Ruby: Add flow summary for Hash#except!

Author: hmac

ruby/ql/lib/codeql/ruby/frameworks/core/Hash.qll

@@ -244,18 +244,20 @@ module Hash {
   }
 
   private string getExceptComponent(MethodCall mc, int i) {
-    mc.getMethodName() = "except" and
+    mc.getMethodName() = ["except", "except!"] and
     result = DataFlow::Content::getKnownElementIndex(mc.getArgument(i)).serialize()
   }
 
   private class ExceptSummary extends SummarizedCallable {
     MethodCall mc;
 
     ExceptSummary() {
-      mc.getMethodName() = "except" and
+      // except! is an ActiveSupport extension
+      // https://api.rubyonrails.org/classes/Hash.html#method-i-except-21
+      mc.getMethodName() = ["except", "except!"] and
       this =
-        "except(" + concat(int i, string s | s = getExceptComponent(mc, i) | s, "," order by i) +
-          ")"
+        mc.getMethodName() + "(" +
+          concat(int i, string s | s = getExceptComponent(mc, i) | s, "," order by i) + ")"
     }
 
     final override MethodCall getACallSimple() { result = mc }
@@ -268,7 +270,11 @@ module Hash {
           |
             ".WithoutElement[" + s + "!]" order by i
           ) + ".WithElement[any]" and
-      output = "ReturnValue" and
+      (
+        if mc.getMethodName() = "except!"
+        then output = ["ReturnValue", "Argument[self]"]
+        else output = "ReturnValue"
+      ) and
       preservesValue = true
     }
   }

