Ruby: Add tests for hash flow

hmac · hmac · commit 32b80f8cb182 · 2024-03-19T08:38:14.000Z
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/core/Array.qll b/ruby/ql/lib/codeql/ruby/frameworks/core/Array.qll
@@ -1855,6 +1855,7 @@ module Enumerable {
 
     override predicate propagatesFlow(string input, string output, boolean preservesValue) {
       input = "Argument[self].Element[any]" and
+      // For `Hash#map`, the value flows to parameter 1
       output = "Argument[block].Parameter[0, 1]" and
       preservesValue = true
       or
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/core/Hash.qll b/ruby/ql/lib/codeql/ruby/frameworks/core/Hash.qll
@@ -524,6 +524,8 @@ private class ValuesSummary extends SimpleSummarizedCallable {
   }
 }
 
+// We don't (yet) track data flow through hash keys, but this is still useful in cases where a
+// whole hash(like) object is tainted, such as `ActionController#params`.
 private class KeysSummary extends SimpleSummarizedCallable {
   KeysSummary() { this = "keys" }
 
diff --git a/ruby/ql/test/library-tests/dataflow/hash-flow/hash-flow.expected b/ruby/ql/test/library-tests/dataflow/hash-flow/hash-flow.expected
@@ -1089,6 +1089,19 @@ edges
 | hash_flow.rb:994:30:994:40 | call to taint | hash_flow.rb:994:14:994:47 | ...[...] [element :b] | provenance |  |
 | hash_flow.rb:996:14:996:15 | h2 [element :b] | hash_flow.rb:996:14:996:19 | ...[...] | provenance |  |
 | hash_flow.rb:998:14:998:15 | h2 [element :b] | hash_flow.rb:998:14:998:18 | ...[...] | provenance |  |
+| hash_flow.rb:1006:5:1006:5 | [post] h [element] | hash_flow.rb:1007:12:1007:12 | h [element] | provenance |  |
+| hash_flow.rb:1006:14:1006:24 | call to taint | hash_flow.rb:1006:5:1006:5 | [post] h [element] | provenance |  |
+| hash_flow.rb:1007:5:1007:8 | keys [element] | hash_flow.rb:1008:10:1008:13 | keys [element] | provenance |  |
+| hash_flow.rb:1007:12:1007:12 | h [element] | hash_flow.rb:1007:12:1007:17 | call to keys [element] | provenance |  |
+| hash_flow.rb:1007:12:1007:17 | call to keys [element] | hash_flow.rb:1007:5:1007:8 | keys [element] | provenance |  |
+| hash_flow.rb:1008:10:1008:13 | keys [element] | hash_flow.rb:1008:10:1008:17 | ...[...] | provenance |  |
+| hash_flow.rb:1012:5:1012:5 | h [element :a] | hash_flow.rb:1013:5:1013:5 | h [element :a] | provenance |  |
+| hash_flow.rb:1012:9:1012:45 | call to [] [element :a] | hash_flow.rb:1012:5:1012:5 | h [element :a] | provenance |  |
+| hash_flow.rb:1012:14:1012:24 | call to taint | hash_flow.rb:1012:9:1012:45 | call to [] [element :a] | provenance |  |
+| hash_flow.rb:1013:5:1013:5 | h [element :a] | hash_flow.rb:1013:15:1013:15 | k | provenance |  |
+| hash_flow.rb:1013:5:1013:5 | h [element :a] | hash_flow.rb:1013:18:1013:18 | v | provenance |  |
+| hash_flow.rb:1013:15:1013:15 | k | hash_flow.rb:1015:14:1015:14 | k | provenance |  |
+| hash_flow.rb:1013:18:1013:18 | v | hash_flow.rb:1014:14:1014:14 | v | provenance |  |
 nodes
 | hash_flow.rb:10:5:10:8 | hash [element 0] | semmle.label | hash [element 0] |
 | hash_flow.rb:10:5:10:8 | hash [element :a] | semmle.label | hash [element :a] |
@@ -2251,6 +2264,21 @@ nodes
 | hash_flow.rb:996:14:996:19 | ...[...] | semmle.label | ...[...] |
 | hash_flow.rb:998:14:998:15 | h2 [element :b] | semmle.label | h2 [element :b] |
 | hash_flow.rb:998:14:998:18 | ...[...] | semmle.label | ...[...] |
+| hash_flow.rb:1006:5:1006:5 | [post] h [element] | semmle.label | [post] h [element] |
+| hash_flow.rb:1006:14:1006:24 | call to taint | semmle.label | call to taint |
+| hash_flow.rb:1007:5:1007:8 | keys [element] | semmle.label | keys [element] |
+| hash_flow.rb:1007:12:1007:12 | h [element] | semmle.label | h [element] |
