take2

hvitved · hvitved · commit 0e31eee7ad8a · 2025-08-23T19:21:45.000+02:00
diff --git a/rust/ql/lib/codeql/rust/internal/PathResolution.qll b/rust/ql/lib/codeql/rust/internal/PathResolution.qll
@@ -208,7 +208,6 @@ abstract class ItemNode extends Locatable {
     crateDefEdge(this, name, result, kind)
     or
     crateDependencyEdge(this, name, result) and
-    not declaresDirectly(this, TTypeNamespace(), name) and
     kind.isInternal()
     or
     externCrateEdge(this, name, result) and
@@ -1233,17 +1232,23 @@ private class BuiltinSourceFile extends SourceFileItemNode {
   BuiltinSourceFile() { this.getFile().getParentContainer() instanceof Builtins::BuiltinsFolder }
 }
 
+pragma[nomagic]
+private predicate crateDependency(SourceFileItemNode file, string name, CrateItemNode dep) {
+  exists(CrateItemNode c | dep = c.(Crate).getDependency(name) | file = c.getASourceFile())
+}
+
 /**
  * Holds if `file` depends on crate `dep` named `name`.
  */
 pragma[nomagic]
 private predicate crateDependencyEdge(SourceFileItemNode file, string name, CrateItemNode dep) {
-  exists(CrateItemNode c | dep = c.(Crate).getDependency(name) | file = c.getASourceFile())
+  crateDependency(file, name, dep)
   or
-  // All files _should_ belong to a crate, but for those where we cannot identify the crate,
-  // we give access to all crates as a fallback.
-  not file = any(Crate c).getASourceFile() and
-  name = dep.getName()
+  // As a fallback, give all files access to crates that do not conflict with known dependencies
+  // and declarations.
+  name = dep.getName() and
+  not declaresDirectly(file, TTypeNamespace(), name) and
+  not crateDependency(file, name, _)
 }
 
 private predicate useTreeDeclares(UseTree tree, string name) {
diff --git a/rust/ql/test/library-tests/dataflow/sources/CONSISTENCY/PathResolutionConsistency.expected b/rust/ql/test/library-tests/dataflow/sources/CONSISTENCY/PathResolutionConsistency.expected
@@ -1,18 +1,54 @@
 multipleCallTargets
 | test.rs:98:14:98:43 | ...::_print(...) |
 | test.rs:110:14:110:33 | ...::_print(...) |
+| test.rs:113:23:113:46 | ...::builder(...) |
+| test.rs:113:23:113:55 | ... .uri(...) |
+| test.rs:113:23:113:78 | ... .body(...) |
 | test.rs:113:62:113:77 | ...::from(...) |
+| test.rs:120:19:120:42 | ...::builder(...) |
+| test.rs:120:19:120:51 | ... .uri(...) |
+| test.rs:120:19:120:74 | ... .body(...) |
 | test.rs:120:58:120:73 | ...::from(...) |
+| test.rs:124:9:124:25 | response.status() |
+| test.rs:124:9:124:38 | ... .is_success() |
+| test.rs:130:18:130:32 | response.body() |
+| test.rs:131:18:131:36 | response.body_mut() |
+| test.rs:133:24:133:43 | response.into_body() |
 | test.rs:136:22:136:43 | ...::_print(...) |
 | test.rs:141:22:141:43 | ...::_print(...) |
 | test.rs:145:22:145:44 | ...::_print(...) |
+| test.rs:158:27:158:44 | response.headers() |
+| test.rs:160:16:160:63 | headers.contains_key(...) |
 | test.rs:161:26:161:110 | ...::_print(...) |
+| test.rs:161:47:161:64 | response.headers() |
+| test.rs:163:22:163:65 | ... .to_str() |
+| test.rs:164:22:164:67 | ... .as_bytes() |
+| test.rs:165:22:165:60 | headers.get(...) |
+| test.rs:168:16:168:51 | headers.contains_key(...) |
