Ruby: Flow through hash-splat expressions

Author: hvitved

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll

@@ -179,6 +179,7 @@ private class Argument extends CfgNodes::ExprCfgNode {
       this = call.getArgument(i) and
       not this.getExpr() instanceof BlockArgument and
       not this.getExpr().(Pair).getKey().getConstantValue().isSymbol(_) and
+      not this.getExpr() instanceof HashSplatExpr and
       arg.isPositional(i)
     )
     or
@@ -189,6 +190,10 @@ private class Argument extends CfgNodes::ExprCfgNode {
     )
     or
     this = call.getReceiver() and arg.isSelf()
+    or
+    this = call.getAnArgument() and
+    this.getExpr() instanceof HashSplatExpr and
+    arg.isHashSplat()
   }
 
   /** Holds if this expression is the `i`th argument of `c`. */

ruby/ql/lib/codeql/ruby/frameworks/Core.qll

@@ -73,3 +73,15 @@ private class SplatSummary extends SummarizedCallable {
     preservesValue = true
   }
 }
+
+private class HashSplatSummary extends SummarizedCallable {
+  HashSplatSummary() { this = "**(hash-splat)" }
+
+  override HashSplatExpr getACall() { any() }
+
+  override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+    input = "Argument[self].WithElement[any]" and
+    output = "ReturnValue" and
+    preservesValue = true
+  }
+}

ruby/ql/test/library-tests/dataflow/params/params-flow.expected

@@ -22,6 +22,10 @@ edges
 | params_flow.rb:33:12:33:19 | call to taint :  | params_flow.rb:25:12:25:13 | p1 :  |
 | params_flow.rb:33:26:33:34 | call to taint :  | params_flow.rb:25:17:25:24 | **kwargs [element :p2] :  |
 | params_flow.rb:33:41:33:49 | call to taint :  | params_flow.rb:25:17:25:24 | **kwargs [element :p3] :  |
+| params_flow.rb:34:14:34:22 | call to taint :  | params_flow.rb:35:25:35:28 | args [element :p3] :  |
+| params_flow.rb:35:12:35:20 | call to taint :  | params_flow.rb:25:12:25:13 | p1 :  |
+| params_flow.rb:35:23:35:28 | ** ... [element :p3] :  | params_flow.rb:25:17:25:24 | **kwargs [element :p3] :  |
+| params_flow.rb:35:25:35:28 | args [element :p3] :  | params_flow.rb:35:23:35:28 | ** ... [element :p3] :  |
 nodes
 | params_flow.rb:9:16:9:17 | p1 :  | semmle.label | p1 :  |
 | params_flow.rb:9:20:9:21 | p2 :  | semmle.label | p2 :  |
@@ -52,6 +56,10 @@ nodes
 | params_flow.rb:33:12:33:19 | call to taint :  | semmle.label | call to taint :  |
 | params_flow.rb:33:26:33:34 | call to taint :  | semmle.label | call to taint :  |
 | params_flow.rb:33:41:33:49 | call to taint :  | semmle.label | call to taint :  |
+| params_flow.rb:34:14:34:22 | call to taint :  | semmle.label | call to taint :  |
+| params_flow.rb:35:12:35:20 | call to taint :  | semmle.label | call to taint :  |
+| params_flow.rb:35:23:35:28 | ** ... [element :p3] :  | semmle.label | ** ... [element :p3] :  |
+| params_flow.rb:35:25:35:28 | args [element :p3] :  | semmle.label | args [element :p3] :  |
 subpaths
 #select
 | params_flow.rb:10:10:10:11 | p1 | params_flow.rb:14:12:14:19 | call to taint :  | params_flow.rb:10:10:10:11 | p1 | $@ | params_flow.rb:14:12:14:19 | call to taint :  | call to taint :  |
@@ -63,5 +71,7 @@ subpaths
 | params_flow.rb:18:10:18:11 | p2 | params_flow.rb:22:13:22:20 | call to taint :  | params_flow.rb:18:10:18:11 | p2 | $@ | params_flow.rb:22:13:22:20 | call to taint :  | call to taint :  |
 | params_flow.rb:18:10:18:11 | p2 | params_flow.rb:23:16:23:23 | call to taint :  | params_flow.rb:18:10:18:11 | p2 | $@ | params_flow.rb:23:16:23:23 | call to taint :  | call to taint :  |
 | params_flow.rb:26:10:26:11 | p1 | params_flow.rb:33:12:33:19 | call to taint :  | params_flow.rb:26:10:26:11 | p1 | $@ | params_flow.rb:33:12:33:19 | call to taint :  | call to taint :  |
+| params_flow.rb:26:10:26:11 | p1 | params_flow.rb:35:12:35:20 | call to taint :  | params_flow.rb:26:10:26:11 | p1 | $@ | params_flow.rb:35:12:35:20 | call to taint :  | call to taint :  |
 | params_flow.rb:28:10:28:22 | ( ... ) | params_flow.rb:33:26:33:34 | call to taint :  | params_flow.rb:28:10:28:22 | ( ... ) | $@ | params_flow.rb:33:26:33:34 | call to taint :  | call to taint :  |
 | params_flow.rb:29:10:29:22 | ( ... ) | params_flow.rb:33:41:33:49 | call to taint :  | params_flow.rb:29:10:29:22 | ( ... ) | $@ | params_flow.rb:33:41:33:49 | call to taint :  | call to taint :  |
+| params_flow.rb:29:10:29:22 | ( ... ) | params_flow.rb:34:14:34:22 | call to taint :  | params_flow.rb:29:10:29:22 | ( ... ) | $@ | params_flow.rb:34:14:34:22 | call to taint :  | call to taint :  |

ruby/ql/test/library-tests/dataflow/params/params_flow.rb

@@ -23,11 +23,13 @@ def keyword(p1:, p2:)
 keyword(:p2 => taint(7), :p1 => taint(8))
 
 def kwargs(p1:, **kwargs)
-    sink p1 # $ hasValueFlow=9
+    sink p1 # $ hasValueFlow=9 $ hasValueFlow=13
     sink (kwargs[:p1])
     sink (kwargs[:p2]) # $ hasValueFlow=10
-    sink (kwargs[:p3]) # $ hasValueFlow=11
+    sink (kwargs[:p3]) # $ hasValueFlow=11 $ hasValueFlow=12
     sink (kwargs[:p4])
 end
 
 kwargs(p1: taint(9), p2: taint(10), p3: taint(11), p4: "")
+args = { p3: taint(12), p4: "" }
+kwargs(p1: taint(13), **args)