Rust: Implement neutral models for Rust.

Author: geoffw0

rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll

@@ -89,6 +89,15 @@ extensible predicate summaryModel(
   QlBuiltins::ExtensionId madId
 );
 
+/**
+ * Holds if a neutral model of kind `kind` exists for the function with canonical path `path`.  The
+ * only effect of a neutral model is to prevent generated and inherited models of the corresponding
+ * `kind` (`source`, `sink` or `summary`) from being applied.
+ */
+extensible predicate neutralModel(
+  string path, string kind, string provenance, QlBuiltins::ExtensionId madId
+);
+
 /**
  * Holds if the given extension tuple `madId` should pretty-print as `model`.
  *
@@ -109,6 +118,11 @@ predicate interpretModelForTest(QlBuiltins::ExtensionId madId, string model) {
     summaryModel(path, input, output, kind, _, madId) and
     model = "Summary: " + path + "; " + input + "; " + output + "; " + kind
   )
+  or
+  exists(string path, string kind |
+    neutralModel(path, kind, _, madId) and
+    model = "Neutral: " + path + "; " + kind
+  )
 }
 
 private predicate summaryModel(
@@ -133,16 +147,19 @@ private predicate summaryModelRelevant(
 ) {
   summaryModel(f, input, output, kind, provenance, isInherited, madId) and
   // Only apply generated or inherited models to functions in library code and
-  // when no strictly better model exists
-  if provenance.isGenerated() or isInherited = true
-  then
-    not f.fromSource() and
-    not exists(Provenance other | summaryModel(f, _, _, _, other, false, _) |
-      provenance.isGenerated() and other.isManual()
-      or
-      provenance = other and isInherited = true
-    )
-  else any()
+  // when no strictly better model (or neutral model) exists
+  (
+    if provenance.isGenerated() or isInherited = true
+    then
+      not f.fromSource() and
+      not exists(Provenance other | summaryModel(f, _, _, _, other, false, _) |
+        provenance.isGenerated() and other.isManual()
+        or
+        provenance = other and isInherited = true
+      ) and
+      not neutralModel(f.getCanonicalPath(), "summary", _, _)
+    else any()
+  )
 }
 
 private class SummarizedCallableFromModel extends SummarizedCallable::Range {
@@ -180,6 +197,11 @@ private class FlowSourceFromModel extends FlowSource::Range {
     exists(QlBuiltins::ExtensionId madId |
       sourceModel(path, output, kind, provenance, madId) and
       model = "MaD:" + madId.toString()
+    ) and
+    // Only apply generated models when no neutral model exists
+    not (
+      provenance.isGenerated() and
+      neutralModel(path, "source", _, _)
     )
   }
 }
@@ -196,6 +218,11 @@ private class FlowSinkFromModel extends FlowSink::Range {
     exists(QlBuiltins::ExtensionId madId |
       sinkModel(path, input, kind, provenance, madId) and
       model = "MaD:" + madId.toString()
+    ) and
+    // Only apply generated models when no neutral model exists
+    not (
+      provenance.isGenerated() and
+      neutralModel(path, "sink", _, _)
     )
   }
 }

rust/ql/test/library-tests/dataflow/models/main.rs

@@ -434,10 +434,10 @@ fn test_neutrals() {
     // generated and a neutral model, should not have flow.
 
     sink(generated_source(1)); // $ hasValueFlow=1
-    sink(neutral_generated_source(2)); // $ SPURIOUS: hasValueFlow=2
+    sink(neutral_generated_source(2));
     sink(neutral_manual_source(3)); // $ hasValueFlow=3
     generated_sink(source(4)); // $ hasValueFlow=4
-    neutral_generated_sink(source(5)); // $ SPURIOUS: hasValueFlow=5
+    neutral_generated_sink(source(5));
     neutral_manual_sink(source(6)); // $ hasValueFlow=6
 }