Rust: Account for trait visibility when resolving paths and methods

paldepind · paldepind · commit e6328650fb5b · 2025-08-29T15:23:03.000+02:00
diff --git a/rust/ql/lib/codeql/rust/internal/PathResolution.qll b/rust/ql/lib/codeql/rust/internal/PathResolution.qll
@@ -216,7 +216,7 @@ abstract class ItemNode extends Locatable {
     // items made available through `use` are available to nodes that contain the `use`
     exists(UseItemNode use |
       use = this.getASuccessor(_, _) and
-      result = use.(ItemNode).getASuccessor(name, kind)
+      result = use.getASuccessor(name, kind)
     )
     or
     exists(ExternCrateItemNode ec | result = ec.(ItemNode).getASuccessor(name, kind) |
@@ -1311,6 +1311,7 @@ private predicate declares(ItemNode item, Namespace ns, string name) {
 class RelevantPath extends Path {
   RelevantPath() { not this = any(VariableAccess va).(PathExpr).getPath() }
 
+  /** Holds if this is an unqualified path with the textual value `name`. */
   pragma[nomagic]
   predicate isUnqualified(string name) {
     not exists(this.getQualifier()) and
@@ -1421,6 +1422,12 @@ private ItemNode unqualifiedPathLookup(RelevantPath p, Namespace ns, SuccessorKi
 pragma[nomagic]
 private predicate isUnqualifiedSelfPath(RelevantPath path) { path.isUnqualified("Self") }
 
+/** Holds if the trait `trait` is visible at the element `element`. */
+bindingset[element, trait]
+predicate traitIsVisible(Element element, TraitItemNode trait) {
+  exists(ItemNode encl | encl.getADescendant*() = element and trait = encl.getASuccessor(_, _))
+}
+
 pragma[nomagic]
 private ItemNode resolvePathCand0(RelevantPath path, Namespace ns) {
   exists(ItemNode res |
@@ -1447,7 +1454,15 @@ private ItemNode resolvePathCandQualifier(RelevantPath qualifier, RelevantPath p
 }
 
 pragma[nomagic]
-private ItemNode resolvePathCandQualified(
+private TraitItemNode assocItemImplementsTrait(AssocItemNode assoc) {
+  exists(ImplItemNodeImpl impl |
+    impl.getAnAssocItem() = assoc and
+    result = impl.resolveTraitTyCand()
+  )
+}
+
+pragma[nomagic]
+private ItemNode resolvePathCandQualified0(
   RelevantPath qualifier, ItemNode q, RelevantPath path, Namespace ns
 ) {
   exists(string name, SuccessorKind kind |
@@ -1457,6 +1472,20 @@ private ItemNode resolvePathCandQualified(
   )
 }
 
+pragma[nomagic]
+private ItemNode resolvePathCandQualified(
+  RelevantPath qualifier, ItemNode q, RelevantPath path, Namespace ns
+) {
+  result = resolvePathCandQualified0(qualifier, q, path, ns) and
+  (
+    // When the result is an associated item of a trait implementation the
+    // implemented trait must be visible.
+    traitIsVisible(path, assocItemImplementsTrait(pragma[only_bind_out](result)))
+    or
+    not exists(ImplItemNode impl | impl.getAnAssocItem() = result and impl.(Impl).hasTrait())
+  )
+}
+
 /** Holds if path `p` must be looked up in namespace `n`. */
 private predicate pathUsesNamespace(Path p, Namespace n) {
   n.isValue() and
@@ -1606,8 +1635,16 @@ private predicate useImportEdge(Use use, string name, ItemNode item, SuccessorKi
         not tree.hasRename() and
         name = item.getName()
         or
-        name = tree.getRename().getName().getText() and
-        name != "_"
+        exists(Rename rename | rename = tree.getRename() |
+          name = rename.getName().getText()
+          or
+          // When the rename doesn't have a name it's an underscore import. This
+          // makes the imported item visible but unnameable. We represent this
+          // by using the name `_` which can never occur in a path.  See also:
+          // https://doc.rust-lang.org/reference/items/use-declarations.html#r-items.use.as-underscore
+          not rename.hasName() and
+          name = "_"
+        )
       )
     )
   )
@@ -1693,7 +1730,7 @@ private module Debug {
     useImportEdge(use, name, item, kind)
   }
 
