Merge pull request #20452 from paldepind/rust/mad-source-parameter

Rust, shared: Support `Parameter` in source MaD models

Author: paldepind

cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll

@@ -104,7 +104,9 @@ private module StepsInput implements Impl::Private::StepsInputSig {
     result.getStaticCallTarget().getUnderlyingCallable() = sc
   }
 
-  Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponent sc) { none() }
+  DataFlowCallable getSourceNodeEnclosingCallable(Input::SourceBase source) { none() }
+
+  Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponentStack s) { none() }
 
   Node getSinkNode(Input::SinkBase sink, Impl::Private::SummaryComponent sc) { none() }
 }

csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll

@@ -183,7 +183,7 @@ private module TypesInput implements Impl::Private::TypesInputSig {
     )
   }
 
-  DataFlowType getSourceType(Input::SourceBase source, Impl::Private::SummaryComponent sc) {
+  DataFlowType getSourceType(Input::SourceBase source, Impl::Private::SummaryComponentStack s) {
     none()
   }
 
@@ -195,7 +195,9 @@ private module StepsInput implements Impl::Private::StepsInputSig {
     sc = viableCallable(result).asSummarizedCallable()
   }
 
-  Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponent sc) { none() }
+  DataFlowCallable getSourceNodeEnclosingCallable(Input::SourceBase source) { none() }
+
+  Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponentStack s) { none() }
 
   Node getSinkNode(Input::SinkBase sink, Impl::Private::SummaryComponent sc) { none() }
 }

go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll

@@ -117,7 +117,9 @@ private module StepsInput implements Impl::Private::StepsInputSig {
     )
   }
 
-  Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponent sc) { none() }
+  DataFlowCallable getSourceNodeEnclosingCallable(Input::SourceBase source) { none() }
+
+  Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponentStack s) { none() }
 
   Node getSinkNode(Input::SinkBase sink, Impl::Private::SummaryComponent sc) { none() }
 }

java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll

@@ -132,7 +132,7 @@ private module TypesInput implements Impl::Private::TypesInputSig {
     exists(rk)
   }
 
-  DataFlowType getSourceType(Input::SourceBase source, Impl::Private::SummaryComponent sc) {
+  DataFlowType getSourceType(Input::SourceBase source, Impl::Private::SummaryComponentStack s) {
     none()
   }
 
@@ -144,7 +144,9 @@ private module StepsInput implements Impl::Private::StepsInputSig {
     sc = viableCallable(result).asSummarizedCallable()
   }
 
-  Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponent sc) { none() }
+  DataFlowCallable getSourceNodeEnclosingCallable(Input::SourceBase source) { none() }
+
+  Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponentStack s) { none() }
 
   Node getSinkNode(Input::SinkBase sink, Impl::Private::SummaryComponent sc) { none() }
 }

javascript/ql/lib/semmle/javascript/dataflow/internal/FlowSummaryPrivate.qll

@@ -150,7 +150,9 @@ private module FlowSummaryStepInput implements Private::StepsInputSig {
     )
   }
 
-  DataFlow::Node getSourceNode(SourceBase source, Private::SummaryComponent sc) { none() }
+  DataFlowCallable getSourceNodeEnclosingCallable(SourceBase source) { none() }
+
+  DataFlow::Node getSourceNode(SourceBase source, Private::SummaryComponentStack s) { none() }
 
   DataFlow::Node getSinkNode(SinkBase sink, Private::SummaryComponent sc) { none() }
 }

python/ql/lib/semmle/python/dataflow/new/internal/FlowSummaryImpl.qll

@@ -105,7 +105,9 @@ private module StepsInput implements Impl::Private::StepsInputSig {
         ])
   }
 
-  Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponent sc) { none() }
+  DataFlowCallable getSourceNodeEnclosingCallable(Input::SourceBase source) { none() }
+
+  Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponentStack s) { none() }
 
   Node getSinkNode(Input::SinkBase sink, Impl::Private::SummaryComponent sc) { none() }
 }

ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll

@@ -161,7 +161,9 @@ private module StepsInput implements Impl::Private::StepsInputSig {
     result.asCall().getAstNode() = sc.(LibraryCallable).getACallSimple()
   }
 
-  Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponent sc) { none() }
+  DataFlowCallable getSourceNodeEnclosingCallable(Input::SourceBase source) { none() }
+
+  Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponentStack s) { none() }
 
   Node getSinkNode(Input::SinkBase sink, Impl::Private::SummaryComponent sc) { none() }
 }

rust/ql/lib/change-notes/2025-09-19-parameter-mad.md

@@ -0,0 +1,7 @@
+---
+category: feature
+---
+* The models-as-data format for sources now supports access paths of the form
+  `Argument[i].Parameter[j]`. This denotes that the source passes tainted data to
+  the `j`th parameter of its `i`th argument (which must be a function or a
+  closure).

