff_key_len` or similar. exists(CallExprBase ce, string rawAlgorithmName | - ce = this.asExpr().getExpr() and + ce = this.asExpr() and ce.getStaticTarget().(Function).getName().getText() = ["new", "new_from_slice", "new_with_eff_key_len", "new_from_slices"] and // extract the algorithm name from the type of `ce` or its receiver. diff --git a/rust/ql/lib/codeql/rust/frameworks/stdlib/Stdlib.qll b/rust/ql/lib/codeql/rust/frameworks/stdlib/Stdlib.qll index 773aa77f80f7..d078f08c1680 100644 --- a/rust/ql/lib/codeql/rust/frameworks/stdlib/Stdlib.qll +++ b/rust/ql/lib/codeql/rust/frameworks/stdlib/Stdlib.qll @@ -4,20 +4,16 @@ private import rust private import codeql.rust.Concepts -private import codeql.rust.controlflow.ControlFlowGraph as Cfg -private import codeql.rust.controlflow.CfgNodes as CfgNodes private import codeql.rust.dataflow.DataFlow private import codeql.rust.internal.PathResolution /** * A call to the `starts_with` method on a `Path`. */ -private class StartswithCall extends Path::SafeAccessCheck::Range, CfgNodes::MethodCallExprCfgNode { - StartswithCall() { - this.getMethodCallExpr().getStaticTarget().getCanonicalPath() = "::starts_with" - } +private class StartswithCall extends Path::SafeAccessCheck::Range, MethodCallExpr { + StartswithCall() { this.getStaticTarget().getCanonicalPath() = "::starts_with" } - override predicate checks(Cfg::CfgNode e, boolean branch) { + override predicate checks(Expr e, boolean branch) { e = this.getReceiver() and branch = true } diff --git a/rust/ql/lib/codeql/rust/security/AccessAfterLifetimeExtensions.qll b/rust/ql/lib/codeql/rust/security/AccessAfterLifetimeExtensions.qll index 4b3177c9df95..6e8077ebae00 100644 --- a/rust/ql/lib/codeql/rust/security/AccessAfterLifetimeExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/AccessAfterLifetimeExtensions.qll @@ -39,6 +39,14 @@ module AccessAfterLifetime { */ abstract class Barrier extends DataFlow::Node { } + /** + * Holds if the value `source` points to accesses a variable `target` with scope `scope`. + */ + pragma[nomagic] + predicate sourceValueScope(Source source, Variable target, BlockExpr scope) { + valueScope(source.getTarget(), target, scope) + } + /** * Holds if the pair `(source, sink)`, that represents a flow from a * pointer or reference to a dereference, has its dereference outside the @@ -47,8 +55,8 @@ module AccessAfterLifetime { bindingset[source, sink] predicate dereferenceAfterLifetime(Source source, Sink sink, Variable target) { exists(BlockExpr valueScope, BlockExpr accessScope | - valueScope(source.getTarget(), target, valueScope) and - accessScope = sink.asExpr().getExpr().getEnclosingBlock() and + sourceValueScope(source, target, valueScope) and + accessScope = sink.asExpr().getEnclosingBlock() and not mayEncloseOnStack(valueScope, accessScope) ) } @@ -104,7 +112,7 @@ module AccessAfterLifetime { private class RefExprSource extends Source { Expr targetValue; - RefExprSource() { this.asExpr().getExpr().(RefExpr).getExpr() = targetValue } + RefExprSource() { this.asExpr().(RefExpr).getExpr() = targetValue } override Expr getTarget() { result = targetValue } } @@ -114,6 +122,6 @@ module AccessAfterLifetime { * variables through closures properly. */ private class ClosureBarrier extends Barrier { - ClosureBarrier() { this.asExpr().getExpr().getEnclosingCallable() instanceof ClosureExpr } + ClosureBarrier() { this.asExpr().getEnclosingCallable() instanceof ClosureExpr } } } diff --git a/rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll b/rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll index 444db0142090..bddc2d8ee5a9 100644 --- a/rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll @@ -50,7 +50,7 @@ module AccessInvalidPointer { * A pointer access using the unary `*` operator. */ private class DereferenceSink extends Sink { - DereferenceSink() { any(DerefExpr p).getExpr() = this.asExpr().getExpr() } + DereferenceSink() { any(DerefExpr p).getExpr() = this.asExpr() } } /** diff --git a/rust/ql/lib/codeql/rust/security/Barriers.qll b/rust/ql/lib/codeql/rust/security/Barriers.qll index cc5ac55fd1bb..a55e30aa13e8 100644 --- a/rust/ql/lib/codeql/rust/security/Barriers.qll +++ b/rust/ql/lib/codeql/rust/security/Barriers.qll @@ -16,7 +16,7 @@ private import codeql.rust.frameworks.stdlib.Builtins as Builtins class NumericTypeBarrier extends DataFlow::Node { NumericTypeBarrier() { exists(StructType t, Struct s | - t = TypeInference::inferType(this.asExpr().getExpr()) and + t = TypeInference::inferType(this.asExpr()) and s = t.getStruct() | s instanceof Builtins::NumericType or @@ -32,7 +32,7 @@ class NumericTypeBarrier extends DataFlow::Node { class IntegralOrBooleanTypeBarrier extends DataFlow::Node { IntegralOrBooleanTypeBarrier() { exists(StructType t, Struct s | - t = TypeInference::inferType(this.asExpr().getExpr()) and + t = TypeInference::inferType(this.asExpr()) and s = t.getStruct() | s instanceof Builtins::IntegralType or diff --git a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll index bc487e42ef0a..a7fb35d138b8 100644 --- a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll @@ -63,7 +63,7 @@ module HardcodedCryptographicValue { * A literal, considered as a flow source. */ private class LiteralSource extends Source { - LiteralSource() { this.asExpr().getExpr() instanceof LiteralExpr } + LiteralSource() { this.asExpr() instanceof LiteralExpr } } /** @@ -75,8 +75,8 @@ module HardcodedCryptographicValue { */ private class ArrayListSource extends Source { ArrayListSource() { - this.asExpr().getExpr().