Rust, shared: Support Parameter in source MaD models

cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll

@@ -104,7 +104,9 @@ private module StepsInput implements Impl::Private::StepsInputSig {
     result.getStaticCallTarget().getUnderlyingCallable() = sc
   }
 
-  Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponent sc) { none() }
+  DataFlowCallable getSourceNodeEnclosingCallable(Input::SourceBase source) { none() }
+
+  Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponentStack s) { none() }
 
   Node getSinkNode(Input::SinkBase sink, Impl::Private::SummaryComponent sc) { none() }
 }

csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll

@@ -183,7 +183,7 @@ private module TypesInput implements Impl::Private::TypesInputSig {
     )
   }
 
-  DataFlowType getSourceType(Input::SourceBase source, Impl::Private::SummaryComponent sc) {
+  DataFlowType getSourceType(Input::SourceBase source, Impl::Private::SummaryComponentStack s) {
     none()
   }
 
@@ -195,7 +195,9 @@ private module StepsInput implements Impl::Private::StepsInputSig {
     sc = viableCallable(result).asSummarizedCallable()
   }
 
-  Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponent sc) { none() }
+  DataFlowCallable getSourceNodeEnclosingCallable(Input::SourceBase source) { none() }
+
+  Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponentStack s) { none() }
 
   Node getSinkNode(Input::SinkBase sink, Impl::Private::SummaryComponent sc) { none() }
 }

go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll

@@ -117,7 +117,9 @@ private module StepsInput implements Impl::Private::StepsInputSig {
     )
   }
 
-  Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponent sc) { none() }
+  DataFlowCallable getSourceNodeEnclosingCallable(Input::SourceBase source) { none() }
+
+  Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponentStack s) { none() }
 
   Node getSinkNode(Input::SinkBase sink, Impl::Private::SummaryComponent sc) { none() }
 }

java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll

@@ -132,7 +132,7 @@ private module TypesInput implements Impl::Private::TypesInputSig {
     exists(rk)
   }
 
-  DataFlowType getSourceType(Input::SourceBase source, Impl::Private::SummaryComponent sc) {
+  DataFlowType getSourceType(Input::SourceBase source, Impl::Private::SummaryComponentStack s) {
     none()
   }
 
@@ -144,7 +144,9 @@ private module StepsInput implements Impl::Private::StepsInputSig {
     sc = viableCallable(result).asSummarizedCallable()
   }
 
-  Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponent sc) { none() }
+  DataFlowCallable getSourceNodeEnclosingCallable(Input::SourceBase source) { none() }
+
+  Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponentStack s) { none() }
 
   Node getSinkNode(Input::SinkBase sink, Impl::Private::SummaryComponent sc) { none() }
 }

javascript/ql/lib/semmle/javascript/dataflow/internal/FlowSummaryPrivate.qll

@@ -150,7 +150,9 @@ private module FlowSummaryStepInput implements Private::StepsInputSig {
     )
   }
 
-  DataFlow::Node getSourceNode(SourceBase source, Private::SummaryComponent sc) { none() }
+  DataFlowCallable getSourceNodeEnclosingCallable(SourceBase source) { none() }
+
+  DataFlow::Node getSourceNode(SourceBase source, Private::SummaryComponentStack s) { none() }
 
   DataFlow::Node getSinkNode(SinkBase sink, Private::SummaryComponent sc) { none() }
 }

python/ql/lib/semmle/python/dataflow/new/internal/FlowSummaryImpl.qll

@@ -105,7 +105,9 @@ private module StepsInput implements Impl::Private::StepsInputSig {
         ])
   }
 
-  Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponent sc) { none() }
+  DataFlowCallable getSourceNodeEnclosingCallable(Input::SourceBase source) { none() }
+
+  Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponentStack s) { none() }
 
   Node getSinkNode(Input::SinkBase sink, Impl::Private::SummaryComponent sc) { none() }
 }

ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll

@@ -161,7 +161,9 @@ private module StepsInput implements Impl::Private::StepsInputSig {
     result.asCall().getAstNode() = sc.(LibraryCallable).getACallSimple()
   }
 
-  Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponent sc) { none() }
+  DataFlowCallable getSourceNodeEnclosingCallable(Input::SourceBase source) { none() }
+
+  Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponentStack s) { none() }
 
   Node getSinkNode(Input::SinkBase sink, Impl::Private::SummaryComponent sc) { none() }
 }

rust/ql/lib/change-notes/2025-09-19-parameter-mad.md

@@ -0,0 +1,7 @@
+---
+category: feature
+---
+* The models-as-data format for sources now supports access paths of the form
+  `Argument[i].Parameter[j]`. This denotes that the source passes tainted data to
+  the `j`th parameter of it's `i`th argument (which must be a function or a
+  closure).

