Ruby: Desugar hash literals

```rb
{ a: 1, **splat, b: 2 }
```

becomes

```rb
::Hash.[](a: 1, **splat, b: 2)
```

Author: hvitved

ruby/ql/lib/codeql/ruby/ast/internal/Synthesis.qll

@@ -794,14 +794,15 @@ private module ArrayLiteralDesugar {
     exists(ArrayLiteral al |
       parent = al and
       i = -1 and
-      child = SynthChild(MethodCallKind("[]", false, al.getNumberOfElements() + 1))
+      child = SynthChild(MethodCallKind("[]", false, al.getNumberOfElements()))
       or
-      exists(AstNode mc | mc = TMethodCallSynth(al, -1, _, _, _) |
-        parent = mc and
+      exists(AstNode mc |
+        mc = TMethodCallSynth(al, -1, _, _, _) and
+        parent = mc
+      |
         i = 0 and
         child = SynthChild(ConstantReadAccessKind("::Array"))
         or
-        parent = mc and
         child = childRef(al.getElement(i - 1))
       )
     )
@@ -825,13 +826,58 @@ private module ArrayLiteralDesugar {
     final override predicate methodCall(string name, boolean setter, int arity) {
       name = "[]" and
       setter = false and
-      arity = any(ArrayLiteral al).getNumberOfElements() + 1
+      arity = any(ArrayLiteral al).getNumberOfElements()
     }
 
     final override predicate constantReadAccess(string name) { name = "::Array" }
   }
 }
 
+private module HashLiteralDesugar {
+  pragma[nomagic]
+  private predicate hashLiteralSynthesis(AstNode parent, int i, Child child) {
+    exists(HashLiteral hl |
+      parent = hl and
+      i = -1 and
+      child = SynthChild(MethodCallKind("[]", false, hl.getNumberOfElements()))
+      or
+      exists(AstNode mc |
+        mc = TMethodCallSynth(hl, -1, _, _, _) and
+        parent = mc
+      |
+        i = 0 and
+        child = SynthChild(ConstantReadAccessKind("::Hash"))
+        or
+        child = childRef(hl.getElement(i - 1))
+      )
+    )
+  }
+
+  /**
+   * ```rb
+   * { a: 1, **splat, b: 2 }
+   * ```
+   * desugars to
+   *
+   * ```rb
+   * ::Hash.[](a: 1, **splat, b: 2)
+   * ```
+   */
+  private class HashLiteralSynthesis extends Synthesis {
+    final override predicate child(AstNode parent, int i, Child child) {
+      hashLiteralSynthesis(parent, i, child)
+    }
+
+    final override predicate methodCall(string name, boolean setter, int arity) {
+      name = "[]" and
+      setter = false and
+      arity = any(HashLiteral hl).getNumberOfElements()
+    }
+
+    final override predicate constantReadAccess(string name) { name = "::Hash" }
+  }
+}
+
 /**
  * ```rb
  * for x in xs

ruby/ql/lib/codeql/ruby/controlflow/CfgNodes.qll

@@ -484,6 +484,9 @@ module ExprNodes {
     /** Gets the `n`th argument of this call. */
     final ExprCfgNode getArgument(int n) { e.hasCfgChild(e.getArgument(n), this, result) }
 
+    /** Gets an argument of this call. */
+    final ExprCfgNode getAnArgument() { result = this.getArgument(_) }
+
     /** Gets the the keyword argument whose key is `keyword` of this call. */
     final ExprCfgNode getKeywordArgument(string keyword) {
       exists(PairCfgNode n |
@@ -940,4 +943,39 @@ module ExprNodes {
 
     final override ElementReference getExpr() { result = super.getExpr() }
   }
+
+  /**
+   * A control-flow node that wraps an array literal. Array literals are desugared
+   * into calls to `Array.[]`, so this includes both desugared calls as well as
+   * explicit calls.
+   */
+  class ArrayLiteralCfgNode extends MethodCallCfgNode {
+    ArrayLiteralCfgNode() {
+      exists(ConstantReadAccess array |
+        array = this.getReceiver().getExpr() and
+        e.(MethodCall).getMethodName() = "[]" and
+        array.getName() = "Array" and
+        array.hasGlobalScope()
+      )
+    }
+  }
+
+  /**
+   * A control-flow node that wraps a hash literal. Hash literals are desugared
+   * into calls to `Hash.[]`, so this includes both desugared calls as well as
+   * explicit calls.
