Ruby: instantiate NetHttpRequest even if body is not accessed

Author: asgerf

ruby/ql/lib/codeql/ruby/frameworks/http_clients/NetHttp.qll

@@ -21,8 +21,8 @@ private import codeql.ruby.dataflow.internal.DataFlowImplForHttpClientLibraries
  */
 class NetHttpRequest extends Http::Client::Request::Range, DataFlow::CallNode {
   private DataFlow::CallNode request;
-  private DataFlow::Node responseBody;
   private API::Node requestNode;
+  private boolean returnsResponseBody;
 
   NetHttpRequest() {
     exists(string method |
@@ -32,20 +32,20 @@ class NetHttpRequest extends Http::Client::Request::Range, DataFlow::CallNode {
       // Net::HTTP.get(...)
       method = "get" and
       requestNode = API::getTopLevelMember("Net").getMember("HTTP").getReturn(method) and
-      responseBody = request
+      returnsResponseBody = true
       or
       // Net::HTTP.post(...).body
       method in ["post", "post_form"] and
       requestNode = API::getTopLevelMember("Net").getMember("HTTP").getReturn(method) and
-      responseBody = requestNode.getAMethodCall(["body", "read_body", "entity"])
+      returnsResponseBody = false
       or
       // Net::HTTP.new(..).get(..).body
       method in [
           "get", "get2", "request_get", "head", "head2", "request_head", "delete", "put", "patch",
           "post", "post2", "request_post", "request"
         ] and
       requestNode = API::getTopLevelMember("Net").getMember("HTTP").getInstance().getReturn(method) and
-      responseBody = requestNode.getAMethodCall(["body", "read_body", "entity"])
+      returnsResponseBody = false
     )
   }
 
@@ -64,7 +64,11 @@ class NetHttpRequest extends Http::Client::Request::Range, DataFlow::CallNode {
     )
   }
 
-  override DataFlow::Node getResponseBody() { result = responseBody }
+  override DataFlow::Node getResponseBody() {
+    if returnsResponseBody = true
+    then result = this
+    else result = requestNode.getAMethodCall(["body", "read_body", "entity"])
+  }
 
   /** Gets the value that controls certificate validation, if any. */
   DataFlow::Node getCertificateValidationControllingValue() {

ruby/ql/test/library-tests/frameworks/http_clients/HttpClients.expected

@@ -43,7 +43,9 @@ httpRequests
 | NetHttp.rb:13:6:13:17 | call to get |
 | NetHttp.rb:14:6:14:18 | call to post |
 | NetHttp.rb:15:6:15:17 | call to put |
+| NetHttp.rb:16:6:16:19 | call to patch |
 | NetHttp.rb:24:3:24:33 | call to get |
+| NetHttp.rb:29:1:29:32 | call to post |
 | OpenURI.rb:3:9:3:41 | call to open |
 | OpenURI.rb:6:9:6:34 | call to open |
 | OpenURI.rb:9:9:9:38 | call to open |
@@ -110,7 +112,9 @@ getFramework
 | NetHttp.rb:13:6:13:17 | call to get | Net::HTTP |
 | NetHttp.rb:14:6:14:18 | call to post | Net::HTTP |
 | NetHttp.rb:15:6:15:17 | call to put | Net::HTTP |
+| NetHttp.rb:16:6:16:19 | call to patch | Net::HTTP |
 | NetHttp.rb:24:3:24:33 | call to get | Net::HTTP |
+| NetHttp.rb:29:1:29:32 | call to post | Net::HTTP |
 | OpenURI.rb:3:9:3:41 | call to open | OpenURI |
 | OpenURI.rb:6:9:6:34 | call to open | OpenURI |
 | OpenURI.rb:9:9:9:38 | call to open | OpenURI |
@@ -259,8 +263,11 @@ getAUrlPart
 | NetHttp.rb:14:6:14:18 | call to post | NetHttp.rb:14:15:14:17 | "/" |
 | NetHttp.rb:15:6:15:17 | call to put | NetHttp.rb:11:21:11:41 | "https://example.com" |
 | NetHttp.rb:15:6:15:17 | call to put | NetHttp.rb:15:14:15:16 | "/" |
+| NetHttp.rb:16:6:16:19 | call to patch | NetHttp.rb:11:21:11:41 | "https://example.com" |
+| NetHttp.rb:16:6:16:19 | call to patch | NetHttp.rb:16:16:16:18 | "/" |
 | NetHttp.rb:24:3:24:33 | call to get | NetHttp.rb:24:17:24:22 | domain |
 | NetHttp.rb:24:3:24:33 | call to get | NetHttp.rb:24:29:24:32 | path |
+| NetHttp.rb:29:1:29:32 | call to post | NetHttp.rb:29:16:29:18 | uri |
 | OpenURI.rb:3:9:3:41 | call to open | OpenURI.rb:3:21:3:40 | "http://example.com" |
 | OpenURI.rb:6:9:6:34 | call to open | OpenURI.rb:6:14:6:33 | "http://example.com" |
 | OpenURI.rb:9:9:9:38 | call to open | OpenURI.rb:9:18:9:37 | "http://example.com" |