Merge pull request github#7663 from github/hmac/api-graph-subclass

Ruby: Add basic subclassing support to API Graphs

Author: hmac

cpp/ql/test/TestUtilities/InlineExpectationsTest.qll

@@ -123,6 +123,15 @@ abstract class InlineExpectationsTest extends string {
    */
   abstract predicate hasActualResult(Location location, string element, string tag, string value);
 
+  /**
+   * Like `hasActualResult`, but returns results that do not require a matching annotation.
+   * A failure will still arise if there is an annotation that does not match any results, but not vice versa.
+   * Override this predicate to specify optional results.
+   */
+  predicate hasOptionalResult(Location location, string element, string tag, string value) {
+    none()
+  }
+
   final predicate hasFailureMessage(FailureLocatable element, string message) {
     exists(ActualResult actualResult |
       actualResult.getTest() = this and
@@ -134,7 +143,8 @@ abstract class InlineExpectationsTest extends string {
         )
         or
         not exists(ValidExpectation expectation | expectation.matchesActualResult(actualResult)) and
-        message = "Unexpected result: " + actualResult.getExpectationText()
+        message = "Unexpected result: " + actualResult.getExpectationText() and
+        not actualResult.isOptional()
       )
     )
     or
@@ -243,9 +253,13 @@ private string expectationPattern() {
 
 private newtype TFailureLocatable =
   TActualResult(
-    InlineExpectationsTest test, Location location, string element, string tag, string value
+    InlineExpectationsTest test, Location location, string element, string tag, string value,
+    boolean optional
   ) {
-    test.hasActualResult(location, element, tag, value)
+    test.hasActualResult(location, element, tag, value) and
+    optional = false
+    or
+    test.hasOptionalResult(location, element, tag, value) and optional = true
   } or
   TValidExpectation(ExpectationComment comment, string tag, string value, string knownFailure) {
     exists(TColumn column, string tags |
@@ -277,8 +291,9 @@ class ActualResult extends FailureLocatable, TActualResult {
   string element;
   string tag;
   string value;
+  boolean optional;
 
-  ActualResult() { this = TActualResult(test, location, element, tag, value) }
+  ActualResult() { this = TActualResult(test, location, element, tag, value, optional) }
 
   override string toString() { result = element }
 
@@ -289,6 +304,8 @@ class ActualResult extends FailureLocatable, TActualResult {
   override string getTag() { result = tag }
 
   override string getValue() { result = value }
+
+  predicate isOptional() { optional = true }
 }
 
 abstract private class Expectation extends FailureLocatable {

csharp/ql/test/TestUtilities/InlineExpectationsTest.qll

@@ -123,6 +123,15 @@ abstract class InlineExpectationsTest extends string {
    */
   abstract predicate hasActualResult(Location location, string element, string tag, string value);
 
+  /**
+   * Like `hasActualResult`, but returns results that do not require a matching annotation.
+   * A failure will still arise if there is an annotation that does not match any results, but not vice versa.
+   * Override this predicate to specify optional results.
+   */
+  predicate hasOptionalResult(Location location, string element, string tag, string value) {
+    none()
+  }
+
   final predicate hasFailureMessage(FailureLocatable element, string message) {
     exists(ActualResult actualResult |
       actualResult.getTest() = this and
@@ -134,7 +143,8 @@ abstract class InlineExpectationsTest extends string {
         )
         or
         not exists(ValidExpectation expectation | expectation.matchesActualResult(actualResult)) and
-        message = "Unexpected result: " + actualResult.getExpectationText()
+        message = "Unexpected result: " + actualResult.getExpectationText() and
+        not actualResult.isOptional()
       )
     )
     or
@@ -243,9 +253,13 @@ private string expectationPattern() {
 
 private newtype TFailureLocatable =
   TActualResult(
-    InlineExpectationsTest test, Location location, string element, string tag, string value
+    InlineExpectationsTest test, Location location, string element, string tag, string value,
+    boolean optional
   ) {
-    test.hasActualResult(location, element, tag, value)
+    test.hasActualResult(location, element, tag, value) and
+    optional = false
+    or
+    test.hasOptionalResult(location, element, tag, value) and optional = true
   } or
   TValidExpectation(ExpectationComment comment, string tag, string value, string knownFailure) {
     exists(TColumn column, string tags |
@@ -277,8 +291,9 @@ class ActualResult extends FailureLocatable, TActualResult {
   string element;
   string tag;
   string value;
+  boolean optional;
 
