Ruby: Data flow for keyword arguments/parameters

Author: hvitved

ruby/ql/lib/codeql/ruby/dataflow/FlowSummary.qll

@@ -23,10 +23,10 @@ module SummaryComponent {
   predicate content = SC::content/1;
 
   /** Gets a summary component that represents a qualifier. */
-  SummaryComponent qualifier() { result = argument(-1) }
+  SummaryComponent qualifier() { result = argument(any(ParameterPosition pos | pos.isSelf())) }
 
   /** Gets a summary component that represents a block argument. */
-  SummaryComponent block() { result = argument(-2) }
+  SummaryComponent block() { result = argument(any(ParameterPosition pos | pos.isBlock())) }
 
   /** Gets a summary component that represents the return value of a call. */
   SummaryComponent return() { result = SC::return(any(NormalReturnKind rk)) }
@@ -102,10 +102,10 @@ abstract class SummarizedCallable extends LibraryCallable {
 
   /**
    * Holds if values stored inside `content` are cleared on objects passed as
-   * the `i`th argument to this callable.
+   * arguments at position `pos` to this callable.
    */
   pragma[nomagic]
-  predicate clearsContent(int i, DataFlow::Content content) { none() }
+  predicate clearsContent(ParameterPosition pos, DataFlow::Content content) { none() }
 }
 
 private class SummarizedCallableAdapter extends Impl::Public::SummarizedCallable {
@@ -119,8 +119,8 @@ private class SummarizedCallableAdapter extends Impl::Public::SummarizedCallable
     sc.propagatesFlow(input, output, preservesValue)
   }
 
-  final override predicate clearsContent(ParameterPosition i, DataFlow::Content content) {
-    sc.clearsContent(i, content)
+  final override predicate clearsContent(ParameterPosition pos, DataFlow::Content content) {
+    sc.clearsContent(pos, content)
   }
 }
 

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll

@@ -4,6 +4,7 @@ private import DataFlowPrivate
 private import codeql.ruby.typetracking.TypeTracker
 private import codeql.ruby.ast.internal.Module
 private import FlowSummaryImpl as FlowSummaryImpl
+private import FlowSummaryImplSpecific as FlowSummaryImplSpecific
 private import codeql.ruby.dataflow.FlowSummary
 
 newtype TReturnKind =
@@ -230,6 +231,30 @@ private module Cached {
       result = yieldCall(call)
     )
   }
+
+  cached
+  newtype TArgumentPosition =
+    TSelfArgumentPosition() or
+    TBlockArgumentPosition() or
+    TPositionalArgumentPosition(int pos) {
+      exists(Call c | exists(c.getArgument(pos)))
+      or
+      FlowSummaryImplSpecific::ParsePositions::isParsedParameterPosition(_, pos)
+    } or
+    TKeywordArgumentPosition(string name) { name = any(KeywordParameter kp).getName() }
+
+  cached
+  newtype TParameterPosition =
+    TSelfParameterPosition() or
+    TBlockParameterPosition() or
+    TPositionalParameterPosition(int pos) {
+      pos = any(Parameter p).getPosition()
+      or
+      exists(Call c | exists(c.getArgument(pos))) // TODO: remove once `Argument[_]` summaries are replaced with `Argument[i..]`
+      or
+      FlowSummaryImplSpecific::ParsePositions::isParsedArgumentPosition(_, pos)
+    } or
+    TKeywordParameterPosition(string name) { name = any(KeywordParameter kp).getName() }
 }
 
 import Cached
@@ -458,18 +483,66 @@ predicate exprNodeReturnedFrom(DataFlow::ExprNode e, Callable c) {
   )
 }
 
-private int parameterPosition() { result in [-2 .. max([any(Parameter p).getPosition(), 10])] }
+/** A parameter position. */
+class ParameterPosition extends TParameterPosition {
+  /** Holds if this position represents a `self` parameter. */
+  predicate isSelf() { this = TSelfParameterPosition() }
 
