Rust: Model Deref trait in type inference

Author: hvitved

rust/ql/lib/codeql/rust/internal/TypeInference.qll

@@ -0,0 +1,74 @@
+/** Provides classes for representing implicit dereferences. */
+
+private import rust
+private import codeql.rust.internal.PathResolution
+private import codeql.rust.internal.Type
+private import codeql.rust.internal.TypeInference
+private import codeql.rust.internal.TypeMention
+private import codeql.rust.frameworks.stdlib.Stdlib
+private import codeql.rust.frameworks.stdlib.Builtins as Builtins
+private import codeql.util.UnboundList as UnboundListImpl
+
+/** An `impl` block that implements the `Deref` trait. */
+class DerefImplItemNode extends ImplItemNode {
+  DerefImplItemNode() { this.resolveTraitTy() instanceof DerefTrait }
+
+  /** Gets the `deref` function in this `Deref` impl block. */
+  Function getDerefFunction() { result = this.getAssocItem("deref") }
+
+  private SelfParam getSelfParam() { result = this.getDerefFunction().getSelfParam() }
+
+  /**
+   * Resolves the type at `path` of the `self` parameter inside the `deref` function,
+   * stripped of the leading `&`.
+   */
+  pragma[nomagic]
+  Type resolveSelfParamTypeStrippedAt(TypePath path) {
+    exists(TypePath path0 |
+      result = getSelfParamTypeMention(this.getSelfParam()).resolveTypeAt(path0) and
+      path0.isCons(getRefSharedTypeParameter(), path)
+    )
+  }
+
+  /**
+   * Holds if the return type at `path` of the `deref` function, stripped of the
+   * leading `&`, mentions type parameter `tp` at `path`.
+   */
+  pragma[nomagic]
+  predicate returnTypeStrippedMentionsTypeParameterAt(TypeParameter tp, TypePath path) {
+    exists(TypePath path0 |
+      tp = getReturnTypeMention(this.getDerefFunction()).resolveTypeAt(path0) and
+      path0.isCons(getRefSharedTypeParameter(), path)
+    )
+  }
+}
+
+private module UnboundListInput implements UnboundListImpl::InputSig<Location> {
+  private import codeql.rust.elements.internal.generated.Raw
+  private import codeql.rust.elements.internal.generated.Synth
+
+  private class DerefImplItemRaw extends Raw::Impl {
+    DerefImplItemRaw() { this = Synth::convertAstNodeToRaw(any(DerefImplItemNode i)) }
+  }
+
+  private predicate id(DerefImplItemRaw x, DerefImplItemRaw y) { x = y }
+
+  private predicate idOfRaw(DerefImplItemRaw x, int y) = equivalenceRelation(id/2)(x, y)
+
+  class Element = DerefImplItemNode;
+
+  int getId(Element e) { idOfRaw(Synth::convertAstNodeToRaw(e), result) }
+
+  string getElementString(Element e) { result = e.resolveSelfTy().getName() }
+}
+
+private import UnboundListImpl::Make<Location, UnboundListInput>
+
+/**
+ * A sequence of `Deref` impl blocks representing a chain of implicit dereferences,
+ * encoded as a string.
+ */
+class DerefChain = UnboundList;
+
+/** Provides predicates for constructing `DerefChain`s. */
+module DerefChain = UnboundList;

rust/ql/lib/codeql/rust/internal/typeinference/DerefChain.qll

@@ -84,6 +84,7 @@
 | main.rs:292:13:292:14 | * ... | main.rs:251:5:253:5 | fn deref |
 | main.rs:293:5:293:11 | sink(...) | main.rs:5:1:7:1 | fn sink |
 | main.rs:295:28:295:37 | source(...) | main.rs:1:1:3:1 | fn source |
+| main.rs:296:13:296:23 | a.min(...) | {EXTERNAL LOCATION} | fn min |
 | main.rs:297:5:297:11 | sink(...) | main.rs:5:1:7:1 | fn sink |
 | main.rs:319:28:319:36 | source(...) | main.rs:1:1:3:1 | fn source |
 | main.rs:321:30:321:54 | ...::take_self(...) | main.rs:309:5:311:5 | fn take_self |

