Skip to content

Rust: Tweaks and improvements to data flow barriers #20921

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Nov 27, 2025
Merged

Rust: Tweaks and improvements to data flow barriers #20921

merged 4 commits into from
Nov 27, 2025

Conversation

@paldepind
Copy link
Contributor

@paldepind paldepind commented Nov 26, 2025
edited
Loading

  • Adds a new barrier for fieldless enum types. Such enum are just a bunch of cases, so often they are not interesting to track.
  • Split the boolean and numeric barriers apart. I think this scales better with more barriers (such as the above one).
  • Add more barriers to a few queries. The boolean guard for cleartext logging in particular fixes some false results that I observed over on Rust: Lift content reads as taint steps #20879.

@github-actions github-actions bot added the Rust Pull requests that update Rust code label Nov 26, 2025
@paldepind paldepind marked this pull request as ready for review November 26, 2025 14:22
@paldepind paldepind requested a review from a team as a code owner November 26, 2025 14:22
Copilot AI review requested due to automatic review settings November 26, 2025 14:22
@paldepind paldepind added the no-change-note-required This PR does not need a change note label Nov 26, 2025
Copilot finished reviewing on behalf of paldepind November 26, 2025 14:25
Copilot AI reviewed Nov 26, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR refactors data flow barriers to improve specificity and reduce false positives in security queries. The main changes split combined barriers into separate, more specific ones, and add a new barrier type for fieldless enums.

  • Refactors IntegralOrBooleanTypeBarrier into separate IntegralTypeBarrier and BooleanTypeBarrier classes for better granularity
  • Introduces a new FieldlessEnumTypeBarrier to filter out fieldless enum types that are typically not interesting to track
  • Applies these barriers to security queries (SQL injection, log injection, cleartext logging, and regex injection) to reduce false positives

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
rust/ql/lib/codeql/rust/security/Barriers.qll Splits combined barriers into separate classes, adds FieldlessEnumTypeBarrier, and improves comment clarity
rust/ql/lib/codeql/rust/internal/Type.qll Adds getEnum() accessor method to EnumType for consistency with other type classes
rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll Updates to use separate IntegralTypeBarrier and BooleanTypeBarrier
rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll Adds BooleanTypeBarrier and FieldlessEnumTypeBarrier
rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll Adds BooleanTypeBarrier and FieldlessEnumTypeBarrier
rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll Adds Barriers import, BooleanTypeBarrier, and FieldlessEnumTypeBarrier

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@paldepind
Rust: Fix typo
329df20 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@paldepind paldepind merged commit 8b32679 into github:main Nov 27, 2025
18 checks passed
@paldepind paldepind deleted the rust/barrier-tweaks branch November 27, 2025 07:56
@geoffw0 geoffw0 mentioned this pull request Nov 27, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@hvitved hvitved hvitved approved these changes

Assignees

No one assigned

Labels

no-change-note-required This PR does not need a change note Rust Pull requests that update Rust code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@paldepind @hvitved