Ruby: add taint step test for hash patterns

aibaars · aibaars · commit 26a0167d6dbc · 2022-01-24T10:31:06.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/ast/Pattern.qll b/ruby/ql/lib/codeql/ruby/ast/Pattern.qll
@@ -97,7 +97,10 @@ private class TPattern =
  * ```
  */
 class CasePattern extends AstNode, TPattern {
-  CasePattern() { casePattern(toGenerated(this)) }
+  CasePattern() {
+    casePattern(toGenerated(this)) or
+    this = any(HashPattern p).getValue(_)
+  }
 }
 
 /**
@@ -267,7 +270,10 @@ class HashPattern extends CasePattern, THashPattern {
   StringlikeLiteral getKey(int n) { toGenerated(result) = this.keyValuePair(n).getKey() }
 
   /** Gets the value of the `n`th pair. */
-  CasePattern getValue(int n) { toGenerated(result) = this.keyValuePair(n).getValue() }
+  AstNode getValue(int n) {
+    toGenerated(result) = this.keyValuePair(n).getValue() or
+    synthChild(this, n, result)
+  }
 
   /** Gets the value for a given key name. */
   CasePattern getValueByKey(string key) {
diff --git a/ruby/ql/lib/codeql/ruby/ast/Variable.qll b/ruby/ql/lib/codeql/ruby/ast/Variable.qll
@@ -115,6 +115,8 @@ class VariableAccess extends Expr instanceof VariableAccessImpl {
     implicitWriteAccess(toGenerated(this))
     or
     this = any(SimpleParameterSynthImpl p).getDefininingAccess()
+    or
+    this = any(HashPattern p).getValue(_)
   }
 
   final override string toString() { result = VariableAccessImpl.super.toString() }
diff --git a/ruby/ql/lib/codeql/ruby/ast/internal/Synthesis.qll b/ruby/ql/lib/codeql/ruby/ast/internal/Synthesis.qll
@@ -7,6 +7,7 @@ private import codeql.ruby.ast.internal.Expr
 private import codeql.ruby.ast.internal.Variable
 private import codeql.ruby.ast.internal.Pattern
 private import codeql.ruby.ast.internal.Scope
+private import codeql.ruby.ast.internal.TreeSitter
 private import codeql.ruby.AST
 
 /** A synthesized AST node kind. */
@@ -921,3 +922,35 @@ private module ForLoopDesugar {
     }
   }
 }
+
+/**
+ * ```rb
+ * { a: }
+ * ```
+ * desugars to,
+ * ```rb
+ * { a: a }
+ * ```
+ */
+private module ImplicitHashValueSynthesis {
+  private Ruby::AstNode keyWithoutValue(HashPattern parent, int i) {
+    exists(Ruby::KeywordPattern pair |
+      result = pair.getKey() and
+      result = toGenerated(parent.(HashPattern).getKey(i)) and
+      not exists(pair.getValue())
+    )
+  }
+
+  private class ImplicitHashValueSynthesis extends Synthesis {
+    final override predicate child(AstNode parent, int i, Child child) {
+      exists(TVariableReal variable |
+        access(keyWithoutValue(parent, i), variable) and
+        child = SynthChild(LocalVariableAccessRealKind(variable))
+      )
+    }
+
+    final override predicate location(AstNode n, Location l) {
+      exists(HashPattern p, int i | n = p.getValue(i) and l = keyWithoutValue(p, i).getLocation())
+    }
+  }
+}
diff --git a/ruby/ql/lib/codeql/ruby/ast/internal/Variable.qll b/ruby/ql/lib/codeql/ruby/ast/internal/Variable.qll
@@ -39,6 +39,8 @@ predicate implicitAssignmentNode(Ruby::AstNode n) {
   or
   n = any(Ruby::HashPattern parent).getChild(_).(Ruby::HashSplatParameter).getName()
   or
+  n = any(Ruby::KeywordPattern parent | not exists(parent.getValue())).getKey()
+  or
   n = any(Ruby::ExceptionVariable ev).getChild()
   or
   n = any(Ruby::For for).getPattern()
@@ -104,10 +106,19 @@ private predicate scopeDefinesParameterVariable(
   )
 }
 