+   */
+  class HashLiteralCfgNode extends MethodCallCfgNode {
+    HashLiteralCfgNode() {
+      exists(ConstantReadAccess array |
+        array = this.getReceiver().getExpr() and
+        e.(MethodCall).getMethodName() = "[]" and
+        array.getName() = "Hash" and
+        array.hasGlobalScope()
+      )
+    }
+
+    /** Gets a pair of this hash literal. */
+    PairCfgNode getAKeyValuePair() { result = this.getAnArgument() }
+  }
 }

ruby/ql/lib/codeql/ruby/controlflow/internal/ControlFlowGraphImpl.qll

@@ -986,10 +986,6 @@ module Trees {
 
   private class GlobalVariableTree extends LeafTree, GlobalVariableAccess { }
 
-  private class HashLiteralTree extends StandardPostOrderTree, HashLiteral {
-    final override ControlFlowTree getChildElement(int i) { result = this.getElement(i) }
-  }
-
   private class HashSplatNilParameterTree extends LeafTree, HashSplatNilParameter { }
 
   private class HashSplatParameterTree extends NonDefaultValueParameterTree, HashSplatParameter { }

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll

@@ -278,16 +278,9 @@ private DataFlow::LocalSourceNode trackInstance(Module tp, TypeTracker t) {
     or
     result.asExpr().getExpr() instanceof StringlikeLiteral and tp = TResolved("String")
     or
-    exists(ConstantReadAccess array, MethodCall mc |
-      result.asExpr().getExpr() = mc and
-      mc.getMethodName() = "[]" and
-      mc.getReceiver() = array and
-      array.getName() = "Array" and
-      array.hasGlobalScope() and
-      tp = TResolved("Array")
-    )
+    result.asExpr() instanceof CfgNodes::ExprNodes::ArrayLiteralCfgNode and tp = TResolved("Array")
     or
-    result.asExpr().getExpr() instanceof HashLiteral and tp = TResolved("Hash")
+    result.asExpr() instanceof CfgNodes::ExprNodes::HashLiteralCfgNode and tp = TResolved("Hash")
     or
     result.asExpr().getExpr() instanceof MethodBase and tp = TResolved("Symbol")
     or

ruby/ql/lib/codeql/ruby/frameworks/XmlParsing.qll

@@ -52,14 +52,15 @@ private class LibXmlRubyXmlParserCall extends XmlParserCall::Range, DataFlow::Ca
   override DataFlow::Node getInput() { result = this.getArgument(0) }
 
   override predicate externalEntitiesEnabled() {
-    exists(Pair pair |
-      pair = this.getArgument(1).asExpr().getExpr().(HashLiteral).getAKeyValuePair() and
+    exists(CfgNodes::ExprNodes::PairCfgNode pair |
+      pair =
+        this.getArgument(1).asExpr().(CfgNodes::ExprNodes::HashLiteralCfgNode).getAKeyValuePair() and
       pair.getKey().getConstantValue().isStringOrSymbol("options") and
       pair.getValue() =
         [
           trackEnableFeature(TNOENT()), trackEnableFeature(TDTDLOAD()),
           trackDisableFeature(TNONET())
-        ].asExpr().getExpr()
+        ].asExpr()
     )
   }
 }

ruby/ql/lib/codeql/ruby/frameworks/http_clients/Excon.qll

@@ -1,4 +1,5 @@
 private import ruby
+private import codeql.ruby.CFG
 private import codeql.ruby.Concepts
 private import codeql.ruby.ApiGraphs
 
@@ -91,16 +92,16 @@ class ExconHttpRequest extends HTTP::Client::Request::Range {
 predicate argSetsVerifyPeer(DataFlow::Node arg, boolean value, DataFlow::Node kvNode) {
   // Either passed as an individual key:value argument, e.g.:
   // Excon.get(..., ssl_verify_peer: false)
-  isSslVerifyPeerPair(arg.asExpr().getExpr(), value) and
+  isSslVerifyPeerPair(arg.asExpr(), value) and
   kvNode = arg
   or
   // Or as a single hash argument, e.g.:
   // Excon.get(..., { ssl_verify_peer: false, ... })
-  exists(DataFlow::LocalSourceNode optionsNode, Pair p |
-    p = optionsNode.asExpr().getExpr().(HashLiteral).getAKeyValuePair() and
+  exists(DataFlow::LocalSourceNode optionsNode, CfgNodes::ExprNodes::PairCfgNode p |
