Ruby: Deprecate models-as-data CSV interface

Author: hvitved

ruby/ql/lib/codeql/ruby/Frameworks.qll

@@ -26,7 +26,6 @@ private import codeql.ruby.frameworks.XmlParsing
 private import codeql.ruby.frameworks.ActionDispatch
 private import codeql.ruby.frameworks.PosixSpawn
 private import codeql.ruby.frameworks.StringFormatters
-private import codeql.ruby.frameworks.Json
 private import codeql.ruby.frameworks.Erb
 private import codeql.ruby.frameworks.Slim
 private import codeql.ruby.frameworks.Sinatra

ruby/ql/lib/codeql/ruby/frameworks/ActiveStorage.model.yml

@@ -0,0 +1,22 @@
+extensions:
+  - addsTo:
+      pack: codeql/ruby-all
+      extensible: summaryModel
+    data:
+      - ['ActiveStorage::Filename!', 'Method[new]', 'Argument[0]', 'ReturnValue', 'taint']
+      - ['ActiveStorage::Filename', 'Method[sanitized]', 'Argument[self]', 'ReturnValue', 'taint']
+
+  - addsTo:
+      pack: codeql/ruby-all
+      extensible: typeModel
+    data:
+      # ActiveStorage::Blob.compose(blobs : [Blob]) : Blob
+      - ['ActiveStorage::Blob', 'ActiveStorage::Blob!', 'Method[compose].ReturnValue']
+      # ActiveStorage::Blob.create_and_upload! : Blob
+      - ['ActiveStorage::Blob', 'ActiveStorage::Blob!', 'Method[create_and_upload!].ReturnValue']
+      # ActiveStorage::Blob.create_before_direct_upload! : Blob
+      - ['ActiveStorage::Blob', 'ActiveStorage::Blob!', 'Method[create_before_direct_upload!].ReturnValue']
+      # ActiveStorage::Blob.find_signed(!) : Blob
+      - ['ActiveStorage::Blob', 'ActiveStorage::Blob!', 'Method[find_signed,find_signed!].ReturnValue']
+      # gives error: Invalid name 'Element' in access path
+      # - ['ActiveStorage::Blob', 'ActiveStorage::Blob!', 'Method[compose].Argument[0].Element[any]']

ruby/ql/lib/codeql/ruby/frameworks/ActiveStorage.qll

@@ -26,39 +26,6 @@ module ActiveStorage {
     }
   }
 
-  /** Taint related to `ActiveStorage::Filename`. */
-  private class FilenameSummaries extends ModelInput::SummaryModelCsv {
-    override predicate row(string row) {
-      row =
-        [
-          "ActiveStorage::Filename!;Method[new];Argument[0];ReturnValue;taint",
-          "ActiveStorage::Filename;Method[sanitized];Argument[self];ReturnValue;taint",
-        ]
-    }
-  }
-
-  /**
-   * `Blob` is an instance of `ActiveStorage::Blob`.
-   */
-  private class BlobTypeSummary extends ModelInput::TypeModelCsv {
-    override predicate row(string row) {
-      // package1;type1;package2;type2;path
-      row =
-        [
-          // ActiveStorage::Blob.create_and_upload! : Blob
-          "ActiveStorage::Blob;ActiveStorage::Blob!;Method[create_and_upload!].ReturnValue",
-          // ActiveStorage::Blob.create_before_direct_upload! : Blob
-          "ActiveStorage::Blob;ActiveStorage::Blob!;Method[create_before_direct_upload!].ReturnValue",
-          // ActiveStorage::Blob.compose(blobs : [Blob]) : Blob
-          "ActiveStorage::Blob;ActiveStorage::Blob!;Method[compose].ReturnValue",
-          // gives error: Invalid name 'Element' in access path
-          // "ActiveStorage::Blob;ActiveStorage::Blob!;Method[compose].Argument[0].Element[any]",
-          // ActiveStorage::Blob.find_signed(!) : Blob
-          "ActiveStorage::Blob;ActiveStorage::Blob!;Method[find_signed,find_signed!].ReturnValue",
-        ]
-    }
-  }
-
   private class BlobInstance extends DataFlow::Node {
     BlobInstance() {
       this = ModelOutput::getATypeNode("ActiveStorage::Blob").getAValueReachableFromSource()

