Skip to content

Rust: Add Result::Err to excludeFieldTaintStep #21114

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
hvitved merged 1 commit into from
Jan 7, 2026
Merged

Rust: Add Result::Err to excludeFieldTaintStep #21114

hvitved merged 1 commit into from
Jan 7, 2026
+2 −1

Conversation

@hvitved
Copy link
Contributor

@hvitved hvitved commented Jan 7, 2026
edited
Loading

The motivation here is that if a Result value is user-controllable, then it likely means that only the Ok branch is controllable. DCA confirms that we have fewer results for rust/log-injection and rust/cleartext-logging.

@github-actions github-actions bot added the Rust Pull requests that update Rust code label Jan 7, 2026
@hvitved hvitved added the no-change-note-required This PR does not need a change note label Jan 7, 2026
@hvitved hvitved marked this pull request as ready for review January 7, 2026 11:51
@hvitved hvitved requested a review from a team as a code owner January 7, 2026 11:51
@hvitved hvitved requested review from Copilot and paldepind January 7, 2026 11:51
Copilot AI reviewed Jan 7, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds Result::Err to the excludeFieldTaintStep configuration to prevent taint from flowing through the error variant of Result types. The rationale is that when a Result value is user-controllable, typically only the Ok branch contains controllable data, not the Err branch. This change reduces false positives in security queries like rust/log-injection and rust/cleartext-logging.

Key Changes

  • Added core::result::Result::Err(0) to the excludeFieldTaintStep list

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

paldepind
paldepind approved these changes Jan 7, 2026
View reviewed changes
Copy link
Contributor

@paldepind paldepind left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems very reasonable!

@hvitved hvitved merged commit 2d4da80 into github:main Jan 7, 2026
25 checks passed
@hvitved hvitved deleted the rust/exclude-result-err-taint-step branch January 7, 2026 13:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@paldepind paldepind paldepind approved these changes

Assignees

No one assigned

Labels

no-change-note-required This PR does not need a change note Rust Pull requests that update Rust code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@hvitved @paldepind