+private string variableName(Ruby::AstNode i) {
+  result = i.(Ruby::Identifier).getValue()
+  or
+  exists(Ruby::KeywordPattern p | i = p.getKey() and not exists(p.getValue()) |
+    result = i.(Ruby::String).getChild(0).(Ruby::StringContent).getValue() or
+    result = i.(Ruby::HashKeySymbol).getValue()
+  )
+}
+
 /** Holds if `name` is assigned in `scope` at `i`. */
-private predicate scopeAssigns(Scope::Range scope, string name, Ruby::Identifier i) {
+private predicate scopeAssigns(Scope::Range scope, string name, Ruby::AstNode i) {
   (explicitAssignmentNode(i, _) or implicitAssignmentNode(i)) and
-  name = i.getValue() and
+  name = variableName(i) and
   scope = scopeOf(i)
 }
 
@@ -132,11 +143,11 @@ private module Cached {
           other order by other.getLocation().getStartLine(), other.getLocation().getStartColumn()
         )
     } or
-    TLocalVariableReal(Scope::Range scope, string name, Ruby::Identifier i) {
+    TLocalVariableReal(Scope::Range scope, string name, Ruby::AstNode i) {
       scopeDefinesParameterVariable(scope, name, i)
       or
       i =
-        min(Ruby::Identifier other |
+        min(Ruby::AstNode other |
           scopeAssigns(scope, name, other)
         |
           other order by other.getLocation().getStartLine(), other.getLocation().getStartColumn()
@@ -296,10 +307,10 @@ private module Cached {
   }
 
   cached
-  predicate access(Ruby::Identifier access, VariableReal variable) {
+  predicate access(Ruby::AstNode access, VariableReal variable) {
     exists(string name |
       variable.getNameImpl() = name and
-      name = access.getValue()
+      name = variableName(access)
     |
       variable.getDeclaringScopeImpl() = scopeOf(access) and
       not access.getLocation().strictlyBefore(variable.getLocationImpl()) and
@@ -371,7 +382,7 @@ private predicate inherits(Scope::Range scope, string name, Scope::Range outer)
     (
       scopeDefinesParameterVariable(outer, name, _)
       or
-      exists(Ruby::Identifier i |
+      exists(Ruby::AstNode i |
         scopeAssigns(outer, name, i) and
         i.getLocation().strictlyBefore(scope.getLocation())
       )
@@ -420,7 +431,7 @@ private class VariableRealAdapter extends VariableImpl, TVariableReal instanceof
 class LocalVariableReal extends VariableReal, TLocalVariableReal {
   private Scope::Range scope;
   private string name;
-  private Ruby::Identifier i;
+  private Ruby::AstNode i;
 
   LocalVariableReal() { this = TLocalVariableReal(scope, name, i) }
 
diff --git a/ruby/ql/test/library-tests/dataflow/local/DataflowStep.expected b/ruby/ql/test/library-tests/dataflow/local/DataflowStep.expected
@@ -70,13 +70,16 @@
 | local_dataflow.rb:50:18:50:18 | [post] x | local_dataflow.rb:51:20:51:20 | x |
 | local_dataflow.rb:50:18:50:18 | x | local_dataflow.rb:51:20:51:20 | x |
 | local_dataflow.rb:51:9:51:15 | "break" | local_dataflow.rb:51:3:51:15 | break |
-| local_dataflow.rb:60:1:86:3 | self (test_case) | local_dataflow.rb:78:12:78:20 | self |
-| local_dataflow.rb:60:1:86:3 | self in test_case | local_dataflow.rb:78:12:78:20 | self |
-| local_dataflow.rb:60:1:86:3 | self in test_case | local_dataflow.rb:79:18:79:24 | self |
-| local_dataflow.rb:60:1:86:3 | self in test_case | local_dataflow.rb:80:22:80:28 | self |
-| local_dataflow.rb:60:1:86:3 | self in test_case | local_dataflow.rb:82:6:82:12 | self |
-| local_dataflow.rb:60:1:86:3 | self in test_case | local_dataflow.rb:83:6:83:12 | self |
