Handle via: :all in Rails routes

hmac · hmac · commit 47823b5a9adb · 2022-02-02T16:26:20.000+13:00
ActionDispatch modelling now understands that

    match "/foo", to: "foo#bar", via: :all

is equivalent to

    match "/foo",
      to: "foo#bar",
      via: [:get, :post, :put, :patch, :delete]
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/ActionDispatch.qll b/ruby/ql/lib/codeql/ruby/frameworks/ActionDispatch.qll
@@ -325,7 +325,7 @@ module ActionDispatch {
      * See `ExplicitRoute`
      */
     TExplicitRoute(RouteBlock b, MethodCall m) {
-      b.getAStmt() = m and m.getMethodName() in ["get", "post", "put", "patch", "delete"]
+      b.getAStmt() = m and m.getMethodName() = anyHttpMethod()
     } or
     /**
      * See `ResourcesRoute`
@@ -518,7 +518,7 @@ module ActionDispatch {
       (
         result = extractController(this.getActionString())
         or
-        // If not controller is specified, and we're in a `resources` route block, use the controller of that route.
+        // If controller is not specified, and we're in a `resources` route block, use the controller of that route.
         // For example, in
         //
         // resources :posts do
@@ -671,6 +671,7 @@ module ActionDispatch {
    * ```ruby
    * match 'photos/:id' => 'photos#show', via: :get
    * match 'photos/:id', to: 'photos#show', via: :get
+   * match 'photos/:id', to 'photos#show', via: [:get, :post]
    * match 'photos/:id', controller: 'photos', action: 'show', via: :get
    * ```
    */
@@ -702,7 +703,14 @@ module ActionDispatch {
     }
 
     override string getHTTPMethod() {
-      result = method.getKeywordArgument("via").getConstantValue().getStringOrSymbol() or
+      exists(string via |
+        via = method.getKeywordArgument("via").getConstantValue().getStringOrSymbol()
+      |
+        via = "all" and result = anyHttpMethod()
+        or
+        via != "all" and result = "via"
+      )
+      or
       result =
         method
             .getKeywordArgument("via")
@@ -816,11 +824,16 @@ module ActionDispatch {
   /**
    * Extract the action from a Rails routing string
    * ```
-   * extractController("posts#show") = "show"
+   * extractAction("posts#show") = "show"
    */
   bindingset[input]
   private string extractAction(string input) { result = input.regexpCapture("[^#]+#(.+)", 1) }
 
