Rust: Deref as taint step #20340
Merged
Rust: Deref as taint step #20340
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
fb155c4 to
bcbf684
Compare
bcbf684 to
5b51bb2
Compare
hvitved
commented
Sep 2, 2025
| @@ -39,12 +39,6 @@ module HardcodedCryptographicValueConfig implements DataFlow::ConfigSig { | |||
| // case like `[0, 0, 0, 0]`) | |||
| isSource(node) | |||
| } | |||
|
|
|||
| predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) { | |||
There was a problem hiding this comment.
This is already covered by defaultImplicitTaintRead.
There was a problem hiding this comment.
Pull Request Overview
This PR enhances Rust taint tracking by extending taint flow through dereferenced references. The main change lifts data flow read-steps of ReferenceContent to taint steps, similar to existing ElementContent handling, ensuring that when a reference is a taint source, the data it points to is also considered tainted.
Key changes:
- Add reference dereferencing as a taint propagation path
- Remove redundant
allowImplicitReadpredicate for reference content - Update test expectations to reflect the improved taint tracking behavior
Reviewed Changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll | Adds ReferenceContent to taint flow logic alongside ElementContent |
| rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.ql | Removes allowImplicitRead predicate that is now handled globally |
| rust/ql/test/query-tests/security/CWE-825/main.rs | Updates test annotations and reformats code |
| rust/ql/test/query-tests/security/CWE-825/AccessAfterLifetime.expected | Updates expected test results with new taint flow paths |
| rust/ql/test/query-tests/security/CWE-022/TaintedPath.expected | Updates expected results to include additional taint edges |
| rust/ql/test/library-tests/dataflow/strings/inline-taint-flow.expected | Updates model numbering and flow expectations |
paldepind
approved these changes
Sep 2, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR lifts data flow read-steps of
ReferenceContentto taint steps, in the same way that we already do forElementContent. The motivation is the same: If a reference is a taint source, then it should be safe to assume that the data pointed to is tainted as well (as opposed to just the reference itself).DCA looks fine.