-| local_dataflow.rb:60:1:86:3 | self in test_case | local_dataflow.rb:84:6:84:12 | self |
+| local_dataflow.rb:60:1:89:3 | self (test_case) | local_dataflow.rb:78:12:78:20 | self |
+| local_dataflow.rb:60:1:89:3 | self in test_case | local_dataflow.rb:78:12:78:20 | self |
+| local_dataflow.rb:60:1:89:3 | self in test_case | local_dataflow.rb:79:18:79:24 | self |
+| local_dataflow.rb:60:1:89:3 | self in test_case | local_dataflow.rb:80:22:80:28 | self |
+| local_dataflow.rb:60:1:89:3 | self in test_case | local_dataflow.rb:82:6:82:12 | self |
+| local_dataflow.rb:60:1:89:3 | self in test_case | local_dataflow.rb:83:6:83:12 | self |
+| local_dataflow.rb:60:1:89:3 | self in test_case | local_dataflow.rb:84:6:84:12 | self |
+| local_dataflow.rb:60:1:89:3 | self in test_case | local_dataflow.rb:85:20:85:26 | self |
+| local_dataflow.rb:60:1:89:3 | self in test_case | local_dataflow.rb:86:26:86:32 | self |
+| local_dataflow.rb:60:1:89:3 | self in test_case | local_dataflow.rb:87:18:87:24 | self |
 | local_dataflow.rb:60:15:60:15 | x | local_dataflow.rb:60:15:60:15 | x |
 | local_dataflow.rb:60:15:60:15 | x | local_dataflow.rb:61:12:61:12 | x |
 | local_dataflow.rb:61:7:68:5 | case ... | local_dataflow.rb:61:3:68:5 | ... = ... |
@@ -107,27 +110,42 @@
 | local_dataflow.rb:73:7:73:7 | x | local_dataflow.rb:72:7:73:7 | then ... |
 | local_dataflow.rb:74:3:75:6 | else ... | local_dataflow.rb:69:7:76:5 | case ... |
 | local_dataflow.rb:75:6:75:6 | x | local_dataflow.rb:74:3:75:6 | else ... |
-| local_dataflow.rb:78:7:85:5 | case ... | local_dataflow.rb:78:3:85:5 | ... = ... |
+| local_dataflow.rb:78:7:88:3 | case ... | local_dataflow.rb:78:3:88:3 | ... = ... |
 | local_dataflow.rb:78:12:78:20 | [post] self | local_dataflow.rb:79:18:79:24 | self |
 | local_dataflow.rb:78:12:78:20 | [post] self | local_dataflow.rb:80:22:80:28 | self |
 | local_dataflow.rb:78:12:78:20 | [post] self | local_dataflow.rb:82:6:82:12 | self |
+| local_dataflow.rb:78:12:78:20 | [post] self | local_dataflow.rb:85:20:85:26 | self |
+| local_dataflow.rb:78:12:78:20 | [post] self | local_dataflow.rb:86:26:86:32 | self |
+| local_dataflow.rb:78:12:78:20 | [post] self | local_dataflow.rb:87:18:87:24 | self |
 | local_dataflow.rb:78:12:78:20 | self | local_dataflow.rb:79:18:79:24 | self |
 | local_dataflow.rb:78:12:78:20 | self | local_dataflow.rb:80:22:80:28 | self |
 | local_dataflow.rb:78:12:78:20 | self | local_dataflow.rb:82:6:82:12 | self |
+| local_dataflow.rb:78:12:78:20 | self | local_dataflow.rb:85:20:85:26 | self |
+| local_dataflow.rb:78:12:78:20 | self | local_dataflow.rb:86:26:86:32 | self |
+| local_dataflow.rb:78:12:78:20 | self | local_dataflow.rb:87:18:87:24 | self |
 | local_dataflow.rb:79:11:79:11 | b | local_dataflow.rb:79:23:79:23 | b |
-| local_dataflow.rb:79:13:79:43 | then ... | local_dataflow.rb:78:7:85:5 | case ... |
+| local_dataflow.rb:79:13:79:43 | then ... | local_dataflow.rb:78:7:88:3 | case ... |
 | local_dataflow.rb:79:18:79:24 | call to sink | local_dataflow.rb:79:13:79:43 | then ... |
 | local_dataflow.rb:80:6:80:6 | a | local_dataflow.rb:80:11:80:11 | a |
 | local_dataflow.rb:80:11:80:11 | [post] a | local_dataflow.rb:80:27:80:27 | a |
 | local_dataflow.rb:80:11:80:11 | a | local_dataflow.rb:80:27:80:27 | a |
-| local_dataflow.rb:80:17:80:47 | then ... | local_dataflow.rb:78:7:85:5 | case ... |
+| local_dataflow.rb:80:17:80:47 | then ... | local_dataflow.rb:78:7:88:3 | case ... |
