Ruby: Add SensitiveDataSource abstract class

Author: alexrford

ruby/ql/lib/codeql/ruby/security/SensitiveActions.qll

@@ -224,3 +224,79 @@ class AuthorizationCall extends SensitiveAction, DataFlow::CallNode {
     )
   }
 }
+
+/**
+ * A data flow source of sensitive data, such as secrets, certificates, or passwords.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `SensitiveDataSource::Range` instead.
+ */
+class SensitiveDataSource extends DataFlow::Node instanceof SensitiveDataSource::Range {
+  /**
+   * Gets the classification of the sensitive data.
+   */
+  SensitiveDataClassification getClassification() { result = super.getClassification() }
+}
+
+/** Provides a class for modeling new sources of sensitive data, such as secrets, certificates, or passwords. */
+module SensitiveDataSource {
+  /**
+   * A data flow source of sensitive data, such as secrets, certificates, or passwords.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `SensitiveDataSource` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    /**
+     * Gets the classification of the sensitive data.
+     */
+    abstract SensitiveDataClassification getClassification();
+  }
+}
+
+/**
+ * A call to a method that may return sensitive data.
+ */
+class SensitiveMethodCall extends SensitiveDataSource::Range, DataFlow::CallNode instanceof SensitiveNode
+{
+  SensitiveDataMethodName methodName;
+
+  SensitiveMethodCall() { methodName = this.getMethodName() }
+
+  override SensitiveDataClassification getClassification() {
+    result = methodName.getClassification()
+  }
+}
+
+/**
+ * An assignment to a variable that may contain sensitive data.
+ */
+class SensitiveVariableAssignment extends SensitiveDataSource::Range instanceof BasicSensitiveWrite {
+  override SensitiveDataClassification getClassification() {
+    result = BasicSensitiveWrite.super.getClassification()
+  }
+}
+
+/**
+ * A read from a hash value that may return sensitive data.
+ */
+class SensitiveHashValueAccess extends SensitiveDataSource::Range instanceof BasicSensitiveVariableAccess
+{
+  SensitiveHashValueAccess() {
+    this.asExpr() instanceof CfgNodes::ExprNodes::ElementReferenceCfgNode
+  }
+
+  override SensitiveDataClassification getClassification() {
+    result = BasicSensitiveVariableAccess.super.getClassification()
+  }
+}
+
+/**
+ * A parameter node that may contain sensitive data.
+ */
+class SensitiveParameter extends SensitiveDataSource::Range, DataFlow::ParameterNode instanceof SensitiveNode
+{
+  override SensitiveDataClassification getClassification() {
+    result = SensitiveNode.super.getClassification()
+  }
+}

ruby/ql/lib/codeql/ruby/security/WeakSensitiveDataHashingCustomizations.qll

@@ -49,9 +49,9 @@ module NormalHashFunction {
   /**
    * A source of sensitive data, considered as a flow source.
    */
-  class SensitiveNodeSourceAsSource extends Source instanceof SensitiveNode {
+  class SensitiveDataSourceAsSource extends Source instanceof SensitiveDataSource {
     override SensitiveDataClassification getClassification() {
-      result = SensitiveNode.super.getClassification()
+      result = SensitiveDataSource.super.getClassification()
     }
   }
 
@@ -118,13 +118,13 @@ module ComputationallyExpensiveHashFunction {
   /**
    * A source of passwords, considered as a flow source.
    */
-  class PasswordSourceAsSource extends Source instanceof SensitiveNode {
+  class PasswordSourceAsSource extends Source instanceof SensitiveDataSource {
     PasswordSourceAsSource() {
-      this.(SensitiveNode).getClassification() = SensitiveDataClassification::password()
+      this.(SensitiveDataSource).getClassification() = SensitiveDataClassification::password()
     }
 
     override SensitiveDataClassification getClassification() {
-      result = SensitiveNode.super.getClassification()
+      result = SensitiveDataSource.super.getClassification()
     }
   }