Ruby: Implement ContentSet

Author: hvitved

ruby/ql/lib/codeql/ruby/dataflow/FlowSummary.qll

@@ -32,7 +32,9 @@ module SummaryComponent {
   SummaryComponent block() { result = argument(any(ParameterPosition pos | pos.isBlock())) }
 
   /** Gets a summary component that represents an element in an array at an unknown index. */
-  SummaryComponent arrayElementUnknown() { result = SC::content(TUnknownArrayElementContent()) }
+  SummaryComponent arrayElementUnknown() {
+    result = SC::content(TSingletonContent(TUnknownArrayElementContent()))
+  }
 
   /**
    * Gets a summary component that represents an element in an array at a known index.
@@ -42,7 +44,7 @@ module SummaryComponent {
    */
   bindingset[i]
   SummaryComponent arrayElementKnown(int i) {
-    result = SC::content(TKnownArrayElementContent(i))
+    result = SC::content(TSingletonContent(TKnownArrayElementContent(i)))
     or
     // `i` may be out of range
     i >= 0 and
@@ -134,7 +136,7 @@ abstract class SummarizedCallable extends LibraryCallable {
    * arguments at position `pos` to this callable.
    */
   pragma[nomagic]
-  predicate clearsContent(ParameterPosition pos, DataFlow::Content content) { none() }
+  predicate clearsContent(ParameterPosition pos, DataFlow::ContentSet content) { none() }
 }
 
 /**
@@ -161,7 +163,7 @@ private class SummarizedCallableAdapter extends Impl::Public::SummarizedCallable
     sc.propagatesFlow(input, output, preservesValue)
   }
 
-  final override predicate clearsContent(ParameterPosition pos, DataFlow::Content content) {
+  final override predicate clearsContent(ParameterPosition pos, DataFlow::ContentSet content) {
     sc.clearsContent(pos, content)
   }
 }

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll

@@ -316,11 +316,15 @@ private module Cached {
     entrySsaDefinition(n)
   }
 
+  cached
+  newtype TContentSet =
+    TSingletonContent(Content c) or
+    TAnyArrayElementContent()
+
   cached
   newtype TContent =
     TKnownArrayElementContent(int i) { i in [0 .. 10] } or
-    TUnknownArrayElementContent() or
-    TAnyArrayElementContent()
+    TUnknownArrayElementContent()
 
   /**
    * Holds if `e` is an `ExprNode` that may be returned by a call to `c`.
@@ -776,26 +780,20 @@ predicate jumpStep(Node pred, Node succ) {
   succ.asExpr().getExpr().(ConstantReadAccess).getValue() = pred.asExpr().getExpr()
 }
 
-predicate storeStep(Node node1, Content c, Node node2) {
+predicate storeStep(Node node1, ContentSet c, Node node2) {
   FlowSummaryImpl::Private::Steps::summaryStoreStep(node1, c, node2)
 }
 
-predicate readStep(Node node1, Content c, Node node2) {
-  exists(Content c0 | FlowSummaryImpl::Private::Steps::summaryReadStep(node1, c0, node2) |
-    if c0 = TAnyArrayElementContent()
-    then
-      c instanceof TUnknownArrayElementContent or
-      c instanceof TKnownArrayElementContent
-    else c = c0
-  )
+predicate readStep(Node node1, ContentSet c, Node node2) {
+  FlowSummaryImpl::Private::Steps::summaryReadStep(node1, c, node2)
 }
 
 /**
  * Holds if values stored inside content `c` are cleared at node `n`. For example,
  * any value stored inside `f` is cleared at the pre-update node associated with `x`
  * in `x.f = newValue`.
  */
-predicate clearsContent(Node n, Content c) {
+predicate clearsContent(Node n, ContentSet c) {
   FlowSummaryImpl::Private::Steps::summaryClearsContent(n, c)
 }
 
