Ruby: Make most of ActionDispatch private

hmac · hmac · commit dead7a805907 · 2022-02-02T16:26:20.000+13:00
Any classes/predicates not used externally or in tests are now private.
Also fix some typos.
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/ActionDispatch.qll b/ruby/ql/lib/codeql/ruby/frameworks/ActionDispatch.qll
@@ -64,7 +64,7 @@ module ActionDispatch {
    * the route defined by the call to `get` has the full path `/admin/dashboard`.
    * We track these contributions via `getPathComponent` and `getControllerComponent`.
    */
-  abstract class RouteBlock extends TRouteBlock {
+  abstract private class RouteBlock extends TRouteBlock {
     /**
      * Gets the name of a primary CodeQL class to which this route block belongs.
      */
@@ -228,7 +228,7 @@ module ActionDispatch {
    * ```
    * https://api.rubyonrails.org/classes/ActionDispatch/Routing/Mapper/Resources.html#method-i-resources
    */
-  class ResourcesRouteBlock extends NestedRouteBlock, TResourcesRouteBlock {
+  private class ResourcesRouteBlock extends NestedRouteBlock, TResourcesRouteBlock {
     private MethodCall call;
     private Block block;
 
@@ -267,7 +267,7 @@ module ActionDispatch {
    * We ignore the condition and analyze both branches to obtain as
    * much routing information as possible.
    */
-  class ConditionalRouteBlock extends NestedRouteBlock, TConditionalRouteBlock {
+  private class ConditionalRouteBlock extends NestedRouteBlock, TConditionalRouteBlock {
     private ConditionalExpr e;
 
     ConditionalRouteBlock() { this = TConditionalRouteBlock(parent, e) }
@@ -294,7 +294,7 @@ module ActionDispatch {
    * ```
    * https://api.rubyonrails.org/classes/ActionDispatch/Routing/Mapper/Scoping.html#method-i-namespace
    */
-  class NamespaceRouteBlock extends NestedRouteBlock, TNamespaceRouteBlock {
+  private class NamespaceRouteBlock extends NestedRouteBlock, TNamespaceRouteBlock {
     private MethodCall call;
     private Block block;
 
@@ -494,7 +494,7 @@ module ActionDispatch {
    * put "/photos/:id", to: "photos#update"
    * ```
    */
-  class ExplicitRoute extends Route, TExplicitRoute {
+  private class ExplicitRoute extends Route, TExplicitRoute {
     RouteBlock parentBlock;
 
     ExplicitRoute() { this = TExplicitRoute(parentBlock, method) }
@@ -593,7 +593,7 @@ module ActionDispatch {
    * get "/photos/:photo_id/foo", to: "photos#foo"
    * ```
    */
-  class ResourcesRoute extends Route, TResourcesRoute {
+  private class ResourcesRoute extends Route, TResourcesRoute {
     RouteBlock parent;
     string resource;
     string action;
@@ -628,7 +628,7 @@ module ActionDispatch {
    * resource :account
    * ```
    */
-  class SingularResourceRoute extends Route, TResourceRoute {
+  private class SingularResourceRoute extends Route, TResourceRoute {
     RouteBlock parent;
     string resource;
     string action;
@@ -666,7 +666,7 @@ module ActionDispatch {
    * match 'photos/:id', controller: 'photos', action: 'show', via: :get
    * ```
    */
-  class MatchRoute extends Route, TMatchRoute {
+  private class MatchRoute extends Route, TMatchRoute {
     private RouteBlock parent;
 