+    p = optionsNode.asExpr().(CfgNodes::ExprNodes::HashLiteralCfgNode).getAKeyValuePair() and
     isSslVerifyPeerPair(p, value) and
     optionsNode.flowsTo(arg) and
-    kvNode.asExpr().getExpr() = p
+    kvNode.asExpr() = p
   )
 }
 
@@ -133,10 +134,10 @@ private predicate hasBooleanValue(DataFlow::Node node, boolean value) {
 }
 
 /** Holds if `p` is the pair `ssl_verify_peer: <value>`. */
-private predicate isSslVerifyPeerPair(Pair p, boolean value) {
+private predicate isSslVerifyPeerPair(CfgNodes::ExprNodes::PairCfgNode p, boolean value) {
   exists(DataFlow::Node key, DataFlow::Node valueNode |
-    key.asExpr().getExpr() = p.getKey() and valueNode.asExpr().getExpr() = p.getValue()
-  |
+    key.asExpr() = p.getKey() and
+    valueNode.asExpr() = p.getValue() and
     isSslVerifyPeerLiteral(key) and
     hasBooleanValue(valueNode, value)
   )

ruby/ql/lib/codeql/ruby/frameworks/http_clients/Faraday.qll

@@ -1,4 +1,5 @@
 private import ruby
+private import codeql.ruby.CFG
 private import codeql.ruby.Concepts
 private import codeql.ruby.ApiGraphs
 
@@ -56,16 +57,16 @@ class FaradayHttpRequest extends HTTP::Client::Request::Range {
     |
       // Either passed as an individual key:value argument, e.g.:
       // Faraday.new(..., ssl: {...})
-      isSslOptionsPairDisablingValidation(arg.asExpr().getExpr()) and
+      isSslOptionsPairDisablingValidation(arg.asExpr()) and
       disablingNode = arg
       or
       // Or as a single hash argument, e.g.:
       // Faraday.new(..., { ssl: {...} })
-      exists(DataFlow::LocalSourceNode optionsNode, Pair p |
-        p = optionsNode.asExpr().getExpr().(HashLiteral).getAKeyValuePair() and
+      exists(DataFlow::LocalSourceNode optionsNode, CfgNodes::ExprNodes::PairCfgNode p |
+        p = optionsNode.asExpr().(CfgNodes::ExprNodes::HashLiteralCfgNode).getAKeyValuePair() and
         isSslOptionsPairDisablingValidation(p) and
         optionsNode.flowsTo(arg) and
-        disablingNode.asExpr().getExpr() = p
+        disablingNode.asExpr() = p
       )
     )
   }
@@ -78,10 +79,10 @@ class FaradayHttpRequest extends HTTP::Client::Request::Range {
  * containing either `verify: false` or
  * `verify_mode: OpenSSL::SSL::VERIFY_NONE`.
  */
-private predicate isSslOptionsPairDisablingValidation(Pair p) {
+private predicate isSslOptionsPairDisablingValidation(CfgNodes::ExprNodes::PairCfgNode p) {
   exists(DataFlow::Node key, DataFlow::Node value |
-    key.asExpr().getExpr() = p.getKey() and value.asExpr().getExpr() = p.getValue()
-  |
+    key.asExpr() = p.getKey() and
+    value.asExpr() = p.getValue() and
     isSymbolLiteral(key, "ssl") and
     (isHashWithVerifyFalse(value) or isHashWithVerifyModeNone(value))
   )
@@ -101,7 +102,7 @@ private predicate isSymbolLiteral(DataFlow::Node node, string valueText) {
  */
 private predicate isHashWithVerifyFalse(DataFlow::Node node) {
   exists(DataFlow::LocalSourceNode hash |
-    isVerifyFalsePair(hash.asExpr().getExpr().(HashLiteral).getAKeyValuePair()) and
+    isVerifyFalsePair(hash.asExpr().(CfgNodes::ExprNodes::HashLiteralCfgNode).getAKeyValuePair()) and
     hash.flowsTo(node)
   )
 }
@@ -112,7 +113,7 @@ private predicate isHashWithVerifyFalse(DataFlow::Node node) {
  */
 private predicate isHashWithVerifyModeNone(DataFlow::Node node) {
   exists(DataFlow::LocalSourceNode hash |
-    isVerifyModeNonePair(hash.asExpr().getExpr().(HashLiteral).getAKeyValuePair()) and
+    isVerifyModeNonePair(hash.asExpr().(CfgNodes::ExprNodes::HashLiteralCfgNode).getAKeyValuePair()) and
     hash.flowsTo(node)
   )
 }
@@ -121,10 +122,10 @@ private predicate isHashWithVerifyModeNone(DataFlow::Node node) {
  * Holds if the pair `p` has the key `:verify_mode` and the value
  * `OpenSSL::SSL::VERIFY_NONE`.
