Merge pull request #20921 from paldepind/rust/barrier-tweaks

paldepind · web-flow · commit 8b3267947533 · 2025-11-27T08:56:04.000+01:00
Rust: Tweaks and improvements to data flow barriers
diff --git a/rust/ql/lib/codeql/rust/internal/Type.qll b/rust/ql/lib/codeql/rust/internal/Type.qll
@@ -140,6 +140,9 @@ class EnumType extends Type, TEnum {
 
   EnumType() { this = TEnum(enum) }
 
+  /** Gets the enum that this enum type represents. */
+  Enum getEnum() { result = enum }
+
   override TypeParameter getPositionalTypeParameter(int i) {
     result = TTypeParamTypeParameter(enum.getGenericParamList().getTypeParam(i))
   }
diff --git a/rust/ql/lib/codeql/rust/security/Barriers.qll b/rust/ql/lib/codeql/rust/security/Barriers.qll
@@ -1,5 +1,5 @@
 /**
- * Classes to represent barriers commonly used in dataflow and taint tracking
+ * Classes to represent barriers commonly used in data flow and taint tracking
  * configurations.
  */
 
@@ -11,35 +11,33 @@ private import codeql.rust.controlflow.ControlFlowGraph as Cfg
 private import codeql.rust.controlflow.CfgNodes as CfgNodes
 private import codeql.rust.frameworks.stdlib.Builtins as Builtins
 
-/**
- * A node whose type is a numeric or boolean type, which may be an appropriate
- * taint flow barrier for some queries.
- */
+/** A node whose type is a numeric type. */
 class NumericTypeBarrier extends DataFlow::Node {
   NumericTypeBarrier() {
-    exists(StructType t, Struct s |
-      t = TypeInference::inferType(this.asExpr()) and
-      s = t.getStruct()
-    |
-      s instanceof Builtins::NumericType or
-      s instanceof Builtins::Bool
-    )
+    TypeInference::inferType(this.asExpr()).(StructType).getStruct() instanceof
+      Builtins::NumericType
   }
 }
 
-/**
- * A node whose type is an integral (integer) or boolean type, which may be an
- * appropriate taint flow barrier for some queries.
- */
-class IntegralOrBooleanTypeBarrier extends DataFlow::Node {
-  IntegralOrBooleanTypeBarrier() {
-    exists(StructType t, Struct s |
-      t = TypeInference::inferType(this.asExpr()) and
-      s = t.getStruct()
-    |
-      s instanceof Builtins::IntegralType or
-      s instanceof Builtins::Bool
-    )
+/** A node whose type is `bool`. */
+class BooleanTypeBarrier extends DataFlow::Node {
+  BooleanTypeBarrier() {
+    TypeInference::inferType(this.asExpr()).(StructType).getStruct() instanceof Builtins::Bool
+  }
+}
+
+/** A node whose type is an integral (integer). */
+class IntegralTypeBarrier extends DataFlow::Node {
+  IntegralTypeBarrier() {
+    TypeInference::inferType(this.asExpr()).(StructType).getStruct() instanceof
+      Builtins::IntegralType
+  }
+}
+
+/** A node whose type is a fieldless enum. */
+class FieldlessEnumTypeBarrier extends DataFlow::Node {
+  FieldlessEnumTypeBarrier() {
+    TypeInference::inferType(this.asExpr()).(EnumType).getEnum().isFieldless()
   }
 }
 
diff --git a/rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll b/rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll
@@ -8,6 +8,7 @@ private import codeql.rust.dataflow.DataFlow
 private import codeql.rust.dataflow.FlowSink
 private import codeql.rust.security.SensitiveData
 private import codeql.rust.Concepts
+private import codeql.rust.security.Barriers as Barriers
 
 /**
  * Provides default sources, sinks and barriers for detecting cleartext logging
@@ -42,4 +43,9 @@ module CleartextLogging {
   private class ModelsAsDataSink extends Sink {
     ModelsAsDataSink() { sinkNode(this, "log-injection") }
   }
+
+  private class BooleanTypeBarrier extends Barrier instanceof Barriers::BooleanTypeBarrier { }
+
+  private class FieldlessEnumTypeBarrier extends Barrier instanceof Barriers::FieldlessEnumTypeBarrier
+  { }
 }
diff --git a/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll b/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll
@@ -49,4 +49,9 @@ module LogInjection {
    * numeric or boolean type, which is unlikely to expose any vulnerability.
    */
   private class NumericTypeBarrier extends Barrier instanceof Barriers::NumericTypeBarrier { }
+
+  private class BooleanTypeBarrier extends Barrier instanceof Barriers::BooleanTypeBarrier { }
+
+  private class FieldlessEnumTypeBarrier extends Barrier instanceof Barriers::FieldlessEnumTypeBarrier
+  { }
 }
diff --git a/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll b/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll
@@ -64,4 +64,9 @@ module SqlInjection {
    * boolean type, which is unlikely to expose any vulnerability.
    */
   private class NumericTypeBarrier extends Barrier instanceof Barriers::NumericTypeBarrier { }
+
+  private class BooleanTypeBarrier extends Barrier instanceof Barriers::BooleanTypeBarrier { }
+
+  private class FieldlessEnumTypeBarrier extends Barrier instanceof Barriers::FieldlessEnumTypeBarrier
+  { }
 }
diff --git a/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll b/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll
@@ -94,6 +94,7 @@ module RegexInjection {
    * We don't include floating point types in this barrier, as `.` is a special character
    * in regular expressions.
    */
-  private class IntegralOrBooleanTypeBarrier extends Barrier instanceof Barriers::IntegralOrBooleanTypeBarrier
-  { }
+  private class IntegralTypeBarrier extends Barrier instanceof Barriers::IntegralTypeBarrier { }
+
+  private class BooleanTypeBarrier extends Barrier instanceof Barriers::BooleanTypeBarrier { }
 }

Original file line number	Diff line number	Diff line change
`@@ -140,6 +140,9 @@ class EnumType extends Type, TEnum {`
`140`	`140`
`141`	`141`	`EnumType() { this = TEnum(enum) }`
`142`	`142`
	`143`	`+ /** Gets the enum that this enum type represents. */`
	`144`	`+ Enum getEnum() { result = enum }`
	`145`	`+`
`143`	`146`	`override TypeParameter getPositionalTypeParameter(int i) {`
`144`	`147`	`result = TTypeParamTypeParameter(enum.getGenericParamList().getTypeParam(i))`
`145`	`148`	`}`