Merge pull request #18394 from paldepind/rust-format

Rust: Value flow and taint flow through formatting strings

Author: paldepind

rust/ql/.generated.list

@@ -173,6 +173,53 @@ final class MethodCallExprCfgNode extends CallExprBaseCfgNode, Nodes::MethodCall
  */
 final class CallExprCfgNode extends CallExprBaseCfgNode, Nodes::CallExprCfgNode { }
 
+/**
+ * A FormatArgsExpr. For example:
+ * ```rust
+ * format_args!("no args");
+ * format_args!("{} foo {:?}", 1, 2);
+ * format_args!("{b} foo {a:?}", a=1, b=2);
+ * let (x, y) = (1, 42);
+ * format_args!("{x}, {y}");
+ * ```
+ */
+final class FormatArgsExprCfgNode extends Nodes::FormatArgsExprCfgNode {
+  private FormatArgsExprChildMapping node;
+
+  FormatArgsExprCfgNode() { node = this.getAstNode() }
+
+  /** Gets the `i`th argument of this format arguments expression (0-based). */
+  ExprCfgNode getArgumentExpr(int i) {
+    any(ChildMapping mapping).hasCfgChild(node, node.getArg(i).getExpr(), this, result)
+  }
+
+  /** Gets a format argument of the `i`th format of this format arguments expression (0-based). */
+  FormatTemplateVariableAccessCfgNode getFormatTemplateVariableAccess(int i) {
+    exists(FormatTemplateVariableAccess v |
+      v.getArgument() = node.getFormat(i).getArgument() and
+      result.getFormatTemplateVariableAccess() = v and
+      any(ChildMapping mapping).hasCfgChild(node, v, this, result)
+    )
+  }
+}
+
+/**
+ * A MacroCall. For example:
+ * ```rust
+ * todo!()
+ * ```
+ */
+final class MacroCallCfgNode extends Nodes::MacroCallCfgNode {
+  private MacroCallChildMapping node;
+
+  MacroCallCfgNode() { node = this.getAstNode() }
+
+  /** Gets the CFG node for the expansion of this macro call, if it exists. */
+  CfgNode getExpandedNode() {
+    any(ChildMapping mapping).hasCfgChild(node, node.getExpanded(), this, result)
+  }
+}
+
 /**
  * A record expression. For example:
  * ```rust

rust/ql/lib/codeql/rust/controlflow/CfgNodes.qll

@@ -74,6 +74,10 @@ class RecordPatChildMapping extends ParentAstNode, RecordPat {
   }
 }
 
+class MacroCallChildMapping extends ParentAstNode, MacroCall {
+  override predicate relevantChild(AstNode child) { child = this.getExpanded() }
+}
+
 class FormatArgsExprChildMapping extends ParentAstNode, CfgImpl::ExprTrees::FormatArgsExprTree {
   override predicate relevantChild(AstNode child) { child = this.getChildNode(_) }
 }

rust/ql/lib/codeql/rust/controlflow/internal/CfgNodes.qll

@@ -131,24 +131,8 @@ class LetStmtTree extends PreOrderTree, LetStmt {
   }
 }
 
-class MacroCallTree extends ControlFlowTree, MacroCall {
-  override predicate first(AstNode first) {
-    first(this.getExpanded(), first)
-    or
-    not exists(this.getExpanded()) and first = this
-  }
-
-  override predicate last(AstNode last, Completion c) {
-    last(this.getExpanded(), last, c)
-    or
-    not exists(this.getExpanded()) and
-    last = this and
-    completionIsValidFor(c, last)
-  }
-
-  override predicate succ(AstNode pred, AstNode succ, Completion c) { none() }
-
-  override predicate propagatesAbnormal(AstNode child) { child = this.getExpanded() }
+class MacroCallTree extends StandardPostOrderTree, MacroCall {
+  override AstNode getChildNode(int i) { i = 0 and result = this.getExpanded() }
 }
 
 class MacroStmtsTree extends StandardPreOrderTree, MacroStmts {

rust/ql/lib/codeql/rust/controlflow/internal/ControlFlowGraphImpl.qll

@@ -522,6 +522,7 @@ private ExprCfgNode getALastEvalNode(ExprCfgNode e) {
   result = e.(BreakExprCfgNode).getExpr() or
   result = e.(BlockExprCfgNode).getTailExpr() or
   result = e.(MatchExprCfgNode).getArmExpr(_) or
+  result = e.(MacroExprCfgNode).getMacroCall().(MacroCallCfgNode).getExpandedNode() or
   result.(BreakExprCfgNode).getTarget() = e
 }
 

rust/ql/lib/codeql/rust/controlflow/internal/generated/CfgNodes.qll

@@ -46,6 +46,10 @@ module RustTaintTracking implements InputSig<Location, RustDataFlow> {
         RustDataFlow::readStep(pred, cs, succ) and
         cs.getContent() instanceof ArrayElementContent
       )
+      or
+      exists(FormatArgsExprCfgNode format | succ.asExpr() = format |
+        pred.asExpr() = [format.getArgumentExpr(_), format.getFormatTemplateVariableAccess(_)]
+      )
     )
     or
     FlowSummaryImpl::Private::Steps::summaryLocalStep(pred.(Node::FlowSummaryNode).getSummaryNode(),

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll

@@ -23,6 +23,10 @@ module Impl {
    * ```rust
    * println!("Hello {}", "world");
    * ```
+   * or the `{value:#width$.precision$}` in:
+   * ```rust
+   * println!("Value {value:#width$.precision$}");
+   * ```
    */
   class Format extends Generated::Format {
     private Raw::FormatArgsExpr parent;

rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll

@@ -13,3 +13,7 @@ extensions:
       - ["lang:core", "<crate::result::Result>::unwrap_or", "Argument[0]", "ReturnValue", "value", "manual"]
       # String
       - ["lang:alloc", "<crate::string::String>::as_str", "Argument[self]", "ReturnValue", "taint", "manual"]
+      # Hint
+      - ["lang:core", "crate::hint::must_use", "Argument[0]", "ReturnValue", "value", "manual"]
+      # Fmt
+      - ["lang:alloc", "crate::fmt::format", "Argument[0]", "ReturnValue", "taint", "manual"]