Rust: Taint flow through operations using MaD

hvitved · hvitved · commit 8a00ac7d408d · 2025-12-02T15:35:40.000+01:00
diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll
@@ -255,8 +255,12 @@ module LocalFlow {
     )
     or
     // An edge from a pattern/expression to its corresponding SSA definition.
-    nodeFrom.(AstNodeNode).getAstNode() =
-      nodeTo.(SsaNode).asDefinition().(Ssa::WriteDefinition).getWriteAccess()
+    exists(AstNode n |
+      n = nodeTo.(SsaNode).asDefinition().(Ssa::WriteDefinition).getWriteAccess() and
+      if n = any(CompoundAssignmentExpr ca).getLhs()
+      then n = nodeFrom.(PostUpdateNode).getPreUpdateNode().(AstNodeNode).getAstNode()
+      else n = nodeFrom.(AstNodeNode).getAstNode()
+    )
     or
     nodeFrom.(SourceParameterNode).getParameter().(Param).getPat() = nodeTo.asPat()
     or
diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll
@@ -20,18 +20,6 @@ module RustTaintTracking implements InputSig<Location, RustDataFlow> {
     Stages::DataFlowStage::ref() and
     model = "" and
     (
-      exists(BinaryExpr binary |
-        binary.getOperatorName() = ["+", "-", "*", "/", "%", "&", "|", "^", "<<", ">>"] and
-        pred.asExpr() = [binary.getLhs(), binary.getRhs()] and
-        succ.asExpr() = binary
-      )
-      or
-      exists(PrefixExpr prefix |
-        prefix.getOperatorName() = ["-", "!"] and
-        pred.asExpr() = prefix.getExpr() and
-        succ.asExpr() = prefix
-      )
-      or
       pred.asExpr() = succ.asExpr().(CastExpr).getExpr()
       or
       exists(IndexExpr index |
diff --git a/rust/ql/lib/codeql/rust/frameworks/stdlib/core.model.yml b/rust/ql/lib/codeql/rust/frameworks/stdlib/core.model.yml
@@ -9,10 +9,70 @@ extensions:
       # Index
       - ["<_ as core::ops::index::Index>::index", "Argument[self].Reference.Element", "ReturnValue.Reference", "value", "manual"]
       - ["<_ as core::ops::index::IndexMut>::index_mut", "Argument[self].Reference.Element", "ReturnValue.Reference", "value", "manual"]
-      # Arithmetic
+      # Unary operators
+      - ["<_ as core::ops::arith::Neg>::neg", "Argument[self]", "ReturnValue", "taint", "manual"]
+      - ["<_ as core::ops::bit::Not>::not", "Argument[self]", "ReturnValue", "taint", "manual"]
+      # Arithmetic operators
       - ["<_ as core::ops::arith::Add>::add", "Argument[self]", "ReturnValue", "taint", "manual"]
       - ["<_ as core::ops::arith::Add>::add", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["<_ as core::ops::arith::Add>::add", "Argument[0].Reference", "ReturnValue", "taint", "manual"]
+      - ["<_ as core::ops::arith::Sub>::sub", "Argument[self]", "ReturnValue", "taint", "manual"]
+      - ["<_ as core::ops::arith::Sub>::sub", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["<_ as core::ops::arith::Sub>::sub", "Argument[0].Reference", "ReturnValue", "taint", "manual"]
+      - ["<_ as core::ops::arith::Mul>::mul", "Argument[self]", "ReturnValue", "taint", "manual"]
+      - ["<_ as core::ops::arith::Mul>::mul", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["<_ as core::ops::arith::Mul>::mul", "Argument[0].Reference", "ReturnValue", "taint", "manual"]