rust/ql/test/library-tests/dataflow/global/viableCallable.expected

@@ -35,7 +35,8 @@ models
 | 34 | Summary: <_ as tokio::io::util::async_read_ext::AsyncReadExt>::read_to_string; Argument[self].Reference; Argument[0].Reference; taint |
 | 35 | Summary: <_ as tokio::io::util::async_read_ext::AsyncReadExt>::read_u8; Argument[self].Reference; ReturnValue.Future.Field[core::result::Result::Ok(0)]; taint |
 | 36 | Summary: <core::result::Result>::unwrap; Argument[self].Field[core::result::Result::Ok(0)]; ReturnValue; value |
-| 37 | Summary: <std::path::PathBuf>::as_path; Argument[self].Reference; ReturnValue.Reference; value |
+| 37 | Summary: <std::path::Path>::canonicalize; Argument[self].Reference.OptionalBarrier[normalize-path]; ReturnValue.Field[core::result::Result::Ok(0)]; taint |
+| 38 | Summary: <std::path::PathBuf>::as_path; Argument[self].Reference; ReturnValue.Reference; value |
 edges
 | test.rs:12:13:12:18 | buffer | test.rs:13:14:13:19 | buffer | provenance |  |
 | test.rs:12:31:12:43 | ...::read | test.rs:12:31:12:55 | ...::read(...) [Ok] | provenance | Src:MaD:11  |
@@ -51,12 +52,15 @@ edges
 | test.rs:22:22:22:52 | TryExpr | test.rs:22:13:22:18 | buffer | provenance |  |
 | test.rs:29:13:29:16 | path | test.rs:30:14:30:17 | path | provenance |  |
 | test.rs:29:13:29:16 | path | test.rs:31:14:31:17 | path | provenance |  |
+| test.rs:29:13:29:16 | path | test.rs:40:14:40:17 | path | provenance |  |
 | test.rs:29:13:29:16 | path | test.rs:41:14:41:17 | path | provenance |  |
 | test.rs:29:20:29:27 | e.path() | test.rs:29:13:29:16 | path | provenance |  |
 | test.rs:29:22:29:25 | path | test.rs:29:20:29:27 | e.path() | provenance | Src:MaD:4 MaD:4 |
 | test.rs:30:14:30:17 | path | test.rs:30:14:30:25 | path.clone() | provenance | MaD:18 |
 | test.rs:31:14:31:17 | path | test.rs:31:14:31:25 | path.clone() | provenance | MaD:18 |
-| test.rs:31:14:31:25 | path.clone() | test.rs:31:14:31:35 | ... .as_path() | provenance | MaD:37 |
+| test.rs:31:14:31:25 | path.clone() | test.rs:31:14:31:35 | ... .as_path() | provenance | MaD:38 |
+| test.rs:40:14:40:17 | path | test.rs:40:14:40:32 | path.canonicalize() [Ok] | provenance | MaD:37 |
+| test.rs:40:14:40:32 | path.canonicalize() [Ok] | test.rs:40:14:40:41 | ... .unwrap() | provenance | MaD:36 |
 | test.rs:43:13:43:21 | file_name | test.rs:44:14:44:22 | file_name | provenance |  |
 | test.rs:43:13:43:21 | file_name | test.rs:49:14:49:22 | file_name | provenance |  |
 | test.rs:43:25:43:37 | e.file_name() | test.rs:43:13:43:21 | file_name | provenance |  |
@@ -273,6 +277,9 @@ nodes
 | test.rs:31:14:31:17 | path | semmle.label | path |
 | test.rs:31:14:31:25 | path.clone() | semmle.label | path.clone() |
 | test.rs:31:14:31:35 | ... .as_path() | semmle.label | ... .as_path() |
+| test.rs:40:14:40:17 | path | semmle.label | path |
+| test.rs:40:14:40:32 | path.canonicalize() [Ok] | semmle.label | path.canonicalize() [Ok] |
+| test.rs:40:14:40:41 | ... .unwrap() | semmle.label | ... .unwrap() |
 | test.rs:41:14:41:17 | path | semmle.label | path |
 | test.rs:43:13:43:21 | file_name | semmle.label | file_name |
 | test.rs:43:25:43:37 | e.file_name() | semmle.label | e.file_name() |
@@ -492,6 +499,7 @@ testFailures
 | test.rs:23:14:23:19 | buffer | test.rs:22:22:22:39 | ...::read_to_string | test.rs:23:14:23:19 | buffer | $@ | test.rs:22:22:22:39 | ...::read_to_string | ...::read_to_string |
 | test.rs:30:14:30:25 | path.clone() | test.rs:29:22:29:25 | path | test.rs:30:14:30:25 | path.clone() | $@ | test.rs:29:22:29:25 | path | path |
 | test.rs:31:14:31:35 | ... .as_path() | test.rs:29:22:29:25 | path | test.rs:31:14:31:35 | ... .as_path() | $@ | test.rs:29:22:29:25 | path | path |
+| test.rs:40:14:40:41 | ... .unwrap() | test.rs:29:22:29:25 | path | test.rs:40:14:40:41 | ... .unwrap() | $@ | test.rs:29:22:29:25 | path | path |
 | test.rs:41:14:41:17 | path | test.rs:29:22:29:25 | path | test.rs:41:14:41:17 | path | $@ | test.rs:29:22:29:25 | path | path |
 | test.rs:44:14:44:30 | file_name.clone() | test.rs:43:27:43:35 | file_name | test.rs:44:14:44:30 | file_name.clone() | $@ | test.rs:43:27:43:35 | file_name | file_name |
 | test.rs:49:14:49:22 | file_name | test.rs:43:27:43:35 | file_name | test.rs:49:14:49:22 | file_name | $@ | test.rs:43:27:43:35 | file_name | file_name |

