Ruby: Restrict regexp taint flow to String summaries

hvitved · hvitved · commit 6c2eee3eb840 · 2022-10-10T20:58:41.000+02:00
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll
@@ -735,6 +735,9 @@ class SummaryNode extends NodeImpl, TSummaryNode {
 
   SummaryNode() { this = TSummaryNode(c, state) }
 
+  /** Gets the summarized callable that this node belongs to. */
+  FlowSummaryImpl::Public::SummarizedCallable getSummarizedCallable() { result = c }
+
   override CfgScope getCfgScope() { none() }
 
   override DataFlowCallable getEnclosingCallable() { result.asLibraryCallable() = c }
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/core/String.qll b/ruby/ql/lib/codeql/ruby/frameworks/core/String.qll
@@ -3,7 +3,7 @@
 private import codeql.ruby.AST
 private import codeql.ruby.ApiGraphs
 private import codeql.ruby.DataFlow
-private import codeql.ruby.dataflow.FlowSummary
+private import codeql.ruby.dataflow.FlowSummary as FlowSummary
 private import codeql.ruby.dataflow.internal.DataFlowDispatch
 private import codeql.ruby.controlflow.CfgNodes
 private import codeql.ruby.Regexp as RE
@@ -107,6 +107,18 @@ module String {
     preservesValue = false
   }
 
+  /** A `String` callable with a flow summary. */
+  abstract class SummarizedCallable extends FlowSummary::SummarizedCallable {
+    bindingset[this]
+    SummarizedCallable() { any() }
+  }
+
+  abstract private class SimpleSummarizedCallable extends SummarizedCallable,
+    FlowSummary::SimpleSummarizedCallable {
+    bindingset[this]
+    SimpleSummarizedCallable() { any() }
+  }
+
   private class NewSummary extends SummarizedCallable {
     NewSummary() { this = "String.new" }
 
diff --git a/ruby/ql/lib/codeql/ruby/regexp/internal/RegExpConfiguration.qll b/ruby/ql/lib/codeql/ruby/regexp/internal/RegExpConfiguration.qll
@@ -5,6 +5,10 @@ private import codeql.ruby.controlflow.CfgNodes
 private import codeql.ruby.dataflow.internal.tainttrackingforregexp.TaintTrackingImpl
 private import codeql.ruby.typetracking.TypeTracker
 private import codeql.ruby.ApiGraphs
+private import codeql.ruby.dataflow.internal.DataFlowPrivate as DataFlowPrivate
+private import codeql.ruby.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
+private import codeql.ruby.dataflow.FlowSummary as FlowSummary
+private import codeql.ruby.frameworks.core.String
 
 class RegExpConfiguration extends Configuration {
   RegExpConfiguration() { this = "RegExpConfiguration" }
@@ -30,6 +34,11 @@ class RegExpConfiguration extends Configuration {
       node = mce.getArgument(0) and
       mce.getReceiver() = trackRegexpType()
     )
+    or
+    // only include taint flow through `String` summaries
+    FlowSummaryImpl::Private::Steps::summaryLocalStep(_, node, false) and
+    not node.(DataFlowPrivate::SummaryNode).getSummarizedCallable() instanceof
+      String::SummarizedCallable
   }
 }
 