ruby/ql/lib/codeql/ruby/frameworks/ActiveSupport.model.yml

@@ -0,0 +1,30 @@
+extensions:
+  - addsTo:
+      pack: codeql/ruby-all
+      extensible: summaryModel
+    data:
+      # `ActiveSupport::SafeBuffer` wraps a string, providing HTML-safe methods
+      # for concatenation.
+      # It is possible to insert tainted data into `SafeBuffer` that won't get
+      # sanitized, and this taint is then propagated via most of the methods.
+      #
+      # TODO: SafeBuffer also reponds to all String methods.
+      # Can we model this without repeating all the existing summaries we have
+      # for String?
+
+      # SafeBuffer.new(x) does not sanitize x
+      - ['ActionView::SafeBuffer!', 'Method[new]', 'Argument[0]', 'ReturnValue', 'taint']
+      # These methods preserve taint in self
+      - ['ActionView::SafeBuffer', 'Method[concat,insert,prepend,to_s,to_param]', 'Argument[self]', 'ReturnValue', 'taint']
+      # SafeBuffer#safe_concat(x) does not sanitize x
+      - ['ActionView::SafeBuffer', 'Method[safe_concat]', 'Argument[0]', 'Argument[self]', 'taint']
+      - ['ActionView::SafeBuffer', 'Method[safe_concat]', 'Argument[0]', 'ReturnValue', 'taint']
+      - ['ActiveSupport::JSON!', 'Method[decode,load]', 'Argument[0]', 'ReturnValue', 'taint']
+      - ['ActiveSupport::JSON!', 'Method[encode,dump]', 'Argument[0]', 'ReturnValue', 'taint']
+      - ['Pathname', 'Method[existence]', 'Argument[self]', 'ReturnValue', 'taint']
+
+  - addsTo:
+      pack: codeql/ruby-all
+      extensible: typeModel
+    data:
+      - ['Pathname', 'Pathname', 'Method[existence].ReturnValue']

ruby/ql/lib/codeql/ruby/frameworks/ActiveSupport.qll

@@ -478,60 +478,4 @@ module ActiveSupport {
       }
     }
   }
-
-  /**
-   * Type summaries for extensions to the `Pathname` module.
-   */
-  private class PathnameTypeSummary extends ModelInput::TypeModelCsv {
-    override predicate row(string row) {
-      // type1;type2;path
-      // Pathname#existence : Pathname
-      row = "Pathname;Pathname;Method[existence].ReturnValue"
-    }
-  }
-
-  /** Taint flow summaries for extensions to the `Pathname` module. */
-  private class PathnameTaintSummary extends ModelInput::SummaryModelCsv {
-    override predicate row(string row) {
-      // Pathname#existence
-      row = "Pathname;Method[existence];Argument[self];ReturnValue;taint"
-    }
-  }
-
-  /**
-   * `ActiveSupport::SafeBuffer` wraps a string, providing HTML-safe methods
-   * for concatenation.
-   * It is possible to insert tainted data into `SafeBuffer` that won't get
-   * sanitized, and this taint is then propagated via most of the methods.
-   */
-  private class SafeBufferSummary extends ModelInput::SummaryModelCsv {
-    // TODO: SafeBuffer also reponds to all String methods.
-    // Can we model this without repeating all the existing summaries we have
-    // for String?
-    override predicate row(string row) {
-      row =
-        [
-          // SafeBuffer.new(x) does not sanitize x
-          "ActionView::SafeBuffer!;Method[new];Argument[0];ReturnValue;taint",
-          // SafeBuffer#safe_concat(x) does not sanitize x
-          "ActionView::SafeBuffer;Method[safe_concat];Argument[0];ReturnValue;taint",
-          "ActionView::SafeBuffer;Method[safe_concat];Argument[0];Argument[self];taint",
-          // These methods preserve taint in self
-          "ActionView::SafeBuffer;Method[concat,insert,prepend,to_s,to_param];Argument[self];ReturnValue;taint",
-        ]
-    }
-  }
-
-  /** `ActiveSupport::JSON` */
-  module Json {
-    private class JsonSummary extends ModelInput::SummaryModelCsv {
-      override predicate row(string row) {
-        row =
-          [
-            "ActiveSupport::JSON!;Method[encode,dump];Argument[0];ReturnValue;taint",
-            "ActiveSupport::JSON!;Method[decode,load];Argument[0];ReturnValue;taint",
-          ]
-      }
-    }
-  }
 }

