Rust: Allow parameter accesses as sources.

geoffw0 · geoffw0 · commit b3330b563617 · 2025-06-09T17:58:42.000+01:00
diff --git a/rust/ql/lib/codeql/rust/security/AccessAfterLifetimeExtensions.qll b/rust/ql/lib/codeql/rust/security/AccessAfterLifetimeExtensions.qll
@@ -53,13 +53,27 @@ module AccessAfterLifetime {
     )
   }
 
+  /**
+   * Holds if `var` has scope `scope`.
+   */
+  private predicate variableScope(Variable var, BlockExpr scope) {
+    // local variable
+    scope = var.getEnclosingBlock()
+    or
+    // parameter
+    exists(Callable c |
+      var.getParameter().getEnclosingCallable() = c and
+      scope.getParentNode() = c
+    )
+  }
+
   /**
    * Holds if `value` accesses a variable `target` with scope `scope`.
    */
   private predicate valueScope(Expr value, Variable target, BlockExpr scope) {
     // variable access (to a non-reference)
     target = value.(VariableAccess).getVariable() and
-    scope = target.getEnclosingBlock() and
+    variableScope(target, scope) and
     not TypeInference::inferType(value) instanceof RefType
     or
     // field access
diff --git a/rust/ql/test/query-tests/security/CWE-825/AccessAfterLifetime.expected b/rust/ql/test/query-tests/security/CWE-825/AccessAfterLifetime.expected
@@ -3,6 +3,7 @@
 | lifetime.rs:70:13:70:14 | p2 | lifetime.rs:27:9:27:22 | &mut my_local2 | lifetime.rs:70:13:70:14 | p2 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:25:10:25:18 | my_local2 | my_local2 |
 | lifetime.rs:71:13:71:14 | p3 | lifetime.rs:33:9:33:28 | &raw const my_local3 | lifetime.rs:71:13:71:14 | p3 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:31:6:31:14 | my_local3 | my_local3 |
 | lifetime.rs:72:13:72:14 | p4 | lifetime.rs:39:9:39:26 | &raw mut my_local4 | lifetime.rs:72:13:72:14 | p4 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:37:10:37:18 | my_local4 | my_local4 |
+| lifetime.rs:73:13:73:14 | p5 | lifetime.rs:43:9:43:15 | &param5 | lifetime.rs:73:13:73:14 | p5 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:42:23:42:28 | param5 | param5 |
 | lifetime.rs:74:13:74:14 | p6 | lifetime.rs:50:9:50:18 | &... | lifetime.rs:74:13:74:14 | p6 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:47:6:47:8 | val | val |
 | lifetime.rs:75:13:75:14 | p7 | lifetime.rs:63:8:63:27 | &raw const my_local7 | lifetime.rs:75:13:75:14 | p7 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:62:7:62:15 | my_local7 | my_local7 |
 | lifetime.rs:76:4:76:5 | p2 | lifetime.rs:27:9:27:22 | &mut my_local2 | lifetime.rs:76:4:76:5 | p2 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:25:10:25:18 | my_local2 | my_local2 |
diff --git a/rust/ql/test/query-tests/security/CWE-825/lifetime.rs b/rust/ql/test/query-tests/security/CWE-825/lifetime.rs
@@ -40,7 +40,7 @@ fn get_local_dangling_raw_mut() -> *mut i64 {
 } // (return value immediately becomes dangling)
 
 fn get_param_dangling(param5: i64) -> *const i64 {
-	return &param5; // $ MISSING: Source[rust/access-after-lifetime-ended]=param5
+	return &param5; // $ Source[rust/access-after-lifetime-ended]=param5
 } // (return value immediately becomes dangling)
 
 fn get_local_field_dangling() -> *const i64 {
@@ -70,7 +70,7 @@ pub fn test_local_dangling() {
 		let v2 = *p2; // $ Alert[rust/access-after-lifetime-ended]=local2
 		let v3 = *p3; // $ Alert[rust/access-after-lifetime-ended]=local3
 		let v4 = *p4; // $ Alert[rust/access-after-lifetime-ended]=local4
-		let v5 = *p5; // $ MISSING: Alert[rust/access-after-lifetime-ended]=param5
+		let v5 = *p5; // $ Alert[rust/access-after-lifetime-ended]=param5
 		let v6 = *p6; // $ Alert[rust/access-after-lifetime-ended]=localfield
 		let v7 = *p7; // $ Alert[rust/access-after-lifetime-ended]=local7
 		*p2 = 8; // $ Alert[rust/access-after-lifetime-ended]=local2
