Rust: Split boolean from number barriers

Author: paldepind

rust/ql/lib/codeql/rust/security/Barriers.qll

@@ -1,5 +1,5 @@
 /**
- * Classes to represent barriers commonly used in dataflow and taint tracking
+ * Classes to represent barriers commonly used in data flow and taint tracking
  * configurations.
  */
 
@@ -11,35 +11,26 @@ private import codeql.rust.controlflow.ControlFlowGraph as Cfg
 private import codeql.rust.controlflow.CfgNodes as CfgNodes
 private import codeql.rust.frameworks.stdlib.Builtins as Builtins
 
-/**
- * A node whose type is a numeric or boolean type, which may be an appropriate
- * taint flow barrier for some queries.
- */
+/** A node whose type is a numeric. */
 class NumericTypeBarrier extends DataFlow::Node {
   NumericTypeBarrier() {
-    exists(StructType t, Struct s |
-      t = TypeInference::inferType(this.asExpr()) and
-      s = t.getStruct()
-    |
-      s instanceof Builtins::NumericType or
-      s instanceof Builtins::Bool
-    )
+    TypeInference::inferType(this.asExpr()).(StructType).getStruct() instanceof
+      Builtins::NumericType
   }
 }
 
-/**
- * A node whose type is an integral (integer) or boolean type, which may be an
- * appropriate taint flow barrier for some queries.
- */
-class IntegralOrBooleanTypeBarrier extends DataFlow::Node {
-  IntegralOrBooleanTypeBarrier() {
-    exists(StructType t, Struct s |
-      t = TypeInference::inferType(this.asExpr()) and
-      s = t.getStruct()
-    |
-      s instanceof Builtins::IntegralType or
-      s instanceof Builtins::Bool
-    )
+/** A node whose type is `bool`. */
+class BooleanTypeBarrier extends DataFlow::Node {
+  BooleanTypeBarrier() {
+    TypeInference::inferType(this.asExpr()).(StructType).getStruct() instanceof Builtins::Bool
+  }
+}
+
+/** A node whose type is an integral (integer). */
+class IntegralTypeBarrier extends DataFlow::Node {
+  IntegralTypeBarrier() {
+    TypeInference::inferType(this.asExpr()).(StructType).getStruct() instanceof
+      Builtins::IntegralType
   }
 }
 

rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll

@@ -49,4 +49,6 @@ module LogInjection {
    * numeric or boolean type, which is unlikely to expose any vulnerability.
    */
   private class NumericTypeBarrier extends Barrier instanceof Barriers::NumericTypeBarrier { }
+
+  private class BooleanTypeBarrier extends Barrier instanceof Barriers::BooleanTypeBarrier { }
 }

rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll

@@ -64,4 +64,6 @@ module SqlInjection {
    * boolean type, which is unlikely to expose any vulnerability.
    */
   private class NumericTypeBarrier extends Barrier instanceof Barriers::NumericTypeBarrier { }
+
+  private class BooleanTypeBarrier extends Barrier instanceof Barriers::BooleanTypeBarrier { }
 }

rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll

@@ -94,6 +94,7 @@ module RegexInjection {
    * We don't include floating point types in this barrier, as `.` is a special character
    * in regular expressions.
    */
-  private class IntegralOrBooleanTypeBarrier extends Barrier instanceof Barriers::IntegralOrBooleanTypeBarrier
-  { }
+  private class IntegralTypeBarrier extends Barrier instanceof Barriers::IntegralTypeBarrier { }
+
+  private class BooleanTypeBarrier extends Barrier instanceof Barriers::BooleanTypeBarrier { }
 }