(ArrayListExpr).getExpr(_) instanceof LiteralExpr or - this.asExpr().getExpr().(ArrayRepeatExpr).getRepeatOperand() instanceof LiteralExpr + this.asExpr().(ArrayListExpr).getExpr(_) instanceof LiteralExpr or + this.asExpr().(ArrayRepeatExpr).getRepeatOperand() instanceof LiteralExpr } } @@ -106,7 +106,7 @@ module HardcodedCryptographicValue { exists(CallExprBase ce | ce.getStaticTarget().(Addressable).getCanonicalPath() = ["getrandom::fill", "getrandom::getrandom"] and - this.asExpr().getExpr().getParentNode*() = ce.getArgList().getArg(0) + this.asExpr().getParentNode*() = ce.getArgList().getArg(0) ) } } diff --git a/rust/ql/lib/codeql/rust/security/InsecureCookieExtensions.qll b/rust/ql/lib/codeql/rust/security/InsecureCookieExtensions.qll index d5d15c821d87..8e9f855209e8 100644 --- a/rust/ql/lib/codeql/rust/security/InsecureCookieExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/InsecureCookieExtensions.qll @@ -85,13 +85,13 @@ module InsecureCookie { cookieOptionalBarrier(summaryNode, attrib, arg) and // find a call and arg referenced by this optional barrier ce.getStaticTarget() = summaryNode.getSummarizedCallable() and - ce.getArg(arg) = argNode.asExpr().getExpr() and + ce.getArg(arg) = argNode.asExpr() and // check if the argument is always `true` ( if forex(DataFlow::Node argSourceNode, BooleanLiteralExpr argSourceValue | DataFlow::localFlow(argSourceNode, argNode) and - argSourceValue = argSourceNode.asExpr().getExpr() + argSourceValue = argSourceNode.asExpr() | argSourceValue.getTextValue() = "true" ) @@ -101,7 +101,7 @@ module InsecureCookie { // and find the node where this happens (we can't just use the flow summary node, since its // shared across all calls to the modeled function, we need a node specific to this call) ( - node.asExpr().getExpr() = ce.(MethodCallExpr).getReceiver() // e.g. `a` in `a.set_secure(true)` + node.asExpr() = ce.(MethodCallExpr).getReceiver() // e.g. `a` in `a.set_secure(true)` or exists(BasicBlock bb, int i | // associated SSA node diff --git a/rust/ql/lib/codeql/rust/security/SensitiveData.qll b/rust/ql/lib/codeql/rust/security/SensitiveData.qll index 4e6ba21a2d28..1b6abdd52fbf 100644 --- a/rust/ql/lib/codeql/rust/security/SensitiveData.qll +++ b/rust/ql/lib/codeql/rust/security/SensitiveData.qll @@ -29,7 +29,7 @@ private class SensitiveDataCall extends SensitiveData { SensitiveDataCall() { exists(CallExprBase call, string name | - call = this.asExpr().getExpr() and + call = this.asExpr() and name = [ call.getStaticTarget().(Function).getName().getText(), @@ -50,7 +50,6 @@ private class SensitiveVariableAccess extends SensitiveData { SensitiveVariableAccess() { HeuristicNames::nameIndicatesSensitiveData(this.asExpr() - .getExpr() .(VariableAccess) .getVariable() .(Variable) @@ -69,7 +68,7 @@ private class SensitiveFieldAccess extends SensitiveData { SensitiveDataClassification classification; SensitiveFieldAccess() { - exists(FieldExpr fe | fieldExprParentField*(fe) = this.asExpr().getExpr() | + exists(FieldExpr fe | fieldExprParentField*(fe) = this.asExpr() | HeuristicNames::nameIndicatesSensitiveData(fe.getIdentifier().getText(), classification) ) } diff --git a/rust/ql/lib/codeql/rust/security/TaintedPathExtensions.qll b/rust/ql/lib/codeql/rust/security/TaintedPathExtensions.qll index 9310999bd3dd..2d097c0aa4cd 100644 --- a/rust/ql/lib/codeql/rust/security/TaintedPathExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/TaintedPathExtensions.qll @@ -8,7 +8,6 @@ private import codeql.rust.dataflow.TaintTracking private import codeql.rust.Concepts private import codeql.rust.dataflow.internal.DataFlowImpl private import codeql.rust.controlflow.ControlFlowGraph as Cfg -private import codeql.rust.controlflow.CfgNodes as CfgNodes /** * Provides default sources, sinks and barriers for detecting path injection @@ -50,16 +49,16 @@ module TaintedPath { } } -private predicate sanitizerGuard(CfgNodes::AstCfgNode g, Cfg::CfgNode node, boolean branch) { - g.(SanitizerGuard::Range).checks(node, branch) +private predicate sanitizerGuard(AstNode g, Expr e, boolean branch) { + g.(SanitizerGuard::Range).checks(e, branch) } /** Provides a class for modeling new path safety checks. */ module SanitizerGuard { /** A data-flow node that checks that a path is safe to access. */ - abstract class Range extends CfgNodes::AstCfgNode { - /** Holds if this guard validates `node` upon evaluating to `branch`. */ - abstract predicate checks(Cfg::CfgNode node, boolean branch); + abstract class Range extends AstNode { + /** Holds if this guard validates `e` upon evaluating to `branch`. */ + abstract predicate checks(Expr e, boolean branch); } } @@ -67,15 +66,14 @@ module SanitizerGuard { * A check of the form `!strings.Contains(nd, "..")