Merge pull request #20529 from geoffw0/convert

Rust: Correct from model to taint

Author: geoffw0

rust/ql/lib/codeql/rust/frameworks/stdlib/lang-core.model.yml

@@ -12,7 +12,7 @@ extensions:
       - ["<alloc::string::String as core::convert::Into>::into", "Argument[self].Element", "ReturnValue.Element", "taint", "manual"]
       - ["<alloc::string::String as core::convert::Into>::into", "Argument[self].Reference.Element", "ReturnValue.Element", "taint", "manual"]
       # From
-      - ["<_ as core::convert::From>::from", "Argument[0]", "ReturnValue", "value", "manual"]
+      - ["<_ as core::convert::From>::from", "Argument[0]", "ReturnValue", "taint", "manual"]
       # Iterator
       - ["<core::result::Result>::iter", "Argument[self].Element", "ReturnValue.Element", "value", "manual"]
       - ["<alloc::vec::Vec as value_trait::array::Array>::iter", "Argument[self].Element", "ReturnValue.Element", "value", "manual"]

rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll

@@ -69,11 +69,15 @@ module HardcodedCryptographicValue {
   /**
    * An array initialized from a list of literals, considered as a single flow source. For example:
    * ```
-   * `[0, 0, 0, 0]`
+   * [0, 0, 0, 0]
+   * [0; 10]
    * ```
    */
   private class ArrayListSource extends Source {
-    ArrayListSource() { this.asExpr().getExpr().(ArrayListExpr).getExpr(_) instanceof LiteralExpr }
+    ArrayListSource() {
+      this.asExpr().getExpr().(ArrayListExpr).getExpr(_) instanceof LiteralExpr or
+      this.asExpr().getExpr().(ArrayRepeatExpr).getRepeatOperand() instanceof LiteralExpr
+    }
   }
 
   /**

rust/ql/test/library-tests/dataflow/strings/inline-taint-flow.expected

@@ -1,5 +1,5 @@
 models
-| 1 | Summary: <_ as core::convert::From>::from; Argument[0]; ReturnValue; value |
+| 1 | Summary: <_ as core::convert::From>::from; Argument[0]; ReturnValue; taint |
 | 2 | Summary: <alloc::string::String as core::convert::From>::from; Argument[0].Reference; ReturnValue; value |
 | 3 | Summary: <alloc::string::String as core::ops::arith::Add>::add; Argument[self]; ReturnValue; value |
 | 4 | Summary: <alloc::string::String>::as_str; Argument[self]; ReturnValue; value |

rust/ql/test/library-tests/dataflow/strings/main.rs

@@ -50,7 +50,7 @@ fn string_add_reference() {
 fn string_from() {
     let s1 = source_slice(36);
     let s2 = String::from(s1);
-    sink(s2); // $ hasValueFlow=36
+    sink(s2); // $ hasTaintFlow=36
 }
 
 fn string_to_string() {

rust/ql/test/query-tests/security/CWE-022/TaintedPath.expected

@@ -123,7 +123,7 @@ models
 | 6 | Sink: std::fs::read_to_string; Argument[0]; path-injection |
 | 7 | Source: std::env::args; ReturnValue.Element; commandargs |
 | 8 | Summary: <_ as core::clone::Clone>::clone; Argument[self].Reference; ReturnValue; value |
-| 9 | Summary: <_ as core::convert::From>::from; Argument[0]; ReturnValue; value |
+| 9 | Summary: <_ as core::convert::From>::from; Argument[0]; ReturnValue; taint |
 | 10 | Summary: <_ as core::iter::traits::iterator::Iterator>::nth; Argument[self].Element; ReturnValue.Field[core::option::Option::Some(0)]; value |
 | 11 | Summary: <core::option::Option>::unwrap; Argument[self].Field[core::option::Option::Some(0)]; ReturnValue; value |
 | 12 | Summary: <core::result::Result>::unwrap; Argument[self].Field[core::result::Result::Ok(0)]; ReturnValue; value |