Rust: Remove taint steps

paldepind · paldepind · commit 049fab4c72b4 · 2024-12-18T11:22:56.000+01:00
diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll
@@ -46,8 +46,6 @@ module RustTaintTracking implements InputSig<Location, RustDataFlow> {
         RustDataFlow::readStep(pred, cs, succ) and
         cs.getContent() instanceof ArrayElementContent
       )
-      or
-      pred.asExpr() = succ.asExpr().(RefExprCfgNode).getExpr()
     )
     or
     FlowSummaryImpl::Private::Steps::summaryLocalStep(pred.(Node::FlowSummaryNode).getSummaryNode(),
diff --git a/rust/ql/lib/codeql/rust/frameworks/stdlib/lang-core.model.yml b/rust/ql/lib/codeql/rust/frameworks/stdlib/lang-core.model.yml
@@ -5,14 +5,11 @@ extensions:
     data:
       # Option
       - ["lang:core", "<crate::option::Option>::unwrap", "Argument[self].Variant[crate::option::Option::Some(0)]", "ReturnValue", "value", "manual"]
-      - ["lang:core", "<crate::option::Option>::unwrap", "Argument[self]", "ReturnValue", "taint", "manual"]
       - ["lang:core", "<crate::option::Option>::unwrap_or", "Argument[self].Variant[crate::option::Option::Some(0)]", "ReturnValue", "value", "manual"]
       - ["lang:core", "<crate::option::Option>::unwrap_or", "Argument[0]", "ReturnValue", "value", "manual"]
       # Result
       - ["lang:core", "<crate::result::Result>::unwrap", "Argument[self].Variant[crate::result::Result::Ok(0)]", "ReturnValue", "value", "manual"]
-      - ["lang:core", "<crate::result::Result>::unwrap", "Argument[self]", "ReturnValue", "taint", "manual"]
       - ["lang:core", "<crate::result::Result>::unwrap_or", "Argument[self].Variant[crate::result::Result::Ok(0)]", "ReturnValue", "value", "manual"]
       - ["lang:core", "<crate::result::Result>::unwrap_or", "Argument[0]", "ReturnValue", "value", "manual"]
-      - ["lang:core", "<crate::result::Result>::unwrap_or", "Argument[self]", "ReturnValue", "taint", "manual"]
       # String
       - ["lang:alloc", "<crate::string::String>::as_str", "Argument[self]", "ReturnValue", "taint", "manual"]
diff --git a/rust/ql/test/library-tests/dataflow/sources/test.rs b/rust/ql/test/library-tests/dataflow/sources/test.rs
@@ -12,7 +12,7 @@ fn test_env_vars() {
     let var2 = std::env::var_os("PATH").unwrap(); // $ Alert[rust/summary/taint-sources]
 
     sink(var1); // $ MISSING: hasTaintFlow
-    sink(var2); // $ hasTaintFlow
+    sink(var2); // $ MISSING: hasTaintFlow
 
     for (key, value) in std::env::vars() { // $ Alert[rust/summary/taint-sources]
         sink(key); // $ MISSING: hasTaintFlow
@@ -61,7 +61,7 @@ async fn test_reqwest() -> Result<(), reqwest::Error> {
     sink(remote_string1); // $ MISSING: hasTaintFlow
 
     let remote_string2 = reqwest::blocking::get("http://example.com/").unwrap().text().unwrap(); // $ Alert[rust/summary/taint-sources]
-    sink(remote_string2); // $ hasTaintFlow
+    sink(remote_string2); // $ MISSING: hasTaintFlow
 
