Rust: Give regex injection extendable sources as well.

geoffw0 · geoffw0 · commit 47ee6c6b815b · 2025-04-04T18:27:16.000+01:00
diff --git a/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll b/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll
@@ -15,6 +15,11 @@ private import codeql.rust.Concepts
  * injection vulnerabilities, as well as extension points for adding your own.
  */
 module RegexInjection {
+  /**
+   * A data flow source for regular expression injection vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
   /**
    * A data flow sink for regular expression injection vulnerabilities.
    */
@@ -27,6 +32,11 @@ module RegexInjection {
    */
   abstract class Barrier extends DataFlow::Node { }
 
+  /**
+   * An active threat-model source, considered as a flow source.
+   */
+  private class ActiveThreatModelSourceAsSource extends Source, ActiveThreatModelSource { }
+
   /**
    * A sink for `a` in `Regex::new(a)` when `a` is not a literal.
    */
diff --git a/rust/ql/src/queries/security/CWE-020/RegexInjection.ql b/rust/ql/src/queries/security/CWE-020/RegexInjection.ql
@@ -17,7 +17,6 @@
 private import rust
 private import codeql.rust.dataflow.DataFlow
 private import codeql.rust.dataflow.TaintTracking
-private import codeql.rust.Concepts
 private import codeql.rust.security.regex.RegexInjectionExtensions
 
 /**
@@ -26,7 +25,7 @@ private import codeql.rust.security.regex.RegexInjectionExtensions
 module RegexInjectionConfig implements DataFlow::ConfigSig {
   import RegexInjection
 
-  predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
