Ruby: Add test that illustrates missing flow for keyword arguments

hvitved · hvitved · commit 38ede2538560 · 2022-08-04T14:39:22.000+02:00
diff --git a/ruby/ql/test/library-tests/dataflow/params/params-flow.expected b/ruby/ql/test/library-tests/dataflow/params/params-flow.expected
@@ -1,4 +1,6 @@
 failures
+| params_flow.rb:17:13:17:82 | # $ hasValueFlow=3 $ hasValueFlow=6 $ hasValueFlow=8 $ hasValueFlow=16 | Missing result:hasValueFlow=16 |
+| params_flow.rb:26:13:26:66 | # $ hasValueFlow=9 $ hasValueFlow=13 $ hasValueFlow=14 | Missing result:hasValueFlow=14 |
 edges
 | params_flow.rb:9:16:9:17 | p1 :  | params_flow.rb:10:10:10:11 | p1 |
 | params_flow.rb:9:20:9:21 | p2 :  | params_flow.rb:11:10:11:11 | p2 |
@@ -26,6 +28,10 @@ edges
 | params_flow.rb:35:12:35:20 | call to taint :  | params_flow.rb:25:12:25:13 | p1 :  |
 | params_flow.rb:35:23:35:28 | ** ... [element :p3] :  | params_flow.rb:25:17:25:24 | **kwargs [element :p3] :  |
 | params_flow.rb:35:25:35:28 | args [element :p3] :  | params_flow.rb:35:23:35:28 | ** ... [element :p3] :  |
+| params_flow.rb:37:34:37:42 | call to taint :  | params_flow.rb:38:10:38:13 | args [element :p2] :  |
+| params_flow.rb:38:8:38:13 | ** ... [element :p2] :  | params_flow.rb:25:17:25:24 | **kwargs [element :p2] :  |
+| params_flow.rb:38:10:38:13 | args [element :p2] :  | params_flow.rb:38:8:38:13 | ** ... [element :p2] :  |
+| params_flow.rb:41:13:41:21 | call to taint :  | params_flow.rb:16:18:16:19 | p2 :  |
 nodes
 | params_flow.rb:9:16:9:17 | p1 :  | semmle.label | p1 :  |
 | params_flow.rb:9:20:9:21 | p2 :  | semmle.label | p2 :  |
@@ -60,6 +66,10 @@ nodes
 | params_flow.rb:35:12:35:20 | call to taint :  | semmle.label | call to taint :  |
 | params_flow.rb:35:23:35:28 | ** ... [element :p3] :  | semmle.label | ** ... [element :p3] :  |
 | params_flow.rb:35:25:35:28 | args [element :p3] :  | semmle.label | args [element :p3] :  |
+| params_flow.rb:37:34:37:42 | call to taint :  | semmle.label | call to taint :  |
+| params_flow.rb:38:8:38:13 | ** ... [element :p2] :  | semmle.label | ** ... [element :p2] :  |
+| params_flow.rb:38:10:38:13 | args [element :p2] :  | semmle.label | args [element :p2] :  |
+| params_flow.rb:41:13:41:21 | call to taint :  | semmle.label | call to taint :  |
 subpaths
 #select
 | params_flow.rb:10:10:10:11 | p1 | params_flow.rb:14:12:14:19 | call to taint :  | params_flow.rb:10:10:10:11 | p1 | $@ | params_flow.rb:14:12:14:19 | call to taint :  | call to taint :  |
@@ -70,8 +80,10 @@ subpaths
 | params_flow.rb:18:10:18:11 | p2 | params_flow.rb:21:27:21:34 | call to taint :  | params_flow.rb:18:10:18:11 | p2 | $@ | params_flow.rb:21:27:21:34 | call to taint :  | call to taint :  |
 | params_flow.rb:18:10:18:11 | p2 | params_flow.rb:22:13:22:20 | call to taint :  | params_flow.rb:18:10:18:11 | p2 | $@ | params_flow.rb:22:13:22:20 | call to taint :  | call to taint :  |
 | params_flow.rb:18:10:18:11 | p2 | params_flow.rb:23:16:23:23 | call to taint :  | params_flow.rb:18:10:18:11 | p2 | $@ | params_flow.rb:23:16:23:23 | call to taint :  | call to taint :  |
+| params_flow.rb:18:10:18:11 | p2 | params_flow.rb:41:13:41:21 | call to taint :  | params_flow.rb:18:10:18:11 | p2 | $@ | params_flow.rb:41:13:41:21 | call to taint :  | call to taint :  |
 | params_flow.rb:26:10:26:11 | p1 | params_flow.rb:33:12:33:19 | call to taint :  | params_flow.rb:26:10:26:11 | p1 | $@ | params_flow.rb:33:12:33:19 | call to taint :  | call to taint :  |
 | params_flow.rb:26:10:26:11 | p1 | params_flow.rb:35:12:35:20 | call to taint :  | params_flow.rb:26:10:26:11 | p1 | $@ | params_flow.rb:35:12:35:20 | call to taint :  | call to taint :  |
 | params_flow.rb:28:10:28:22 | ( ... ) | params_flow.rb:33:26:33:34 | call to taint :  | params_flow.rb:28:10:28:22 | ( ... ) | $@ | params_flow.rb:33:26:33:34 | call to taint :  | call to taint :  |
+| params_flow.rb:28:10:28:22 | ( ... ) | params_flow.rb:37:34:37:42 | call to taint :  | params_flow.rb:28:10:28:22 | ( ... ) | $@ | params_flow.rb:37:34:37:42 | call to taint :  | call to taint :  |
 | params_flow.rb:29:10:29:22 | ( ... ) | params_flow.rb:33:41:33:49 | call to taint :  | params_flow.rb:29:10:29:22 | ( ... ) | $@ | params_flow.rb:33:41:33:49 | call to taint :  | call to taint :  |
 | params_flow.rb:29:10:29:22 | ( ... ) | params_flow.rb:34:14:34:22 | call to taint :  | params_flow.rb:29:10:29:22 | ( ... ) | $@ | params_flow.rb:34:14:34:22 | call to taint :  | call to taint :  |
diff --git a/ruby/ql/test/library-tests/dataflow/params/params_flow.rb b/ruby/ql/test/library-tests/dataflow/params/params_flow.rb
@@ -14,22 +14,28 @@ def positional(p1, p2)
 positional(taint(1), taint(2))
 
