github · paldepind · Dec 12, 2025 · Jan 12, 2026 · Jan 7, 2026 · Jan 7, 2026
@@ -19,7 +19,8 @@ targets:
 - name: serde
 - name: tokio
 - name: reqwest
-- name: rocket
+# Disabled due to performance issue
+# - name: rocket
 - name: actix-web
 - name: hyper
 - name: clap
@@ -306,7 +306,11 @@ predicate indexAssignment(
   not index.getResolvedTarget().fromSource()
 }
 
-module RustDataFlow implements InputSig<Location> {
+signature module RustDataFlowInputSig {
+  predicate includeDynamicTargets();
+}
+
+module RustDataFlowGen<RustDataFlowInputSig Input> implements InputSig<Location> {
   private import Aliases
   private import codeql.rust.dataflow.DataFlow
   private import Node as Node
@@ -462,7 +466,11 @@ module RustDataFlow implements InputSig<Location> {
   /** Gets a viable implementation of the target of the given `Call`. */
   DataFlowCallable viableCallable(DataFlowCall call) {
     exists(Call c | c = call.asCall() |
-      result.asCfgScope() = c.getARuntimeTarget()
+      (
+        if Input::includeDynamicTargets()
+        then result.asCfgScope() = c.getARuntimeTarget()
+        else result.asCfgScope() = c.getStaticTarget()
+      )
       or
       result.asSummarizedCallable() = getStaticTargetExt(c)
     )
@@ -935,6 +943,12 @@ module RustDataFlow implements InputSig<Location> {
   class DataFlowSecondLevelScope = Void;
 }
 
+module RustDataFlowInput implements RustDataFlowInputSig {
+  predicate includeDynamicTargets() { any() }
+}
+
+module RustDataFlow = RustDataFlowGen<RustDataFlowInput>;
+
 /** Provides logic related to captured variables. */
 module VariableCapture {
   private import codeql.rust.internal.CachedStages
@@ -1110,7 +1124,7 @@ private module Cached {
   }
 
   cached
-  newtype TParameterPosition =
+  newtype TParameterPositionImpl =
     TPositionalParameterPosition(int i) {
       i in [0 .. max([any(ParamList l).getNumberOfParams(), any(ArgList l).getNumberOfArgs()]) - 1]
       or
@@ -1121,6 +1135,8 @@ private module Cached {
     TClosureSelfParameterPosition() or
     TSelfParameterPosition()
 
+  final class TParameterPosition = TParameterPositionImpl;
+
   cached
   newtype TReturnKind = TNormalReturnKind()
 

@@ -1,8 +1,9 @@
 private import rust
+private import codeql.dataflow.DataFlow as DF
 private import codeql.dataflow.TaintTracking
-private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.DataFlow as RustDataFlow
 private import codeql.rust.dataflow.FlowSummary
-private import DataFlowImpl
+private import DataFlowImpl as DataFlowImpl
 private import Node as Node
 private import Content
 private import FlowSummaryImpl as FlowSummaryImpl
@@ -29,7 +30,11 @@ private predicate excludedTaintStepContent(Content c) {
   )
 }
 
-module RustTaintTracking implements InputSig<Location, RustDataFlow> {
+module RustTaintTrackingGen<DataFlowImpl::RustDataFlowInputSig I> implements
+  InputSig<Location, DataFlowImpl::RustDataFlowGen<I>>
+{
+  private module DataFlow = DataFlowImpl::RustDataFlowGen<I>;
+
   predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
 
   /**
@@ -53,7 +58,7 @@ module RustTaintTracking implements InputSig<Location, RustDataFlow> {
       // is tainted and an operation reads from `foo` (e.g., `foo.bar`) then
       // taint is propagated.
       exists(ContentSet cs |
-        RustDataFlow::readStep(pred, cs, succ) and
+        DataFlow::readStep(pred, cs, succ) and
         not excludedTaintStepContent(cs.getAReadContent())
       )
       or
@@ -70,9 +75,11 @@ module RustTaintTracking implements InputSig<Location, RustDataFlow> {
       )
       or
       succ.(Node::PostUpdateNode).getPreUpdateNode().asExpr() =
-        getPostUpdateReverseStep(pred.(Node::PostUpdateNode).getPreUpdateNode().asExpr(), false)
+        DataFlowImpl::getPostUpdateReverseStep(pred.(Node::PostUpdateNode)
+              .getPreUpdateNode()
+              .asExpr(), false)
       or
-      indexAssignment(any(CompoundAssignmentExpr cae),
+      DataFlowImpl::indexAssignment(any(CompoundAssignmentExpr cae),
         pred.(Node::PostUpdateNode).getPreUpdateNode().asExpr(), _, succ, _)
     )
     or
@@ -92,7 +99,7 @@ module RustTaintTracking implements InputSig<Location, RustDataFlow> {
       c instanceof ReferenceContent
     ) and
     // Optional steps are added through isAdditionalFlowStep but we don't want the implicit reads
-    not optionalStep(node, _, _)
+    not DataFlowImpl::optionalStep(node, _, _)
   }
 
   /**
@@ -101,3 +108,5 @@ module RustTaintTracking implements InputSig<Location, RustDataFlow> {
    */
   predicate speculativeTaintStep(DataFlow::Node src, DataFlow::Node sink) { none() }
 }
+
+module RustTaintTracking = RustTaintTrackingGen<DataFlowImpl::RustDataFlowInput>;
@@ -29,3 +29,8 @@ extensions:
       - ["<reqwest::async_impl::response::Response>::text", "Argument[self]", "ReturnValue.Future.Field[core::result::Result::Ok(0)]", "taint", "manual"]
       - ["<reqwest::async_impl::response::Response>::bytes", "Argument[self]", "ReturnValue.Future.Field[core::result::Result::Ok(0)]", "taint", "manual"]
       - ["<reqwest::async_impl::response::Response>::chunk", "Argument[self].Reference", "ReturnValue.Future.Field[core::result::Result::Ok(0)].Field[core::option::Option::Some(0)]", "taint", "manual"]
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: excludeFieldTaintStep
+    data:
+    - ["reqwest::blocking::response::Response::timeout"]