-/** A parameter position represented by an integer. */
-class ParameterPosition extends int {
-  ParameterPosition() { this = parameterPosition() }
+  /** Holds if this position represents a block parameter. */
+  predicate isBlock() { this = TBlockParameterPosition() }
+
+  /** Holds if this position represents a positional parameter at position `pos`. */
+  predicate isPositional(int pos) { this = TPositionalParameterPosition(pos) }
+
+  /** Holds if this position represents a keyword parameter named `name`. */
+  predicate isKeyword(string name) { this = TKeywordParameterPosition(name) }
+
+  /** Gets a textual representation of this position. */
+  string toString() {
+    this.isSelf() and result = "self"
+    or
+    this.isBlock() and result = "block"
+    or
+    exists(int pos | this.isPositional(pos) and result = "position " + pos)
+    or
+    exists(string name | this.isKeyword(name) and result = "keyword " + name)
+  }
 }
 
-/** An argument position represented by an integer. */
-class ArgumentPosition extends int {
-  ArgumentPosition() { this = parameterPosition() }
+/** An argument position. */
+class ArgumentPosition extends TArgumentPosition {
+  /** Holds if this position represents a `self` argument. */
+  predicate isSelf() { this = TSelfArgumentPosition() }
+
+  /** Holds if this position represents a block argument. */
+  predicate isBlock() { this = TBlockArgumentPosition() }
+
+  /** Holds if this position represents a positional argument at position `pos`. */
+  predicate isPositional(int pos) { this = TPositionalArgumentPosition(pos) }
+
+  /** Holds if this position represents a keyword argument named `name`. */
+  predicate isKeyword(string name) { this = TKeywordArgumentPosition(name) }
+
+  /** Gets a textual representation of this position. */
+  string toString() {
+    this.isSelf() and result = "self"
+    or
+    this.isBlock() and result = "block"
+    or
+    exists(int pos | this.isPositional(pos) and result = "position " + pos)
+    or
+    exists(string name | this.isKeyword(name) and result = "keyword " + name)
+  }
 }
 
 /** Holds if arguments at position `apos` match parameters at position `ppos`. */
 pragma[inline]
-predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos }
+predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) {
+  ppos.isSelf() and apos.isSelf()
+  or
+  ppos.isBlock() and apos.isBlock()
+  or
+  exists(int pos | ppos.isPositional(pos) and apos.isPositional(pos))
+  or
+  exists(string name | ppos.isKeyword(name) and apos.isKeyword(name))
+}

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll

@@ -152,17 +152,29 @@ module LocalFlow {
 /** An argument of a call (including qualifier arguments, excluding block arguments). */
 private class Argument extends CfgNodes::ExprCfgNode {
   private CfgNodes::ExprNodes::CallCfgNode call;
-  private int arg;
+  private ArgumentPosition arg;
 
   Argument() {
-    this = call.getArgument(arg) and
-    not this.getExpr() instanceof BlockArgument
+    exists(int i |
+      this = call.getArgument(i) and
+      not this.getExpr() instanceof BlockArgument and
+      not exists(this.getExpr().(Pair).getKey().getValueText()) and
+      arg.isPositional(i)
+    )
+    or
+    exists(CfgNodes::ExprNodes::PairCfgNode p |
+      p = call.getArgument(_) and
+      this = p.getValue() and
+      arg.isKeyword(p.getKey().getValueText())
+    )
     or
-    this = call.getReceiver() and arg = -1
+    this = call.getReceiver() and arg.isSelf()
   }
 
   /** Holds if this expression is the `i`th argument of `c`. */
-  predicate isArgumentOf(CfgNodes::ExprNodes::CallCfgNode c, int i) { c = call and i = arg }
+  predicate isArgumentOf(CfgNodes::ExprNodes::CallCfgNode c, ArgumentPosition pos) {
+    c = call and pos = arg
+  }
 }
 