`, considered as a sanitizer guard for * path traversal. */ -private class DotDotCheck extends SanitizerGuard::Range, CfgNodes::MethodCallExprCfgNode { +private class DotDotCheck extends SanitizerGuard::Range, MethodCallExpr { DotDotCheck() { - this.getAstNode().(CallExprBase).getStaticTarget().(Addressable).getCanonicalPath() = + this.getStaticTarget().(Addressable).getCanonicalPath() = ["::contains", "::contains"] and - this.getArgument(0).getAstNode().(LiteralExpr).getTextValue() = - ["\"..\"", "\"../\"", "\"..\\\""] + this.getArg(0).(LiteralExpr).getTextValue() = ["\"..\"", "\"../\"", "\"..\\\""] } - override predicate checks(Cfg::CfgNode e, boolean branch) { + override predicate checks(Expr e, boolean branch) { e = this.getReceiver() and branch = false } diff --git a/rust/ql/lib/codeql/rust/security/UncontrolledAllocationSizeExtensions.qll b/rust/ql/lib/codeql/rust/security/UncontrolledAllocationSizeExtensions.qll index 2f4898f6e9da..c6251563ea6f 100644 --- a/rust/ql/lib/codeql/rust/security/UncontrolledAllocationSizeExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/UncontrolledAllocationSizeExtensions.qll @@ -7,8 +7,6 @@ import rust private import codeql.rust.Concepts private import codeql.rust.dataflow.DataFlow private import codeql.rust.dataflow.FlowSink -private import codeql.rust.controlflow.ControlFlowGraph as Cfg -private import codeql.rust.controlflow.CfgNodes as CfgNodes /** * Provides default sources, sinks and barriers for detecting uncontrolled @@ -45,23 +43,24 @@ module UncontrolledAllocationSize { /** * Holds if comparison `g` having result `branch` indicates an upper bound for the sub-expression - * `node`. For example when the comparison `x < 10` is true, we have an upper bound for `x`. + * `e`. For example when the comparison `x < 10` is true, we have an upper bound for `x`. */ - private predicate isUpperBoundCheck(CfgNodes::AstCfgNode g, Cfg::CfgNode node, boolean branch) { - exists(BinaryExpr cmp | g = cmp.getACfgNode() | - node = cmp.(RelationalOperation).getLesserOperand().getACfgNode() and - branch = true - or - node = cmp.(RelationalOperation).getGreaterOperand().getACfgNode() and - branch = false - or - cmp instanceof EqualsOperation and - [cmp.getLhs(), cmp.getRhs()].getACfgNode() = node and - branch = true - or - cmp instanceof NotEqualsOperation and - [cmp.getLhs(), cmp.getRhs()].getACfgNode() = node and - branch = false - ) + private predicate isUpperBoundCheck(AstNode g, Expr e, boolean branch) { + g = + any(BinaryExpr cmp | + e = cmp.(RelationalOperation).getLesserOperand() and + branch = true + or + e = cmp.(RelationalOperation).getGreaterOperand() and + branch = false + or + cmp instanceof EqualsOperation and + [cmp.getLhs(), cmp.getRhs()] = e and + branch = true + or + cmp instanceof NotEqualsOperation and + [cmp.getLhs(), cmp.getRhs()] = e and + branch = false + ) } } diff --git a/rust/ql/lib/codeql/rust/security/UseOfHttpExtensions.qll b/rust/ql/lib/codeql/rust/security/UseOfHttpExtensions.qll index bd91cde238f3..076ed42edfbb 100644 --- a/rust/ql/lib/codeql/rust/security/UseOfHttpExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/UseOfHttpExtensions.qll @@ -50,7 +50,7 @@ module UseOfHttp { * An HTTP string literal as a source. */ private class HttpStringLiteralAsSource extends Source { - HttpStringLiteralAsSource() { this.asExpr().getExpr() instanceof HttpStringLiteral } + HttpStringLiteralAsSource() { this.asExpr() instanceof HttpStringLiteral } } /** diff --git a/rust/ql/lib/codeql/rust/security/WeakSensitiveDataHashingExtensions.qll b/rust/ql/lib/codeql/rust/security/WeakSensitiveDataHashingExtensions.qll index 7b6b6c801d75..bd29f0498b35 100644 --- a/rust/ql/lib/codeql/rust/security/WeakSensitiveDataHashingExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/WeakSensitiveDataHashingExtensions.qll @@ -189,7 +189,7 @@ class ModeledHashOperation extends Cryptography::CryptographicOperation::Range { exists(CallExpr call | sinkNode(input, "hasher-input") and call = input.(Node::FlowSummaryNode).getSinkElement().getCall() and - call = this.asExpr().getExpr() and + call = this.asExpr() and algorithmName = call.getFunction().(PathExpr).getPath().getQualifier().getText() ) } diff --git a/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll b/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll index 750517708af9..7c445bcbfd89 100644 --- a/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll @@ -6,7 +6,6 @@ private import codeql.util.Unit private import rust private import codeql.rust.dataflow.DataFlow -private import codeql.rust.controlflow.CfgNodes private import codeql.rust.dataflow.FlowSink private import codeql.rust.Concepts private import codeql.rust.security.Barriers as Barriers @@ -57,8 +56,8 @@ module RegexInjection { exists(CallExprBase call, Addressable a | call.getStaticTarget() = a and a.getCanonicalPath() = "::new" and - this.asExpr().getExpr() = call.getArg(0) and - not this.asExpr() instanceof LiteralExprCfgNode + this.asExpr() = call.getArg(0) and + not this.asExpr() instanceof LiteralExpr ) } } @@ -78,7 +77,6 @@ module RegexInjection { // A barrier is any call to a function named `escape`, in particular this // makes calls to `regex::escape` a barrier. this.asExpr() - .getExpr() .