 | local_dataflow.rb:80:22:80:28 | call to sink | local_dataflow.rb:80:17:80:47 | then ... |
 | local_dataflow.rb:81:7:81:7 | c | local_dataflow.rb:82:11:82:11 | c |
 | local_dataflow.rb:81:11:81:11 | d | local_dataflow.rb:83:11:83:11 | d |
 | local_dataflow.rb:81:14:81:14 | e | local_dataflow.rb:84:11:84:11 | e |
-| local_dataflow.rb:81:18:84:32 | then ... | local_dataflow.rb:78:7:85:5 | case ... |
+| local_dataflow.rb:81:18:84:32 | then ... | local_dataflow.rb:78:7:88:3 | case ... |
 | local_dataflow.rb:81:23:84:13 | call to [] | local_dataflow.rb:81:18:84:32 | then ... |
 | local_dataflow.rb:82:6:82:12 | [post] self | local_dataflow.rb:83:6:83:12 | self |
 | local_dataflow.rb:82:6:82:12 | self | local_dataflow.rb:83:6:83:12 | self |
 | local_dataflow.rb:83:6:83:12 | [post] self | local_dataflow.rb:84:6:84:12 | self |
 | local_dataflow.rb:83:6:83:12 | self | local_dataflow.rb:84:6:84:12 | self |
+| local_dataflow.rb:85:11:85:11 | f | local_dataflow.rb:85:25:85:25 | f |
+| local_dataflow.rb:85:15:85:45 | then ... | local_dataflow.rb:78:7:88:3 | case ... |
+| local_dataflow.rb:85:20:85:26 | call to sink | local_dataflow.rb:85:15:85:45 | then ... |
+| local_dataflow.rb:86:16:86:16 | g | local_dataflow.rb:86:31:86:31 | g |
+| local_dataflow.rb:86:21:86:51 | then ... | local_dataflow.rb:78:7:88:3 | case ... |
+| local_dataflow.rb:86:26:86:32 | call to sink | local_dataflow.rb:86:21:86:51 | then ... |
+| local_dataflow.rb:87:8:87:8 | x | local_dataflow.rb:87:23:87:23 | x |
+| local_dataflow.rb:87:13:87:43 | then ... | local_dataflow.rb:78:7:88:3 | case ... |
+| local_dataflow.rb:87:18:87:24 | call to sink | local_dataflow.rb:87:13:87:43 | then ... |
diff --git a/ruby/ql/test/library-tests/dataflow/local/Nodes.expected b/ruby/ql/test/library-tests/dataflow/local/Nodes.expected
@@ -12,7 +12,7 @@ ret
 | local_dataflow.rb:50:3:50:13 | next |
 | local_dataflow.rb:51:3:51:15 | break |
 | local_dataflow.rb:52:3:52:10 | "normal" |
-| local_dataflow.rb:78:3:85:5 | ... = ... |
+| local_dataflow.rb:78:3:88:3 | ... = ... |
 arg
 | local_dataflow.rb:3:8:3:10 | self | local_dataflow.rb:3:8:3:10 | call to p | self |
 | local_dataflow.rb:3:10:3:10 | a | local_dataflow.rb:3:8:3:10 | call to p | position 0 |
@@ -67,3 +67,9 @@ arg
 | local_dataflow.rb:84:6:84:12 | call to sink | local_dataflow.rb:81:23:84:13 | call to [] | position 2 |
 | local_dataflow.rb:84:6:84:12 | self | local_dataflow.rb:84:6:84:12 | call to sink | self |
 | local_dataflow.rb:84:11:84:11 | e | local_dataflow.rb:84:6:84:12 | call to sink | position 0 |
+| local_dataflow.rb:85:20:85:26 | self | local_dataflow.rb:85:20:85:26 | call to sink | self |
+| local_dataflow.rb:85:25:85:25 | f | local_dataflow.rb:85:20:85:26 | call to sink | position 0 |
+| local_dataflow.rb:86:26:86:32 | self | local_dataflow.rb:86:26:86:32 | call to sink | self |
+| local_dataflow.rb:86:31:86:31 | g | local_dataflow.rb:86:26:86:32 | call to sink | position 0 |
+| local_dataflow.rb:87:18:87:24 | self | local_dataflow.rb:87:18:87:24 | call to sink | self |
+| local_dataflow.rb:87:23:87:23 | x | local_dataflow.rb:87:18:87:24 | call to sink | position 0 |
diff --git a/ruby/ql/test/library-tests/dataflow/local/TaintflowStep.expected b/ruby/ql/test/library-tests/dataflow/local/TaintflowStep.expected
@@ -5,17 +5,26 @@ edges
 | local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:82:11:82:11 | c |
