Ruby: Handle GraphQL array types

hmac · hmac · commit 18dac9ab8a8c · 2023-09-18T16:00:56.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/GraphQL.qll b/ruby/ql/lib/codeql/ruby/frameworks/GraphQL.qll
@@ -327,6 +327,16 @@ private class GraphqlFieldArgumentDefinitionMethodCall extends GraphqlSchemaObje
 
   /** Gets the type of this argument */
   GraphqlType getArgumentType() { result = this.getArgument(1) }
+
+  /**
+   * Gets the element type of this argument, if it is an array.
+   * For example if the argument type is `[String]`, this predicate yields `String`.
+   */
+  GraphqlType getArgumentElementType() {
+    result =
+      any(ArrayLiteral lit | lit = this.getArgument(1) and lit.getNumberOfElements() = 1)
+          .getElement(0)
+  }
 }
 
 private class GraphqlType extends ConstantAccess {
@@ -446,7 +456,8 @@ class GraphqlFieldResolutionMethod extends Method, Http::Server::RequestHandler:
   override Parameter getARoutedParameter() {
     result = this.getAParameter() and
     exists(GraphqlFieldArgumentDefinitionMethodCall argDefn |
-      argDefn = this.getDefinition().getAnArgumentCall()
+      argDefn = this.getDefinition().getAnArgumentCall() and
+      [argDefn.getArgumentType(), argDefn.getArgumentElementType()].isScalar()
     |
       result.(KeywordParameter).hasName(argDefn.getArgumentName())
     )
@@ -474,7 +485,7 @@ private DataFlow::CallNode parameterAccess(
     def = method.getDefinition().getAnArgumentCall() and
     (
       // Direct access to the params hash
-      def.getArgumentType() = type and
+      [def.getArgumentType(), def.getArgumentElementType()] = type and
       def.getArgumentName() = key and
       exists(DataFlow::Node paramRead |
         paramRead.asExpr().getExpr() = param.getVariable().getAnAccess().(VariableReadAccess) and
diff --git a/ruby/ql/test/library-tests/frameworks/graphql/GraphQL.expected b/ruby/ql/test/library-tests/frameworks/graphql/GraphQL.expected
@@ -2,20 +2,21 @@ graphqlSchemaObjectClass
 | app/graphql/types/base_object.rb:2:3:4:5 | BaseObject |
 | app/graphql/types/mutation_type.rb:2:3:4:5 | MutationType |
 | app/graphql/types/post.rb:1:1:6:5 | Post |
-| app/graphql/types/query_type.rb:2:3:64:5 | QueryType |
+| app/graphql/types/query_type.rb:2:3:71:5 | QueryType |
 graphqlSchemaObjectFieldDefinition
 | app/graphql/types/mutation_type.rb:2:3:4:5 | MutationType | app/graphql/types/mutation_type.rb:3:5:3:44 | call to field |
 | app/graphql/types/post.rb:1:1:6:5 | Post | app/graphql/types/post.rb:2:5:2:24 | call to field |
 | app/graphql/types/post.rb:1:1:6:5 | Post | app/graphql/types/post.rb:3:5:3:36 | call to field |
 | app/graphql/types/post.rb:1:1:6:5 | Post | app/graphql/types/post.rb:4:5:4:60 | call to field |
 | app/graphql/types/post.rb:1:1:6:5 | Post | app/graphql/types/post.rb:5:5:5:51 | call to field |
-| app/graphql/types/query_type.rb:2:3:64:5 | QueryType | app/graphql/types/query_type.rb:3:5:5:40 | call to field |
-| app/graphql/types/query_type.rb:2:3:64:5 | QueryType | app/graphql/types/query_type.rb:7:5:9:7 | call to field |
-| app/graphql/types/query_type.rb:2:3:64:5 | QueryType | app/graphql/types/query_type.rb:15:5:17:7 | call to field |
-| app/graphql/types/query_type.rb:2:3:64:5 | QueryType | app/graphql/types/query_type.rb:24:5:26:7 | call to field |
-| app/graphql/types/query_type.rb:2:3:64:5 | QueryType | app/graphql/types/query_type.rb:32:5:35:7 | call to field |
-| app/graphql/types/query_type.rb:2:3:64:5 | QueryType | app/graphql/types/query_type.rb:46:5:49:7 | call to field |
-| app/graphql/types/query_type.rb:2:3:64:5 | QueryType | app/graphql/types/query_type.rb:55:5:57:7 | call to field |
+| app/graphql/types/query_type.rb:2:3:71:5 | QueryType | app/graphql/types/query_type.rb:3:5:5:40 | call to field |
+| app/graphql/types/query_type.rb:2:3:71:5 | QueryType | app/graphql/types/query_type.rb:7:5:9:7 | call to field |