(CallExpr) .getFunction() .(PathExpr) diff --git a/rust/ql/lib/utils/test/InlineFlowTest.qll b/rust/ql/lib/utils/test/InlineFlowTest.qll index 9ba92f7757be..938559620fc0 100644 --- a/rust/ql/lib/utils/test/InlineFlowTest.qll +++ b/rust/ql/lib/utils/test/InlineFlowTest.qll @@ -18,20 +18,20 @@ private import internal.InlineExpectationsTestImpl as InlineExpectationsTestImpl * representation of the path has `name` as a prefix. */ bindingset[name] -private predicate callTargetName(CallExprCfgNode call, string name) { - call.getFunction().(PathExprCfgNode).toString().matches(name + "%") +private predicate callTargetName(CallExpr call, string name) { + call.getFunction().(PathExpr).toString().matches(name + "%") } private module FlowTestImpl implements InputSig { predicate defaultSource(DataFlow::Node source) { callTargetName(source.asExpr(), "source") } predicate defaultSink(DataFlow::Node sink) { - any(CallExprCfgNode call | callTargetName(call, "sink")).getArgument(_) = sink.asExpr() + any(CallExpr call | callTargetName(call, "sink")).getAnArg() = sink.asExpr() } private string getSourceArgString(DataFlow::Node src) { defaultSource(src) and - result = src.asExpr().(CallExprCfgNode).getArgument(0).toString() + result = src.asExpr().(CallExpr).getArg(0).toString() or sourceNode(src, _) and result = src.(Node::FlowSummaryNode).getSourceElement().getCall().getArg(0).toString() and diff --git a/rust/ql/src/queries/security/CWE-312/CleartextLogging.ql b/rust/ql/src/queries/security/CWE-312/CleartextLogging.ql index b1c56114c7bd..1e3ae49f56f9 100644 --- a/rust/ql/src/queries/security/CWE-312/CleartextLogging.ql +++ b/rust/ql/src/queries/security/CWE-312/CleartextLogging.ql @@ -37,7 +37,7 @@ module CleartextLoggingConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { // flow from `a` to `&a` - node2.asExpr().getExpr().(RefExpr).getExpr() = node1.asExpr().getExpr() + node2.asExpr().(RefExpr).getExpr() = node1.asExpr() } predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) { diff --git a/rust/ql/src/queries/security/CWE-312/CleartextStorageDatabase.ql b/rust/ql/src/queries/security/CWE-312/CleartextStorageDatabase.ql index dd09f2f8f20b..d5aa87ad7090 100644 --- a/rust/ql/src/queries/security/CWE-312/CleartextStorageDatabase.ql +++ b/rust/ql/src/queries/security/CWE-312/CleartextStorageDatabase.ql @@ -36,7 +36,7 @@ module CleartextStorageDatabaseConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { // flow from `a` to `&a` - node2.asExpr().getExpr().(RefExpr).getExpr() = node1.asExpr().getExpr() + node2.asExpr().(RefExpr).getExpr() = node1.asExpr() } predicate observeDiffInformedIncrementalMode() { any() } diff --git a/rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql b/rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql index fa8d9765d7ce..b9bf80c94749 100644 --- a/rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql +++ b/rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql @@ -26,17 +26,17 @@ module AccessAfterLifetimeConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node node) { node instanceof AccessAfterLifetime::Source and // exclude cases with sources in macros, since these results are difficult to interpret - not node.asExpr().getExpr().isFromMacroExpansion() + not node.asExpr().isFromMacroExpansion() } predicate isSink(DataFlow::Node node) { node instanceof AccessAfterLifetime::Sink and // exclude cases with sinks in macros, since these results are difficult to interpret - not node.asExpr().getExpr().isFromMacroExpansion() and + not node.asExpr().isFromMacroExpansion() and // include only results inside `unsafe` blocks, as other results tend to be false positives ( - node.asExpr().getExpr().getEnclosingBlock*().isUnsafe() or - node.asExpr().getExpr().getEnclosingCallable().(Function).isUnsafe() + node.asExpr().getEnclosingBlock*().isUnsafe() or + node.asExpr().getEnclosingCallable().