Model the HTTParty http client

We currently model direct calls like

    HTTParty.get("http://example.com")

but we don't yet handle calls on other classes that have included the
`HTTParty` module, like

    class MyClient
      include HTTParty
    end
    MyClient.get("http://example.com")

Author: hmac

ql/lib/codeql/ruby/frameworks/HTTPClients.qll

@@ -6,3 +6,4 @@ private import codeql.ruby.frameworks.http_clients.NetHTTP
 private import codeql.ruby.frameworks.http_clients.Excon
 private import codeql.ruby.frameworks.http_clients.Faraday
 private import codeql.ruby.frameworks.http_clients.RestClient
+private import codeql.ruby.frameworks.http_clients.HTTParty

ql/lib/codeql/ruby/frameworks/http_clients/HTTParty.qll

@@ -0,0 +1,46 @@
+private import ruby
+private import codeql.ruby.Concepts
+private import codeql.ruby.ApiGraphs
+
+/**
+ * A call that makes an HTTP request using `HTTParty`.
+ * ```ruby
+ * # one-off request - returns the response body
+ * HTTParty.get("http://example.com")
+ *
+ * # TODO: module inclusion
+ * class MyClass
+ *  include HTTParty
+ * end
+ *
+ * MyClass.new("http://example.com")
+ * ```
+ */
+class HTTPartyRequest extends HTTP::Client::Request::Range {
+  DataFlow::Node request;
+  DataFlow::CallNode responseBody;
+
+  HTTPartyRequest() {
+    exists(API::Node requestNode | request = requestNode.getAnImmediateUse() |
+      requestNode =
+        API::getTopLevelMember("HTTParty")
+            .getReturn(["get", "head", "delete", "options", "post", "put", "patch"]) and
+      (
+        // If HTTParty can recognise the response type, it will parse and return it
+        // directly from the request call. Otherwise, it will return a `HTTParty::Response`
+        // object that has a `#body` method.
+        // So if there's a call to `#body` on the response, treat that as the response body.
+        exists(DataFlow::Node r | r = requestNode.getAMethodCall("body") | responseBody = r)
+        or
+        // Otherwise, treat the response as the response body.
+        not exists(DataFlow::Node r | r = requestNode.getAMethodCall("body")) and
+        responseBody = request
+      ) and
+      this = request.asExpr().getExpr()
+    )
+  }
+
+  override DataFlow::Node getResponseBody() { result = responseBody }
+
+  override string getFramework() { result = "HTTParty" }
+}

ql/test/library-tests/frameworks/http_clients/HTTParty.expected

@@ -0,0 +1,7 @@
+| HTTParty.rb:5:1:5:35 | call to get | HTTParty.rb:5:1:5:35 | call to get |
+| HTTParty.rb:7:1:7:55 | call to post | HTTParty.rb:7:1:7:55 | call to post |
+| HTTParty.rb:9:1:9:54 | call to put | HTTParty.rb:9:1:9:54 | call to put |
+| HTTParty.rb:11:1:11:56 | call to patch | HTTParty.rb:11:1:11:56 | call to patch |
+| HTTParty.rb:15:9:15:46 | call to delete | HTTParty.rb:16:1:16:10 | call to body |
+| HTTParty.rb:18:9:18:44 | call to head | HTTParty.rb:19:1:19:10 | call to body |
+| HTTParty.rb:21:9:21:47 | call to options | HTTParty.rb:22:1:22:10 | call to body |

ql/test/library-tests/frameworks/http_clients/HTTParty.ql

@@ -0,0 +1,4 @@
+import codeql.ruby.frameworks.http_clients.HTTParty
+import codeql.ruby.DataFlow
+
+query DataFlow::Node httpartyRequests(HTTPartyRequest e) { result = e.getResponseBody() }

ql/test/library-tests/frameworks/http_clients/HTTParty.rb

@@ -0,0 +1,31 @@
+require "httparty"
+
+# If the response body is not nil or an empty string, it will be parsed and returned directly.
+
+HTTParty.get("http://example.com/")
+
+HTTParty.post("http://example.com/", body: "some_data")
+
+HTTParty.put("http://example.com/", body: "some_data")
+
+HTTParty.patch("http://example.com/", body: "some_data")
+
+# Otherwise, `HTTParty::Response` will be returned, which has a `#body` method.
+
+resp5 = HTTParty.delete("http://example.com/")
+resp5.body
+
+resp6 = HTTParty.head("http://example.com/")
+resp6.body
+
+resp7 = HTTParty.options("http://example.com/")
+resp7.body
+
+# HTTParty methods can also be included in other classes.
+# This is not yet modelled.
+
+class MyClient
+  inlcude HTTParty
+end
+
+MyClient.get("http://example.com")