ruby/ql/lib/codeql/ruby/frameworks/Core.qll

@@ -13,7 +13,6 @@ import core.Module
 import core.Array
 import core.Hash
 import core.String
-import core.Regexp
 import core.IO
 import core.Digest
 import core.Base64

ruby/ql/lib/codeql/ruby/frameworks/Json.model.yml

@@ -0,0 +1,11 @@
+extensions:
+  - addsTo:
+      pack: codeql/ruby-all
+      extensible: summaryModel
+    data:
+      # Not all of these methods are strictly defined in the `json` gem.
+      # The `JSON` namespace is heavily overloaded by other JSON parsing gems such as `oj`, `json_pure`, `multi_json` etc.
+      # This summary covers common methods we've seen called on `JSON` in the wild.
+      - ['JSON!', 'Method[generate,fast_generate,pretty_generate,dump,unparse,fast_unparse]', 'Argument[0]', 'ReturnValue', 'taint']
+      - ['JSON!', 'Method[parse,parse!,load,restore]', 'Argument[0]', 'ReturnValue', 'taint']
+  

ruby/ql/lib/codeql/ruby/frameworks/Json.qll

@@ -0,0 +1,10 @@
+extensions:
+  - addsTo:
+      pack: codeql/ruby-all
+      extensible: typeModel
+    data:
+      - ['Mime::Type', 'Mime!', 'Method[fetch].ReturnValue']
+      - ['Mime::Type', 'Mime::Type!', 'Method[lookup].ReturnValue']
+      - ['Mime::Type', 'Mime::Type!', 'Method[lookup_by_extension].ReturnValue']
+      - ['Mime::Type', 'Mime::Type!', 'Method[register].ReturnValue']
+      - ['Mime::Type', 'Mime::Type!', 'Method[register_alias].ReturnValue']

ruby/ql/lib/codeql/ruby/frameworks/actiondispatch/internal/Mime.model.yml

@@ -9,31 +9,6 @@ private import codeql.ruby.frameworks.data.ModelsAsData
  * Models MIME type handling using the `ActionDispatch` library, which is part of Rails.
  */
 module Mime {
-  /**
-   * Type summaries for the `Mime::Type` class, i.e. method calls that produce new
-   * `Mime::Type` instances.
-   */
-  private class MimeTypeTypeSummary extends ModelInput::TypeModelCsv {
-    override predicate row(string row) {
-      // type1;type2;path
-      row =
-        [
-          // Mime[type] : Mime::Type (omitted)
-          // Method names with brackets like [] cannot be represented in MaD.
-          // Mime.fetch(type) : Mime::Type
-          "Mime::Type;Mime!;Method[fetch].ReturnValue",
-          // Mime::Type.lookup(str) : Mime::Type
-          "Mime::Type;Mime::Type!;Method[lookup].ReturnValue",
-          // Mime::Type.lookup_by_extension(str) : Mime::Type
-          "Mime::Type;Mime::Type!;Method[lookup_by_extension].ReturnValue",
-          // Mime::Type.register(str) : Mime::Type
-          "Mime::Type;Mime::Type!;Method[register].ReturnValue",
-          // Mime::Type.register_alias(str) : Mime::Type
-          "Mime::Type;Mime::Type!;Method[register_alias].ReturnValue",
-        ]
-    }
-  }
-
   /**
    * An argument to `Mime::Type#match?`, which is converted to a RegExp via
    * `Regexp.new`.