     let remote_string3 = reqwest::get("http://example.com/").await?.text().await?; // $ Alert[rust/summary/taint-sources]
     sink(remote_string3); // $ MISSING: hasTaintFlow
diff --git a/rust/ql/test/library-tests/dataflow/strings/inline-taint-flow.expected b/rust/ql/test/library-tests/dataflow/strings/inline-taint-flow.expected
@@ -1,25 +1,20 @@
 models
 | 1 | Summary: lang:alloc; <crate::string::String>::as_str; Argument[self]; ReturnValue; taint |
 edges
-| main.rs:20:9:20:9 | s | main.rs:21:9:21:14 | sliced | provenance |  |
 | main.rs:20:9:20:9 | s | main.rs:21:19:21:25 | s[...] | provenance |  |
 | main.rs:20:13:20:22 | source(...) | main.rs:20:9:20:9 | s | provenance |  |
-| main.rs:21:9:21:14 | sliced | main.rs:22:16:22:21 | sliced | provenance |  |
 | main.rs:21:9:21:14 | sliced [&ref] | main.rs:22:16:22:21 | sliced | provenance |  |
 | main.rs:21:18:21:25 | &... [&ref] | main.rs:21:9:21:14 | sliced [&ref] | provenance |  |
 | main.rs:21:19:21:25 | s[...] | main.rs:21:18:21:25 | &... [&ref] | provenance |  |
 | main.rs:26:9:26:10 | s1 | main.rs:29:9:29:10 | s4 | provenance |  |
 | main.rs:26:14:26:23 | source(...) | main.rs:26:9:26:10 | s1 | provenance |  |
 | main.rs:29:9:29:10 | s4 | main.rs:32:10:32:11 | s4 | provenance |  |
-| main.rs:37:9:37:10 | s1 | main.rs:40:10:40:35 | ... + ... | provenance |  |
-| main.rs:37:14:37:23 | source(...) | main.rs:37:9:37:10 | s1 | provenance |  |
 | main.rs:57:9:57:9 | s | main.rs:58:16:58:16 | s | provenance |  |
 | main.rs:57:13:57:22 | source(...) | main.rs:57:9:57:9 | s | provenance |  |
 | main.rs:58:16:58:16 | s | main.rs:58:16:58:25 | s.as_str(...) | provenance | MaD:1 |
 nodes
 | main.rs:20:9:20:9 | s | semmle.label | s |
 | main.rs:20:13:20:22 | source(...) | semmle.label | source(...) |
-| main.rs:21:9:21:14 | sliced | semmle.label | sliced |
 | main.rs:21:9:21:14 | sliced [&ref] | semmle.label | sliced [&ref] |
 | main.rs:21:18:21:25 | &... [&ref] | semmle.label | &... [&ref] |
 | main.rs:21:19:21:25 | s[...] | semmle.label | s[...] |
@@ -28,9 +23,6 @@ nodes
 | main.rs:26:14:26:23 | source(...) | semmle.label | source(...) |
 | main.rs:29:9:29:10 | s4 | semmle.label | s4 |
 | main.rs:32:10:32:11 | s4 | semmle.label | s4 |
-| main.rs:37:9:37:10 | s1 | semmle.label | s1 |
-| main.rs:37:14:37:23 | source(...) | semmle.label | source(...) |
-| main.rs:40:10:40:35 | ... + ... | semmle.label | ... + ... |
 | main.rs:57:9:57:9 | s | semmle.label | s |
 | main.rs:57:13:57:22 | source(...) | semmle.label | source(...) |
 | main.rs:58:16:58:16 | s | semmle.label | s |
@@ -40,5 +32,4 @@ testFailures
 #select
 | main.rs:22:16:22:21 | sliced | main.rs:20:13:20:22 | source(...) | main.rs:22:16:22:21 | sliced | $@ | main.rs:20:13:20:22 | source(...) | source(...) |
 | main.rs:32:10:32:11 | s4 | main.rs:26:14:26:23 | source(...) | main.rs:32:10:32:11 | s4 | $@ | main.rs:26:14:26:23 | source(...) | source(...) |
-| main.rs:40:10:40:35 | ... + ... | main.rs:37:14:37:23 | source(...) | main.rs:40:10:40:35 | ... + ... | $@ | main.rs:37:14:37:23 | source(...) | source(...) |
 | main.rs:58:16:58:25 | s.as_str(...) | main.rs:57:13:57:22 | source(...) | main.rs:58:16:58:25 | s.as_str(...) | $@ | main.rs:57:13:57:22 | source(...) | source(...) |
diff --git a/rust/ql/test/library-tests/dataflow/strings/main.rs b/rust/ql/test/library-tests/dataflow/strings/main.rs
@@ -37,7 +37,7 @@ fn string_add_reference() {
     let s1 = source(37);
     let s2 = "1".to_string();
 
-    sink("Hello ".to_string() + &s1); // $ hasTaintFlow=37
+    sink("Hello ".to_string() + &s1); // $ MISSING: hasTaintFlow=37
     sink("Hello ".to_string() + &s2);
 }
 
