From 5fdc75b13e7ac9eb733d697cd9539ffb9b55c6c0 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 14 Apr 2025 18:34:07 +0100
Subject: [PATCH] Rust: Allow reference content in sinks for taint reach.

---
 rust/ql/src/queries/summary/TaintReach.qll | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/rust/ql/src/queries/summary/TaintReach.qll b/rust/ql/src/queries/summary/TaintReach.qll
index 0f00fe6f7c6e..61caf93a3a5e 100644
--- a/rust/ql/src/queries/summary/TaintReach.qll
+++ b/rust/ql/src/queries/summary/TaintReach.qll
@@ -15,6 +15,12 @@ private module TaintReachConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node node) { node instanceof ActiveThreatModelSource }

 predicate isSink(DataFlow::Node node) { any() }
+
+ predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+ // flow out from reference content at the sink.
+ isSink(node) and
+ c.getAReadContent() instanceof DataFlow::ReferenceContent
+ }
 }

 private module TaintReachFlow = TaintTracking::Global;
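Review bot: The comment on `allowImplicitRead` does not say how wide the new implicit read is: `isSink` is `any()` in this config, so the `isSink(node)` conjunct is always true and a read of reference content is permitted at every node rather than at a selected set of sinks. That looks intended for a reach summary, but it should be stated, e.g. `// isSink is any(), so this applies at every node: a node holding a reference to tainted data counts as reached.` Only `DataFlow::ReferenceContent` is admitted, so a node that carries taint inside other content (a field or a collection element, say) would presumably still not be counted; confirm that is the intended boundary for the metric. The module body begins above the hunk, and the patch touches only this file, so any expected output for the summary query would have to be updated separately.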