 | test.rs:169:26:169:111 | ...::_print(...) |
+| test.rs:169:47:169:64 | response.headers() |
+| test.rs:169:47:169:84 | ... .get(...) |
+| test.rs:169:47:169:102 | ... .to_str() |
+| test.rs:170:22:170:48 | headers.get(...) |
+| test.rs:171:22:171:48 | headers.get(...) |
+| test.rs:171:22:171:66 | ... .to_str() |
+| test.rs:172:22:172:48 | headers.get(...) |
+| test.rs:172:22:172:68 | ... .as_bytes() |
+| test.rs:176:16:176:57 | headers.contains_key(...) |
+| test.rs:177:22:177:39 | response.headers() |
+| test.rs:177:22:177:65 | ... .get(...) |
+| test.rs:178:31:178:67 | headers.get_all(...) |
 | test.rs:179:30:179:68 | ...::_print(...) |
+| test.rs:179:45:179:59 | cookie.to_str() |
+| test.rs:181:26:181:40 | cookie.to_str() |
+| test.rs:185:33:185:53 | response.into_parts() |
+| test.rs:187:16:187:69 | ... .contains_key(...) |
 | test.rs:188:26:188:105 | ...::_print(...) |
+| test.rs:188:47:188:96 | ... .to_str() |
+| test.rs:190:22:190:71 | ... .to_str() |
+| test.rs:191:22:191:73 | ... .as_bytes() |
+| test.rs:192:22:192:66 | ... .get(...) |
 | test.rs:229:22:229:72 | ... .read_to_string(...) |
-| test.rs:483:22:483:50 | file.read_to_end(...) |
-| test.rs:489:22:489:53 | file.read_to_string(...) |
 | test.rs:610:18:610:38 | ...::_print(...) |
 | test.rs:615:18:615:45 | ...::_print(...) |
 | test.rs:619:25:619:49 | address.to_socket_addrs() |
@@ -87,3 +123,57 @@ multipleCallTargets
 | web_frameworks.rs:102:14:102:25 | a.as_bytes() |
 | web_frameworks.rs:158:14:158:23 | a.as_str() |
 | web_frameworks.rs:159:14:159:25 | a.as_bytes() |
+| web_frameworks.rs:188:14:188:27 | request.body() |
+| web_frameworks.rs:189:9:189:25 | request.headers() |
+| web_frameworks.rs:189:9:189:39 | ... .get(...) |
+| web_frameworks.rs:190:14:190:32 | request.into_body() |
+multiplePathResolutions
+| test.rs:113:23:113:26 | http |
+| test.rs:113:23:113:35 | ...::Request |
+| test.rs:120:19:120:22 | http |
+| test.rs:120:19:120:31 | ...::Request |
+| test.rs:160:37:160:40 | http |
+| test.rs:160:37:160:48 | ...::header |
+| test.rs:160:37:160:62 | ...::CONTENT_TYPE |
+| test.rs:161:66:161:69 | http |
+| test.rs:161:66:161:77 | ...::header |
+| test.rs:161:66:161:91 | ...::CONTENT_TYPE |
+| test.rs:162:31:162:34 | http |
+| test.rs:162:31:162:42 | ...::header |
+| test.rs:162:31:162:56 | ...::CONTENT_TYPE |
+| test.rs:163:30:163:33 | http |
+| test.rs:163:30:163:41 | ...::header |
+| test.rs:163:30:163:55 | ...::CONTENT_TYPE |
+| test.rs:164:30:164:33 | http |
+| test.rs:164:30:164:41 | ...::header |
+| test.rs:164:30:164:55 | ...::CONTENT_TYPE |
+| test.rs:165:34:165:37 | http |
+| test.rs:165:34:165:45 | ...::header |
+| test.rs:165:34:165:59 | ...::CONTENT_TYPE |
+| test.rs:176:37:176:40 | http |
+| test.rs:176:37:176:48 | ...::header |
+| test.rs:176:37:176:56 | ...::COOKIE |
+| test.rs:177:45:177:48 | http |
+| test.rs:177:45:177:56 | ...::header |
+| test.rs:177:45:177:64 | ...::COOKIE |
+| test.rs:178:47:178:50 | http |
+| test.rs:178:47:178:58 | ...::header |
+| test.rs:178:47:178:66 | ...::COOKIE |
+| test.rs:187:43:187:46 | http |
+| test.rs:187:43:187:54 | ...::header |
+| test.rs:187:43:187:68 | ...::CONTENT_TYPE |
+| test.rs:188:61:188:64 | http |
+| test.rs:188:61:188:72 | ...::header |