@@ -875,7 +873,7 @@ int accessPathLimit() { result = 5 }
  * Holds if access paths with `c` at their head always should be tracked at high
  * precision. This disables adaptive access path precision for such access paths.
  */
-predicate forceHighPrecision(Content c) { none() }
+predicate forceHighPrecision(Content c) { c instanceof Content::ArrayElementContent }
 
 /** The unit type. */
 private newtype TUnit = TMkUnit()

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPublic.qll

@@ -194,14 +194,46 @@ module Content {
   class UnknownArrayElementContent extends ArrayElementContent, TUnknownArrayElementContent {
     override string toString() { result = "array element" }
   }
+}
 
-  /**
-   * Used internally only, to represent the union of `KnownArrayElementContent`
-   * and `UnknownArrayElementContent`, to avoid combinatorial explosions in
-   * `SummaryComponentStack`s in flow summaries.
-   */
-  private class AnyArrayElementContent extends Content, TAnyArrayElementContent {
-    override string toString() { result = "any array element" }
+/**
+ * An entity that represents a set of `Content`s.
+ *
+ * The set may be interpreted differently depending on whether it is
+ * stored into (`getAStoreContent`) or read from (`getAReadContent`).
+ */
+class ContentSet extends TContentSet {
+  /** Holds if this content set is the singleton `{c}`. */
+  predicate isSingleton(Content c) { this = TSingletonContent(c) }
+
+  /** Holds if this content set represent all `ArrayElementContent`s. */
+  predicate isAnyArrayElement() { this = TAnyArrayElementContent() }
+
+  /** Gets a textual representation of this content set. */
+  string toString() {
+    exists(Content c |
+      this.isSingleton(c) and
+      result = c.toString()
+    )
+    or
+    this.isAnyArrayElement() and
+    result = "any array element"
+  }
+
+  /** Gets a content that may be stored into when storing into this set. */
+  Content getAStoreContent() {
+    this.isSingleton(result)
+    or
+    this.isAnyArrayElement() and
+    result = TUnknownArrayElementContent()
+  }
+
+  /** Gets a content that may be read from when reading from this set. */
+  Content getAReadContent() {
+    this.isSingleton(result)
+    or
+    this.isAnyArrayElement() and
+    result instanceof Content::ArrayElementContent
   }
 }
 

ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImplSpecific.qll

@@ -21,7 +21,7 @@ Node summaryNode(SummarizedCallable c, SummaryNodeState state) { result = TSumma
 SummaryCall summaryDataFlowCall(Node receiver) { receiver = result.getReceiver() }
 
 /** Gets the type of content `c`. */
-DataFlowType getContentType(Content c) { any() }
+DataFlowType getContentType(ContentSet c) { any() }
 
 /** Gets the return type of kind `rk` for callable `c`. */
 bindingset[c, rk]

ruby/ql/lib/codeql/ruby/dataflow/internal/TaintTrackingPrivate.qll

@@ -22,7 +22,7 @@ predicate defaultTaintSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
  * of `c` at sinks and inputs to additional taint steps.
  */
 bindingset[node]
-predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::Content c) { none() }
+predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c) { none() }
 
 private CfgNodes::ExprNodes::VariableWriteAccessCfgNode variablesInPattern(
   CfgNodes::ExprNodes::CasePatternCfgNode p
@@ -95,10 +95,14 @@ private module Cached {
     or
     FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom, nodeTo, false)
     or
-    // Although flow through arrays is modelled precisely using stores/reads, we still
-    // allow flow out of a _tainted_ array. This is needed in order to support taint-
-    // tracking configurations where the source is an array.
-    readStep(nodeFrom, any(DataFlow::Content::ArrayElementContent c), nodeTo)
+    // Although flow through collections is modelled precisely using stores/reads, we still
+    // allow flow out of a _tainted_ collection. This is needed in order to support taint-
+    // tracking configurations where the source is a collection.
+    exists(DataFlow::ContentSet c | readStep(nodeFrom, c, nodeTo) |
+      c.isSingleton(any(DataFlow::Content::ArrayElementContent aec))
+      or
+      c.isAnyArrayElement()
+    )
   }
 
   /**