Ruby: handle routes with path/action pairs

Author: alexrford

ruby/ql/lib/codeql/ruby/frameworks/actiondispatch/internal/Routing.qll

@@ -177,6 +177,28 @@ module Routing {
     }
   }
 
+  private Expr getActionFromMethodCall(MethodCall methodCall) {
+    result =
+      [
+        // e.g. `get "/comments", to: "comments#index"
+        methodCall.getKeywordArgument("to"),
+        // e.g. `get "/comments" => "comments#index"
+        methodCall.getArgument(0).(Pair).getValue()
+      ]
+  }
+
+  /**
+   * Gets a string representation of the controller-action pair that is routed
+   * to by this method call.
+   */
+  private string getActionStringFromMethodCall(MethodCall methodCall) {
+    getActionFromMethodCall(methodCall).getConstantValue().isStringlikeValue(result)
+    or
+    // TODO: use the redirect call argument to resolve the redirect target
+    getActionFromMethodCall(methodCall).(MethodCall).getMethodName() = "redirect" and
+    result = "<redirect>#<redirect>"
+  }
+
   /**
    * A route block defined by a call to `resources`.
    * ```rb
@@ -512,12 +534,7 @@ module Routing {
       )
     }
 
-    private string getActionString() {
-      methodCall.getKeywordArgument("to").getConstantValue().isStringlikeValue(result)
-      or
-      methodCall.getKeywordArgument("to").(MethodCall).getMethodName() = "redirect" and
-      result = "<redirect>#<redirect>"
-    }
+    private string getActionString() { result = getActionStringFromMethodCall(methodCall) }
 
     override string getAction() {
       // get "/photos", action: "index"
@@ -670,11 +687,7 @@ module Routing {
     }
 
     override string getLastControllerComponent() {
-      result =
-        extractController(methodCall
-              .getKeywordArgument("to")
-              .getConstantValue()
-              .getStringlikeValue()) or
+      result = extractController(getActionStringFromMethodCall(methodCall)) or
       methodCall.getKeywordArgument("controller").getConstantValue().isStringlikeValue(result) or
       result =
         extractController(methodCall
@@ -704,8 +717,7 @@ module Routing {
     }
 
     override string getAction() {
-      result =
-        extractAction(methodCall.getKeywordArgument("to").getConstantValue().getStringlikeValue()) or
+      result = extractAction(getActionStringFromMethodCall(methodCall)) or
       methodCall.getKeywordArgument("action").getConstantValue().isStringlikeValue(result) or
       result =
         extractAction(methodCall

ruby/ql/test/library-tests/frameworks/action_dispatch/ActionDispatch.expected

@@ -12,6 +12,7 @@ actionDispatchRoutes
 | app/config/routes.rb:4:7:4:41 | call to resources | post | posts/:post_id/comments/:comment_id/replies | replies | create |
 | app/config/routes.rb:5:7:5:28 | call to post | post | posts/:post_id/comments/:comment_id/flag | comments | flag |
 | app/config/routes.rb:7:5:7:37 | call to post | post | posts/:post_id/upvote | posts | upvote |
+| app/config/routes.rb:8:5:8:39 | call to post | post | posts/:post_id | posts | downvote |
 | app/config/routes.rb:12:5:12:54 | call to post | post | destroy_all_posts | posts | destroy_alll |
 | app/config/routes.rb:16:5:16:46 | call to get | get | numbers/:number | numbers | show |
 | app/config/routes.rb:20:5:20:44 | call to get | get | admin/jobs | background_jobs | index |
@@ -39,6 +40,7 @@ actionDispatchControllerMethods
 | app/config/routes.rb:3:5:6:7 | call to resources | app/controllers/comments_controller.rb:2:3:39:5 | index |
 | app/config/routes.rb:3:5:6:7 | call to resources | app/controllers/comments_controller.rb:41:3:42:5 | show |
 | app/config/routes.rb:7:5:7:37 | call to post | app/controllers/posts_controller.rb:8:3:9:5 | upvote |
+| app/config/routes.rb:8:5:8:39 | call to post | app/controllers/posts_controller.rb:11:3:12:5 | downvote |
 | app/config/routes.rb:28:3:28:48 | call to match | app/controllers/photos_controller.rb:2:3:3:5 | show |
 | app/config/routes.rb:29:3:29:50 | call to match | app/controllers/photos_controller.rb:2:3:3:5 | show |
 | app/config/routes.rb:30:3:30:69 | call to match | app/controllers/photos_controller.rb:2:3:3:5 | show |