Ruby: Recognize custom self.new methods that return self.allocate

hvitved · hvitved · commit accf4ca36410 · 2022-12-16T09:23:36.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll
@@ -473,9 +473,12 @@ private DataFlow::LocalSourceNode trackModuleAccess(Module m) {
 }
 
 pragma[nomagic]
-private predicate hasUserDefinedSelf(Module m) {
-  // cannot use `lookupSingletonMethod` due to negative recursion
-  singletonMethodOnModule(_, "new", m.getSuperClass*()) // not `getAnAncestor` because singleton methods cannot be included
+private predicate hasUserDefinedNew(Module m) {
+  exists(DataFlow::MethodNode method |
+    // not `getAnAncestor` because singleton methods cannot be included
+    singletonMethodOnModule(method.asCallableAstNode(), "new", m.getSuperClass*()) and
+    not method.getSelfParameter().getAMethodCall("allocate").flowsTo(method.getAReturningNode())
+  )
 }
 
 /** Holds if `n` is an instance of type `tp`. */
@@ -536,7 +539,7 @@ private predicate isInstance(DataFlow::Node n, Module tp, boolean exact) {
     flowsToMethodCallReceiver(call, sourceNode, "new") and
     n.asExpr() = call and
     // `tp` should not have a user-defined `self.new` method
-    not hasUserDefinedSelf(tp)
+    not hasUserDefinedNew(tp)
   |
     // `C.new`
     sourceNode = trackModuleAccess(tp) and
diff --git a/ruby/ql/test/library-tests/modules/callgraph.expected b/ruby/ql/test/library-tests/modules/callgraph.expected
@@ -244,6 +244,7 @@ getTarget
 | calls.rb:647:9:647:34 | call to puts | calls.rb:102:5:102:30 | puts |
 | calls.rb:651:1:651:14 | call to new | calls.rb:117:5:117:16 | new |
 | calls.rb:651:1:651:14 | call to new | calls.rb:642:5:644:7 | new |
+| calls.rb:651:1:651:23 | call to instance | calls.rb:646:5:648:7 | instance |
 | hello.rb:12:5:12:24 | call to include | calls.rb:108:5:110:7 | include |
 | hello.rb:14:16:14:20 | call to hello | hello.rb:2:5:4:7 | hello |
 | hello.rb:20:16:20:20 | call to super | hello.rb:13:5:15:7 | message |
@@ -369,7 +370,6 @@ unresolvedCall
 | calls.rb:562:1:562:39 | call to each |
 | calls.rb:570:5:570:14 | call to singleton2 |
 | calls.rb:643:9:643:21 | call to allocate |
-| calls.rb:651:1:651:23 | call to instance |
 | hello.rb:20:16:20:26 | ... + ... |
 | hello.rb:20:16:20:34 | ... + ... |
 | hello.rb:20:16:20:40 | ... + ... |