-  ItemNode debuggetASuccessor(ItemNode i, string name, SuccessorKind kind) {
+  ItemNode debugGetASuccessor(ItemNode i, string name, SuccessorKind kind) {
     i = getRelevantLocatable() and
     result = i.getASuccessor(name, kind)
   }
diff --git a/rust/ql/lib/codeql/rust/internal/TypeInference.qll b/rust/ql/lib/codeql/rust/internal/TypeInference.qll
@@ -1891,7 +1891,7 @@ private predicate methodCandidate(Type type, string name, int arity, Impl impl)
  */
 pragma[nomagic]
 private predicate methodCandidateTrait(Type type, Trait trait, string name, int arity, Impl impl) {
-  trait = resolvePath(impl.(ImplItemNode).getTraitPath()) and
+  trait = impl.(ImplItemNode).resolveTraitTy() and
   methodCandidate(type, name, arity, impl)
 }
 
@@ -1912,7 +1912,12 @@ private module IsInstantiationOfInput implements IsInstantiationOfInputSig<Metho
       methodCandidateTrait(rootType, mc.getTrait(), name, arity, impl)
       or
       not exists(mc.getTrait()) and
-      methodCandidate(rootType, name, arity, impl)
+      methodCandidate(rootType, name, arity, impl) and
+      (
+        traitIsVisible(mc, impl.(ImplItemNode).resolveTraitTy())
+        or
+        not exists(impl.(ImplItemNode).resolveTraitTy())
+      )
     )
   }
 