     MatchRoute() { this = TMatchRoute(parent, method) }
@@ -704,7 +704,7 @@ module ActionDispatch {
    * - `except:` removes the given actions from the set.
    */
   bindingset[action]
-  predicate applyActionFilters(MethodCall m, string action) {
+  private predicate applyActionFilters(MethodCall m, string action) {
     // Respect the `only` keyword argument, which restricts the set of actions.
     (
       not exists(m.getKeywordArgument("only"))
@@ -727,7 +727,9 @@ module ActionDispatch {
    * Holds if the (resource, method, path, action) combination would be generated by a call to `resources :<resource>`.
    */
   bindingset[resource]
-  predicate isDefaultResourceRoute(string resource, string method, string path, string action) {
+  private predicate isDefaultResourceRoute(
+    string resource, string method, string path, string action
+  ) {
     action = "create" and
     (method = "post" and path = "/" + resource)
     or
@@ -754,7 +756,7 @@ module ActionDispatch {
    * Holds if the (resource, method, path, action) combination would be generated by a call to `resource :<resource>`.
    */
   bindingset[resource]
-  predicate isDefaultSingularResourceRoute(
+  private predicate isDefaultSingularResourceRoute(
     string resource, string method, string path, string action
   ) {
     action = "create" and
@@ -780,17 +782,18 @@ module ActionDispatch {
    * Extract the controller from a Rails routing string
    * ```
    * extractController("posts#show") = "posts"
+   * ```
    */
   bindingset[input]
-  string extractController(string input) { result = input.regexpCapture("([^#]+)#.+", 1) }
+  private string extractController(string input) { result = input.regexpCapture("([^#]+)#.+", 1) }
 
   /**
    * Extract the action from a Rails routing string
    * ```
    * extractController("posts#show") = "show"
    */
   bindingset[input]
-  string extractAction(string input) { result = input.regexpCapture("[^#]+#(.+)", 1) }
+  private string extractAction(string input) { result = input.regexpCapture("[^#]+#(.+)", 1) }
 
   /**
    * A basic pluralizer for English strings.
@@ -799,7 +802,7 @@ module ActionDispatch {
    * TODO: remove?
    */
   bindingset[input]
-  string pluralize(string input) {
+  private string pluralize(string input) {
     exists(string prefix | prefix = input.regexpCapture("(.*)y", 1) | result = prefix + "ies")
     or
     not input.regexpMatch(".*y") and
@@ -813,7 +816,7 @@ module ActionDispatch {
    * not_plural => not_plural
    */
   bindingset[input]
-  string singularize(string input) {
+  private string singularize(string input) {
     exists(string prefix | prefix = input.regexpCapture("(.*)ies", 1) | result = prefix + "y")
     or
     not input.regexpMatch(".*ies") and
@@ -890,13 +893,15 @@ module ActionDispatch {
    * Convert the first character of the string to lowercase.
    */
   bindingset[input]
-  string decapitalize(string input) { result = input.charAt(0).toLowerCase() + input.suffix(1) }
+  private string decapitalize(string input) {
+    result = input.charAt(0).toLowerCase() + input.suffix(1)
+  }
 
   /**
    * Strip leading and trailing forward slashes from the string.
    */
   bindingset[input]
-  string stripSlashes(string input) {
+  private string stripSlashes(string input) {
     result = input.regexpReplaceAll("^/+(.+)$", "$1").regexpReplaceAll("^(.*[^/])/+$", "$1")
   }
 }
diff --git a/ruby/ql/lib/codeql/ruby/security/UrlRedirectCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/UrlRedirectCustomizations.qll
@@ -62,7 +62,7 @@ module UrlRedirect {
         // redirection as browsers will not initiate them from clicking a link.
         method = this.asExpr().getExpr().getEnclosingMethod() and
         (
-          // If there's a Rails GET route to this handler, we can be certain that it is a candiate.
+          // If there's a Rails GET route to this handler, we can be certain that it is a candidate.
           method.(ActionControllerActionMethod).getARoute().getHTTPMethod() = "get"
           or
           // Otherwise, we have to rely on a heuristic to filter out invulnerable handlers.

Original file line number	Diff line number	Diff line change
`@@ -62,7 +62,7 @@ module UrlRedirect {`
`62`	`62`	`// redirection as browsers will not initiate them from clicking a link.`
`63`	`63`	`method = this.asExpr().getExpr().getEnclosingMethod() and`
`64`	`64`	`(`
`65`		`- // If there's a Rails GET route to this handler, we can be certain that it is a candiate.`
	`65`	`+ // If there's a Rails GET route to this handler, we can be certain that it is a candidate.`
`66`	`66`	`method.(ActionControllerActionMethod).getARoute().getHTTPMethod() = "get"`
`67`	`67`	`or`
`68`	`68`	`// Otherwise, we have to rely on a heuristic to filter out invulnerable handlers.`