+      - ["<_ as core::ops::arith::Div>::div", "Argument[self]", "ReturnValue", "taint", "manual"]
+      - ["<_ as core::ops::arith::Div>::div", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["<_ as core::ops::arith::Div>::div", "Argument[0].Reference", "ReturnValue", "taint", "manual"]
+      - ["<_ as core::ops::arith::Rem>::rem", "Argument[self]", "ReturnValue", "taint", "manual"]
+      - ["<_ as core::ops::arith::Rem>::rem", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["<_ as core::ops::arith::Rem>::rem", "Argument[0].Reference", "ReturnValue", "taint", "manual"]
+      # Arithmetic assignment expressions
+      - ["<_ as core::ops::arith::AddAssign>::add_assign", "Argument[self].Reference", "Argument[self].Reference", "taint", "manual"]
+      - ["<_ as core::ops::arith::AddAssign>::add_assign", "Argument[0]", "Argument[self].Reference", "taint", "manual"]
+      - ["<_ as core::ops::arith::AddAssign>::add_assign", "Argument[0].Reference", "Argument[self].Reference", "taint", "manual"]
+      - ["<_ as core::ops::arith::SubAssign>::sub_assign", "Argument[self].Reference", "Argument[self].Reference", "taint", "manual"]
+      - ["<_ as core::ops::arith::SubAssign>::sub_assign", "Argument[0]", "Argument[self].Reference", "taint", "manual"]
+      - ["<_ as core::ops::arith::SubAssign>::sub_assign", "Argument[0].Reference", "Argument[self].Reference", "taint", "manual"]
+      - ["<_ as core::ops::arith::MulAssign>::mul_assign", "Argument[self].Reference", "Argument[self].Reference", "taint", "manual"]
+      - ["<_ as core::ops::arith::MulAssign>::mul_assign", "Argument[0]", "Argument[self].Reference", "taint", "manual"]
+      - ["<_ as core::ops::arith::MulAssign>::mul_assign", "Argument[0].Reference", "Argument[self].Reference", "taint", "manual"]
+      - ["<_ as core::ops::arith::DivAssign>::div_assign", "Argument[self].Reference", "Argument[self].Reference", "taint", "manual"]
+      - ["<_ as core::ops::arith::DivAssign>::div_assign", "Argument[0]", "Argument[self].Reference", "taint", "manual"]
+      - ["<_ as core::ops::arith::DivAssign>::div_assign", "Argument[0].Reference", "Argument[self].Reference", "taint", "manual"]
+      - ["<_ as core::ops::arith::RemAssign>::rem_assign", "Argument[self].Reference", "Argument[self].Reference", "taint", "manual"]
+      - ["<_ as core::ops::arith::RemAssign>::rem_assign", "Argument[0]", "Argument[self].Reference", "taint", "manual"]
+      - ["<_ as core::ops::arith::RemAssign>::rem_assign", "Argument[0].Reference", "Argument[self].Reference", "taint", "manual"]
+      # Bitwise operators
+      - ["<_ as core::ops::bit::BitAnd>::bitand", "Argument[self]", "ReturnValue", "taint", "manual"]
+      - ["<_ as core::ops::bit::BitAnd>::bitand", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["<_ as core::ops::bit::BitAnd>::bitand", "Argument[0].Reference", "ReturnValue", "taint", "manual"]
+      - ["<_ as core::ops::bit::BitOr>::bitor", "Argument[self]", "ReturnValue", "taint", "manual"]
+      - ["<_ as core::ops::bit::BitOr>::bitor", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["<_ as core::ops::bit::BitOr>::bitor", "Argument[0].Reference", "ReturnValue", "taint", "manual"]