rust/ql/test/library-tests/dataflow/sources/file/InlineFlow.expected

@@ -7,6 +7,9 @@
 | test.rs:51:52:51:59 | read_dir | Flow source 'FileSource' of type file (DEFAULT). |
 | test.rs:54:22:54:25 | path | Flow source 'FileSource' of type file (DEFAULT). |
 | test.rs:55:27:55:35 | file_name | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:57:56:57:63 | read_dir | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:60:22:60:25 | path | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:61:27:61:35 | file_name | Flow source 'FileSource' of type file (DEFAULT). |
 | test.rs:65:22:65:34 | ...::read_link | Flow source 'FileSource' of type file (DEFAULT). |
 | test.rs:74:31:74:45 | ...::read | Flow source 'FileSource' of type file (DEFAULT). |
 | test.rs:79:31:79:45 | ...::read | Flow source 'FileSource' of type file (DEFAULT). |

rust/ql/test/library-tests/dataflow/sources/file/TaintSources.expected

@@ -37,7 +37,7 @@ fn test_fs() -> Result<(), Box<dyn std::error::Error>> {
         sink(path.to_path_buf()); // $ MISSING: hasTaintFlow
         sink(path.file_name().unwrap()); // $ MISSING: hasTaintFlow
         sink(path.extension().unwrap()); // $ MISSING: hasTaintFlow
-        sink(path.canonicalize().unwrap()); // $ MISSING: hasTaintFlow
+        sink(path.canonicalize().unwrap()); // $ hasTaintFlow
         sink(path); // $ hasTaintFlow
 
         let file_name = e.file_name(); // $ Alert[rust/summary/taint-sources]
@@ -54,11 +54,11 @@ fn test_fs() -> Result<(), Box<dyn std::error::Error>> {
         let path = e.path(); // $ Alert[rust/summary/taint-sources]
         let file_name = e.file_name(); // $ Alert[rust/summary/taint-sources]
     }
-    for entry in std::path::PathBuf::from("directory").read_dir()? {
+    for entry in std::path::PathBuf::from("directory").read_dir()? { // $ Alert[rust/summary/taint-sources]
         let e = entry?;
 
-        let path = e.path(); // $ MISSING: Alert[rust/summary/taint-sources]
-        let file_name = e.file_name(); // $ MISSING: Alert[rust/summary/taint-sources]
+        let path = e.path(); // $ Alert[rust/summary/taint-sources]
+        let file_name = e.file_name(); // $ Alert[rust/summary/taint-sources]
     }
 
     {