+| hash_flow.rb:1007:12:1007:17 | call to keys [element] | semmle.label | call to keys [element] |
+| hash_flow.rb:1008:10:1008:13 | keys [element] | semmle.label | keys [element] |
+| hash_flow.rb:1008:10:1008:17 | ...[...] | semmle.label | ...[...] |
+| hash_flow.rb:1012:5:1012:5 | h [element :a] | semmle.label | h [element :a] |
+| hash_flow.rb:1012:9:1012:45 | call to [] [element :a] | semmle.label | call to [] [element :a] |
+| hash_flow.rb:1012:14:1012:24 | call to taint | semmle.label | call to taint |
+| hash_flow.rb:1013:5:1013:5 | h [element :a] | semmle.label | h [element :a] |
+| hash_flow.rb:1013:15:1013:15 | k | semmle.label | k |
+| hash_flow.rb:1013:18:1013:18 | v | semmle.label | v |
+| hash_flow.rb:1014:14:1014:14 | v | semmle.label | v |
+| hash_flow.rb:1015:14:1015:14 | k | semmle.label | k |
 subpaths
 hashLiteral
 | hash_flow.rb:10:12:21:5 | call to [] |
@@ -2324,6 +2352,8 @@ hashLiteral
 | hash_flow.rb:946:13:950:5 | call to [] |
 | hash_flow.rb:971:9:971:38 | ...[...] |
 | hash_flow.rb:994:14:994:47 | ...[...] |
+| hash_flow.rb:1005:9:1005:10 | call to [] |
+| hash_flow.rb:1012:9:1012:45 | call to [] |
 #select
 | hash_flow.rb:22:10:22:17 | ...[...] | hash_flow.rb:11:15:11:24 | call to taint | hash_flow.rb:22:10:22:17 | ...[...] | $@ | hash_flow.rb:11:15:11:24 | call to taint | call to taint |
 | hash_flow.rb:24:10:24:17 | ...[...] | hash_flow.rb:13:12:13:21 | call to taint | hash_flow.rb:24:10:24:17 | ...[...] | $@ | hash_flow.rb:13:12:13:21 | call to taint | call to taint |
@@ -2569,3 +2599,6 @@ hashLiteral
 | hash_flow.rb:975:10:975:13 | ...[...] | hash_flow.rb:971:23:971:31 | call to taint | hash_flow.rb:975:10:975:13 | ...[...] | $@ | hash_flow.rb:971:23:971:31 | call to taint | call to taint |
 | hash_flow.rb:996:14:996:19 | ...[...] | hash_flow.rb:994:30:994:40 | call to taint | hash_flow.rb:996:14:996:19 | ...[...] | $@ | hash_flow.rb:994:30:994:40 | call to taint | call to taint |
 | hash_flow.rb:998:14:998:18 | ...[...] | hash_flow.rb:994:30:994:40 | call to taint | hash_flow.rb:998:14:998:18 | ...[...] | $@ | hash_flow.rb:994:30:994:40 | call to taint | call to taint |
+| hash_flow.rb:1008:10:1008:17 | ...[...] | hash_flow.rb:1006:14:1006:24 | call to taint | hash_flow.rb:1008:10:1008:17 | ...[...] | $@ | hash_flow.rb:1006:14:1006:24 | call to taint | call to taint |
+| hash_flow.rb:1014:14:1014:14 | v | hash_flow.rb:1012:14:1012:24 | call to taint | hash_flow.rb:1014:14:1014:14 | v | $@ | hash_flow.rb:1012:14:1012:24 | call to taint | call to taint |
+| hash_flow.rb:1015:14:1015:14 | k | hash_flow.rb:1012:14:1012:24 | call to taint | hash_flow.rb:1015:14:1015:14 | k | $@ | hash_flow.rb:1012:14:1012:24 | call to taint | call to taint |
diff --git a/ruby/ql/test/library-tests/dataflow/hash-flow/hash_flow.rb b/ruby/ql/test/library-tests/dataflow/hash-flow/hash_flow.rb
@@ -1000,3 +1000,18 @@ def m54(i)
 end
 
 M54.new.m54(:b)
+
+def m55
+    h = {}
+    h[f()] = taint(55.1)
+    keys = h.keys
+    sink(keys[:a]) # $ hasValueFlow=55.1
+end
+
+def m56
+    h = { a: taint(56.1), taint(56.2) => :b }
+    h.map do |k, v|
+        sink(v) # $ hasValueFlow=56.1
+        sink(k) # $ MISSING: hasValueFlow=56.2 SPURIOUS: hasValueFlow=56.1
+    end
+end

Original file line number	Diff line number	Diff line change
`@@ -524,6 +524,8 @@ private class ValuesSummary extends SimpleSummarizedCallable {`
`524`	`524`	`}`
`525`	`525`	`}`
`526`	`526`
	`527`	`+// We don't (yet) track data flow through hash keys, but this is still useful in cases where a`
	`528`	+// whole hash(like) object is tainted, such as `ActionController#params`.
`527`	`529`	`private class KeysSummary extends SimpleSummarizedCallable {`
`528`	`530`	`KeysSummary() { this = "keys" }`
`529`	`531`