Rust: Adapt to changes in FlowSummaryImpl

Author: hvitved

rust/ql/lib/codeql/rust/dataflow/FlowSummary.qll

@@ -17,9 +17,13 @@ module SummarizedCallable {
     Range() { any() }
 
     override predicate propagatesFlow(
-      string input, string output, boolean preservesValue, string model
+      string input, string output, boolean preservesValue, Provenance p, boolean isExact,
+      string model
     ) {
-      this.propagatesFlow(input, output, preservesValue) and model = ""
+      this.propagatesFlow(input, output, preservesValue) and
+      p = "manual" and
+      isExact = true and
+      model = "QL"
     }
 
     /**
@@ -31,6 +35,6 @@ module SummarizedCallable {
   }
 }
 
-final class SummarizedCallable = SummarizedCallable::Range;
+class SummarizedCallable = Impl::Public::RelevantSummarizedCallable;
 
 final class Provenance = Impl::Public::Provenance;

rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll

@@ -30,6 +30,8 @@ module Input implements InputSig<Location, RustDataFlow> {
 
   class SummarizedCallableBase = Function;
 
+  predicate callableFromSource(SummarizedCallableBase c) { c.fromSource() }
+
   abstract private class SourceSinkBase extends AstNode {
     /** Gets the associated call. */
     abstract Call getCall();

rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll

@@ -111,60 +111,38 @@ predicate interpretModelForTest(QlBuiltins::ExtensionId madId, string model) {
   )
 }
 
-private predicate summaryModel(
-  Function f, string input, string output, string kind, Provenance provenance, boolean isInherited,
-  QlBuiltins::ExtensionId madId
-) {
-  exists(string path, Function f0 |
-    summaryModel(path, input, output, kind, provenance, madId) and
-    f0.getCanonicalPath() = path
-  |
-    f = f0 and
-    isInherited = false
-    or
-    f.implements(f0) and
-    isInherited = true
-  )
-}
-
-private predicate summaryModelRelevant(
-  Function f, string input, string output, string kind, Provenance provenance, boolean isInherited,
-  QlBuiltins::ExtensionId madId
-) {
-  summaryModel(f, input, output, kind, provenance, isInherited, madId) and
-  // Only apply generated or inherited models to functions in library code and
-  // when no strictly better model exists
-  if provenance.isGenerated() or isInherited = true
-  then
-    not f.fromSource() and
-    not exists(Provenance other | summaryModel(f, _, _, _, other, false, _) |
-      provenance.isGenerated() and other.isManual()
+private class SummarizedCallableFromModel extends SummarizedCallable::Range {
+  string input_;
+  string output_;
+  string kind;
+  Provenance p_;
+  boolean isExact_;
+  QlBuiltins::ExtensionId madId;
+
+  SummarizedCallableFromModel() {
+    exists(string path, Function f, Provenance p |
+      summaryModel(path, input_, output_, kind, p, madId) and
+      f.getCanonicalPath() = path
+    |
+      this = f and isExact_ = true and p_ = p
       or
-      provenance = other and isInherited = true
+      this.implements(f) and
+      isExact_ = false and
+      // making inherited models generated means that source code definitions and
+      // exact generated models take precedence
+      p_ = "hq-generated"
     )
-  else any()
-}
-
-private class SummarizedCallableFromModel extends SummarizedCallable::Range {
-  SummarizedCallableFromModel() { summaryModelRelevant(this, _, _, _, _, _, _) }
-
-  override predicate hasProvenance(Provenance provenance) {
-    summaryModelRelevant(this, _, _, _, provenance, _, _)
   }
 
   override predicate propagatesFlow(
-    string input, string output, boolean preservesValue, string model
+    string input, string output, boolean preservesValue, Provenance p, boolean isExact, string model
   ) {
-    exists(string kind, QlBuiltins::ExtensionId madId |
-      summaryModelRelevant(this, input, output, kind, _, _, madId) and
-      model = "MaD:" + madId.toString()
-    |
-      kind = "value" and
-      preservesValue = true
-      or
-      kind = "taint" and
-      preservesValue = false
-    )
+    input = input_ and
+    output = output_ and
+    (if kind = "value" then preservesValue = true else preservesValue = false) and
+    p = p_ and
+    isExact = isExact_ and
+    model = "MaD:" + madId.toString()
   }
 }
 
@@ -211,7 +189,7 @@ private module Debug {
   private predicate relevantManualModel(SummarizedCallableImpl sc, string can) {
     exists(Provenance manual |
       can = sc.getCanonicalPath() and
-      summaryModelRelevant(sc, _, _, _, manual, false, _) and
+      sc.(SummarizedCallableFromModel).propagatesFlow(_, _, _, manual, true, _) and
       manual.isManual()
     )
   }
@@ -221,7 +199,7 @@ private module Debug {
   ) {
     exists(RustDataFlow::ParameterPosition pos, TypeMention tm |
       relevantManualModel(sc, can) and
-      sc.propagatesFlow(input, _, _, _) and
+      sc.propagatesFlow(input, _, _, _, _, _) and
       input.head() = SummaryComponent::argument(pos) and
       p = pos.getParameterIn(sc.getParamList()) and
       tm.resolveType() instanceof RefType and
@@ -238,7 +216,7 @@ private module Debug {
   ) {
     exists(TypeMention tm |
       relevantManualModel(sc, can) and
-      sc.propagatesFlow(_, output, _, _) and
+      sc.propagatesFlow(_, output, _, _, _, _) and
       tm.resolveType() instanceof RefType and
       output.head() = SummaryComponent::return(_) and
       not output.tail().head() =