diff --git a/rust/ql/test/library-tests/dataflow/sources/CONSISTENCY/PathResolutionConsistency.expected b/rust/ql/test/library-tests/dataflow/sources/CONSISTENCY/PathResolutionConsistency.expected
@@ -11,11 +11,8 @@ multipleCallTargets
 | test.rs:179:30:179:68 | ...::_print(...) |
 | test.rs:188:26:188:105 | ...::_print(...) |
 | test.rs:229:22:229:72 | ... .read_to_string(...) |
-| test.rs:513:22:513:50 | file.read_to_end(...) |
-| test.rs:519:22:519:53 | file.read_to_string(...) |
 | test.rs:697:18:697:38 | ...::_print(...) |
 | test.rs:702:18:702:45 | ...::_print(...) |
-| test.rs:706:25:706:49 | address.to_socket_addrs() |
 | test.rs:720:38:720:42 | ...::_print(...) |
 | test.rs:724:38:724:54 | ...::_print(...) |
 | test.rs:729:38:729:51 | ...::_print(...) |
@@ -76,12 +73,6 @@ multipleCallTargets
 | test.rs:977:14:977:29 | ...::_print(...) |
 | test.rs:979:27:979:36 | ...::_print(...) |
 | test.rs:980:28:980:41 | ...::_print(...) |
-| test_futures_io.rs:35:26:35:63 | pinned.poll_read(...) |
-| test_futures_io.rs:62:22:62:50 | pinned.poll_fill_buf(...) |
-| test_futures_io.rs:69:23:69:67 | ... .poll_fill_buf(...) |
-| test_futures_io.rs:93:26:93:63 | pinned.poll_read(...) |
-| test_futures_io.rs:116:22:116:50 | pinned.poll_fill_buf(...) |
-| test_futures_io.rs:145:26:145:49 | ...::with_capacity(...) |
 | web_frameworks.rs:13:14:13:22 | a.as_str() |
 | web_frameworks.rs:13:14:13:23 | a.as_str() |
 | web_frameworks.rs:14:14:14:24 | a.as_bytes() |
diff --git a/rust/ql/test/library-tests/path-resolution/CONSISTENCY/PathResolutionConsistency.expected b/rust/ql/test/library-tests/path-resolution/CONSISTENCY/PathResolutionConsistency.expected
@@ -1,6 +1,3 @@
 multipleCallTargets
 | main.rs:118:9:118:11 | f(...) |
-| main.rs:494:13:494:27 | ...::a_method(...) |
-| main.rs:498:13:498:27 | ...::a_method(...) |
-| main.rs:502:13:502:27 | ...::a_method(...) |
 | proc_macro.rs:9:5:9:10 | ...::new(...) |
diff --git a/rust/ql/test/library-tests/path-resolution/main.rs b/rust/ql/test/library-tests/path-resolution/main.rs
@@ -491,15 +491,15 @@ mod trait_visibility {
         let x = X; // $ item=X
         {
             use m::Foo; // $ item=Foo
-            X::a_method(&x); // $ item=X_Foo::a_method SPURIOUS: item=X_Bar::a_method
+            X::a_method(&x); // $ item=X_Foo::a_method
         }
         {
             use m::Bar; // $ item=Bar
-            X::a_method(&x); // $ item=X_Bar::a_method SPURIOUS: item=X_Foo::a_method
+            X::a_method(&x); // $ item=X_Bar::a_method
         }
         {
             use m::Bar as _; // $ item=Bar
-            X::a_method(&x); // $ item=X_Bar::a_method SPURIOUS: item=X_Foo::a_method
+            X::a_method(&x); // $ item=X_Bar::a_method
         }
     } // trait_visibility::f
 }
diff --git a/rust/ql/test/library-tests/path-resolution/path-resolution.expected b/rust/ql/test/library-tests/path-resolution/path-resolution.expected
@@ -236,16 +236,13 @@ resolvePath
 | main.rs:493:17:493:22 | ...::Foo | main.rs:465:9:467:9 | trait Foo |
 | main.rs:494:13:494:13 | X | main.rs:473:9:473:21 | struct X |
 | main.rs:494:13:494:23 | ...::a_method | main.rs:475:26:478:13 | fn a_method |
-| main.rs:494:13:494:23 | ...::a_method | main.rs:481:26:484:13 | fn a_method |
 | main.rs:497:17:497:17 | m | main.rs:464:5:486:5 | mod m |
 | main.rs:497:17:497:22 | ...::Bar | main.rs:469:9:471:9 | trait Bar |
 | main.rs:498:13:498:13 | X | main.rs:473:9:473:21 | struct X |
-| main.rs:498:13:498:23 | ...::a_method | main.rs:475:26:478:13 | fn a_method |
 | main.rs:498:13:498:23 | ...::a_method | main.rs:481:26:484:13 | fn a_method |
 | main.rs:501:17:501:17 | m | main.rs:464:5:486:5 | mod m |
 | main.rs:501:17:501:22 | ...::Bar | main.rs:469:9:471:9 | trait Bar |
 | main.rs:502:13:502:13 | X | main.rs:473:9:473:21 | struct X |
-| main.rs:502:13:502:23 | ...::a_method | main.rs:475:26:478:13 | fn a_method |
 | main.rs:502:13:502:23 | ...::a_method | main.rs:481:26:484:13 | fn a_method |
 | main.rs:515:10:515:16 | MyTrait | main.rs:508:5:510:5 | trait MyTrait |
 | main.rs:516:9:516:9 | S | main.rs:512:5:512:13 | struct S |
diff --git a/rust/ql/test/library-tests/type-inference/CONSISTENCY/PathResolutionConsistency.expected b/rust/ql/test/library-tests/type-inference/CONSISTENCY/PathResolutionConsistency.expected
@@ -1,8 +1,5 @@
 multipleCallTargets
 | dereference.rs:61:15:61:24 | e1.deref() |
-| main.rs:153:13:153:24 | x.a_method() |
-| main.rs:157:13:157:24 | x.a_method() |
-| main.rs:161:13:161:24 | x.a_method() |
 | main.rs:2357:13:2357:31 | ...::from(...) |
 | main.rs:2358:13:2358:31 | ...::from(...) |
 | main.rs:2359:13:2359:31 | ...::from(...) |
diff --git a/rust/ql/test/library-tests/type-inference/main.rs b/rust/ql/test/library-tests/type-inference/main.rs
@@ -150,15 +150,15 @@ mod trait_visibility {
         let x = X;
         {
             use m::Foo;
-            x.a_method(); // $ target=Foo::a_method SPURIOUS: target=Bar::a_method
+            x.a_method(); // $ target=Foo::a_method
         }
         {
             use m::Bar;
-            x.a_method(); // $ target=Bar::a_method SPURIOUS: target=Foo::a_method
+            x.a_method(); // $ target=Bar::a_method
         }
         {
             use m::Bar as _;
-            x.a_method(); // $ target=Bar::a_method SPURIOUS: target=Foo::a_method
+            x.a_method(); // $ target=Bar::a_method
         }
         {
             use m::Bar;
diff --git a/rust/ql/test/query-tests/security/CWE-117/CONSISTENCY/PathResolutionConsistency.expected b/rust/ql/test/query-tests/security/CWE-117/CONSISTENCY/PathResolutionConsistency.expected
@@ -1,3 +1,2 @@
 multipleCallTargets
 | main.rs:9:43:9:63 | ...::from(...) |
-| main.rs:44:19:44:32 | username.len() |
diff --git a/rust/ql/test/query-tests/security/CWE-312/CONSISTENCY/PathResolutionConsistency.expected b/rust/ql/test/query-tests/security/CWE-312/CONSISTENCY/PathResolutionConsistency.expected
@@ -72,7 +72,6 @@ multipleCallTargets
 | test_logging.rs:195:15:195:38 | ...::_eprint(...) |
 | test_logging.rs:229:30:229:71 | ... .as_str() |
 | test_logging.rs:242:16:242:61 | ... .as_bytes() |
-| test_logging.rs:243:5:245:66 | ... .write_all(...) |
 | test_logging.rs:245:20:245:65 | ... .as_bytes() |
 | test_logging.rs:248:15:248:60 | ... .as_bytes() |
 | test_logging.rs:251:15:251:60 | ... .as_bytes() |
diff --git a/rust/ql/test/query-tests/security/CWE-770/CONSISTENCY/PathResolutionConsistency.expected b/rust/ql/test/query-tests/security/CWE-770/CONSISTENCY/PathResolutionConsistency.expected