(Function).isUnsafe() ) } @@ -45,11 +45,9 @@ module AccessAfterLifetimeConfig implements DataFlow::ConfigSig { predicate observeDiffInformedIncrementalMode() { any() } Location getASelectedSourceLocation(DataFlow::Node source) { - exists(Variable target, DataFlow::Node sink | + exists(Variable target | + AccessAfterLifetime::sourceValueScope(source, target, _) and result = [target.getLocation(), source.getLocation()] - | - isSink(sink) and - AccessAfterLifetime::dereferenceAfterLifetime(source, sink, target) ) } } diff --git a/rust/ql/src/queries/unusedentities/UnusedValue.ql b/rust/ql/src/queries/unusedentities/UnusedValue.ql index 07e80b00b45a..8ef6b85ebe75 100644 --- a/rust/ql/src/queries/unusedentities/UnusedValue.ql +++ b/rust/ql/src/queries/unusedentities/UnusedValue.ql @@ -21,7 +21,7 @@ where not write.isFromMacroExpansion() and not isAllowableUnused(v) and // SSA definitions are only created for live writes - not write = any(Ssa::WriteDefinition def).getWriteAccess().getAstNode() and + not write = any(Ssa::WriteDefinition def).getWriteAccess() and // avoid overlap with the unused variable query not isUnused(v) select write, "Variable $@ is assigned a value that is never used.", v, v.getText() diff --git a/rust/ql/src/utils/modelgenerator/internal/CaptureModels.qll b/rust/ql/src/utils/modelgenerator/internal/CaptureModels.qll index 754bb53357a8..420051f4ee1e 100644 --- a/rust/ql/src/utils/modelgenerator/internal/CaptureModels.qll +++ b/rust/ql/src/utils/modelgenerator/internal/CaptureModels.qll @@ -120,7 +120,7 @@ private module SummaryModelGeneratorInput implements SummaryModelGeneratorInputS } QualifiedCallable getAsExprEnclosingCallable(NodeExtended node) { - result.getFunction() = node.asExpr().getScope() + result.getFunction() = node.asExpr().getEnclosingCfgScope() } Parameter asParameter(NodeExtended node) { result = node.asParameter() } diff --git a/rust/ql/test/library-tests/dataflow/barrier/inline-flow.expected b/rust/ql/test/library-tests/dataflow/barrier/inline-flow.expected index 266b4c4be8ce..68da00c4312f 100644 --- a/rust/ql/test/library-tests/dataflow/barrier/inline-flow.expected +++ b/rust/ql/test/library-tests/dataflow/barrier/inline-flow.expected @@ -1,7 +1,8 @@ models edges | main.rs:9:13:9:19 | ...: ... | main.rs:10:11:10:11 | s | provenance | | -| main.rs:10:11:10:11 | s | main.rs:9:30:14:1 | { ... } | provenance | | +| main.rs:10:11:10:11 | s | main.rs:12:9:12:9 | s | provenance | | +| main.rs:12:9:12:9 | s | main.rs:9:30:14:1 | { ... } | provenance | | | main.rs:21:9:21:9 | s | main.rs:22:10:22:10 | s | provenance | | | main.rs:21:13:21:21 | source(...) | main.rs:21:9:21:9 | s | provenance | | | main.rs:26:9:26:9 | s | main.rs:27:22:27:22 | s | provenance | | @@ -16,6 +17,7 @@ nodes | main.rs:9:13:9:19 | ...: ... | semmle.label | ...: ... | | main.rs:9:30:14:1 | { ... } | semmle.label | { ... } | | main.rs:10:11:10:11 | s | semmle.label | s | +| main.rs:12:9:12:9 | s | semmle.label | s | | main.rs:17:10:17:18 | source(...) | semmle.label | source(...) | | main.rs:21:9:21:9 | s | semmle.label | s | | main.rs:21:13:21:21 | source(...) | semmle.label | source(...) | diff --git a/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected b/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected index a7df3fdf7b3f..36a1c74018ed 100644 --- a/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected +++ b/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected @@ -82,12 +82,14 @@ localStep | main.rs:57:9:57:9 | a | main.rs:57:9:57:9 | [SSA] a | | main.rs:57:9:57:9 | a | main.rs:57:9:57:9 | a | | main.rs:57:13:59:5 | loop { ... } | main.rs:57:9:57:9 | a | +| main.rs:57:18:59:5 | { ... } | main.rs:57:13:59:5 | loop { ... } | | main.rs:58:9:58:15 | break 1 | main.rs:57:13:59:5 | loop { ... } | | main.rs:58:15:58:15 | 1 | main.rs:58:9:58:15 | break 1 | | main.rs:61:9:61:9 | [SSA] b | main.rs:64:10:64:10 | b | | main.rs:61:9:61:9 | b | main.rs:61:9:61:9 | [SSA] b | | main.rs:61:9:61:9 | b | main.rs:61:9:61:9 | b | | main.rs:61:13:63:5 | loop { ... } | main.rs:61:9:61:9 | b | +| main.rs:61:18:63:5 | { ... } | main.rs:61:13:63:5 | loop { ... } | | main.rs:62:9:62:23 | break ... | main.rs:61:13:63:5 | loop { ... } | | main.rs:62:15:62:23 | source(...) | main.rs:62:9:62:23 | break ... | | main.rs:68:9:68:13 | mut i | main.rs:68:13:68:13 | i | @@ -131,6 +133,7 @@ localStep | main.rs:92:9:92:9 | a | main.rs:92:9:92:9 | [SSA] a | | main.rs:92:9:92:9 | a | main.rs:92:9:92:9 | a | | main.rs:92:13:97:5 | 'block: { ... } | main.rs:92:9:92:9 | a | +| main.rs:93:14:95:9 | { ... } | main.rs:93:9:95:9 | if b {...} | | main.rs:94:13:94:26 | break 'block 1 | main.rs:92:13:97:5 | 'block: { ... } | | main.rs:94:26:94:26 | 1 | main.rs:94:13:94:26 | break 'block 1 | | main.rs:96:9:96:9 | 2 | main.rs:92:13:97:5 | 'block: { ... } | @@ -143,6 +146,7 @@ localStep | main.rs:102:9:102:9 | a | main.rs:102:9:102:9 | [SSA] a | | main.rs:102:9:102:9 | a | main.rs:102:9:102:9 | a | | main.rs:102:13:107:5 | 'block: { ... } | main.rs:102:9:102:9 | a | +| main.rs:103:14:105:9 | { ... } | main.rs:103:9:105:9 | if b {...} | | main.rs:104:13:104:26 | break 'block 1 | main.rs:102:13:107:5 | 'block: { ... } | | main.rs:104:26:104:26 | 1 | main.rs:104:13:104:26 | break 'block 1 | | main.rs:106:9:106:22 | break 'block 2 | main.rs:102:13:107:5 | 'block: { ... } | @@ -713,6 +717,7 @@ localStep | main.rs:480:16:480:19 | name | main.rs:480:16:480:19 | [SSA] name | | main.rs:480:16:480:19 | name | main.rs:480:16:480:19 | name | | main.rs:481:9:485:9 | if cond {...