-  ActualResult() { this = TActualResult(test, location, element, tag, value) }
+  ActualResult() { this = TActualResult(test, location, element, tag, value, optional) }
 
   override string toString() { result = element }
 
@@ -289,6 +304,8 @@ class ActualResult extends FailureLocatable, TActualResult {
   override string getTag() { result = tag }
 
   override string getValue() { result = value }
+
+  predicate isOptional() { optional = true }
 }
 
 abstract private class Expectation extends FailureLocatable {

java/ql/test/TestUtilities/InlineExpectationsTest.qll

@@ -123,6 +123,15 @@ abstract class InlineExpectationsTest extends string {
    */
   abstract predicate hasActualResult(Location location, string element, string tag, string value);
 
+  /**
+   * Like `hasActualResult`, but returns results that do not require a matching annotation.
+   * A failure will still arise if there is an annotation that does not match any results, but not vice versa.
+   * Override this predicate to specify optional results.
+   */
+  predicate hasOptionalResult(Location location, string element, string tag, string value) {
+    none()
+  }
+
   final predicate hasFailureMessage(FailureLocatable element, string message) {
     exists(ActualResult actualResult |
       actualResult.getTest() = this and
@@ -134,7 +143,8 @@ abstract class InlineExpectationsTest extends string {
         )
         or
         not exists(ValidExpectation expectation | expectation.matchesActualResult(actualResult)) and
-        message = "Unexpected result: " + actualResult.getExpectationText()
+        message = "Unexpected result: " + actualResult.getExpectationText() and
+        not actualResult.isOptional()
       )
     )
     or
@@ -243,9 +253,13 @@ private string expectationPattern() {
 
 private newtype TFailureLocatable =
   TActualResult(
-    InlineExpectationsTest test, Location location, string element, string tag, string value
+    InlineExpectationsTest test, Location location, string element, string tag, string value,
+    boolean optional
   ) {
-    test.hasActualResult(location, element, tag, value)
+    test.hasActualResult(location, element, tag, value) and
+    optional = false
+    or
+    test.hasOptionalResult(location, element, tag, value) and optional = true
   } or
   TValidExpectation(ExpectationComment comment, string tag, string value, string knownFailure) {
     exists(TColumn column, string tags |
@@ -277,8 +291,9 @@ class ActualResult extends FailureLocatable, TActualResult {
   string element;
   string tag;
   string value;
+  boolean optional;
 
-  ActualResult() { this = TActualResult(test, location, element, tag, value) }
+  ActualResult() { this = TActualResult(test, location, element, tag, value, optional) }
 
   override string toString() { result = element }
 
@@ -289,6 +304,8 @@ class ActualResult extends FailureLocatable, TActualResult {
   override string getTag() { result = tag }
 
   override string getValue() { result = value }
+
+  predicate isOptional() { optional = true }
 }
 
 abstract private class Expectation extends FailureLocatable {

python/ql/test/TestUtilities/InlineExpectationsTest.qll

@@ -123,6 +123,15 @@ abstract class InlineExpectationsTest extends string {
    */
   abstract predicate hasActualResult(Location location, string element, string tag, string value);
 