rust/ql/lib/codeql/rust/frameworks/stdlib/Stdlib.qll

@@ -41,11 +41,13 @@ private class ReflexiveFrom extends SummarizedCallable::Range {
   }
 
   override predicate propagatesFlow(
-    string input, string output, boolean preservesValue, string model
+    string input, string output, boolean preservesValue, Provenance p, boolean isExact, string model
   ) {
     input = "Argument[0]" and
     output = "ReturnValue" and
     preservesValue = true and
+    p = "manual" and
+    isExact = true and
     model = "ReflexiveFrom"
   }
 }

rust/ql/lib/codeql/rust/frameworks/stdlib/ffi.model.yml

@@ -5,4 +5,6 @@ extensions:
     data:
       - ["<std::ffi::os_str::OsStr>::to_str", "Argument[self].Reference.Field[std::ffi::os_str::OsStr::inner]", "ReturnValue.Field[core::option::Option::Some(0)].Reference", "taint", "manual"]
       - ["<std::ffi::os_str::OsStr>::to_string_lossy", "Argument[self].Reference.Field[std::ffi::os_str::OsStr::inner]", "ReturnValue.Field[alloc::borrow::Cow::Owned(0)]", "taint", "manual"]
-      - ["<std::ffi::os_str::OsStr>::as_encoded_bytes", "Argument[self].Reference.Field[std::ffi::os_str::OsStr::inner]", "ReturnValue.Reference", "taint", "manual"]
+      - ["<std::ffi::os_str::OsStr>::as_encoded_bytes", "Argument[self].Reference.Field[std::ffi::os_str::OsStr::inner]", "ReturnValue.Reference", "taint", "manual"]
+      # Overwrite generated model
+      - ["<std::ffi::os_str::OsString as core::ops::deref::Deref>::deref", "Argument[self].Reference", "ReturnValue.Reference", "taint", "manual"]

rust/ql/lib/codeql/rust/frameworks/stdlib/fs.model.yml

@@ -86,3 +86,7 @@ extensions:
       - ["<std::fs::Metadata>::len", "Argument[self].Reference", "ReturnValue", "taint", "manual"]
       - ["<std::fs::Metadata>::modified", "Argument[self].Reference", "ReturnValue.Field[core::result::Result::Ok(0)]", "taint", "manual"]
       - ["<std::fs::Metadata>::permissions", "Argument[self].Reference", "ReturnValue", "taint", "manual"]
+      # Overwrite generated models
+      - ["<std::fs::File as std::io::Read>::read_to_end", "Argument[self].Reference", "Argument[0].Reference", "taint", "manual"]
+      - ["<std::fs::File as std::io::Read>::read_to_string", "Argument[self].Reference", "Argument[0].Reference", "taint", "manual"]
+      

rust/ql/lib/codeql/rust/frameworks/stdlib/io.model.yml

@@ -26,3 +26,18 @@ extensions:
       - ["<std::io::stdio::Stdin>::lock", "Argument[self].Reference", "ReturnValue", "taint", "manual"]
       - ["<std::io::stdio::Stdin>::read_line", "Argument[self].Reference", "Argument[0].Reference", "taint", "manual"]
       - ["<std::io::Split as core::iter::traits::iterator::Iterator>::next", "Argument[self].Reference.Element", "ReturnValue.Field[core::option::Option::Some(0)].Field[core::result::Result::Ok(0)]", "value", "manual"]
+      # Overwrite generated models
+      - ["<std::io::stdio::Stdin as std::io::Read>::read", "Argument[self].Reference", "Argument[0].Reference", "taint", "manual"]
+      - ["<std::io::stdio::Stdin as std::io::Read>::read_to_string", "Argument[self].Reference", "Argument[0].Reference", "taint", "manual"]
+      - ["<std::io::stdio::Stdin as std::io::Read>::read_to_end", "Argument[self].Reference", "Argument[0].Reference", "taint", "manual"]
+      - ["<std::io::stdio::Stdin as std::io::Read>::read_exact", "Argument[self].Reference", "Argument[0].Reference", "taint", "manual"]
+      - ["<std::io::stdio::StdinLock as std::io::Read>::read", "Argument[self].Reference", "Argument[0].Reference", "taint", "manual"]
+      - ["<std::io::stdio::StdinLock as std::io::Read>::read_to_string", "Argument[self].Reference", "Argument[0].Reference", "taint", "manual"]
+      - ["<std::io::stdio::StdinLock as std::io::Read>::read_to_end", "Argument[self].Reference", "Argument[0].Reference", "taint", "manual"]
+      - ["<std::io::stdio::StdinLock as std::io::Read>::read_exact", "Argument[self].Reference", "Argument[0].Reference", "taint", "manual"]
+      - ["<std::io::stdio::StdinLock as std::io::BufRead>::fill_buf", "Argument[self].Reference", "ReturnValue.Field[core::result::Result::Ok(0)]", "taint", "manual"]
+      - ["<std::io::stdio::StdinRaw as std::io::Read>::read", "Argument[self].Reference", "Argument[0].Reference", "taint", "manual"]
+      - ["<std::io::stdio::StdinRaw as std::io::Read>::read_to_string", "Argument[self].Reference", "Argument[0].Reference", "taint", "manual"]
+      - ["<std::io::stdio::StdinRaw as std::io::Read>::read_to_end", "Argument[self].Reference", "Argument[0].Reference", "taint", "manual"]
+      - ["<std::io::stdio::StdinRaw as std::io::Read>::read_exact", "Argument[self].Reference", "Argument[0].Reference", "taint", "manual"]
+      - ["<std::io::buffered::bufreader::BufReader as std::io::BufRead>::fill_buf", "Argument[self].Reference", "ReturnValue.Field[core::result::Result::Ok(0)]", "taint", "manual"]