} | main.rs:480:31:486:5 | { ... } | +| main.rs:481:17:485:9 | { ... } | main.rs:481:9:485:9 | if cond {...} | | main.rs:482:17:482:17 | [SSA] n | main.rs:483:18:483:18 | n | | main.rs:482:17:482:17 | n | main.rs:482:17:482:17 | [SSA] n | | main.rs:482:17:482:17 | n | main.rs:482:17:482:17 | n | diff --git a/rust/ql/test/library-tests/dataflow/local/inline-flow.expected b/rust/ql/test/library-tests/dataflow/local/inline-flow.expected index 00640ed9aa47..7b6fd011d031 100644 --- a/rust/ql/test/library-tests/dataflow/local/inline-flow.expected +++ b/rust/ql/test/library-tests/dataflow/local/inline-flow.expected @@ -163,8 +163,9 @@ edges | main.rs:352:11:352:12 | s1 [A] | main.rs:356:11:356:12 | s1 [A] | provenance | | | main.rs:353:9:353:25 | ...::A(...) [A] | main.rs:353:24:353:24 | n | provenance | | | main.rs:353:24:353:24 | n | main.rs:353:35:353:35 | n | provenance | | -| main.rs:356:11:356:12 | s1 [A] | main.rs:357:9:357:25 | ...::A(...) [A] | provenance | | +| main.rs:356:11:356:12 | s1 [A] | main.rs:357:9:357:45 | ... \| ... [A] | provenance | | | main.rs:357:9:357:25 | ...::A(...) [A] | main.rs:357:24:357:24 | n | provenance | | +| main.rs:357:9:357:45 | ... \| ... [A] | main.rs:357:9:357:25 | ...::A(...) [A] | provenance | | | main.rs:357:24:357:24 | n | main.rs:357:55:357:55 | n | provenance | | | main.rs:368:9:368:10 | s1 [A] | main.rs:370:11:370:12 | s1 [A] | provenance | | | main.rs:368:14:368:26 | A(...) [A] | main.rs:368:9:368:10 | s1 [A] | provenance | | @@ -173,8 +174,9 @@ edges | main.rs:370:11:370:12 | s1 [A] | main.rs:374:11:374:12 | s1 [A] | provenance | | | main.rs:371:9:371:12 | A(...) [A] | main.rs:371:11:371:11 | n | provenance | | | main.rs:371:11:371:11 | n | main.rs:371:22:371:22 | n | provenance | | -| main.rs:374:11:374:12 | s1 [A] | main.rs:375:9:375:12 | A(...) [A] | provenance | | +| main.rs:374:11:374:12 | s1 [A] | main.rs:375:9:375:19 | ... \| ... [A] | provenance | | | main.rs:375:9:375:12 | A(...) [A] | main.rs:375:11:375:11 | n | provenance | | +| main.rs:375:9:375:19 | ... \| ... [A] | main.rs:375:9:375:12 | A(...) [A] | provenance | | | main.rs:375:11:375:11 | n | main.rs:375:29:375:29 | n | provenance | | | main.rs:389:9:389:10 | s1 [C] | main.rs:393:11:393:12 | s1 [C] | provenance | | | main.rs:389:14:391:5 | ...::C {...} [C] | main.rs:389:9:389:10 | s1 [C] | provenance | | @@ -183,8 +185,9 @@ edges | main.rs:393:11:393:12 | s1 [C] | main.rs:397:11:397:12 | s1 [C] | provenance | | | main.rs:394:9:394:38 | ...::C {...} [C] | main.rs:394:36:394:36 | n | provenance | | | main.rs:394:36:394:36 | n | main.rs:394:48:394:48 | n | provenance | | -| main.rs:397:11:397:12 | s1 [C] | main.rs:398:9:398:38 | ...::C {...} [C] | provenance | | +| main.rs:397:11:397:12 | s1 [C] | main.rs:398:9:398:71 | ... \| ... [C] | provenance | | | main.rs:398:9:398:38 | ...::C {...} [C] | main.rs:398:36:398:36 | n | provenance | | +| main.rs:398:9:398:71 | ... \| ... [C] | main.rs:398:9:398:38 | ...::C {...} [C] | provenance | | | main.rs:398:36:398:36 | n | main.rs:398:81:398:81 | n | provenance | | | main.rs:409:9:409:10 | s1 [C] | main.rs:413:11:413:12 | s1 [C] | provenance | | | main.rs:409:14:411:5 | C {...} [C] | main.rs:409:9:409:10 | s1 [C] | provenance | | @@ -193,8 +196,9 @@ edges | main.rs:413:11:413:12 | s1 [C] | main.rs:417:11:417:12 | s1 [C] | provenance | | | main.rs:414:9:414:24 | C {...} [C] | main.rs:414:22:414:22 | n | provenance | | | main.rs:414:22:414:22 | n | main.rs:414:34:414:34 | n | provenance | | -| main.rs:417:11:417:12 | s1 [C] | main.rs:418:9:418:24 | C {...} [C] | provenance | | +| main.rs:417:11:417:12 | s1 [C] | main.rs:418:9:418:43 | ... \| ... [C] | provenance | | | main.rs:418:9:418:24 | C {...} [C] | main.rs:418:22:418:22 | n | provenance | | +| main.rs:418:9:418:43 | ... \| ... [C] | main.rs:418:9:418:24 | C {...} [C] | provenance | | | main.rs:418:22:418:22 | n | main.rs:418:53:418:53 | n | provenance | | | main.rs:430:9:430:12 | arr1 [element] | main.rs:431:14:431:17 | arr1 [element] | provenance | | | main.rs:430:16:430:33 | [...] [element] | main.rs:430:9:430:12 | arr1 [element] | provenance | | @@ -443,6 +447,7 @@ nodes | main.rs:353:35:353:35 | n | semmle.label | n | | main.rs:356:11:356:12 | s1 [A] | semmle.label | s1 [A] | | main.rs:357:9:357:25 | ...::A(...) [A] | semmle.label | ...::A(...) [A] | +| main.rs:357:9:357:45 | ... \| ... [A] | semmle.label | ... \| ... [A] | | main.rs:357:24:357:24 | n | semmle.label | n | | main.rs:357:55:357:55 | n | semmle.label | n | | main.rs:368:9:368:10 | s1 [A] | semmle.label | s1 [A] | @@ -454,6 +459,7 @@ nodes | main.rs:371:22:371:22 | n | semmle.label | n | | main.rs:374:11:374:12 | s1 [A] | semmle.label | s1 [A] | | main.rs:375:9:375:12 | A(...) [A] | semmle.label | A(...) [A] | +| main.rs:375:9:375:19 | ... \| ... [A] | semmle.label | ... \| ... [A] | | main.rs:375:11:375:11 | n | semmle.label | n | | main.rs:375:29:375:29 | n | semmle.label | n | | main.rs:389:9:389:10 | s1 [C] | semmle.label | s1 [C] | @@ -465,6 +471,7 @@ nodes | main.rs:394:48:394:48 | n | semmle.label | n | | main.rs:397:11:397:12 | s1 [C] | semmle.label | s1 [C] | | main.rs:398:9:398:38 | ...::C {...