Rust: Restrict results to 'unsafe' blocks.

geoffw0 · geoffw0 · commit 5edd6e85e778 · 2025-06-18T15:45:31.000+01:00
diff --git a/rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql b/rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql
@@ -40,6 +40,11 @@ where
   AccessAfterLifetimeFlow::flowPath(sourceNode, sinkNode) and
   // check that the dereference is outside the lifetime of the target
   AccessAfterLifetime::dereferenceAfterLifetime(sourceNode.getNode(), sinkNode.getNode(), target) and
+  // include only results inside `unsafe` blocks, as other results tend to be false positives
+  (
+    sinkNode.getNode().asExpr().getExpr().getEnclosingBlock*().isUnsafe() or
+    sinkNode.getNode().asExpr().getExpr().getEnclosingCallable().(Function).isUnsafe()
+  ) and
   // exclude cases with sources / sinks in macros, since these results are difficult to interpret
   not sourceNode.getNode().asExpr().getExpr().isFromMacroExpansion() and
   not sinkNode.getNode().asExpr().getExpr().isFromMacroExpansion()
diff --git a/rust/ql/test/query-tests/security/CWE-825/AccessAfterLifetime.expected b/rust/ql/test/query-tests/security/CWE-825/AccessAfterLifetime.expected
@@ -21,7 +21,6 @@
 | lifetime.rs:659:15:659:18 | ref1 | lifetime.rs:654:31:654:35 | &str1 | lifetime.rs:659:15:659:18 | ref1 | Access of a pointer to $@ after its lifetime has ended. | lifetime.rs:653:8:653:11 | str1 | str1 |
 | lifetime.rs:667:14:667:17 | ref1 | lifetime.rs:654:31:654:35 | &str1 | lifetime.rs:667:14:667:17 | ref1 | Access of a pointer to $@ after its lifetime has ended. | lifetime.rs:653:8:653:11 | str1 | str1 |
 | lifetime.rs:667:14:667:17 | ref1 | lifetime.rs:655:11:655:25 | &raw const str2 | lifetime.rs:667:14:667:17 | ref1 | Access of a pointer to $@ after its lifetime has ended. | lifetime.rs:651:7:651:10 | str2 | str2 |
-| lifetime.rs:734:12:734:13 | r1 | lifetime.rs:719:26:719:34 | &... | lifetime.rs:734:12:734:13 | r1 | Access of a pointer to $@ after its lifetime has ended. | lifetime.rs:719:19:719:20 | v2 | v2 |
 | lifetime.rs:789:12:789:13 | p1 | lifetime.rs:781:9:781:19 | &my_local10 | lifetime.rs:789:12:789:13 | p1 | Access of a pointer to $@ after its lifetime has ended. | lifetime.rs:779:6:779:15 | my_local10 | my_local10 |
 | lifetime.rs:808:10:808:12 | ptr | lifetime.rs:798:9:798:12 | &val | lifetime.rs:808:10:808:12 | ptr | Access of a pointer to $@ after its lifetime has ended. | lifetime.rs:796:6:796:8 | val | val |
 edges
diff --git a/rust/ql/test/query-tests/security/CWE-825/lifetime.rs b/rust/ql/test/query-tests/security/CWE-825/lifetime.rs
@@ -716,7 +716,7 @@ enum MyEnum3 {
 impl MyEnum3 {
 	pub fn test_match(&self) -> &i64 {
 		let r1 = match self {
-			MyEnum3::Value(v2) => &v2.value, // $ SPURIOUS: Source[rust/access-after-lifetime-ended]=v2_value
+			MyEnum3::Value(v2) => &v2.value,
 		};
 
 		r1
@@ -731,7 +731,7 @@ pub fn test_enum_members() {
 
 	use_the_stack();
 
-	let v3 = *r1; // $ SPURIOUS: Alert[rust/access-after-lifetime-ended]=v2_value
+	let v3 = *r1;
 	println!("	v3 = {v3}");
 }
 