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll

@@ -508,7 +508,8 @@ module RustDataFlow implements InputSig<Location> {
    */
   predicate jumpStep(Node node1, Node node2) {
     FlowSummaryImpl::Private::Steps::summaryJumpStep(node1.(FlowSummaryNode).getSummaryNode(),
-      node2.(FlowSummaryNode).getSummaryNode())
+      node2.(FlowSummaryNode).getSummaryNode()) or
+    FlowSummaryImpl::Private::Steps::sourceJumpStep(node1.(FlowSummaryNode).getSummaryNode(), node2)
   }
 
   pragma[nomagic]

rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll

@@ -6,7 +6,10 @@ private import rust
 private import codeql.dataflow.internal.FlowSummaryImpl
 private import codeql.dataflow.internal.AccessPathSyntax as AccessPath
 private import codeql.rust.dataflow.internal.DataFlowImpl
+private import codeql.rust.internal.PathResolution
 private import codeql.rust.dataflow.FlowSummary
+private import codeql.rust.dataflow.Ssa
+private import codeql.rust.controlflow.CfgNodes
 private import Content
 
 module Input implements InputSig<Location, RustDataFlow> {
@@ -133,16 +136,44 @@ private module StepsInput implements Impl::Private::StepsInputSig {
     result.asCallCfgNode().getCall().getStaticTarget() = sc
   }
 
-  RustDataFlow::Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponent sc) {
-    sc = Impl::Private::SummaryComponent::return(_) and
+  /** Gets the argument of `source` described by `sc`, if any. */
+  private Expr getSourceNodeArgument(Input::SourceBase source, Impl::Private::SummaryComponent sc) {
+    exists(ArgumentPosition pos |
+      sc = Impl::Private::SummaryComponent::argument(pos) and
+      result = pos.getArgument(source.getCall())
+    )
+  }
+
+  /** Get the callable that `expr` refers to. */
+  private Callable getCallable(Expr expr) {
+    result = resolvePath(expr.(PathExpr).getPath()).(Function)
+    or
+    result = expr.(ClosureExpr)
+    or
+    // The expression is an SSA read of an assignment of a closure
+    exists(Ssa::Definition def, ExprCfgNode value |
+      def.getARead().getAstNode() = expr and
+      def.getAnUltimateDefinition().(Ssa::WriteDefinition).assigns(value) and
+      result = value.getExpr().(ClosureExpr)
+    )
+  }
+
+  RustDataFlow::DataFlowCallable getSourceNodeEnclosingCallable(Input::SourceBase source) {
+    result.asCfgScope() = source.getEnclosingCfgScope()
+  }
+
+  RustDataFlow::Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponentStack s) {
+    s.head() = Impl::Private::SummaryComponent::return(_) and
     result.asExpr().getExpr() = source.getCall()
     or
-    exists(CallExprBase call, Expr arg, ArgumentPosition pos |
-      result.(RustDataFlow::PostUpdateNode).getPreUpdateNode().asExpr().getExpr() = arg and
-      sc = Impl::Private::SummaryComponent::argument(pos) and
-      call = source.getCall() and
-      arg = pos.getArgument(call)
+    exists(ArgumentPosition pos, Expr arg |
+      s.head() = Impl::Private::SummaryComponent::parameter(pos) and
+      arg = getSourceNodeArgument(source, s.tail().headOfSingleton()) and
+      result.asParameter() = getCallable(arg).getParam(pos.getPosition())
     )
+    or
+    result.(RustDataFlow::PostUpdateNode).getPreUpdateNode().asExpr().getExpr() =
+      getSourceNodeArgument(source, s.headOfSingleton())
   }
 
   RustDataFlow::Node getSinkNode(Input::SinkBase sink, Impl::Private::SummaryComponent sc) {