 def keyword(p1:, p2:)
-    sink p1 # $ hasValueFlow=3 $ hasValueFlow=6 $ hasValueFlow=8
-    sink p2 # $ hasValueFlow=4 $ hasValueFlow=5 $ hasValueFlow=7
+    sink p1 # $ hasValueFlow=3 $ hasValueFlow=6 $ hasValueFlow=8 $ hasValueFlow=16
+    sink p2 # $ hasValueFlow=4 $ hasValueFlow=5 $ hasValueFlow=7 $ hasValueFlow=17
 end
 
 keyword(p1: taint(3), p2: taint(4))
 keyword(p2: taint(5), p1: taint(6))
 keyword(:p2 => taint(7), :p1 => taint(8))
 
 def kwargs(p1:, **kwargs)
-    sink p1 # $ hasValueFlow=9 $ hasValueFlow=13
+    sink p1 # $ hasValueFlow=9 $ hasValueFlow=13 $ hasValueFlow=14
     sink (kwargs[:p1])
-    sink (kwargs[:p2]) # $ hasValueFlow=10
+    sink (kwargs[:p2]) # $ hasValueFlow=10 $ hasValueFlow=15
     sink (kwargs[:p3]) # $ hasValueFlow=11 $ hasValueFlow=12
     sink (kwargs[:p4])
 end
 
 kwargs(p1: taint(9), p2: taint(10), p3: taint(11), p4: "")
 args = { p3: taint(12), p4: "" }
 kwargs(p1: taint(13), **args)
+
+args = {:p1 => taint(14), :p2 => taint(15) }
+kwargs(**args)
+
+args = {:p1 => taint(16) }
+keyword(p2: taint(17), **args)