+      - ["<_ as core::ops::bit::BitXor>::bitxor", "Argument[self]", "ReturnValue", "taint", "manual"]
+      - ["<_ as core::ops::bit::BitXor>::bitxor", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["<_ as core::ops::bit::BitXor>::bitxor", "Argument[0].Reference", "ReturnValue", "taint", "manual"]
+      # Bitwise assignment operators
+      - ["<_ as core::ops::bit::BitAndAssign>::bitand_assign", "Argument[0]", "Argument[self].Reference", "taint", "manual"]
+      - ["<_ as core::ops::bit::BitAndAssign>::bitand_assign", "Argument[0].Reference", "Argument[self].Reference", "taint", "manual"]
+      - ["<_ as core::ops::bit::BitOrAssign>::bitor_assign", "Argument[0]", "Argument[self].Reference", "taint", "manual"]
+      - ["<_ as core::ops::bit::BitOrAssign>::bitor_assign", "Argument[0].Reference", "Argument[self].Reference", "taint", "manual"]
+      - ["<_ as core::ops::bit::BitXorAssign>::bitxor_assign", "Argument[0]", "Argument[self].Reference", "taint", "manual"]
+      - ["<_ as core::ops::bit::BitXorAssign>::bitxor_assign", "Argument[0].Reference", "Argument[self].Reference", "taint", "manual"]
+      # Shift operators
+      - ["<_ as core::ops::bit::Shl>::shl", "Argument[self]", "ReturnValue", "taint", "manual"]
+      - ["<_ as core::ops::bit::Shl>::shl", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["<_ as core::ops::bit::Shl>::shl", "Argument[0].Reference", "ReturnValue", "taint", "manual"]
+      - ["<_ as core::ops::bit::Shr>::shr", "Argument[self]", "ReturnValue", "taint", "manual"]
+      - ["<_ as core::ops::bit::Shr>::shr", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["<_ as core::ops::bit::Shr>::shr", "Argument[0].Reference", "ReturnValue", "taint", "manual"]
+      # Shift assignment operators
+      - ["<_ as core::ops::bit::ShlAssign>::shl_assign", "Argument[0]", "Argument[self].Reference", "taint", "manual"]
+      - ["<_ as core::ops::bit::ShlAssign>::shl_assign", "Argument[0].Reference", "Argument[self].Reference", "taint", "manual"]
+      - ["<_ as core::ops::bit::ShrAssign>::shr_assign", "Argument[0]", "Argument[self].Reference", "taint", "manual"]
+      - ["<_ as core::ops::bit::ShrAssign>::shr_assign", "Argument[0].Reference", "Argument[self].Reference", "taint", "manual"]
       # Clone
       - ["<_ as core::clone::Clone>::clone", "Argument[self].Reference", "ReturnValue", "value", "manual"]
       # Conversions
diff --git a/rust/ql/test/library-tests/dataflow/taint/TaintFlowStep.expected b/rust/ql/test/library-tests/dataflow/taint/TaintFlowStep.expected
@@ -1,11 +1,6 @@
-| main.rs:4:5:4:8 | 1000 | main.rs:4:5:4:12 | ... + ... |
-| main.rs:4:12:4:12 | i | main.rs:4:5:4:12 | ... + ... |
 | main.rs:8:20:8:20 | s | main.rs:8:14:8:20 | FormatArgsExpr |
-| main.rs:13:10:13:10 | a | main.rs:13:10:13:17 | ... + ... |
-| main.rs:13:14:13:17 | 1i64 | main.rs:13:10:13:17 | ... + ... |
 | main.rs:16:5:16:5 | [post] b [borrowed] | main.rs:16:5:16:5 | [post] b |
 | main.rs:20:5:20:5 | [post] c [borrowed] | main.rs:20:5:20:5 | [post] c |
-| main.rs:26:11:26:11 | a | main.rs:26:10:26:11 | - ... |
 | main.rs:31:13:31:13 | a | main.rs:31:13:31:19 | a as u8 |
 | main.rs:32:10:32:10 | b | main.rs:32:10:32:17 | b as i64 |
 | main.rs:32:10:32:17 | [post] b as i64 | main.rs:32:10:32:10 | [post] b |