 /** A collection of cached types and predicates to be evaluated in the same stage. */
@@ -179,7 +191,11 @@ private module Cached {
       )
     } or
     TSsaDefinitionNode(Ssa::Definition def) or
-    TNormalParameterNode(Parameter p) { not p instanceof BlockParameter } or
+    TNormalParameterNode(Parameter p) {
+      p instanceof SimpleParameter or
+      p instanceof OptionalParameter or
+      p instanceof KeywordParameter
+    } or
     TSelfParameterNode(MethodBase m) or
     TBlockParameterNode(MethodBase m) or
     TExprPostUpdateNode(CfgNodes::ExprCfgNode n) { n instanceof Argument } or
@@ -189,8 +205,8 @@ private module Cached {
     ) {
       FlowSummaryImpl::Private::summaryNodeRange(c, state)
     } or
-    TSummaryParameterNode(FlowSummaryImpl::Public::SummarizedCallable c, int i) {
-      FlowSummaryImpl::Private::summaryParameterNodeRange(c, i)
+    TSummaryParameterNode(FlowSummaryImpl::Public::SummarizedCallable c, ParameterPosition pos) {
+      FlowSummaryImpl::Private::summaryParameterNodeRange(c, pos)
     }
 
   class TParameterNode =
@@ -331,10 +347,10 @@ private module ParameterNodes {
   abstract class ParameterNodeImpl extends NodeImpl {
     abstract Parameter getParameter();
 
-    abstract predicate isSourceParameterOf(Callable c, int i);
+    abstract predicate isSourceParameterOf(Callable c, ParameterPosition pos);
 
-    predicate isParameterOf(DataFlowCallable c, int i) {
-      this.isSourceParameterOf(c.asCallable(), i)
+    predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+      this.isSourceParameterOf(c.asCallable(), pos)
     }
   }
 
@@ -349,10 +365,22 @@ private module ParameterNodes {
 
     override Parameter getParameter() { result = parameter }
 
-    override predicate isSourceParameterOf(Callable c, int i) { c.getParameter(i) = parameter }
+    override predicate isSourceParameterOf(Callable c, ParameterPosition pos) {
+      exists(int i | pos.isPositional(i) and c.getParameter(i) = parameter |
+        parameter instanceof SimpleParameter
+        or
+        parameter instanceof OptionalParameter
+      )
+      or
+      parameter =
+        any(KeywordParameter kp |
+          c.getAParameter() = kp and
+          pos.isKeyword(kp.getName())
+        )
+    }
 
-    override predicate isParameterOf(DataFlowCallable c, int i) {
-      this.isSourceParameterOf(c.asCallable(), i)
+    override predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+      this.isSourceParameterOf(c.asCallable(), pos)
     }
 
     override CfgScope getCfgScope() { result = parameter.getCallable() }
@@ -375,10 +403,12 @@ private module ParameterNodes {
 
     override Parameter getParameter() { none() }
 
-    override predicate isSourceParameterOf(Callable c, int i) { method = c and i = -1 }
+    override predicate isSourceParameterOf(Callable c, ParameterPosition pos) {
+      method = c and pos.isSelf()
+    }
 
-    override predicate isParameterOf(DataFlowCallable c, int i) {
-      this.isSourceParameterOf(c.asCallable(), i)
+    override predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+      this.isSourceParameterOf(c.asCallable(), pos)
     }
 
     override CfgScope getCfgScope() { result = method }
@@ -403,10 +433,12 @@ private module ParameterNodes {
       result = method.getAParameter() and result instanceof BlockParameter
     }
 
-    override predicate isSourceParameterOf(Callable c, int i) { c = method and i = -2 }
+    override predicate isSourceParameterOf(Callable c, ParameterPosition pos) {
+      c = method and pos.isBlock()
+    }
 
-    override predicate isParameterOf(DataFlowCallable c, int i) {
-      this.isSourceParameterOf(c.asCallable(), i)
+    override predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+      this.isSourceParameterOf(c.asCallable(), pos)
     }
 
     override CfgScope getCfgScope() { result = method }
@@ -427,23 +459,25 @@ private module ParameterNodes {
   /** A parameter for a library callable with a flow summary. */
   class SummaryParameterNode extends ParameterNodeImpl, TSummaryParameterNode {
     private FlowSummaryImpl::Public::SummarizedCallable sc;
-    private int pos;
+    private ParameterPosition pos_;
 
-    SummaryParameterNode() { this = TSummaryParameterNode(sc, pos) }
+    SummaryParameterNode() { this = TSummaryParameterNode(sc, pos_) }
 
     override Parameter getParameter() { none() }
 
-    override predicate isSourceParameterOf(Callable c, int i) { none() }
+    override predicate isSourceParameterOf(Callable c, ParameterPosition pos) { none() }
 
