Merge pull request #312 from github/rb/stored-xss-1

Implement `rb/stored-xss` query

Author: alexrford

ql/lib/codeql/ruby/Concepts.qll

@@ -538,3 +538,32 @@ module XmlParserCall {
     abstract predicate externalEntitiesEnabled();
   }
 }
+
+/**
+ * A data-flow node that may represent a database object in an ORM system.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `OrmInstantiation::Range` instead.
+ */
+class OrmInstantiation extends DataFlow::Node instanceof OrmInstantiation::Range {
+  /** Holds if a call to `methodName` on this instance may return a field of this ORM object. */
+  bindingset[methodName]
+  predicate methodCallMayAccessField(string methodName) {
+    super.methodCallMayAccessField(methodName)
+  }
+}
+
+/** Provides a class for modeling new ORM object instantiation APIs. */
+module OrmInstantiation {
+  /**
+   * A data-flow node that may represent a database object in an ORM system.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `OrmInstantiation` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    /** Holds if a call to `methodName` on this instance may return a field of this ORM object. */
+    bindingset[methodName]
+    abstract predicate methodCallMayAccessField(string methodName);
+  }
+}

ql/lib/codeql/ruby/DataFlow2.qll

@@ -0,0 +1,7 @@
+/**
+ * Provides classes for performing local (intra-procedural) and
+ * global (inter-procedural) data flow analyses.
+ */
+module DataFlow2 {
+  import codeql.ruby.dataflow.internal.DataFlowImpl2
+}

ql/lib/codeql/ruby/ast/Constant.qll

@@ -166,6 +166,35 @@ class ConstantWriteAccess extends ConstantAccess {
   }
 
   override string getAPrimaryQlClass() { result = "ConstantWriteAccess" }
+
+  /**
+   * Gets the fully qualified name for this constant, based on the context in
+   * which it is defined.
+   *
+   *  For example, given
+   *  ```rb
+   *  module Foo
+   *    module Bar
+   *      class Baz
+   *      end
+   *    end
+   *    CONST_A = "a"
+   *  end
+   *  ```
+   *
+   * the constant `Baz` has the fully qualified name `Foo::Bar::Baz`, and
+   * `CONST_A` has the fully qualified name `Foo::CONST_A`.
+   */
+  string getQualifiedName() {
+    /* get the qualified name for the parent module, then append w */
+    exists(ConstantWriteAccess parent | parent = this.getEnclosingModule() |
+      result = parent.getQualifiedName() + "::" + this.getName()
+    )
+    or
+    /* base case - there's no parent module */
+    not exists(ConstantWriteAccess parent | parent = this.getEnclosingModule()) and
+    result = this.getName()
+  }
 }
 
 /**