Skip to content

Rust: Data flow through trait methods #19881

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Jun 27, 2025
Merged

Rust: Data flow through trait methods #19881

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
a4ed5da
Rust: Add data flow tests involving traits
hvitved Jun 25, 2025
5e265b1
Rust: Trait call dispatch in dataflow
hvitved Jun 25, 2025
3e54c61
Rust: Add MaD trait tests
hvitved Jun 25, 2025
8c24039
Rust: Apply MaD trait models to implementations
hvitved Jun 25, 2025
9a48459
Add change note
hvitved Jun 26, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Rust: Apply MaD trait models to implementations
  • Loading branch information
@hvitved
hvitved committed Jun 25, 2025
commit 8c240399c16767eb1be2bc8a0b5f5e551196ce9c
12 changes: 11 additions & 1 deletion rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -407,7 +407,17 @@ module RustDataFlow implements InputSig<Location> {
exists(Call c | c = call.asCallCfgNode().getCall() |
result.asCfgScope() = c.getARuntimeTarget()
or
result.asSummarizedCallable() = c.getStaticTarget()
exists(SummarizedCallable sc, Function staticTarget |
staticTarget = c.getStaticTarget() and
sc = result.asSummarizedCallable()
|
sc = staticTarget
or
// only apply trait models to concrete implementations when they are not
// defined in source code
staticTarget.implements(sc) and
not staticTarget.fromSource()
)
)
}

Expand Down
6 changes: 6 additions & 0 deletions rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,8 @@
* - `Field[t(i)]`: position `i` inside the variant/struct with canonical path `v`, for example
* `Field[core::option::Option::Some(0)]`.
* - `Field[i]`: the `i`th element of a tuple.
* - `Reference`: the referenced value.
* - `Future`: the value being computed asynchronously.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good spot. 👍

* 3. The `kind` column is a tag that can be referenced from QL to determine to
* which classes the interpreted elements should be added. For example, for
* sources `"remote"` indicates a default remote flow source, and for summaries
Expand Down Expand Up @@ -211,6 +213,10 @@ private class SummarizedCallableFromModel extends SummarizedCallable::Range {
this.getCanonicalPath() = path
}

override predicate hasProvenance(Provenance provenance) {
summaryModel(path, _, _, _, provenance, _)
}

override predicate propagatesFlow(
string input, string output, boolean preservesValue, string model
) {
Expand Down
4 changes: 2 additions & 2 deletions rust/ql/test/library-tests/dataflow/models/main.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -360,10 +360,10 @@ fn test_trait_model<T: Ord>(x: T) {
sink(x4); // $ hasValueFlow=25

let x5 = source(26).lt(&1);
sink(x5); // $ MISSING: hasTaintFlow=26
sink(x5); // $ hasTaintFlow=26

let x6 = source(27) < 1;
sink(x6); // $ MISSING: hasTaintFlow=27
sink(x6); // $ hasTaintFlow=27
}

#[tokio::main]
Expand Down
Loading
Loading
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy