Merge branch 'main' into henrymercer/yaml-regression-test

henrymercer · web-flow · commit 389630a95d62 · 2026-03-26T10:40:17.000Z
diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/IDotNetCliInvoker.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/IDotNetCliInvoker.cs
@@ -12,16 +12,18 @@ internal interface IDotNetCliInvoker
 
         /// <summary>
         /// A minimal environment for running the .NET CLI.
-        /// 
+        ///
         /// DOTNET_CLI_UI_LANGUAGE: The .NET CLI language is set to English to avoid localized output.
         /// MSBUILDDISABLENODEREUSE: To ensure clean environment for each build.
         /// DOTNET_SKIP_FIRST_TIME_EXPERIENCE: To skip first time experience messages.
+        /// DOTNET_CLI_TELEMETRY_OPTOUT: To skip any dotnet telemetry: it's unnecessary and can even cause issues.
         /// </summary>
         static ReadOnlyDictionary<string, string> MinimalEnvironment { get; } = new(new Dictionary<string, string>
         {
             {"DOTNET_CLI_UI_LANGUAGE", "en"},
             {"MSBUILDDISABLENODEREUSE", "1"},
-            {"DOTNET_SKIP_FIRST_TIME_EXPERIENCE", "true"}
+            {"DOTNET_SKIP_FIRST_TIME_EXPERIENCE", "true"},
+            {"DOTNET_CLI_TELEMETRY_OPTOUT", "1"}
         });
 
         /// <summary>
diff --git a/rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll b/rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll
@@ -5,6 +5,7 @@
 
 import rust
 private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowBarrier
 private import codeql.rust.dataflow.FlowSource
 private import codeql.rust.dataflow.FlowSink
 private import codeql.rust.Concepts
@@ -69,6 +70,13 @@ module AccessInvalidPointer {
     ModelsAsDataSink() { sinkNode(this, "pointer-access") }
   }
 
+  /**
+   * A barrier for invalid pointer access from model data.
+   */
+  private class ModelsAsDataBarrier extends Barrier {
+    ModelsAsDataBarrier() { barrierNode(this, "pointer-access") }
+  }
+
   /**
    * A barrier for invalid pointer access vulnerabilities for values checked to
    * be non-`null`.
diff --git a/rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll b/rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll
@@ -5,6 +5,7 @@
 
 import rust
 private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowBarrier
 private import codeql.rust.dataflow.FlowSink
 private import codeql.rust.security.SensitiveData
 private import codeql.rust.Concepts
@@ -44,6 +45,13 @@ module CleartextLogging {
     ModelsAsDataSink() { sinkNode(this, "log-injection") }
   }
 
+  /**
+   * A barrier for logging from model data.
+   */
+  private class ModelsAsDataBarrier extends Barrier {
+    ModelsAsDataBarrier() { barrierNode(this, "log-injection") }
+  }
+
   private class BooleanTypeBarrier extends Barrier instanceof Barriers::BooleanTypeBarrier { }
 
   private class FieldlessEnumTypeBarrier extends Barrier instanceof Barriers::FieldlessEnumTypeBarrier
diff --git a/rust/ql/lib/codeql/rust/security/CleartextStorageDatabaseExtensions.qll b/rust/ql/lib/codeql/rust/security/CleartextStorageDatabaseExtensions.qll
@@ -45,4 +45,11 @@ module CleartextStorageDatabase {
   private class ModelsAsDataSink extends Sink {
     ModelsAsDataSink() { sinkNode(this, ["sql-injection", "database-store"]) }
   }
+
+  /**
+   * A barrier for cleartext storage vulnerabilities from model data.
+   */
+  private class ModelsAsDataBarrier extends Barrier {
+    ModelsAsDataBarrier() { barrierNode(this, ["sql-injection", "database-store"]) }
+  }
 }
diff --git a/rust/ql/lib/codeql/rust/security/CleartextTransmissionExtensions.qll b/rust/ql/lib/codeql/rust/security/CleartextTransmissionExtensions.qll
@@ -6,6 +6,7 @@
 private import codeql.util.Unit
 private import rust
 private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowBarrier
 private import codeql.rust.dataflow.FlowSink
 private import codeql.rust.security.SensitiveData
 private import codeql.rust.Concepts
@@ -55,4 +56,11 @@ module CleartextTransmission {
   private class ModelsAsDataSink extends Sink {
     ModelsAsDataSink() { sinkNode(this, ["transmission", "request-url"]) }
   }
+
+  /**
+   * A barrier defined through MaD.
+   */
+  private class ModelsAsDataBarrier extends Barrier {
+    ModelsAsDataBarrier() { barrierNode(this, ["transmission", "request-url"]) }
+  }
 }
diff --git a/rust/ql/lib/codeql/rust/security/DisabledCertificateCheckExtensions.qll b/rust/ql/lib/codeql/rust/security/DisabledCertificateCheckExtensions.qll
@@ -5,6 +5,7 @@
 
 import rust
 private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowBarrier
 private import codeql.rust.dataflow.FlowSink
 private import codeql.rust.Concepts
 private import codeql.rust.dataflow.internal.Node as Node
@@ -21,6 +22,11 @@ module DisabledCertificateCheckExtensions {
     override string getSinkType() { result = "DisabledCertificateCheck" }
   }
 
+  /**
+   * A data flow barrier for disabled certificate check vulnerabilities.
+   */
+  abstract class Barrier extends DataFlow::Node { }
+
   /**
    * A sink for disabled certificate check vulnerabilities from model data.
    */
@@ -42,4 +48,11 @@ module DisabledCertificateCheckExtensions {
       )
     }
   }
+
+  /**
+   * A barrier for disabled certificate check vulnerabilities from model data.
+   */
+  private class ModelsAsDataBarrier extends Barrier {
+    ModelsAsDataBarrier() { barrierNode(this, "disable-certificate") }
+  }
 }
diff --git a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll
@@ -5,6 +5,7 @@
 
 import rust
 private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowBarrier
 private import codeql.rust.dataflow.FlowSource
 private import codeql.rust.dataflow.FlowSink
 private import codeql.rust.Concepts
@@ -130,6 +131,19 @@ module HardcodedCryptographicValue {
     override CryptographicValueKind getKind() { result = kind }
   }
 
+  /**
+   * An externally modeled barrier for hard-coded cryptographic value vulnerabilities.
+   *
+   * Note that a barrier will block flow to all hard-coded cryptographic value
+   * sinks, regardless of the `kind` that is specified. For example a barrier of
+   * kind `credentials-key` will block flow to a sink of kind `credentials-iv`.
+   */
+  private class ModelsAsDataBarrier extends Barrier {
+    ModelsAsDataBarrier() {
+      exists(CryptographicValueKind kind | barrierNode(this, "credentials-" + kind))
+    }
+  }
+
   /**
    * A call to `getrandom` that is a barrier.
    */
diff --git a/rust/ql/lib/codeql/rust/security/InsecureCookieExtensions.qll b/rust/ql/lib/codeql/rust/security/InsecureCookieExtensions.qll
@@ -5,6 +5,7 @@
 
 import rust
 private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowBarrier
 private import codeql.rust.dataflow.FlowSource
 private import codeql.rust.dataflow.FlowSink
 private import codeql.rust.Concepts
@@ -48,6 +49,13 @@ module InsecureCookie {
     ModelsAsDataSink() { sinkNode(this, "cookie-use") }
   }
 
+  /**
+   * A barrier for insecure cookie vulnerabilities from model data.
+   */
+  private class ModelsAsDataBarrier extends Barrier {
+    ModelsAsDataBarrier() { barrierNode(this, "cookie-use") }
+  }
+
   /**
    * Holds if a models-as-data optional barrier for cookies is specified for `summaryNode`,
    * with arguments `attrib` (`secure` or `partitioned`) and `arg` (argument index). For example,
diff --git a/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll b/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll
@@ -5,6 +5,7 @@
 
 import rust
 private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowBarrier
 private import codeql.rust.dataflow.FlowSink
 private import codeql.rust.Concepts
 private import codeql.util.Unit
@@ -44,6 +45,13 @@ module LogInjection {
     ModelsAsDataSink() { sinkNode(this, "log-injection") }
   }
 
+  /**
+   * A barrier for log-injection from model data.
+   */
+  private class ModelsAsDataBarrier extends Barrier {
+    ModelsAsDataBarrier() { barrierNode(this, "log-injection") }
+  }
+
   /**
    * A barrier for log injection vulnerabilities for nodes whose type is a
    * numeric type, which is unlikely to expose any vulnerability.
diff --git a/rust/ql/lib/codeql/rust/security/RequestForgeryExtensions.qll b/rust/ql/lib/codeql/rust/security/RequestForgeryExtensions.qll
@@ -5,6 +5,7 @@
 
 import rust
 private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowBarrier
 private import codeql.rust.dataflow.FlowSink
 private import codeql.rust.dataflow.FlowSource
 private import codeql.rust.Concepts
@@ -46,4 +47,11 @@ module RequestForgery {
   private class ModelsAsDataSink extends Sink {
     ModelsAsDataSink() { sinkNode(this, "request-url") }
   }
+
+  /**
+   * A barrier for request forgery from model data.
+   */
+  private class ModelsAsDataBarrier extends Barrier {
+    ModelsAsDataBarrier() { barrierNode(this, "request-url") }
+  }
 }
diff --git a/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll b/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll
@@ -6,6 +6,7 @@
 
 import rust
 private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowBarrier
 private import codeql.rust.dataflow.FlowSink
 private import codeql.rust.Concepts
 private import codeql.util.Unit
@@ -53,12 +54,19 @@ module SqlInjection {
   }
 
   /**
-   * A sink for sql-injection from model data.
+   * A sink for SQL injection from model data.
    */
   private class ModelsAsDataSink extends Sink {
     ModelsAsDataSink() { sinkNode(this, "sql-injection") }
   }
 
+  /**
+   * A barrier for SQL injection from model data.
+   */
+  private class ModelsAsDataBarrier extends Barrier {
+    ModelsAsDataBarrier() { barrierNode(this, "sql-injection") }
+  }
+
   /**
    * A barrier for SQL injection vulnerabilities for nodes whose type is a numeric
    * type, which is unlikely to expose any vulnerability.
diff --git a/rust/ql/lib/codeql/rust/security/TaintedPathExtensions.qll b/rust/ql/lib/codeql/rust/security/TaintedPathExtensions.qll
@@ -47,6 +47,11 @@ module TaintedPath {
   private class ModelsAsDataSinks extends Sink {
     ModelsAsDataSinks() { sinkNode(this, "path-injection") }
   }
+
+  /** A barrier for path-injection from model data. */
+  private class ModelsAsDataBarriers extends Barrier {
+    ModelsAsDataBarriers() { barrierNode(this, "path-injection") }
+  }
 }
 
 private predicate sanitizerGuard(AstNode g, Expr e, boolean branch) {
diff --git a/rust/ql/lib/codeql/rust/security/UncontrolledAllocationSizeExtensions.qll b/rust/ql/lib/codeql/rust/security/UncontrolledAllocationSizeExtensions.qll
@@ -6,6 +6,7 @@
 import rust
 private import codeql.rust.Concepts
 private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowBarrier
 private import codeql.rust.dataflow.FlowSink
 
 /**
@@ -32,6 +33,13 @@ module UncontrolledAllocationSize {
     ModelsAsDataSink() { sinkNode(this, ["alloc-size", "alloc-layout"]) }
   }
 
+  /**
+   * A barrier for uncontrolled allocation size from model data.
+   */
+  private class ModelsAsDataBarrier extends Barrier {
+    ModelsAsDataBarrier() { barrierNode(this, ["alloc-size", "alloc-layout"]) }
+  }
+
   /**
    * A barrier for uncontrolled allocation size that is an upper bound check / guard.
    */
diff --git a/rust/ql/lib/codeql/rust/security/UseOfHttpExtensions.qll b/rust/ql/lib/codeql/rust/security/UseOfHttpExtensions.qll
@@ -5,6 +5,7 @@
 
 import rust
 private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowBarrier
 private import codeql.rust.dataflow.FlowSink
 private import codeql.rust.Concepts
 
@@ -59,4 +60,11 @@ module UseOfHttp {
   private class ModelsAsDataSink extends Sink {
     ModelsAsDataSink() { sinkNode(this, "request-url") }
   }
+
+  /**
+   * A barrier for use of HTTP URLs from model data.
+   */
+  private class ModelsAsDataBarrier extends Barrier {
+    ModelsAsDataBarrier() { barrierNode(this, "request-url") }
+  }
 }
diff --git a/rust/ql/lib/codeql/rust/security/XssExtensions.qll b/rust/ql/lib/codeql/rust/security/XssExtensions.qll
@@ -5,6 +5,7 @@
 
 import rust
 private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowBarrier
 private import codeql.rust.dataflow.FlowSink
 private import codeql.rust.Concepts
 private import codeql.util.Unit
@@ -44,6 +45,13 @@ module Xss {
     ModelsAsDataSink() { sinkNode(this, "html-injection") }
   }
 
+  /**
+   * A barrier for XSS from model data.
+   */
+  private class ModelsAsDataBarrier extends Barrier {
+    ModelsAsDataBarrier() { barrierNode(this, "html-injection") }
+  }
+
   /**
    * A barrier for XSS vulnerabilities for nodes whose type is a
    * numeric or boolean type, which is unlikely to expose any vulnerability.
diff --git a/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll b/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll
@@ -6,6 +6,7 @@
 private import codeql.util.Unit
 private import rust
 private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowBarrier
 private import codeql.rust.dataflow.FlowSink
 private import codeql.rust.Concepts
 private import codeql.rust.security.Barriers as Barriers
@@ -69,6 +70,13 @@ module RegexInjection {
     ModelsAsDataSink() { sinkNode(this, "regex-use") }
   }
 
+  /**
+   * A barrier for regular expression injection from model data.
+   */
+  private class ModelsAsDataBarrier extends Barrier {
+    ModelsAsDataBarrier() { barrierNode(this, "regex-use") }
+  }
+
   /**
    * An escape barrier for regular expression injection vulnerabilities.
    */
diff --git a/rust/ql/src/queries/security/CWE-295/DisabledCertificateCheck.ql b/rust/ql/src/queries/security/CWE-295/DisabledCertificateCheck.ql
@@ -33,6 +33,8 @@ module DisabledCertificateCheckConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node node) { node instanceof Sink }
 
+  predicate isBarrier(DataFlow::Node node) { node instanceof Barrier }
+
   predicate observeDiffInformedIncrementalMode() { any() }
 }
 
diff --git a/rust/ql/src/utils/modelgenerator/internal/CaptureModels.qll b/rust/ql/src/utils/modelgenerator/internal/CaptureModels.qll
@@ -138,7 +138,10 @@ private module SummaryModelGeneratorInput implements SummaryModelGeneratorInputS
 
   Parameter asParameter(NodeExtended node) { result = node.asParameter() }
 
-  predicate isAdditionalContentFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { none() }
+  predicate isAdditionalContentFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    RustTaintTracking::defaultAdditionalTaintStep(nodeFrom, nodeTo, _) and
+    not RustDataFlow::readStep(nodeFrom, _, nodeTo)
+  }
 
   predicate isField(DataFlow::ContentSet c) {
     c.(SingletonContentSet).getContent() instanceof FieldContent

Original file line number	Diff line number	Diff line change
`@@ -45,4 +45,11 @@ module CleartextStorageDatabase {`
`45`	`45`	`private class ModelsAsDataSink extends Sink {`
`46`	`46`	`ModelsAsDataSink() { sinkNode(this, ["sql-injection", "database-store"]) }`
`47`	`47`	`}`
	`48`	`+`
	`49`	`+ /**`
	`50`	`+ * A barrier for cleartext storage vulnerabilities from model data.`
	`51`	`+ */`
	`52`	`+ private class ModelsAsDataBarrier extends Barrier {`
	`53`	`+ ModelsAsDataBarrier() { barrierNode(this, ["sql-injection", "database-store"]) }`
	`54`	`+ }`
`48`	`55`	`}`
Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@`
`5`	`5`
`6`	`6`	`import rust`
`7`	`7`	`private import codeql.rust.dataflow.DataFlow`
	`8`	`+private import codeql.rust.dataflow.FlowBarrier`
`8`	`9`	`private import codeql.rust.dataflow.FlowSink`
`9`	`10`	`private import codeql.rust.Concepts`
`10`	`11`	`private import codeql.rust.dataflow.internal.Node as Node`
`@@ -21,6 +22,11 @@ module DisabledCertificateCheckExtensions {`
`21`	`22`	`override string getSinkType() { result = "DisabledCertificateCheck" }`
`22`	`23`	`}`
`23`	`24`
	`25`	`+ /**`
	`26`	`+ * A data flow barrier for disabled certificate check vulnerabilities.`
	`27`	`+ */`
	`28`	`+ abstract class Barrier extends DataFlow::Node { }`
	`29`	`+`
`24`	`30`	`/**`
`25`	`31`	`* A sink for disabled certificate check vulnerabilities from model data.`
`26`	`32`	`*/`
`@@ -42,4 +48,11 @@ module DisabledCertificateCheckExtensions {`
`42`	`48`	`)`
`43`	`49`	`}`
`44`	`50`	`}`
	`51`	`+`
	`52`	`+ /**`
	`53`	`+ * A barrier for disabled certificate check vulnerabilities from model data.`
	`54`	`+ */`
	`55`	`+ private class ModelsAsDataBarrier extends Barrier {`
	`56`	`+ ModelsAsDataBarrier() { barrierNode(this, "disable-certificate") }`
	`57`	`+ }`
`45`	`58`	`}`