Rust: Add barrier for split_off #21153
Conversation
geoffw0
added
no-change-note-required
There was a problem hiding this comment.
Pull request overview
This PR adds a barrier to the rust/uncontrolled-allocation-size query to prevent false positives for Vec::split_off and String::split_off methods. These methods are recognized as allocation sinks by the query's generated models, but in practice any allocation they perform is bounded by the size of the original collection, making them safe from uncontrolled allocation vulnerabilities.
Changes:
- Added a
ModelledBarrierclass that blocks data flow to the index argument ofsplit_offmethods onVecandString - Added test case demonstrating that
Vec::split_offis correctly identified as safe - Updated expected test results to reflect line number changes from the new test case
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| rust/ql/lib/codeql/rust/security/UncontrolledAllocationSizeExtensions.qll | Implements a new barrier for split_off methods on Vec and String types |
| rust/ql/test/query-tests/security/CWE-770/main.rs | Adds test case for Vec::split_off with uncontrolled size parameter |
| rust/ql/test/query-tests/security/CWE-770/UncontrolledAllocationSize.expected | Updates expected results with adjusted line numbers from new test code |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
rust/ql/lib/codeql/rust/security/UncontrolledAllocationSizeExtensions.qll
Fixed
Show fixed
Hide fixed
paldepind
left a comment
paldepind
left a comment
There was a problem hiding this comment.
LGTM! Copilot has a comment about spelling that I think is right.
paldepind
left a comment
paldepind
left a comment
There was a problem hiding this comment.
Thanks for fixing this!
2 participants
Add a barrier for
<alloc::vec::Vec>::split_offinrust/uncontrolled-allocation-size. This method is recognised as a (generated) sink, however in practice the size of any allocation made bysplit_offis bounded by the size of the original vector - so it's never an "uncontrolled" allocation.Update: I've created an issue for adding support for Rust barriers being defined in models-as-data, and convert this barrier to MaD. This isn't particularly high priority right now but if we end up with a lot of barriers the importance could increase.