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll

@@ -508,7 +508,8 @@ module RustDataFlow implements InputSig<Location> {
    */
   predicate jumpStep(Node node1, Node node2) {
     FlowSummaryImpl::Private::Steps::summaryJumpStep(node1.(FlowSummaryNode).getSummaryNode(),
-      node2.(FlowSummaryNode).getSummaryNode())
+      node2.(FlowSummaryNode).getSummaryNode()) or
+    FlowSummaryImpl::Private::Steps::sourceJumpStep(node1.(FlowSummaryNode).getSummaryNode(), node2)
   }
 
   pragma[nomagic]

rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll

@@ -6,7 +6,10 @@ private import rust
 private import codeql.dataflow.internal.FlowSummaryImpl
 private import codeql.dataflow.internal.AccessPathSyntax as AccessPath
 private import codeql.rust.dataflow.internal.DataFlowImpl
+private import codeql.rust.internal.PathResolution
 private import codeql.rust.dataflow.FlowSummary
+private import codeql.rust.dataflow.Ssa
+private import codeql.rust.controlflow.CfgNodes
 private import Content
 
 module Input implements InputSig<Location, RustDataFlow> {
@@ -133,16 +136,44 @@ private module StepsInput implements Impl::Private::StepsInputSig {
     result.asCallCfgNode().getCall().getStaticTarget() = sc
   }
 
-  RustDataFlow::Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponent sc) {
-    sc = Impl::Private::SummaryComponent::return(_) and
+  /** Gets the argument of `source` described by `sc`, if any. */
+  private Expr getSourceNodeArgument(Input::SourceBase source, Impl::Private::SummaryComponent sc) {
+    exists(ArgumentPosition pos |
+      sc = Impl::Private::SummaryComponent::argument(pos) and
+      result = pos.getArgument(source.getCall())
+    )
+  }
+
+  /** Get the callable that `expr` refers to. */
+  private Callable getCallable(Expr expr) {
+    result = resolvePath(expr.(PathExpr).getPath()).(Function)
+    or
+    result = expr.(ClosureExpr)
+    or
+    // The expression is an SSA read of an assignment of a closure
+    exists(Ssa::Definition def, ExprCfgNode value |
+      def.getARead().getAstNode() = expr and
+      def.getAnUltimateDefinition().(Ssa::WriteDefinition).assigns(value) and
+      result = value.getExpr().(ClosureExpr)
+    )
+  }
+
+  RustDataFlow::DataFlowCallable getSourceNodeEnclosingCallable(Input::SourceBase source) {
+    result.asCfgScope() = source.getEnclosingCfgScope()
+  }
+
+  RustDataFlow::Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponentStack s) {
+    s.head() = Impl::Private::SummaryComponent::return(_) and
     result.asExpr().getExpr() = source.getCall()
     or
-    exists(CallExprBase call, Expr arg, ArgumentPosition pos |
-      result.(RustDataFlow::PostUpdateNode).getPreUpdateNode().asExpr().getExpr() = arg and
-      sc = Impl::Private::SummaryComponent::argument(pos) and
-      call = source.getCall() and
-      arg = pos.getArgument(call)
+    exists(ArgumentPosition pos, Expr arg |
+      s.head() = Impl::Private::SummaryComponent::parameter(pos) and
+      arg = getSourceNodeArgument(source, s.tail().head()) and
+      result.asParameter() = getCallable(arg).getParam(pos.getPosition())
     )
+    or
+    result.(RustDataFlow::PostUpdateNode).getPreUpdateNode().asExpr().getExpr() =
+      getSourceNodeArgument(source, s.head())
   }
 
   RustDataFlow::Node getSinkNode(Input::SinkBase sink, Impl::Private::SummaryComponent sc) {

rust/ql/lib/utils/test/InlineFlowTest.qll

@@ -34,10 +34,9 @@ private module FlowTestImpl implements InputSig<Location, RustDataFlow> {
     result = src.asExpr().(CallExprCfgNode).getArgument(0).toString()
     or
     sourceNode(src, _) and
-    exists(CallExprBase call |
-      call = src.(Node::FlowSummaryNode).getSourceElement().getCall() and
-      result = call.getArgList().getArg(0).toString()
-    )
+    result = src.(Node::FlowSummaryNode).getSourceElement().getCall().getArg(0).toString() and
+    // Don't use the result if it contains spaces
+    not result.matches("% %")
   }
 
   bindingset[src, sink]

rust/ql/test/library-tests/dataflow/models/CONSISTENCY/PathResolutionConsistency.expected

@@ -1,2 +1,2 @@
 multipleCallTargets
-| main.rs:362:14:362:30 | ... .lt(...) |
+| main.rs:389:14:389:30 | ... .lt(...) |

rust/ql/test/library-tests/dataflow/models/main.rs

@@ -249,6 +249,33 @@ fn test_enum_method_source() {
     }
 }
 
+mod source_into_function {
+    use super::sink;
+
+    // has a source model
+    fn pass_source<A>(_i: i64, f: impl FnOnce(i64) -> A) -> A {
+        f(42)
+    }
+
+    fn test_source_into_function() {
+        let a = |a| sink(a); // $ hasValueFlow=1
+        pass_source(1, a);
+
+        pass_source(2, |a| {
+            sink(a); // $ hasValueFlow=2
+        });
+
+        fn f(a: i64) {
+            sink(a) // $ hasValueFlow=3
+        }
+        pass_source(3, f);
+
+        pass_source(4, async move |a| {
+            sink(a); // $ hasValueFlow=4
+        });
+    }
+}
+
 // has a sink model
 fn enum_sink(e: MyFieldEnum) {}