Ruby: add local field step to type tracking

asgerf · asgerf · commit 38a3476d37e6 · 2022-10-11T09:03:51.000+02:00
fixup local field steps
diff --git a/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll b/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll
@@ -102,7 +102,67 @@ private predicate summarizedLocalStep(Node nodeFrom, Node nodeTo) {
 }
 
 /** Holds if there is a level step from `nodeFrom` to `nodeTo`. */
-predicate levelStep(Node nodeFrom, Node nodeTo) { summarizedLocalStep(nodeFrom, nodeTo) }
+predicate levelStep(Node nodeFrom, Node nodeTo) {
+  summarizedLocalStep(nodeFrom, nodeTo)
+  or
+  localFieldStep(nodeFrom, nodeTo)
+}
+
+/**
+ * Gets a method of `mod`, with `instance` indicating if this is an instance method.
+ *
+ * Does not take inheritance or the various forms of inclusion into account.
+ */
+pragma[nomagic]
+private MethodBase getAMethod(ModuleBase mod, boolean instance) {
+  not mod instanceof SingletonClass and
+  result = mod.getAMethod() and
+  if result instanceof SingletonMethod then instance = false else instance = true
+  or
+  exists(SingletonClass cls |
+    cls.getValue().(SelfVariableAccess).getCfgScope() = mod and
+    result = cls.getAMethod().(Method) and
+    instance = false
+  )
+}
+
+/**
+ * Gets a value flowing into `field` in `mod`, with `instance` indicating if it's
+ * a field on an instance of `mod` (as opposed to the module object itself).
+ */
+pragma[nomagic]
+private Node fieldPredecessor(ModuleBase mod, boolean instance, string field) {
+  exists(InstanceVariableWriteAccess access, AssignExpr assign |
+    access.getReceiver().getCfgScope() = getAMethod(mod, instance) and
+    field = access.getVariable().getName() and
+    assign.getLeftOperand() = access and
+    result.asExpr().getExpr() = assign.getRightOperand()
+  )
+}
+
+/**
+ * Gets a reference to `field` in `mod`, with `instance` indicating if it's
+ * a field on an instance of `mod` (as opposed to the module object itself).
+ */
+pragma[nomagic]
+private Node fieldSuccessor(ModuleBase mod, boolean instance, string field) {
+  exists(InstanceVariableReadAccess access |
+    access.getReceiver().getCfgScope() = getAMethod(mod, instance) and
+    result.asExpr().getExpr() = access and
+    field = access.getVariable().getName()
+  )
+}
+
+/**
+ * Holds if `pred -> succ` should be used a level step, from a field assignment to
+ * a read within the same class.
+ */
+private predicate localFieldStep(Node pred, Node succ) {
+  exists(ModuleBase mod, boolean instance, string field |
+    pred = fieldPredecessor(mod, instance, field) and
+    succ = fieldSuccessor(mod, instance, field)
+  )
+}
 
 pragma[noinline]
 private predicate argumentPositionMatch(