Original file line number	Diff line number	Diff line change
`@@ -491,15 +491,15 @@ mod trait_visibility {`
`491`	`491`	`let x = X; // $ item=X`
`492`	`492`	`{`
`493`	`493`	`use m::Foo; // $ item=Foo`
`494`		`- X::a_method(&x); // $ item=X_Foo::a_method SPURIOUS: item=X_Bar::a_method`
	`494`	`+ X::a_method(&x); // $ item=X_Foo::a_method`
`495`	`495`	`}`
`496`	`496`	`{`
`497`	`497`	`use m::Bar; // $ item=Bar`
`498`		`- X::a_method(&x); // $ item=X_Bar::a_method SPURIOUS: item=X_Foo::a_method`
	`498`	`+ X::a_method(&x); // $ item=X_Bar::a_method`
`499`	`499`	`}`
`500`	`500`	`{`
`501`	`501`	`use m::Bar as _; // $ item=Bar`
`502`		`- X::a_method(&x); // $ item=X_Bar::a_method SPURIOUS: item=X_Foo::a_method`
	`502`	`+ X::a_method(&x); // $ item=X_Bar::a_method`
`503`	`503`	`}`
`504`	`504`	`} // trait_visibility::f`
`505`	`505`	`}`
Original file line number	Diff line number	Diff line change
`@@ -150,15 +150,15 @@ mod trait_visibility {`
`150`	`150`	`let x = X;`
`151`	`151`	`{`
`152`	`152`	`use m::Foo;`
`153`		`- x.a_method(); // $ target=Foo::a_method SPURIOUS: target=Bar::a_method`
	`153`	`+ x.a_method(); // $ target=Foo::a_method`
`154`	`154`	`}`
`155`	`155`	`{`
`156`	`156`	`use m::Bar;`
`157`		`- x.a_method(); // $ target=Bar::a_method SPURIOUS: target=Foo::a_method`
	`157`	`+ x.a_method(); // $ target=Bar::a_method`
`158`	`158`	`}`
`159`	`159`	`{`
`160`	`160`	`use m::Bar as _;`
`161`		`- x.a_method(); // $ target=Bar::a_method SPURIOUS: target=Foo::a_method`
	`161`	`+ x.a_method(); // $ target=Bar::a_method`
`162`	`162`	`}`
`163`	`163`	`{`
`164`	`164`	`use m::Bar;`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,2 @@`
`1`	`1`	`multipleCallTargets`
`2`	`2`	`\| main.rs:9:43:9:63 \| ...::from(...) \|`
`3`		`-\| main.rs:44:19:44:32 \| username.len() \|`