+| app/graphql/types/query_type.rb:2:3:71:5 | QueryType | app/graphql/types/query_type.rb:15:5:17:7 | call to field |
+| app/graphql/types/query_type.rb:2:3:71:5 | QueryType | app/graphql/types/query_type.rb:24:5:26:7 | call to field |
+| app/graphql/types/query_type.rb:2:3:71:5 | QueryType | app/graphql/types/query_type.rb:32:5:35:7 | call to field |
+| app/graphql/types/query_type.rb:2:3:71:5 | QueryType | app/graphql/types/query_type.rb:46:5:49:7 | call to field |
+| app/graphql/types/query_type.rb:2:3:71:5 | QueryType | app/graphql/types/query_type.rb:55:5:57:7 | call to field |
+| app/graphql/types/query_type.rb:2:3:71:5 | QueryType | app/graphql/types/query_type.rb:65:5:67:7 | call to field |
 graphqlResolveMethod
 | app/graphql/mutations/dummy.rb:9:5:12:7 | resolve |
 | app/graphql/resolvers/dummy_resolver.rb:10:5:13:7 | resolve |
@@ -41,24 +42,28 @@ graphqlFieldDefinitionMethodCall
 | app/graphql/types/query_type.rb:32:5:35:7 | call to field |
 | app/graphql/types/query_type.rb:46:5:49:7 | call to field |
 | app/graphql/types/query_type.rb:55:5:57:7 | call to field |
+| app/graphql/types/query_type.rb:65:5:67:7 | call to field |
 graphqlFieldResolutionMethod
 | app/graphql/types/query_type.rb:10:5:13:7 | with_arg |
 | app/graphql/types/query_type.rb:18:5:22:7 | custom_method |
 | app/graphql/types/query_type.rb:27:5:30:7 | with_splat |
 | app/graphql/types/query_type.rb:36:5:40:7 | with_splat_and_named_arg |
 | app/graphql/types/query_type.rb:50:5:53:7 | with_enum |
 | app/graphql/types/query_type.rb:58:5:63:7 | with_nested_enum |
+| app/graphql/types/query_type.rb:68:5:70:7 | with_array |
 graphqlFieldResolutionRoutedParameter
 | app/graphql/types/query_type.rb:10:5:13:7 | with_arg | app/graphql/types/query_type.rb:10:18:10:23 | number |
 | app/graphql/types/query_type.rb:18:5:22:7 | custom_method | app/graphql/types/query_type.rb:18:23:18:33 | blah_number |
 | app/graphql/types/query_type.rb:36:5:40:7 | with_splat_and_named_arg | app/graphql/types/query_type.rb:36:34:36:37 | arg1 |
+| app/graphql/types/query_type.rb:68:5:70:7 | with_array | app/graphql/types/query_type.rb:68:20:68:23 | list |
 graphqlFieldResolutionDefinition
 | app/graphql/types/query_type.rb:10:5:13:7 | with_arg | app/graphql/types/query_type.rb:7:5:9:7 | call to field |
 | app/graphql/types/query_type.rb:18:5:22:7 | custom_method | app/graphql/types/query_type.rb:15:5:17:7 | call to field |
 | app/graphql/types/query_type.rb:27:5:30:7 | with_splat | app/graphql/types/query_type.rb:24:5:26:7 | call to field |
 | app/graphql/types/query_type.rb:36:5:40:7 | with_splat_and_named_arg | app/graphql/types/query_type.rb:32:5:35:7 | call to field |
 | app/graphql/types/query_type.rb:50:5:53:7 | with_enum | app/graphql/types/query_type.rb:46:5:49:7 | call to field |
 | app/graphql/types/query_type.rb:58:5:63:7 | with_nested_enum | app/graphql/types/query_type.rb:55:5:57:7 | call to field |
+| app/graphql/types/query_type.rb:68:5:70:7 | with_array | app/graphql/types/query_type.rb:65:5:67:7 | call to field |
 graphqlRemoteFlowSources
 | app/graphql/mutations/dummy.rb:5:24:5:25 | id |
 | app/graphql/mutations/dummy.rb:9:17:9:25 | something |
@@ -72,3 +77,4 @@ graphqlRemoteFlowSources
 | app/graphql/types/query_type.rb:38:22:38:32 | ...[...] |
 | app/graphql/types/query_type.rb:52:22:52:32 | ...[...] |
 | app/graphql/types/query_type.rb:60:22:60:41 | ...[...] |
+| app/graphql/types/query_type.rb:68:20:68:23 | list |
diff --git a/ruby/ql/test/library-tests/frameworks/graphql/app/graphql/types/query_type.rb b/ruby/ql/test/library-tests/frameworks/graphql/app/graphql/types/query_type.rb
@@ -61,5 +61,12 @@ def with_nested_enum(**args)
       system("echo #{args[:inner][:media_category]}")
       system("echo #{args[:inner][:direction]}")
     end
+
+    field :with_array, String do
+      argument :list, [String], "Names"
+    end
+    def with_array(list:)
+      system("echo #{list[0]}")
+    end
   end
 end
