Rust: Lift content reads as taint steps

Author: paldepind

rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll

@@ -7,6 +7,9 @@ private import Node as Node
 private import Content
 private import FlowSummaryImpl as FlowSummaryImpl
 private import codeql.rust.internal.CachedStages
+private import codeql.rust.internal.TypeInference as TypeInference
+private import codeql.rust.internal.Type as Type
+private import codeql.rust.frameworks.stdlib.Builtins as Builtins
 
 module RustTaintTracking implements InputSig<Location, RustDataFlow> {
   predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
@@ -51,6 +54,20 @@ module RustTaintTracking implements InputSig<Location, RustDataFlow> {
         cs.getContent() instanceof ReferenceContent
       )
       or
+      // Lift read steps as taint steps. This has the effect that if `foo` is
+      // tainted and an operation reads from `foo`, for instance `foo.bar`, then
+      // the operation will carry taint as well.  We limit this to not lift
+      // reads if the type being read is not a small primitive type. These are
+      // often uninteresting, for instance in the case of injection queries.
+      RustDataFlow::readContentStep(pred, _, succ) and
+      not exists(Struct s |
+        s = TypeInference::inferType(succ.asExpr()).(Type::StructType).getStruct()
+      |
+        s instanceof Builtins::NumericType or
+        s instanceof Builtins::Bool or
+        s instanceof Builtins::Char
+      )
+      or
       exists(FormatArgsExpr format | succ.asExpr() = format |
         pred.asExpr() = format.getAnArg().getExpr()
         or