ruby/ql/test/library-tests/dataflow/hash-flow/hash-flow.expected

@@ -523,6 +523,19 @@ edges
 | hash_flow.rb:750:10:750:13 | hash [element :d] :  | hash_flow.rb:750:10:750:17 | ...[...] |
 | hash_flow.rb:752:10:752:13 | hash [element :f] :  | hash_flow.rb:752:10:752:17 | ...[...] |
 | hash_flow.rb:753:10:753:13 | hash [element :g] :  | hash_flow.rb:753:10:753:17 | ...[...] |
+| hash_flow.rb:761:15:761:25 | call to taint :  | hash_flow.rb:767:10:767:13 | hash [element :a] :  |
+| hash_flow.rb:763:15:763:25 | call to taint :  | hash_flow.rb:769:10:769:13 | hash [element :c] :  |
+| hash_flow.rb:763:15:763:25 | call to taint :  | hash_flow.rb:772:9:772:12 | hash [element :c] :  |
+| hash_flow.rb:764:15:764:25 | call to taint :  | hash_flow.rb:770:10:770:13 | hash [element :d] :  |
+| hash_flow.rb:767:10:767:13 | hash [element :a] :  | hash_flow.rb:767:10:767:17 | ...[...] |
+| hash_flow.rb:769:10:769:13 | hash [element :c] :  | hash_flow.rb:769:10:769:17 | ...[...] |
+| hash_flow.rb:770:10:770:13 | hash [element :d] :  | hash_flow.rb:770:10:770:17 | ...[...] |
+| hash_flow.rb:772:9:772:12 | [post] hash [element :c] :  | hash_flow.rb:781:10:781:13 | hash [element :c] :  |
+| hash_flow.rb:772:9:772:12 | hash [element :c] :  | hash_flow.rb:772:9:772:12 | [post] hash [element :c] :  |
+| hash_flow.rb:772:9:772:12 | hash [element :c] :  | hash_flow.rb:772:9:772:31 | call to except! [element :c] :  |
+| hash_flow.rb:772:9:772:31 | call to except! [element :c] :  | hash_flow.rb:776:10:776:10 | x [element :c] :  |
+| hash_flow.rb:776:10:776:10 | x [element :c] :  | hash_flow.rb:776:10:776:14 | ...[...] |
+| hash_flow.rb:781:10:781:13 | hash [element :c] :  | hash_flow.rb:781:10:781:17 | ...[...] |
 nodes
 | hash_flow.rb:11:15:11:24 | call to taint :  | semmle.label | call to taint :  |
 | hash_flow.rb:13:12:13:21 | call to taint :  | semmle.label | call to taint :  |
@@ -1105,6 +1118,22 @@ nodes
 | hash_flow.rb:752:10:752:17 | ...[...] | semmle.label | ...[...] |
 | hash_flow.rb:753:10:753:13 | hash [element :g] :  | semmle.label | hash [element :g] :  |
 | hash_flow.rb:753:10:753:17 | ...[...] | semmle.label | ...[...] |
+| hash_flow.rb:761:15:761:25 | call to taint :  | semmle.label | call to taint :  |
+| hash_flow.rb:763:15:763:25 | call to taint :  | semmle.label | call to taint :  |
+| hash_flow.rb:764:15:764:25 | call to taint :  | semmle.label | call to taint :  |
+| hash_flow.rb:767:10:767:13 | hash [element :a] :  | semmle.label | hash [element :a] :  |
+| hash_flow.rb:767:10:767:17 | ...[...] | semmle.label | ...[...] |
+| hash_flow.rb:769:10:769:13 | hash [element :c] :  | semmle.label | hash [element :c] :  |
+| hash_flow.rb:769:10:769:17 | ...[...] | semmle.label | ...[...] |
+| hash_flow.rb:770:10:770:13 | hash [element :d] :  | semmle.label | hash [element :d] :  |
+| hash_flow.rb:770:10:770:17 | ...[...] | semmle.label | ...[...] |
+| hash_flow.rb:772:9:772:12 | [post] hash [element :c] :  | semmle.label | [post] hash [element :c] :  |
+| hash_flow.rb:772:9:772:12 | hash [element :c] :  | semmle.label | hash [element :c] :  |
+| hash_flow.rb:772:9:772:31 | call to except! [element :c] :  | semmle.label | call to except! [element :c] :  |
+| hash_flow.rb:776:10:776:10 | x [element :c] :  | semmle.label | x [element :c] :  |
+| hash_flow.rb:776:10:776:14 | ...[...] | semmle.label | ...[...] |
+| hash_flow.rb:781:10:781:13 | hash [element :c] :  | semmle.label | hash [element :c] :  |
+| hash_flow.rb:781:10:781:17 | ...[...] | semmle.label | ...[...] |
 subpaths
 #select
 | hash_flow.rb:22:10:22:17 | ...[...] | hash_flow.rb:11:15:11:24 | call to taint :  | hash_flow.rb:22:10:22:17 | ...[...] | $@ | hash_flow.rb:11:15:11:24 | call to taint :  | call to taint :  |
@@ -1279,3 +1308,8 @@ subpaths
 | hash_flow.rb:750:10:750:17 | ...[...] | hash_flow.rb:742:15:742:25 | call to taint :  | hash_flow.rb:750:10:750:17 | ...[...] | $@ | hash_flow.rb:742:15:742:25 | call to taint :  | call to taint :  |
 | hash_flow.rb:752:10:752:17 | ...[...] | hash_flow.rb:744:15:744:25 | call to taint :  | hash_flow.rb:752:10:752:17 | ...[...] | $@ | hash_flow.rb:744:15:744:25 | call to taint :  | call to taint :  |
 | hash_flow.rb:753:10:753:17 | ...[...] | hash_flow.rb:746:29:746:39 | call to taint :  | hash_flow.rb:753:10:753:17 | ...[...] | $@ | hash_flow.rb:746:29:746:39 | call to taint :  | call to taint :  |
+| hash_flow.rb:767:10:767:17 | ...[...] | hash_flow.rb:761:15:761:25 | call to taint :  | hash_flow.rb:767:10:767:17 | ...[...] | $@ | hash_flow.rb:761:15:761:25 | call to taint :  | call to taint :  |
+| hash_flow.rb:769:10:769:17 | ...[...] | hash_flow.rb:763:15:763:25 | call to taint :  | hash_flow.rb:769:10:769:17 | ...[...] | $@ | hash_flow.rb:763:15:763:25 | call to taint :  | call to taint :  |
+| hash_flow.rb:770:10:770:17 | ...[...] | hash_flow.rb:764:15:764:25 | call to taint :  | hash_flow.rb:770:10:770:17 | ...[...] | $@ | hash_flow.rb:764:15:764:25 | call to taint :  | call to taint :  |
+| hash_flow.rb:776:10:776:14 | ...[...] | hash_flow.rb:763:15:763:25 | call to taint :  | hash_flow.rb:776:10:776:14 | ...[...] | $@ | hash_flow.rb:763:15:763:25 | call to taint :  | call to taint :  |
+| hash_flow.rb:781:10:781:17 | ...[...] | hash_flow.rb:763:15:763:25 | call to taint :  | hash_flow.rb:781:10:781:17 | ...[...] | $@ | hash_flow.rb:763:15:763:25 | call to taint :  | call to taint :  |

ruby/ql/test/library-tests/dataflow/hash-flow/hash_flow.rb

@@ -754,4 +754,32 @@ def m45()
     sink(hash[:h])
 end
 
-m45()
+m45()
+
+def m46(x)
+    hash = {
+        :a => taint(46.1),
+        :b => 1,
+        :c => taint(46.2),
+        :d => taint(46.3)
+    }
+
+    sink(hash[:a]) # $ hasValueFlow=46.1
+    sink(hash[:b])
+    sink(hash[:c]) # $ hasValueFlow=46.2
+    sink(hash[:d]) # $ hasValueFlow=46.3
+
+    x = hash.except!(:a, x, :d)
+
+    sink(x[:a])
+    sink(x[:b])
+    sink(x[:c]) # $ hasValueFlow=46.2
+    sink(x[:d])
+
+    sink(hash[:a])
+    sink(hash[:b])
+    sink(hash[:c]) # $ hasValueFlow=46.2
+    sink(hash[:d])
+end
+
+m46(:c)