 | local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:83:11:83:11 | d |
 | local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:84:11:84:11 | e |
+| local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:85:25:85:25 | f |
+| local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:86:31:86:31 | g |
+| local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:87:23:87:23 | x |
 nodes
 | local_dataflow.rb:78:12:78:20 | call to source :  | semmle.label | call to source :  |
 | local_dataflow.rb:79:23:79:23 | b | semmle.label | b |
 | local_dataflow.rb:80:27:80:27 | a | semmle.label | a |
 | local_dataflow.rb:82:11:82:11 | c | semmle.label | c |
 | local_dataflow.rb:83:11:83:11 | d | semmle.label | d |
 | local_dataflow.rb:84:11:84:11 | e | semmle.label | e |
+| local_dataflow.rb:85:25:85:25 | f | semmle.label | f |
+| local_dataflow.rb:86:31:86:31 | g | semmle.label | g |
+| local_dataflow.rb:87:23:87:23 | x | semmle.label | x |
 subpaths
 #select
 | local_dataflow.rb:79:23:79:23 | b | local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:79:23:79:23 | b | $@ | local_dataflow.rb:78:12:78:20 | call to source :  | call to source :  |
 | local_dataflow.rb:80:27:80:27 | a | local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:80:27:80:27 | a | $@ | local_dataflow.rb:78:12:78:20 | call to source :  | call to source :  |
 | local_dataflow.rb:82:11:82:11 | c | local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:82:11:82:11 | c | $@ | local_dataflow.rb:78:12:78:20 | call to source :  | call to source :  |
 | local_dataflow.rb:83:11:83:11 | d | local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:83:11:83:11 | d | $@ | local_dataflow.rb:78:12:78:20 | call to source :  | call to source :  |
 | local_dataflow.rb:84:11:84:11 | e | local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:84:11:84:11 | e | $@ | local_dataflow.rb:78:12:78:20 | call to source :  | call to source :  |
+| local_dataflow.rb:85:25:85:25 | f | local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:85:25:85:25 | f | $@ | local_dataflow.rb:78:12:78:20 | call to source :  | call to source :  |
+| local_dataflow.rb:86:31:86:31 | g | local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:86:31:86:31 | g | $@ | local_dataflow.rb:78:12:78:20 | call to source :  | call to source :  |
+| local_dataflow.rb:87:23:87:23 | x | local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:87:23:87:23 | x | $@ | local_dataflow.rb:78:12:78:20 | call to source :  | call to source :  |
diff --git a/ruby/ql/test/library-tests/dataflow/local/local_dataflow.rb b/ruby/ql/test/library-tests/dataflow/local/local_dataflow.rb
@@ -82,6 +82,9 @@ def test_case x
      sink(c), # $ hasTaintFlow=1
      sink(d), # $ hasTaintFlow=1
      sink(e)] # $ hasTaintFlow=1
-  end
+  in { a: f } then sink(f) # $ hasTaintFlow=1
+  in { foo: 1, g: } then sink(g) # $ hasTaintFlow=1
+  in { x: } then sink(x) # $ hasTaintFlow=1
+end
 end
 

Original file line number	Diff line number	Diff line change
`@@ -115,6 +115,8 @@ class VariableAccess extends Expr instanceof VariableAccessImpl {`
`115`	`115`	`implicitWriteAccess(toGenerated(this))`
`116`	`116`	`or`
`117`	`117`	`this = any(SimpleParameterSynthImpl p).getDefininingAccess()`
	`118`	`+ or`
	`119`	`+ this = any(HashPattern p).getValue(_)`
`118`	`120`	`}`
`119`	`121`
`120`	`122`	`final override string toString() { result = VariableAccessImpl.super.toString() }`