diff --git a/rust/ql/test/library-tests/dataflow/taint/TaintFlowStep.expected b/rust/ql/test/library-tests/dataflow/taint/TaintFlowStep.expected
@@ -1,7 +1,4 @@
-| file://:0:0:0:0 | [summary param] self in lang:alloc::_::<crate::string::String>::as_str | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:alloc::_::<crate::string::String>::as_str | MaD:10 |
-| file://:0:0:0:0 | [summary param] self in lang:core::_::<crate::option::Option>::unwrap | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<crate::option::Option>::unwrap | MaD:2 |
-| file://:0:0:0:0 | [summary param] self in lang:core::_::<crate::result::Result>::unwrap | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<crate::result::Result>::unwrap | MaD:6 |
-| file://:0:0:0:0 | [summary param] self in lang:core::_::<crate::result::Result>::unwrap_or | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<crate::result::Result>::unwrap_or | MaD:9 |
+| file://:0:0:0:0 | [summary param] self in lang:alloc::_::<crate::string::String>::as_str | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:alloc::_::<crate::string::String>::as_str | MaD:7 |
 | file://:0:0:0:0 | [summary param] self in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::text | file://:0:0:0:0 | [summary] to write: ReturnValue.Variant[crate::result::Result::Ok(0)] in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::text | MaD:0 |
 | main.rs:4:5:4:8 | 1000 | main.rs:4:5:4:12 | ... + ... |  |
 | main.rs:4:12:4:12 | i | main.rs:4:5:4:12 | ... + ... |  |
@@ -11,7 +8,6 @@
 | main.rs:23:13:23:13 | a | main.rs:23:13:23:19 | a as u8 |  |
 | main.rs:24:10:24:10 | b | main.rs:24:10:24:17 | b as i64 |  |
 | main.rs:38:23:38:23 | s | main.rs:38:23:38:29 | s[...] |  |
-| main.rs:38:23:38:29 | s[...] | main.rs:38:22:38:29 | &... |  |
 | main.rs:54:14:54:16 | arr | main.rs:54:14:54:19 | arr[1] |  |
 | main.rs:64:24:64:24 | s | main.rs:64:24:64:27 | s[1] |  |
 | main.rs:69:9:69:12 | arr2 | main.rs:69:9:69:15 | arr2[1] |  |
diff --git a/rust/ql/test/library-tests/dataflow/taint/inline-taint-flow.expected b/rust/ql/test/library-tests/dataflow/taint/inline-taint-flow.expected
@@ -7,10 +7,8 @@ edges
 | main.rs:22:9:22:9 | a | main.rs:23:9:23:9 | b | provenance |  |
 | main.rs:22:13:22:22 | source(...) | main.rs:22:9:22:9 | a | provenance |  |
 | main.rs:23:9:23:9 | b | main.rs:24:10:24:17 | b as i64 | provenance |  |
-| main.rs:37:13:37:13 | s | main.rs:38:13:38:18 | sliced | provenance |  |
 | main.rs:37:13:37:13 | s | main.rs:38:23:38:29 | s[...] | provenance |  |
 | main.rs:37:17:37:26 | source(...) | main.rs:37:13:37:13 | s | provenance |  |
-| main.rs:38:13:38:18 | sliced | main.rs:39:14:39:19 | sliced | provenance |  |
 | main.rs:38:13:38:18 | sliced [&ref] | main.rs:39:14:39:19 | sliced | provenance |  |
 | main.rs:38:22:38:29 | &... [&ref] | main.rs:38:13:38:18 | sliced [&ref] | provenance |  |
 | main.rs:38:23:38:29 | s[...] | main.rs:38:22:38:29 | &... [&ref] | provenance |  |
@@ -31,7 +29,6 @@ nodes
 | main.rs:24:10:24:17 | b as i64 | semmle.label | b as i64 |
 | main.rs:37:13:37:13 | s | semmle.label | s |
 | main.rs:37:17:37:26 | source(...) | semmle.label | source(...) |
-| main.rs:38:13:38:18 | sliced | semmle.label | sliced |
 | main.rs:38:13:38:18 | sliced [&ref] | semmle.label | sliced [&ref] |
 | main.rs:38:22:38:29 | &... [&ref] | semmle.label | &... [&ref] |
 | main.rs:38:23:38:29 | s[...] | semmle.label | s[...] |
diff --git a/rust/ql/test/query-tests/security/CWE-089/SqlInjection.expected b/rust/ql/test/query-tests/security/CWE-089/SqlInjection.expected
diff --git a/rust/ql/test/query-tests/security/CWE-089/sqlx.rs b/rust/ql/test/query-tests/security/CWE-089/sqlx.rs

Original file line number	Diff line number	Diff line change
`@@ -46,8 +46,6 @@ module RustTaintTracking implements InputSig<Location, RustDataFlow> {`
`46`	`46`	`RustDataFlow::readStep(pred, cs, succ) and`
`47`	`47`	`cs.getContent() instanceof ArrayElementContent`
`48`	`48`	`)`
`49`		`- or`
`50`		`- pred.asExpr() = succ.asExpr().(RefExprCfgNode).getExpr()`
`51`	`49`	`)`
`52`	`50`	`or`
`53`	`51`	`FlowSummaryImpl::Private::Steps::summaryLocalStep(pred.(Node::FlowSummaryNode).getSummaryNode(),`
Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@ fn string_add_reference() {`
`37`	`37`	`let s1 = source(37);`
`38`	`38`	`let s2 = "1".to_string();`
`39`	`39`
`40`		`- sink("Hello ".to_string() + &s1); // $ hasTaintFlow=37`
	`40`	`+ sink("Hello ".to_string() + &s1); // $ MISSING: hasTaintFlow=37`
`41`	`41`	`sink("Hello ".to_string() + &s2);`
`42`	`42`	`}`
`43`	`43`