diff --git a/rust/ql/test/library-tests/dataflow/taint/inline-taint-flow.expected b/rust/ql/test/library-tests/dataflow/taint/inline-taint-flow.expected
@@ -1,20 +1,28 @@
 models
 | 1 | Summary: <_ as core::ops::arith::Add>::add; Argument[self]; ReturnValue; taint |
-| 2 | Summary: <_ as core::ops::index::Index>::index; Argument[self].Reference.Element; ReturnValue.Reference; value |
-| 3 | Summary: <core::i64 as core::ops::arith::Add>::add; Argument[self]; ReturnValue; taint |
-| 4 | Summary: <core::i64 as core::ops::arith::Neg>::neg; Argument[self]; ReturnValue; taint |
+| 2 | Summary: <_ as core::ops::arith::AddAssign>::add_assign; Argument[0].Reference; Argument[self].Reference; taint |
+| 3 | Summary: <_ as core::ops::arith::AddAssign>::add_assign; Argument[0]; Argument[self].Reference; taint |
+| 4 | Summary: <_ as core::ops::arith::AddAssign>::add_assign; Argument[self].Reference; Argument[self].Reference; taint |
+| 5 | Summary: <_ as core::ops::arith::Neg>::neg; Argument[self]; ReturnValue; taint |
+| 6 | Summary: <_ as core::ops::index::Index>::index; Argument[self].Reference.Element; ReturnValue.Reference; value |
+| 7 | Summary: <core::i64 as core::ops::arith::Add>::add; Argument[self]; ReturnValue; taint |
+| 8 | Summary: <core::i64 as core::ops::arith::Neg>::neg; Argument[self]; ReturnValue; taint |
 edges
 | main.rs:12:9:12:9 | a | main.rs:13:10:13:10 | a | provenance |  |
-| main.rs:12:9:12:9 | a | main.rs:13:10:13:17 | ... + ... | provenance |  |
 | main.rs:12:13:12:22 | source(...) | main.rs:12:9:12:9 | a | provenance |  |
 | main.rs:13:10:13:10 | a | main.rs:13:10:13:17 | ... + ... | provenance | MaD:1 |
-| main.rs:13:10:13:10 | a | main.rs:13:10:13:17 | ... + ... | provenance | MaD:3 |
-| main.rs:15:9:15:13 | mut b | main.rs:17:10:17:10 | b | provenance |  |
+| main.rs:13:10:13:10 | a | main.rs:13:10:13:17 | ... + ... | provenance | MaD:7 |
+| main.rs:15:9:15:13 | mut b | main.rs:16:5:16:5 | b | provenance |  |
 | main.rs:15:17:15:26 | source(...) | main.rs:15:9:15:13 | mut b | provenance |  |
-| main.rs:25:9:25:9 | a | main.rs:26:10:26:11 | - ... | provenance |  |
+| main.rs:16:5:16:5 | [post] b | main.rs:17:10:17:10 | b | provenance |  |
+| main.rs:16:5:16:5 | b | main.rs:16:5:16:5 | [post] b | provenance | MaD:4 |
+| main.rs:20:5:20:5 | [post] c | main.rs:21:10:21:10 | c | provenance |  |
+| main.rs:20:10:20:19 | source(...) | main.rs:20:5:20:5 | [post] c | provenance | MaD:2 |
+| main.rs:20:10:20:19 | source(...) | main.rs:20:5:20:5 | [post] c | provenance | MaD:3 |
 | main.rs:25:9:25:9 | a | main.rs:26:11:26:11 | a | provenance |  |
 | main.rs:25:13:25:22 | source(...) | main.rs:25:9:25:9 | a | provenance |  |
-| main.rs:26:11:26:11 | a | main.rs:26:10:26:11 | - ... | provenance | MaD:4 |
+| main.rs:26:11:26:11 | a | main.rs:26:10:26:11 | - ... | provenance | MaD:5 |
+| main.rs:26:11:26:11 | a | main.rs:26:10:26:11 | - ... | provenance | MaD:8 |
 | main.rs:30:9:30:9 | a | main.rs:31:9:31:9 | b | provenance |  |
 | main.rs:30:13:30:22 | source(...) | main.rs:30:9:30:9 | a | provenance |  |
 | main.rs:31:9:31:9 | b | main.rs:32:10:32:17 | b as i64 | provenance |  |
@@ -23,11 +31,11 @@ edges