  */
-private predicate isVerifyModeNonePair(Pair p) {
+private predicate isVerifyModeNonePair(CfgNodes::ExprNodes::PairCfgNode p) {
   exists(DataFlow::Node key, DataFlow::Node value |
-    key.asExpr().getExpr() = p.getKey() and value.asExpr().getExpr() = p.getValue()
-  |
+    key.asExpr() = p.getKey() and
+    value.asExpr() = p.getValue() and
     isSymbolLiteral(key, "verify_mode") and
     value = API::getTopLevelMember("OpenSSL").getMember("SSL").getMember("VERIFY_NONE").getAUse()
   )
@@ -133,10 +134,10 @@ private predicate isVerifyModeNonePair(Pair p) {
 /**
  * Holds if the pair `p` has the key `:verify` and the value `false`.
  */
-private predicate isVerifyFalsePair(Pair p) {
+private predicate isVerifyFalsePair(CfgNodes::ExprNodes::PairCfgNode p) {
   exists(DataFlow::Node key, DataFlow::Node value |
-    key.asExpr().getExpr() = p.getKey() and value.asExpr().getExpr() = p.getValue()
-  |
+    key.asExpr() = p.getKey() and
+    value.asExpr() = p.getValue() and
     isSymbolLiteral(key, "verify") and
     isFalse(value)
   )

ruby/ql/lib/codeql/ruby/frameworks/http_clients/Httparty.qll

@@ -1,4 +1,5 @@
 private import ruby
+private import codeql.ruby.CFG
 private import codeql.ruby.Concepts
 private import codeql.ruby.ApiGraphs
 
@@ -48,20 +49,21 @@ class HttpartyRequest extends HTTP::Client::Request::Range {
     // argument, and we're looking for `{ verify: false }` or
     // `{ verify_peer: false }`.
     exists(DataFlow::Node arg, int i |
-      i > 0 and arg.asExpr().getExpr() = requestUse.asExpr().getExpr().(MethodCall).getArgument(i)
+      i > 0 and
+      arg.asExpr() = requestUse.asExpr().(CfgNodes::ExprNodes::MethodCallCfgNode).getArgument(i)
     |
       // Either passed as an individual key:value argument, e.g.:
       // HTTParty.get(..., verify: false)
-      isVerifyFalsePair(arg.asExpr().getExpr()) and
+      isVerifyFalsePair(arg.asExpr()) and
       disablingNode = arg
       or
       // Or as a single hash argument, e.g.:
       // HTTParty.get(..., { verify: false, ... })
-      exists(DataFlow::LocalSourceNode optionsNode, Pair p |
-        p = optionsNode.asExpr().getExpr().(HashLiteral).getAKeyValuePair() and
+      exists(DataFlow::LocalSourceNode optionsNode, CfgNodes::ExprNodes::PairCfgNode p |
+        p = optionsNode.asExpr().(CfgNodes::ExprNodes::HashLiteralCfgNode).getAKeyValuePair() and
         isVerifyFalsePair(p) and
         optionsNode.flowsTo(arg) and
-        disablingNode.asExpr().getExpr() = p
+        disablingNode.asExpr() = p
       )
     )
   }
@@ -88,10 +90,10 @@ private predicate isFalse(DataFlow::Node node) {
 /**
  * Holds if `p` is the pair `verify: false` or `verify_peer: false`.
  */
-private predicate isVerifyFalsePair(Pair p) {
+private predicate isVerifyFalsePair(CfgNodes::ExprNodes::PairCfgNode p) {
   exists(DataFlow::Node key, DataFlow::Node value |
-    key.asExpr().getExpr() = p.getKey() and value.asExpr().getExpr() = p.getValue()
-  |
+    key.asExpr() = p.getKey() and
+    value.asExpr() = p.getValue() and
     isVerifyLiteral(key) and
     isFalse(value)
   )