+| test.rs:188:61:188:86 | ...::CONTENT_TYPE |
+| test.rs:189:37:189:40 | http |
+| test.rs:189:37:189:48 | ...::header |
+| test.rs:189:37:189:62 | ...::CONTENT_TYPE |
+| test.rs:190:36:190:39 | http |
+| test.rs:190:36:190:47 | ...::header |
+| test.rs:190:36:190:61 | ...::CONTENT_TYPE |
+| test.rs:191:36:191:39 | http |
+| test.rs:191:36:191:47 | ...::header |
+| test.rs:191:36:191:61 | ...::CONTENT_TYPE |
+| test.rs:192:40:192:43 | http |
+| test.rs:192:40:192:51 | ...::header |
+| test.rs:192:40:192:65 | ...::CONTENT_TYPE |
diff --git a/rust/ql/test/library-tests/dataflow/sources/CONSISTENCY/TypeInferenceConsistency.expected b/rust/ql/test/library-tests/dataflow/sources/CONSISTENCY/TypeInferenceConsistency.expected
@@ -1,4 +1,11 @@
 nonUniqueCertainType
+| file:///home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/http-body-1.0.1/src/lib.rs:140:9:140:28 | SelfParam | Ptr.&T |
+| file:///home/runner/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/http-body-1.0.1/src/lib.rs:165:9:165:28 | SelfParam | Ptr.&T |
 | web_frameworks.rs:139:30:139:39 | ...::get(...) |  |
 | web_frameworks.rs:140:34:140:43 | ...::get(...) |  |
 | web_frameworks.rs:141:30:141:39 | ...::get(...) |  |
+| web_frameworks.rs:186:9:186:15 | request |  |
+| web_frameworks.rs:186:9:186:15 | request |  |
+| web_frameworks.rs:188:14:188:20 | request |  |
+| web_frameworks.rs:189:9:189:15 | request |  |
+| web_frameworks.rs:190:14:190:20 | request |  |
diff --git a/rust/ql/test/query-tests/security/CWE-770/CONSISTENCY/PathResolutionConsistency.expected b/rust/ql/test/query-tests/security/CWE-770/CONSISTENCY/PathResolutionConsistency.expected
@@ -1,3 +1,18 @@
 multipleCallTargets
+| main.rs:218:14:218:30 | ...::malloc(...) |
+| main.rs:219:13:219:27 | ...::malloc(...) |
+| main.rs:220:13:220:37 | ...::aligned_alloc(...) |
+| main.rs:221:13:221:37 | ...::aligned_alloc(...) |
+| main.rs:222:13:222:31 | ...::calloc(...) |
+| main.rs:223:13:223:55 | ...::calloc(...) |
+| main.rs:224:13:224:32 | ...::realloc(...) |
 | main.rs:229:13:229:40 | ...::with_capacity(...) |
 | main.rs:233:18:233:47 | ...::with_capacity(...) |
+multiplePathResolutions
+| main.rs:218:14:218:17 | libc |
+| main.rs:219:13:219:16 | libc |
+| main.rs:220:13:220:16 | libc |
+| main.rs:221:13:221:16 | libc |
+| main.rs:222:13:222:16 | libc |
+| main.rs:223:13:223:16 | libc |
+| main.rs:224:13:224:16 | libc |
diff --git a/rust/ql/test/query-tests/security/CWE-825/CONSISTENCY/PathResolutionConsistency.expected b/rust/ql/test/query-tests/security/CWE-825/CONSISTENCY/PathResolutionConsistency.expected
@@ -1,4 +1,6 @@
 multipleCallTargets
+| deallocation.rs:106:16:106:32 | ...::malloc(...) |
+| deallocation.rs:112:3:112:41 | ...::free(...) |
 | deallocation.rs:260:11:260:29 | ...::from(...) |
 | deallocation.rs:261:11:261:29 | ...::from(...) |
 | lifetime.rs:610:13:610:31 | ...::from(...) |
@@ -7,3 +9,7 @@ multipleCallTargets
 | lifetime.rs:612:41:612:52 | bar.as_str() |
 | lifetime.rs:628:13:628:31 | ...::from(...) |
 | lifetime.rs:629:32:629:43 | baz.as_str() |
+multiplePathResolutions
+| deallocation.rs:106:16:106:19 | libc |
+| deallocation.rs:112:3:112:6 | libc |
+| deallocation.rs:112:29:112:32 | libc |