+  /**
+   * Returns the lowercase name of every HTTP method we support.
+   */
+  private string anyHttpMethod() { result = ["get", "post", "put", "patch", "delete"] }
+
   /**
    * The inverse of `pluralize`
    * photos => photo
diff --git a/ruby/ql/test/library-tests/frameworks/ActionDispatch.expected b/ruby/ql/test/library-tests/frameworks/ActionDispatch.expected
@@ -17,17 +17,22 @@ actionDispatchRoutes
 | app/config/routes.rb:19:5:19:44 | call to get | get | admin/jobs | background_jobs | index |
 | app/config/routes.rb:23:5:23:64 | call to get | get | admin/secrets | secrets | view_secrets |
 | app/config/routes.rb:24:5:24:42 | call to delete | delete | admin/:user_id | users | destroy |
-| app/config/routes.rb:27:3:27:48 | call to match | get | photos/:id | photos | show |
-| app/config/routes.rb:28:3:28:50 | call to match | get | photos/:id | photos | show |
-| app/config/routes.rb:29:3:29:69 | call to match | get | photos/:id | photos | show |
-| app/config/routes.rb:32:5:32:43 | call to post | post | upgrade | users | start_upgrade |
-| app/config/routes.rb:36:5:36:31 | call to get | get | current_billing_cycle | billing/enterprise | current_billing_cycle |
-| app/config/routes.rb:39:3:39:40 | call to resource | get | global_config | global_config | show |
-| app/config/routes.rb:42:5:44:7 | call to resources | get | foo/bar | foo/bar | index |
-| app/config/routes.rb:42:5:44:7 | call to resources | get | foo/bar/:id | foo/bar | show |
-| app/config/routes.rb:43:7:43:39 | call to get | get | foo/bar/:bar_id/show_debug | foo/bar | show_debug |
-| app/config/routes.rb:48:5:48:95 | call to delete | delete | users/:user/notifications | users/notifications | destroy |
-| app/config/routes.rb:49:5:49:94 | call to post | post | users/:user/notifications/:notification_id/mark_as_read | users/notifications | mark_as_read |
+| app/config/routes.rb:27:3:27:48 | call to match | via | photos/:id | photos | show |
+| app/config/routes.rb:28:3:28:50 | call to match | via | photos/:id | photos | show |
+| app/config/routes.rb:29:3:29:69 | call to match | via | photos/:id | photos | show |
+| app/config/routes.rb:30:3:30:50 | call to match | delete | photos/:id | photos | show |
+| app/config/routes.rb:30:3:30:50 | call to match | get | photos/:id | photos | show |
+| app/config/routes.rb:30:3:30:50 | call to match | patch | photos/:id | photos | show |
+| app/config/routes.rb:30:3:30:50 | call to match | post | photos/:id | photos | show |
+| app/config/routes.rb:30:3:30:50 | call to match | put | photos/:id | photos | show |
+| app/config/routes.rb:33:5:33:43 | call to post | post | upgrade | users | start_upgrade |
+| app/config/routes.rb:37:5:37:31 | call to get | get | current_billing_cycle | billing/enterprise | current_billing_cycle |
+| app/config/routes.rb:40:3:40:40 | call to resource | get | global_config | global_config | show |
+| app/config/routes.rb:43:5:45:7 | call to resources | get | foo/bar | foo/bar | index |
+| app/config/routes.rb:43:5:45:7 | call to resources | get | foo/bar/:id | foo/bar | show |
+| app/config/routes.rb:44:7:44:39 | call to get | get | foo/bar/:bar_id/show_debug | foo/bar | show_debug |
+| app/config/routes.rb:49:5:49:95 | call to delete | delete | users/:user/notifications | users/notifications | destroy |
+| app/config/routes.rb:50:5:50:94 | call to post | post | users/:user/notifications/:notification_id/mark_as_read | users/notifications | mark_as_read |
 actionDispatchControllerMethods
 | app/config/routes.rb:2:3:8:5 | call to resources | app/controllers/posts_controller.rb:2:3:3:5 | index |
 | app/config/routes.rb:2:3:8:5 | call to resources | app/controllers/posts_controller.rb:5:3:6:5 | show |
@@ -37,7 +42,8 @@ actionDispatchControllerMethods
 | app/config/routes.rb:27:3:27:48 | call to match | app/controllers/photos_controller.rb:2:3:3:5 | show |
 | app/config/routes.rb:28:3:28:50 | call to match | app/controllers/photos_controller.rb:2:3:3:5 | show |
 | app/config/routes.rb:29:3:29:69 | call to match | app/controllers/photos_controller.rb:2:3:3:5 | show |
-| app/config/routes.rb:49:5:49:94 | call to post | app/controllers/users/notifications_controller.rb:3:5:4:7 | mark_as_read |
+| app/config/routes.rb:30:3:30:50 | call to match | app/controllers/photos_controller.rb:2:3:3:5 | show |
+| app/config/routes.rb:50:5:50:94 | call to post | app/controllers/users/notifications_controller.rb:3:5:4:7 | mark_as_read |
 underscore
 | Foo | foo |
 | Foo::Bar | foo/bar |
diff --git a/ruby/ql/test/library-tests/frameworks/app/config/routes.rb b/ruby/ql/test/library-tests/frameworks/app/config/routes.rb
@@ -27,6 +27,7 @@
   match "photos/:id" => "photos#show", via: :get
   match "photos/:id", to: "photos#show", via: :get
   match "photos/:id", controller: "photos", action: "show", via: :get
+  match "photos/:id", to: "photos#show", via: :all
 
   scope controller: "users" do
     post "upgrade", action: "start_upgrade"