-    override predicate isParameterOf(DataFlowCallable c, int i) { sc = c and i = pos }
+    override predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+      sc = c and pos = pos_
+    }
 
     override CfgScope getCfgScope() { none() }
 
     override DataFlowCallable getEnclosingCallable() { result = sc }
 
     override EmptyLocation getLocationImpl() { any() }
 
-    override string toStringImpl() { result = "parameter " + pos + " of " + sc }
+    override string toStringImpl() { result = "parameter " + pos_ + " of " + sc }
   }
 }
 
@@ -468,9 +502,9 @@ class SummaryNode extends NodeImpl, TSummaryNode {
 /** A data-flow node that represents a call argument. */
 abstract class ArgumentNode extends Node {
   /** Holds if this argument occurs at the given position in the given call. */
-  abstract predicate argumentOf(DataFlowCall call, int pos);
+  abstract predicate argumentOf(DataFlowCall call, ArgumentPosition pos);
 
-  abstract predicate sourceArgumentOf(CfgNodes::ExprNodes::CallCfgNode call, int pos);
+  abstract predicate sourceArgumentOf(CfgNodes::ExprNodes::CallCfgNode call, ArgumentPosition pos);
 
   /** Gets the call in which this node is an argument. */
   final DataFlowCall getCall() { this.argumentOf(result, _) }
@@ -483,18 +517,18 @@ private module ArgumentNodes {
 
     ExplicitArgumentNode() { this.asExpr() = arg }
 
-    override predicate argumentOf(DataFlowCall call, int pos) {
+    override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
       this.sourceArgumentOf(call.asCall(), pos)
     }
 
-    override predicate sourceArgumentOf(CfgNodes::ExprNodes::CallCfgNode call, int pos) {
+    override predicate sourceArgumentOf(CfgNodes::ExprNodes::CallCfgNode call, ArgumentPosition pos) {
       arg.isArgumentOf(call, pos)
     }
   }
 
   /** A data-flow node that represents the `self` argument of a call. */
   class SelfArgumentNode extends ExplicitArgumentNode {
-    SelfArgumentNode() { arg.isArgumentOf(_, -1) }
+    SelfArgumentNode() { arg.isArgumentOf(_, any(ArgumentPosition pos | pos.isSelf())) }
   }
 
   /** A data-flow node that represents a block argument. */
@@ -504,12 +538,12 @@ private module ArgumentNodes {
       exists(CfgNodes::ExprNodes::CallCfgNode c | c.getBlock() = this.asExpr())
     }
 
-    override predicate argumentOf(DataFlowCall call, int pos) {
+    override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
       this.sourceArgumentOf(call.asCall(), pos)
     }
 
-    override predicate sourceArgumentOf(CfgNodes::ExprNodes::CallCfgNode call, int pos) {
-      pos = -2 and
+    override predicate sourceArgumentOf(CfgNodes::ExprNodes::CallCfgNode call, ArgumentPosition pos) {
+      pos.isBlock() and
       (
         this.asExpr() = call.getBlock()
         or
@@ -525,9 +559,11 @@ private module ArgumentNodes {
   private class SummaryArgumentNode extends SummaryNode, ArgumentNode {
     SummaryArgumentNode() { FlowSummaryImpl::Private::summaryArgumentNode(_, this, _) }
 
-    override predicate sourceArgumentOf(CfgNodes::ExprNodes::CallCfgNode call, int pos) { none() }
+    override predicate sourceArgumentOf(CfgNodes::ExprNodes::CallCfgNode call, ArgumentPosition pos) {
+      none()
+    }
 
-    override predicate argumentOf(DataFlowCall call, int pos) {
+    override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
       FlowSummaryImpl::Private::summaryArgumentNode(call, this, pos)
     }
   }
@@ -838,7 +874,7 @@ predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
     )
   or
   receiver = call.(SummaryCall).getReceiver() and
-  if receiver.(ParameterNodeImpl).isParameterOf(_, -2)
+  if receiver.(ParameterNodeImpl).isParameterOf(_, any(ParameterPosition pos | pos.isBlock()))
   then kind = TYieldCallKind()
   else kind = TLambdaCallKind()
 }