WIP

Author: paldepind

rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll

@@ -49,13 +49,17 @@ module RustTaintTracking implements InputSig<Location, RustDataFlow> {
       // operation is a small primitive type as these are often uninteresting
       // (for instance in the case of an injection query).
       RustDataFlow::readContentStep(pred, _, succ) and
+      exists(TypeInference::inferType(succ.asExpr())) and
       not exists(Struct s |
         s = TypeInference::inferType(succ.asExpr()).(Type::StructType).getStruct()
       |
         s instanceof Builtins::NumericType or
         s instanceof Builtins::Bool or
         s instanceof Builtins::Char
-      )
+      ) and
+      not TypeInference::inferType(succ.asExpr()).(Type::EnumType).getEnum().isFieldless() and
+      not succ.asExpr().(FieldExpr).getIdentifier().getText() = "start" and
+      not succ.asExpr().(FieldExpr).getIdentifier().getText() = "end"
       or
       // Let all read steps (including those from flow summaries and those that
       // result in small primitive types) give rise to taint steps.

rust/ql/lib/codeql/rust/elements/internal/EnumImpl.qll

@@ -31,5 +31,14 @@ module Impl {
       result = this.getVariantList().getAVariant() and
       result.getName().getText() = name
     }
+
+    /*
+     * Holds if this is a field-less enum, that is, an enum where no constructors
+     * contain fields.
+     */
+
+    predicate isFieldless() {
+      forall(Variant v | v = this.getVariantList().getAVariant() | not v.hasFieldList())
+    }
   }
 }

rust/ql/lib/codeql/rust/internal/Type.qll

@@ -140,6 +140,8 @@ class EnumType extends Type, TEnum {
 
   EnumType() { this = TEnum(enum) }
 
+  Enum getEnum() { result = enum }
+
   override TypeParameter getPositionalTypeParameter(int i) {
     result = TTypeParamTypeParameter(enum.getGenericParamList().getTypeParam(i))
   }