} [C] | semmle.label | ...::C {...} [C] | +| main.rs:398:9:398:71 | ... \| ... [C] | semmle.label | ... \| ... [C] | | main.rs:398:36:398:36 | n | semmle.label | n | | main.rs:398:81:398:81 | n | semmle.label | n | | main.rs:409:9:409:10 | s1 [C] | semmle.label | s1 [C] | @@ -476,6 +483,7 @@ nodes | main.rs:414:34:414:34 | n | semmle.label | n | | main.rs:417:11:417:12 | s1 [C] | semmle.label | s1 [C] | | main.rs:418:9:418:24 | C {...} [C] | semmle.label | C {...} [C] | +| main.rs:418:9:418:43 | ... \| ... [C] | semmle.label | ... \| ... [C] | | main.rs:418:22:418:22 | n | semmle.label | n | | main.rs:418:53:418:53 | n | semmle.label | n | | main.rs:430:9:430:12 | arr1 [element] | semmle.label | arr1 [element] | diff --git a/rust/ql/test/library-tests/dataflow/sources/env/InlineFlow.ql b/rust/ql/test/library-tests/dataflow/sources/env/InlineFlow.ql index 09b4ab5bf908..9e46b7c3ad2b 100644 --- a/rust/ql/test/library-tests/dataflow/sources/env/InlineFlow.ql +++ b/rust/ql/test/library-tests/dataflow/sources/env/InlineFlow.ql @@ -16,7 +16,7 @@ module MyFlowConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { any(CallExpr call | call.getFunction().(PathExpr).getPath().getSegment().getIdentifier().getText() = "sink" - ).getArgList().getAnArg() = sink.asExpr().getExpr() + ).getArgList().getAnArg() = sink.asExpr() } predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) { diff --git a/rust/ql/test/library-tests/sensitivedata/SensitiveData.ql b/rust/ql/test/library-tests/sensitivedata/SensitiveData.ql index 0d5e748f80eb..6372e81555d9 100644 --- a/rust/ql/test/library-tests/sensitivedata/SensitiveData.ql +++ b/rust/ql/test/library-tests/sensitivedata/SensitiveData.ql @@ -13,7 +13,7 @@ module SensitiveDataConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { any(CallExpr call | call.getFunction().(PathExpr).getPath().getSegment().getIdentifier().getText() = "sink" - ).getArgList().getAnArg() = sink.asExpr().getExpr() + ).getArgList().getAnArg() = sink.asExpr() } } diff --git a/rust/ql/test/library-tests/variables/Ssa.ql b/rust/ql/test/library-tests/variables/Ssa.ql index d93a1f13b649..8ca9bd15e666 100644 --- a/rust/ql/test/library-tests/variables/Ssa.ql +++ b/rust/ql/test/library-tests/variables/Ssa.ql @@ -10,17 +10,17 @@ query predicate definition(Ssa::Definition def, Variable v) { toBeTested(v.getEnclosingCfgScope()) and def.getSourceVariable() = v } -query predicate read(Ssa::Definition def, Variable v, CfgNode read) { +query predicate read(Ssa::Definition def, Variable v, Expr read) { toBeTested(v.getEnclosingCfgScope()) and def.getSourceVariable() = v and read = def.getARead() } -query predicate firstRead(Ssa::Definition def, Variable v, CfgNode read) { +query predicate firstRead(Ssa::Definition def, Variable v, Expr read) { toBeTested(v.getEnclosingCfgScope()) and def.getSourceVariable() = v and read = def.getAFirstRead() } -query predicate adjacentReads(Ssa::Definition def, Variable v, CfgNode read1, CfgNode read2) { +query predicate adjacentReads(Ssa::Definition def, Variable v, Expr read1, Expr read2) { toBeTested(v.getEnclosingCfgScope()) and def.getSourceVariable() = v and def.hasAdjacentReads(read1, read2) @@ -54,4 +54,4 @@ query predicate ultimateDef(Ssa::Definition def, Definition ult) { ult != def } -query predicate assigns(Ssa::WriteDefinition def, CfgNode value) { def.assigns(value) } +query predicate assigns(Ssa::WriteDefinition def, Expr value) { def.assigns(value) } From d2bb53a81ee004e4830712253a9ea0daae882a15 Mon Sep 17 00:00:00 2001 From: Tom Hvitved Date: Wed, 19 Nov 2025 13:31:24 +0100 Subject: [PATCH 2/4] Rust: Run codegen --- rust/ql/.generated.list | 1 - rust/ql/.gitattributes | 1 - rust/ql/lib/codeql/rust/elements/internal/BlockExprImpl.qll | 1 + 3 files changed, 1 insertion(+), 2 deletions(-) diff --git a/rust/ql/.generated.list b/rust/ql/.generated.list index 5ed2894e273f..fc9e0d0f30c5 100644 --- a/rust/ql/.generated.list +++ b/rust/ql/.generated.list @@ -235,7 +235,6 @@ lib/codeql/rust/elements/internal/AwaitExprConstructor.qll 44ff1653e73d5b9f6885c lib/codeql/rust/elements/internal/BecomeExprConstructor.qll ba073aaa256cb8827a0307c3128d50f62b11aac0b1f324e48c95f30351a9b942 3a787ded505c3158fa4f4923f66e8ecdcb7b5f86f27f64c5412dc32dca031f18 lib/codeql/rust/elements/internal/BinaryExprConstructor.qll 7f9b17757f78b9fb7c46e21d2040a77fa50083bef4911c8464991c3d1ad91d87 a59390cd8e896c0bfbdc9ba0674e06d980ffcefa710fbc9886be52ed427e9717 lib/codeql/rust/elements/internal/BlockExprConstructor.qll 438337c807645e98a01440f3f4610d68b0567ba15c8f51dc43bf5a30c9af3696 48ce7a546910c884619762349b8ada9836284f8008298fdb0070a38f7ddf25a0 -lib/codeql/rust/elements/internal/BlockExprImpl.qll 36ac09e4a6eeeec22919b62b1d004bdb5bb2527e67932c308aec383a770768d6 3b4b2a2014f6fe075c63a2d633b297566b548ef2e4343cadf067a9edbcadc876 lib/codeql/rust/elements/internal/BoxPatConstructor.qll 