+  /**
+   * Like `hasActualResult`, but returns results that do not require a matching annotation.
+   * A failure will still arise if there is an annotation that does not match any results, but not vice versa.
+   * Override this predicate to specify optional results.
+   */
+  predicate hasOptionalResult(Location location, string element, string tag, string value) {
+    none()
+  }
+
   final predicate hasFailureMessage(FailureLocatable element, string message) {
     exists(ActualResult actualResult |
       actualResult.getTest() = this and
@@ -134,7 +143,8 @@ abstract class InlineExpectationsTest extends string {
         )
         or
         not exists(ValidExpectation expectation | expectation.matchesActualResult(actualResult)) and
-        message = "Unexpected result: " + actualResult.getExpectationText()
+        message = "Unexpected result: " + actualResult.getExpectationText() and
+        not actualResult.isOptional()
       )
     )
     or
@@ -243,9 +253,13 @@ private string expectationPattern() {
 
 private newtype TFailureLocatable =
   TActualResult(
-    InlineExpectationsTest test, Location location, string element, string tag, string value
+    InlineExpectationsTest test, Location location, string element, string tag, string value,
+    boolean optional
   ) {
-    test.hasActualResult(location, element, tag, value)
+    test.hasActualResult(location, element, tag, value) and
+    optional = false
+    or
+    test.hasOptionalResult(location, element, tag, value) and optional = true
   } or
   TValidExpectation(ExpectationComment comment, string tag, string value, string knownFailure) {
     exists(TColumn column, string tags |
@@ -277,8 +291,9 @@ class ActualResult extends FailureLocatable, TActualResult {
   string element;
   string tag;
   string value;
+  boolean optional;
 
-  ActualResult() { this = TActualResult(test, location, element, tag, value) }
+  ActualResult() { this = TActualResult(test, location, element, tag, value, optional) }
 
   override string toString() { result = element }
 
@@ -289,6 +304,8 @@ class ActualResult extends FailureLocatable, TActualResult {
   override string getTag() { result = tag }
 
   override string getValue() { result = value }
+
+  predicate isOptional() { optional = true }
 }
 
 abstract private class Expectation extends FailureLocatable {

ruby/ql/lib/codeql/ruby/ApiGraphs.qll

@@ -88,22 +88,41 @@ module API {
      * This predicate may have multiple results when there are multiple constructor calls invoking this API component.
      * Consider using `getAnInstantiation()` if there is a need to distinguish between individual constructor calls.
      */
-    Node getInstance() { result = this.getASuccessor(Label::instance()) }
+    Node getInstance() { result = this.getASubclass().getASuccessor(Label::instance()) }
 
     /**
      * Gets a node representing the result of calling a method on the receiver represented by this node.
      */
-    Node getReturn(string method) { result = this.getASuccessor(Label::return(method)) }
+    Node getReturn(string method) {
+      result = this.getASubclass().getASuccessor(Label::return(method))
+    }
 
     /**
      * Gets a `new` call to the function represented by this API component.
      */
     DataFlow::ExprNode getAnInstantiation() { result = this.getInstance().getAnImmediateUse() }
 
     /**
-     * Gets a node representing a subclass of the class represented by this node.
+     * Gets a node representing a (direct or indirect) subclass of the class represented by this node.
+     * ```rb
+     * class A; end
+     * class B < A; end
+     * class C < B; end
+     * ```
+     * In the example above, `getMember("A").getASubclass()` will return uses of `A`, `B` and `C`.
+     */
+    Node getASubclass() { result = this.getAnImmediateSubclass*() }
+
+    /**
+     * Gets a node representing a direct subclass of the class represented by this node.
+     * ```rb
+     * class A; end
+     * class B < A; end
+     * class C < B; end
+     * ```
+     * In the example above, `getMember("A").getAnImmediateSubclass()` will return uses of `B` only.
      */
-    Node getASubclass() { result = this.getASuccessor(Label::subclass()) }
+    Node getAnImmediateSubclass() { result = this.getASuccessor(Label::subclass()) }
 
