From 6050a0e1a8ea135196a6c824cf4d363122d77903 Mon Sep 17 00:00:00 2001
From: Simon Friis Vindum
Date: Wed, 26 Nov 2025 14:45:31 +0100
Subject: [PATCH 1/4] Rust: Split boolean from number barriers
---
 rust/ql/lib/codeql/rust/security/Barriers.qll | 41 ++++++++-----------
 .../rust/security/LogInjectionExtensions.qll | 2 +
 .../rust/security/SqlInjectionExtensions.qll | 2 +
 .../regex/RegexInjectionExtensions.qll | 5 ++-
 4 files changed, 23 insertions(+), 27 deletions(-)
diff --git a/rust/ql/lib/codeql/rust/security/Barriers.qll b/rust/ql/lib/codeql/rust/security/Barriers.qll
index fbe3691b4123..d06287b473fd 100644
--- a/rust/ql/lib/codeql/rust/security/Barriers.qll
+++ b/rust/ql/lib/codeql/rust/security/Barriers.qll
@@ -1,5 +1,5 @@
 /**
- * Classes to represent barriers commonly used in dataflow and taint tracking
+ * Classes to represent barriers commonly used in data flow and taint tracking
 * configurations.
 */
@@ -11,35 +11,26 @@ private import codeql.rust.controlflow.ControlFlowGraph as Cfg
 private import codeql.rust.controlflow.CfgNodes as CfgNodes
 private import codeql.rust.frameworks.stdlib.Builtins as Builtins
-/**
- * A node whose type is a numeric or boolean type, which may be an appropriate
- * taint flow barrier for some queries.
- */
+/** A node whose type is a numeric. */
 class NumericTypeBarrier extends DataFlow::Node {
 NumericTypeBarrier() {
- exists(StructType t, Struct s |
- t = TypeInference::inferType(this.asExpr()) and
- s = t.getStruct()
- |
- s instanceof Builtins::NumericType or
- s instanceof Builtins::Bool
- )
+ TypeInference::inferType(this.asExpr()).(StructType).getStruct() instanceof
+ Builtins::NumericType
 }
 }
-/**
- * A node whose type is an integral (integer) or boolean type, which may be an
- * appropriate taint flow barrier for some queries.
- */
-class IntegralOrBooleanTypeBarrier extends DataFlow::Node {
- IntegralOrBooleanTypeBarrier() {
- exists(StructType t, Struct s |
- t = TypeInference::inferType(this.asExpr()) and
- s = t.getStruct()
- |
- s instanceof Builtins::IntegralType or
- s instanceof Builtins::Bool
- )
+/** A node whose type is `bool`. */
+class BooleanTypeBarrier extends DataFlow::Node {
+ BooleanTypeBarrier() {
+ TypeInference::inferType(this.asExpr()).(StructType).getStruct() instanceof Builtins::Bool
+ }
+}
+
+/** A node whose type is an integral (integer). */
+class IntegralTypeBarrier extends DataFlow::Node {
+ IntegralTypeBarrier() {
+ TypeInference::inferType(this.asExpr()).(StructType).getStruct() instanceof
+ Builtins::IntegralType
 }
 }
diff --git a/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll b/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll
index dafebc96731e..3603933a0bbb 100644
--- a/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll
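Review bot: The new one-line QLdoc comments on `NumericTypeBarrier`, `BooleanTypeBarrier` and `IntegralTypeBarrier` state which type the node has but drop the sentence the removed comments carried about the classes being taint-flow barriers, so a reader of `Barriers.qll` no longer sees why a `bool` or integer node should stop flow. I would keep a rationale on each, for example on the boolean class: `/** A node whose type is `bool`. A boolean cannot carry attacker-controlled characters, so it is a suitable taint barrier for injection queries. */`. The three constructors also repeat the expression `TypeInference::inferType(this.asExpr()).(StructType).getStruct()`; a private predicate returning the builtin struct of a node would reduce each class body to a single `instanceof` test and keep the three in step when the type-inference entry point changes.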
@@ -49,4 +49,6 @@ module LogInjection {
 * numeric or boolean type, which is unlikely to expose any vulnerability.
 */
 private class NumericTypeBarrier extends Barrier instanceof Barriers::NumericTypeBarrier { }
+
+ private class BooleanTypeBarrier extends Barrier instanceof Barriers::BooleanTypeBarrier { }
 }
diff --git a/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll b/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll
index ff81df37e405..3a58add08571 100644
--- a/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll
@@ -64,4 +64,6 @@ module SqlInjection {
 * boolean type, which is unlikely to expose any vulnerability.
 */
 private class NumericTypeBarrier extends Barrier instanceof Barriers::NumericTypeBarrier { }
+
+ private class BooleanTypeBarrier extends Barrier instanceof Barriers::BooleanTypeBarrier { }
 }
diff --git a/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll b/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll
index 7c445bcbfd89..b6bd0cd899e5 100644
--- a/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll
@@ -94,6 +94,7 @@ module RegexInjection {
 * We don't include floating point types in this barrier, as `.` is a special character
 * in regular expressions.
 */
- private class IntegralOrBooleanTypeBarrier extends Barrier instanceof Barriers::IntegralOrBooleanTypeBarrier
- { }
+ private class IntegralTypeBarrier extends Barrier instanceof Barriers::IntegralTypeBarrier { }
+
+ private class BooleanTypeBarrier extends Barrier instanceof Barriers::BooleanTypeBarrier { }
 }
From 081ab499c263c571a685acad51c688c707a186fe Mon Sep 17 00:00:00 2001
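Review bot: In the `LogInjectionExtensions.qll` hunk the existing QLdoc ending `* numeric or boolean type, which is unlikely to expose any vulnerability.` still sits above `NumericTypeBarrier` only, while the newly added `BooleanTypeBarrier` beneath it has no comment, so the comment now describes a class it is not attached to; the same applies to the `SqlInjectionExtensions.qll` hunk, and in the `RegexInjectionExtensions.qll` hunk the note about floating-point types and `.` now covers only `IntegralTypeBarrier`, not the `BooleanTypeBarrier` added after it. Either narrow the numeric comment and give the new class its own, e.g. `/** A barrier for log injection: a node of type `bool`, which formats only as `true` or `false`. */`, or place both classes under one comment that names both. The opening lines of each surrounding doc comment lie outside the hunks.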
From: Simon Friis Vindum
Date: Wed, 26 Nov 2025 14:46:28 +0100
Subject: [PATCH 2/4] Rust: Add barrier for fieldless enum types
---
 rust/ql/lib/codeql/rust/internal/Type.qll | 3 +++
 rust/ql/lib/codeql/rust/security/Barriers.qll | 7 +++++++
 2 files changed, 10 insertions(+)
diff --git a/rust/ql/lib/codeql/rust/internal/Type.qll b/rust/ql/lib/codeql/rust/internal/Type.qll
index ccf5c7543639..9cfa173c1a97 100644
--- a/rust/ql/lib/codeql/rust/internal/Type.qll
+++ b/rust/ql/lib/codeql/rust/internal/Type.qll
@@ -140,6 +140,9 @@ class EnumType extends Type, TEnum {
 EnumType() { this = TEnum(enum) }
+ /** Gets the enum that this enum type represents. */
+ Enum getEnum() { result = enum }
+
 override TypeParameter getPositionalTypeParameter(int i) {
 result = TTypeParamTypeParameter(enum.getGenericParamList().getTypeParam(i))
 }
diff --git a/rust/ql/lib/codeql/rust/security/Barriers.qll b/rust/ql/lib/codeql/rust/security/Barriers.qll
index d06287b473fd..2ad60aa79acb 100644
--- a/rust/ql/lib/codeql/rust/security/Barriers.qll
+++ b/rust/ql/lib/codeql/rust/security/Barriers.qll
@@ -34,6 +34,13 @@ class IntegralTypeBarrier extends DataFlow::Node {
 }
 }
+/** A node whose type is a fieldless enum. */
+class FieldlessEnumTypeBarrier extends DataFlow::Node {
+ FieldlessEnumTypeBarrier() {
+ TypeInference::inferType(this.asExpr()).(EnumType).getEnum().isFieldless()
+ }
+}
+
 /**
 * Holds if guard expression `g` having result `branch` indicates that the
 * sub-expression `e` is not null. For example when `ptr.is_null()` is
From 815af34c6668782c2a813584eb96c89894f23eeb Mon Sep 17 00:00:00 2001
From: Simon Friis Vindum
Date: Wed, 26 Nov 2025 14:47:54 +0100
Subject: [PATCH 3/4] Rust: Add additional barriers to queries
---
 .../lib/codeql/rust/security/CleartextLoggingExtensions.qll | 6 ++++++
 rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll | 3 +++
 rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll | 3 +++
 3 files changed, 12 insertions(+)
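Review bot: `FieldlessEnumTypeBarrier` in the `Barriers.qll` hunk documents only the type it matches, not why such a node is safe to treat as a barrier, which is what a query author must verify before reusing it in a new query: with no payload, whatever a variant prints (via `Display`, `Debug` or a match on the variant) is fixed at compile time, so the value cannot carry tainted characters or a secret. I would extend the comment to `/** A node whose type is a fieldless enum. Such a value carries no data beyond its variant, so its textual form is fixed at compile time. */`. The soundness of the barrier rests on `Enum.isFieldless()` requiring every variant to be fieldless; its definition is not in this patch, so that is worth confirming, since an enum mixing unit and tuple variants must not qualify. `EnumType` is used unqualified like `StructType` above it, presumably from the same import, which is outside the hunk.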
diff --git a/rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll b/rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll
index 0961efd553fd..f634992fb81e 100644
--- a/rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll
@@ -8,6 +8,7 @@ private import codeql.rust.dataflow.DataFlow
 private import codeql.rust.dataflow.FlowSink
 private import codeql.rust.security.SensitiveData
 private import codeql.rust.Concepts
+private import codeql.rust.security.Barriers as Barriers
 /**
 * Provides default sources, sinks and barriers for detecting cleartext logging
@@ -42,4 +43,9 @@ module CleartextLogging {
 private class ModelsAsDataSink extends Sink {
 ModelsAsDataSink() { sinkNode(this, "log-injection") }
 }
+
+ private class BooleanTypeBarrier extends Barrier instanceof Barriers::BooleanTypeBarrier { }
+
+ private class FieldlessEnumTypeBarrier extends Barrier instanceof Barriers::FieldlessEnumTypeBarrier
+ { }
 }
diff --git a/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll b/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll
index 3603933a0bbb..8ef4f64182ad 100644
--- a/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll
@@ -51,4 +51,7 @@ module LogInjection {
 private class NumericTypeBarrier extends Barrier instanceof Barriers::NumericTypeBarrier { }
 private class BooleanTypeBarrier extends Barrier instanceof Barriers::BooleanTypeBarrier { }
+
+ private class FieldlessEnumTypeBarrier extends Barrier instanceof Barriers::FieldlessEnumTypeBarrier
+ { }
 }
diff --git a/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll b/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll
index 3a58add08571..d82065ec5edf 100644
--- a/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll
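Review bot: The `CleartextLoggingExtensions.qll` hunk adds `BooleanTypeBarrier` and `FieldlessEnumTypeBarrier` but, unlike the `LogInjection` and `SqlInjection` modules touched in the same patch, not `NumericTypeBarrier`, and nothing in the file says whether that is deliberate. It presumably is, since for a cleartext-logging query integers such as PINs, account or card numbers and one-time codes are exactly the sensitive values that must keep flowing, but without a comment the next consistency-minded change is likely to add the numeric barrier and silently lose those findings. I would put a comment above the two new classes: `// NumericTypeBarrier is intentionally not used here: numeric values (PINs, card or account numbers, OTP codes) can themselves be sensitive.`. The two added classes also lack the QLdoc that the corresponding barrier classes in the sibling modules carry; the module header and the `Barrier` class they extend are outside the hunk.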
@@ -66,4 +66,7 @@ module SqlInjection {
 private class NumericTypeBarrier extends Barrier instanceof Barriers::NumericTypeBarrier { }
 private class BooleanTypeBarrier extends Barrier instanceof Barriers::BooleanTypeBarrier { }
+
+ private class FieldlessEnumTypeBarrier extends Barrier instanceof Barriers::FieldlessEnumTypeBarrier
+ { }
 }
From 329df20e55d4a4b6005b2cc80d9343aba4db3a56 Mon Sep 17 00:00:00 2001
From: Simon Friis Vindum
Date: Wed, 26 Nov 2025 15:48:34 +0100
Subject: [PATCH 4/4] Rust: Fix typo
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 rust/ql/lib/codeql/rust/security/Barriers.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rust/ql/lib/codeql/rust/security/Barriers.qll b/rust/ql/lib/codeql/rust/security/Barriers.qll
index 2ad60aa79acb..845a689af11a 100644
--- a/rust/ql/lib/codeql/rust/security/Barriers.qll
+++ b/rust/ql/lib/codeql/rust/security/Barriers.qll
@@ -11,7 +11,7 @@ private import codeql.rust.controlflow.ControlFlowGraph as Cfg
 private import codeql.rust.controlflow.CfgNodes as CfgNodes
 private import codeql.rust.frameworks.stdlib.Builtins as Builtins
-/** A node whose type is a numeric. */
+/** A node whose type is a numeric type. */
 class NumericTypeBarrier extends DataFlow::Node {
 NumericTypeBarrier() {
 TypeInference::inferType(this.asExpr()).(StructType).getStruct() instanceof