 | main.rs:45:17:45:26 | source(...) | main.rs:45:13:45:13 | s | provenance |  |
 | main.rs:46:13:46:18 | sliced [&ref] | main.rs:47:14:47:19 | sliced | provenance |  |
 | main.rs:46:22:46:29 | &... [&ref] | main.rs:46:13:46:18 | sliced [&ref] | provenance |  |
-| main.rs:46:23:46:23 | s | main.rs:46:23:46:29 | s[...] | provenance | MaD:2 |
+| main.rs:46:23:46:23 | s | main.rs:46:23:46:29 | s[...] | provenance | MaD:6 |
 | main.rs:46:23:46:29 | s[...] | main.rs:46:22:46:29 | &... [&ref] | provenance |  |
 | main.rs:61:13:61:15 | arr | main.rs:62:14:62:16 | arr | provenance |  |
 | main.rs:61:19:61:28 | source(...) | main.rs:61:13:61:15 | arr | provenance |  |
-| main.rs:62:14:62:16 | arr | main.rs:62:14:62:19 | arr[1] | provenance | MaD:2 |
+| main.rs:62:14:62:16 | arr | main.rs:62:14:62:19 | arr[1] | provenance | MaD:6 |
 | main.rs:77:9:77:12 | [post] arr2 [element] | main.rs:78:14:78:17 | arr2 | provenance |  |
 | main.rs:77:19:77:28 | source(...) | main.rs:77:9:77:12 | [post] arr2 [element] | provenance |  |
 nodes
@@ -37,7 +45,12 @@ nodes
 | main.rs:13:10:13:17 | ... + ... | semmle.label | ... + ... |
 | main.rs:15:9:15:13 | mut b | semmle.label | mut b |
 | main.rs:15:17:15:26 | source(...) | semmle.label | source(...) |
+| main.rs:16:5:16:5 | [post] b | semmle.label | [post] b |
+| main.rs:16:5:16:5 | b | semmle.label | b |
 | main.rs:17:10:17:10 | b | semmle.label | b |
+| main.rs:20:5:20:5 | [post] c | semmle.label | [post] c |
+| main.rs:20:10:20:19 | source(...) | semmle.label | source(...) |
+| main.rs:21:10:21:10 | c | semmle.label | c |
 | main.rs:25:9:25:9 | a | semmle.label | a |
 | main.rs:25:13:25:22 | source(...) | semmle.label | source(...) |
 | main.rs:26:10:26:11 | - ... | semmle.label | - ... |
@@ -65,6 +78,7 @@ testFailures
 #select
 | main.rs:13:10:13:17 | ... + ... | main.rs:12:13:12:22 | source(...) | main.rs:13:10:13:17 | ... + ... | $@ | main.rs:12:13:12:22 | source(...) | source(...) |
 | main.rs:17:10:17:10 | b | main.rs:15:17:15:26 | source(...) | main.rs:17:10:17:10 | b | $@ | main.rs:15:17:15:26 | source(...) | source(...) |
+| main.rs:21:10:21:10 | c | main.rs:20:10:20:19 | source(...) | main.rs:21:10:21:10 | c | $@ | main.rs:20:10:20:19 | source(...) | source(...) |
 | main.rs:26:10:26:11 | - ... | main.rs:25:13:25:22 | source(...) | main.rs:26:10:26:11 | - ... | $@ | main.rs:25:13:25:22 | source(...) | source(...) |
 | main.rs:32:10:32:17 | b as i64 | main.rs:30:13:30:22 | source(...) | main.rs:32:10:32:17 | b as i64 | $@ | main.rs:30:13:30:22 | source(...) | source(...) |
 | main.rs:47:14:47:19 | sliced | main.rs:45:17:45:26 | source(...) | main.rs:47:14:47:19 | sliced | $@ | main.rs:45:17:45:26 | source(...) | source(...) |
diff --git a/rust/ql/test/library-tests/dataflow/taint/main.rs b/rust/ql/test/library-tests/dataflow/taint/main.rs
@@ -14,11 +14,11 @@ fn addition() {
 
     let mut b = source(58);
     b += 2i64;
-    sink(b); // $ MISSING: hasTaintFlow=58 $ SPURIOUS: hasValueFlow=58
+    sink(b); // $ hasTaintFlow=58
 
     let mut c = 0i64; // for now, we cannot resolve `+=` when `0i64` is replaced with `0`
     c += source(99);
-    sink(c); // $ MISSING: hasTaintFlow=99
+    sink(c); // $ hasTaintFlow=99
 }
 
 fn negation() {
