Skip to content

Rust: Also lift read steps in summaries as taint steps #21122

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
hvitved merged 1 commit into from
Jan 9, 2026
Merged

Rust: Also lift read steps in summaries as taint steps #21122

hvitved merged 1 commit into from
Jan 9, 2026

Conversation

@hvitved
Copy link
Contributor

@hvitved hvitved commented Jan 8, 2026
edited
Loading

Does what the title says.

DCA looks good: A good number of new alerts, and no performance regressions.

@github-actions github-actions bot added documentation Rust Pull requests that update Rust code labels Jan 8, 2026
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 8, 2026
View reviewed changes
rust/ql/lib/codeql/rust/dataflow/internal/Node.qll
}

private class ImplicitDerefOutNode extends ImplicitDerefNode, OutNode {
private DataFlowCall call;

Check warning

Code scanning / CodeQL

Dead code Warning

This code is never used, and it's not publicly exported.
rust/ql/lib/codeql/rust/internal/TypeInference.qll
bindingset[derefChain, borrow, strippedTypePath, strippedType]
private predicate hasNoCompatibleNonBlanketLikeTargetCheck(
string derefChain, BorrowKind borrow, TypePath strippedTypePath, Type strippedType
DerefChain derefChain, BorrowKind borrow, TypePath strippedTypePath, Type strippedType

Check warning

Code scanning / CodeQL

Missing QLDoc for parameter Warning

The QLDoc has no documentation for borrow, or derefChain, or path, but the QLDoc mentions unknown
@hvitved hvitved force-pushed the rust/summary-read-taint-step branch from 67a4cff to c1533de Compare January 8, 2026 10:03
@hvitved hvitved force-pushed the rust/summary-read-taint-step branch from c1533de to 209ee92 Compare January 9, 2026 11:14
@hvitved hvitved added the no-change-note-required This PR does not need a change note label Jan 9, 2026
@hvitved hvitved marked this pull request as ready for review January 9, 2026 13:33
@hvitved hvitved requested a review from a team as a code owner January 9, 2026 13:33
@hvitved hvitved requested review from Copilot and paldepind January 9, 2026 13:33
Copilot AI reviewed Jan 9, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR generalizes taint propagation through read steps in Rust data flow analysis. Previously, only element and reference content would propagate taint through all read steps (including flow summaries). Now, all content types participate in taint propagation through read steps, unless explicitly excluded.

Key changes:

  • Simplified taint tracking logic to treat all read steps uniformly
  • Enables flow summaries to properly participate in taint propagation for all content types
  • Fixes previously missing taint flows through operations like .clone().into_string().unwrap() and .lines().nth(1).unwrap().clone()

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.

Show a summary per file
File Description
rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll Simplified taint step logic to apply to all read steps rather than just element/reference content
rust/ql/test/query-tests/security/CWE-798/HardcodedCryptographicValue.expected Updated test expectations with new flow summaries (MaD 18-22) for Vec::from conversions
rust/ql/test/query-tests/security/CWE-022/TaintedPath.expected Added new taint edges for PathBuf conversions through field reads
rust/ql/test/library-tests/dataflow/strings/inline-taint-flow.expected Updated with new String::from flow summaries and renumbered existing models
rust/ql/test/library-tests/dataflow/sources/stdin/test.rs Removed MISSING marker - taint flow now properly detected through .clone()
rust/ql/test/library-tests/dataflow/sources/stdin/InlineFlow.expected Added new edges for clone and nth operations, new models for these operations
rust/ql/test/library-tests/dataflow/sources/file/test.rs Removed MISSING marker - taint flow now detected through .into_string().unwrap()
rust/ql/test/library-tests/dataflow/sources/file/InlineFlow.expected Added new OsString::into_string flow summary
rust/ql/test/library-tests/dataflow/modeled/inline-flow.expected Added new Pin::new flow summary and updated model numbering

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

paldepind
paldepind approved these changes Jan 9, 2026
View reviewed changes
Copy link
Contributor

@paldepind paldepind left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, thanks!

@hvitved hvitved merged commit 636bbe3 into github:main Jan 9, 2026
28 checks passed
@hvitved hvitved deleted the rust/summary-read-taint-step branch January 9, 2026 13:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@paldepind paldepind paldepind approved these changes

Assignees

No one assigned

Labels

no-change-note-required This PR does not need a change note Rust Pull requests that update Rust code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@hvitved @paldepind