153f110ba25fd6c889092bfd16f73bb610fa60d6e0c8965d5f44d2446fcd48a2 9324cf0d8aa29945551bf8ab64801d598f57aab8cd4e19bcd4e9ef8a4a4e06eb lib/codeql/rust/elements/internal/BreakExprConstructor.qll 356be043c28e0b34fdf925a119c945632ee883c6f5ebb9a27003c6a8d250afd9 bb77e66b04bb9489340e7506931559b94285c6904b6f9d2f83b214cba4f3cfd5 lib/codeql/rust/elements/internal/CallExprConstructor.qll 742b38e862e2cf82fd1ecc4d4fc5b4782a9c7c07f031452b2bae7aa59d5aa13a cad6e0a8be21d91b20ac2ec16cab9c30eae810b452c0f1992ed87d5c7f4144dc diff --git a/rust/ql/.gitattributes b/rust/ql/.gitattributes index bde61270e6aa..99728972ec7a 100644 --- a/rust/ql/.gitattributes +++ b/rust/ql/.gitattributes @@ -237,7 +237,6 @@ /lib/codeql/rust/elements/internal/BecomeExprConstructor.qll linguist-generated /lib/codeql/rust/elements/internal/BinaryExprConstructor.qll linguist-generated /lib/codeql/rust/elements/internal/BlockExprConstructor.qll linguist-generated -/lib/codeql/rust/elements/internal/BlockExprImpl.qll linguist-generated /lib/codeql/rust/elements/internal/BoxPatConstructor.qll linguist-generated /lib/codeql/rust/elements/internal/BreakExprConstructor.qll linguist-generated /lib/codeql/rust/elements/internal/CallExprConstructor.qll linguist-generated diff --git a/rust/ql/lib/codeql/rust/elements/internal/BlockExprImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/BlockExprImpl.qll index 6fcba9900bea..9e8576dc440b 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/BlockExprImpl.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/BlockExprImpl.qll @@ -11,6 +11,7 @@ private import codeql.rust.elements.internal.generated.BlockExpr * be referenced directly. */ module Impl { + // the following QLdoc is generated: if you need to edit it, do it in the schema file /** * A block expression. For example: * ```rust From e4853ab0600795f1983fadff531cab7b717fb623 Mon Sep 17 00:00:00 2001 From: Tom Hvitved Date: Wed, 19 Nov 2025 13:18:13 +0100 Subject: [PATCH 3/4] Add change note --- rust/ql/lib/change-notes/2025-11-19-dataflow-ast.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 rust/ql/lib/change-notes/2025-11-19-dataflow-ast.md diff --git a/rust/ql/lib/change-notes/2025-11-19-dataflow-ast.md b/rust/ql/lib/change-notes/2025-11-19-dataflow-ast.md new file mode 100644 index 000000000000..04883ef37d57 --- /dev/null +++ b/rust/ql/lib/change-notes/2025-11-19-dataflow-ast.md @@ -0,0 +1,4 @@ +--- +category: breaking +--- +* The type `DataFlow::Node` is now based directly on the AST instead of the CFG, which means that predicates like `asExpr()` return AST nodes instead of CFG nodes. \ No newline at end of file From d4fdf956a02f0e2549baa50d6de41e851db75589 Mon Sep 17 00:00:00 2001 From: Tom Hvitved Date: Thu, 20 Nov 2025 11:03:53 +0100 Subject: [PATCH 4/4] Address review comments --- rust/ql/lib/codeql/rust/dataflow/internal/Node.qll | 2 +- .../codeql/rust/elements/internal/ParenExprImpl.qll | 13 +++++++++++++ .../rust/security/AccessAfterLifetimeExtensions.qll | 2 +- 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/Node.qll b/rust/ql/lib/codeql/rust/dataflow/internal/Node.qll index 421f613b5c44..2191714d6a17 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/Node.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/Node.qll @@ -118,7 +118,7 @@ class FlowSummaryNode extends Node, TFlowSummaryNode { } } -/** A data flow node that corresponds directly to a CFG node for an AST node. */ +/** A data flow node that corresponds directly to an AST node. */ abstract class AstNodeNode extends Node { AstNode n; diff --git a/rust/ql/lib/codeql/rust/elements/internal/ParenExprImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/ParenExprImpl.qll index 158d20e0703a..f52fd3aa0674 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/ParenExprImpl.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/ParenExprImpl.qll @@ -24,6 +24,19 @@ module Impl { override string toStringImpl() { result = "(" + this.getExpr().toAbbreviatedString() + ")" or + // In macro expansions such as + // + // ```rust + // [ + // "a", + // "b", + // #[cfg(target_os = "macos")] + // "c", + // ] + // ``` + // + // the last array element will give rise to an empty `ParenExpr` when not + // compiling for macos. not exists(this.getExpr().toAbbreviatedString()) and result = "(...)" } diff --git a/rust/ql/lib/codeql/rust/security/AccessAfterLifetimeExtensions.qll b/rust/ql/lib/codeql/rust/security/AccessAfterLifetimeExtensions.qll index 6e8077ebae00..06438fef0c8f 100644 --- a/rust/ql/lib/codeql/rust/security/AccessAfterLifetimeExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/AccessAfterLifetimeExtensions.qll @@ -40,7 +40,7 @@ module AccessAfterLifetime { abstract class Barrier extends DataFlow::Node { } /** - * Holds if the value `source` points to accesses a variable `target` with scope `scope`. + * Holds if the value pointed to by `source` accesses a variable `target` with scope `scope`. */ pragma[nomagic] predicate sourceValueScope(Source source, Variable target, BlockExpr scope) {