Add change note + fix qldoc

Author: joefarebrother

ruby/ql/lib/change-notes/2024-03-14-actiondispatch-uploadedfile.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Modeled instances of `ActionDispatch::Http::UploadedFile` that can be obtained from element reads of `ActionController::Parameters`, with calls to `original_filename`, `content_type`, and `read` now propagating taint from their receiver. 

ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll

@@ -597,7 +597,7 @@ private module ParamsSummaries {
     /** Flow summary for various string attributes of `UploadedFile`, including `original_filename`, `content_type`, and `headers`. */
     private class UploadedFileStringAttributeSummary extends SummarizedCallable {
       UploadedFileStringAttributeSummary() {
-        this = "ActionDispatch::Http::UploadedFile::[original_filename,content_type,headers]"
+        this = "ActionDispatch::Http::UploadedFile#[original_filename,content_type,headers]"
       }
 
       override MethodCall getACall() {
@@ -615,11 +615,11 @@ private module ParamsSummaries {
     }
 
     /**
-     * Flow summary for `ActiveDispatch::Http::UploadedFile.original_filename`,
-     * which propagates taint from the receiver to the return value or to the second (buffer) argument
+     * Flow summary for `ActiveDispatch::Http::UploadedFile#read`,
+     * which propagates taint from the receiver to the return value or to the second (out string) argument
      */
     private class UploadedFileReadSummary extends SummarizedCallable {
-      UploadedFileReadSummary() { this = "ActionDispatch::Http::UploadedFile::read" }
+      UploadedFileReadSummary() { this = "ActionDispatch::Http::UploadedFile#read" }
 
       override MethodCall getACall() {
         result = paramsFieldType().getAMethodCall("read").asExpr().getExpr() and

ruby/ql/test/library-tests/dataflow/local/TaintStep.expected

@@ -2835,9 +2835,9 @@
 | file://:0:0:0:0 | [summary param] self in ActionController::Parameters#merge | file://:0:0:0:0 | [summary] to write: ReturnValue in ActionController::Parameters#merge |
 | file://:0:0:0:0 | [summary param] self in ActionController::Parameters#merge! | file://:0:0:0:0 | [summary] to write: Argument[self] in ActionController::Parameters#merge! |
 | file://:0:0:0:0 | [summary param] self in ActionController::Parameters#merge! | file://:0:0:0:0 | [summary] to write: ReturnValue in ActionController::Parameters#merge! |
-| file://:0:0:0:0 | [summary param] self in ActionDispatch::Http::UploadedFile::[original_filename,content_type,headers] | file://:0:0:0:0 | [summary] to write: ReturnValue in ActionDispatch::Http::UploadedFile::[original_filename,content_type,headers] |
-| file://:0:0:0:0 | [summary param] self in ActionDispatch::Http::UploadedFile::read | file://:0:0:0:0 | [summary] to write: Argument[1] in ActionDispatch::Http::UploadedFile::read |
-| file://:0:0:0:0 | [summary param] self in ActionDispatch::Http::UploadedFile::read | file://:0:0:0:0 | [summary] to write: ReturnValue in ActionDispatch::Http::UploadedFile::read |
+| file://:0:0:0:0 | [summary param] self in ActionDispatch::Http::UploadedFile#[original_filename,content_type,headers] | file://:0:0:0:0 | [summary] to write: ReturnValue in ActionDispatch::Http::UploadedFile#[original_filename,content_type,headers] |
+| file://:0:0:0:0 | [summary param] self in ActionDispatch::Http::UploadedFile#read | file://:0:0:0:0 | [summary] to write: Argument[1] in ActionDispatch::Http::UploadedFile#read |
+| file://:0:0:0:0 | [summary param] self in ActionDispatch::Http::UploadedFile#read | file://:0:0:0:0 | [summary] to write: ReturnValue in ActionDispatch::Http::UploadedFile#read |
 | file://:0:0:0:0 | [summary param] self in ActiveSupportStringTransform | file://:0:0:0:0 | [summary] to write: ReturnValue in ActiveSupportStringTransform |
 | file://:0:0:0:0 | [summary param] self in [] | file://:0:0:0:0 | [summary] to write: ReturnValue in [] |
 | file://:0:0:0:0 | [summary param] self in \| | file://:0:0:0:0 | [summary] read: Argument[self].Element[any] in \| |