     /**
      * Gets a string representation of the lexicographically least among all shortest access paths
@@ -254,10 +273,9 @@ module API {
      */
     pragma[nomagic]
     private predicate useRoot(string lbl, DataFlow::Node ref) {
-      exists(string name, ExprNodes::ConstantAccessCfgNode access, ConstantReadAccess read |
-        access = ref.asExpr() and
-        lbl = Label::member(read.getName()) and
-        read = access.getExpr()
+      exists(string name, ConstantReadAccess read |
+        read = ref.asExpr().getExpr() and
+        lbl = Label::member(read.getName())
       |
         name = resolveTopLevel(read)
         or
@@ -389,6 +407,17 @@ module API {
           useStep(lbl, node, ref)
         )
       )
+      or
+      // `pred` is a use of class A
+      // `succ` is a use of class B
+      // there exists a class declaration B < A
+      exists(ClassDeclaration c, DataFlow::Node a, DataFlow::Node b |
+        use(pred, a) and
+        use(succ, b) and
+        resolveConstant(b.asExpr().getExpr()) = resolveConstantWriteAccess(c) and
+        c.getSuperclassExpr() = a.asExpr().getExpr() and
+        lbl = Label::subclass()
+      )
     }
 
     /**

ruby/ql/lib/codeql/ruby/ast/internal/Module.qll

@@ -233,12 +233,17 @@ private module ResolveImpl {
 
   pragma[nomagic]
   private string resolveConstantReadAccessNonRec(ConstantReadAccess c, int priority) {
+    // ::B
     c.hasGlobalScope() and result = c.getName() and priority = 0
     or
+    // A::B
     exists(string name, string s | result = isDefinedConstantNonRec(s, name) |
       s = resolveConstantReadAccessScopeNonRec(c, priority, name)
     )
     or
+    // module A
+    //   B
+    // end
     exists(string name |
       exists(Namespace n, string qname |
         n = constantReadAccessEnclosingNameSpace(c, priority, name) and

ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll

@@ -4,22 +4,9 @@ private import codeql.ruby.controlflow.CfgNodes
 private import codeql.ruby.DataFlow
 private import codeql.ruby.dataflow.RemoteFlowSources
 private import codeql.ruby.ast.internal.Module
+private import codeql.ruby.ApiGraphs
 private import ActionView
 
-private class ActionControllerBaseAccess extends ConstantReadAccess {
-  ActionControllerBaseAccess() {
-    this.getName() = "Base" and
-    this.getScopeExpr().(ConstantAccess).getName() = "ActionController"
-  }
-}
-
-// ApplicationController extends ActionController::Base, but we
-// treat it separately in case the ApplicationController definition
-// is not in the database
-private class ApplicationControllerAccess extends ConstantReadAccess {
-  ApplicationControllerAccess() { this.getName() = "ApplicationController" }
-}
-
 /**
  * A `ClassDeclaration` for a class that extends `ActionController::Base`.
  * For example,
@@ -35,16 +22,13 @@ private class ApplicationControllerAccess extends ConstantReadAccess {
  */
 class ActionControllerControllerClass extends ClassDeclaration {
   ActionControllerControllerClass() {
-    // class FooController < ActionController::Base
-    this.getSuperclassExpr() instanceof ActionControllerBaseAccess
-    or
-    // class FooController < ApplicationController
-    this.getSuperclassExpr() instanceof ApplicationControllerAccess
-    or
-    // class BarController < FooController
-    exists(ActionControllerControllerClass other |
-      other.getModule() = resolveConstantReadAccess(this.getSuperclassExpr())
-    )
+    this.getSuperclassExpr() =
+      [
+        API::getTopLevelMember("ActionController").getMember("Base"),
+        // In Rails applications `ApplicationController` typically extends `ActionController::Base`, but we
+        // treat it separately in case the `ApplicationController` definition is not in the database.
+        API::getTopLevelMember("ApplicationController")
+      ].getASubclass().getAUse().asExpr().getExpr()
   }
 
   /**