Rust: Add extensible predicate to exclude fields and block fieldless enum types

paldepind · paldepind · commit 89d736dfbb53 · 2025-11-26T13:09:41.000+01:00
diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll
@@ -11,6 +11,19 @@ private import codeql.rust.internal.TypeInference as TypeInference
 private import codeql.rust.internal.Type as Type
 private import codeql.rust.frameworks.stdlib.Builtins as Builtins
 
+/**
+ * Holds if the field `field` should, by default, be excluded from taint steps.
+ * The syntax used to denote field is the same as `Field` for models as data.
+ */
+extensible predicate excludeFieldTaintStep(string field);
+
+private predicate excludedTaintStepContent(Content c) {
+  exists(string arg | excludeFieldTaintStep(arg) |
+    FlowSummaryImpl::encodeContentStructField(c, arg) or
+    FlowSummaryImpl::encodeContentTupleField(c, arg)
+  )
+}
+
 module RustTaintTracking implements InputSig<Location, RustDataFlow> {
   predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
 
@@ -48,13 +61,17 @@ module RustTaintTracking implements InputSig<Location, RustDataFlow> {
       // taint is propagated. We limit this to not apply if the type of the
       // operation is a small primitive type as these are often uninteresting
       // (for instance in the case of an injection query).
-      RustDataFlow::readContentStep(pred, _, succ) and
-      not exists(Struct s |
-        s = TypeInference::inferType(succ.asExpr()).(Type::StructType).getStruct()
-      |
-        s instanceof Builtins::NumericType or
-        s instanceof Builtins::Bool or
-        s instanceof Builtins::Char
+      exists(Content c |
+        RustDataFlow::readContentStep(pred, c, succ) and
+        forex(Type::Type t | t = TypeInference::inferType(succ.asExpr()) |
+          not exists(Struct s | s = t.(Type::StructType).getStruct() |
+            s instanceof Builtins::NumericType or
+            s instanceof Builtins::Bool or
+            s instanceof Builtins::Char
+          )
+        ) and
+        not excludedTaintStepContent(c) and
+        not TypeInference::inferType(succ.asExpr()).(Type::EnumType).getEnum().isFieldless()
       )
       or
       // Let all read steps (including those from flow summaries and those that
diff --git a/rust/ql/lib/codeql/rust/internal/Type.qll b/rust/ql/lib/codeql/rust/internal/Type.qll
@@ -140,6 +140,8 @@ class EnumType extends Type, TEnum {
 
   EnumType() { this = TEnum(enum) }
 
+  Enum getEnum() { result = enum }
+
   override TypeParameter getPositionalTypeParameter(int i) {
     result = TTypeParamTypeParameter(enum.getGenericParamList().getTypeParam(i))
   }

Original file line number	Diff line number	Diff line change
`@@ -140,6 +140,8 @@ class EnumType extends Type, TEnum {`
`140`	`140`
`141`	`141`	`EnumType() { this = TEnum(enum) }`
`142`	`142`
	`143`	`+ Enum getEnum() { result = enum }`
	`144`	`+`
`143`	`145`	`override TypeParameter getPositionalTypeParameter(int i) {`
`144`	`146`	`result = TTypeParamTypeParameter(enum.getGenericParamList().getTypeParam(i))`
`145`	`147`	`}`