Model the Typhoeus http client

Author: hmac

ql/lib/codeql/ruby/frameworks/HTTPClients.qll

@@ -9,3 +9,4 @@ private import codeql.ruby.frameworks.http_clients.RestClient
 private import codeql.ruby.frameworks.http_clients.HTTParty
 private import codeql.ruby.frameworks.http_clients.HTTPClient
 private import codeql.ruby.frameworks.http_clients.OpenURI
+private import codeql.ruby.frameworks.http_clients.Typhoeus

ql/lib/codeql/ruby/frameworks/http_clients/Typhoeus.qll

@@ -0,0 +1,28 @@
+private import ruby
+private import codeql.ruby.Concepts
+private import codeql.ruby.ApiGraphs
+
+/**
+ * A call that makes an HTTP request using `Typhoeus`.
+ * ```ruby
+ * Typhoeus.get("http://example.com").body
+ * ```
+ */
+class TyphoeusHTTPRequest extends HTTP::Client::Request::Range {
+  DataFlow::Node request;
+  DataFlow::CallNode responseBody;
+
+  TyphoeusHTTPRequest() {
+    exists(API::Node requestNode | request = requestNode.getAnImmediateUse() |
+      requestNode =
+        API::getTopLevelMember("Typhoeus")
+            .getReturn(["get", "head", "delete", "options", "post", "put", "patch"]) and
+      responseBody = requestNode.getAMethodCall("body") and
+      this = request.asExpr().getExpr()
+    )
+  }
+
+  override DataFlow::Node getResponseBody() { result = responseBody }
+
+  override string getFramework() { result = "Typhoeus" }
+}

ql/test/library-tests/frameworks/http_clients/Typhoeus.expected

@@ -0,0 +1,7 @@
+| Typhoeus.rb:3:9:3:43 | call to get | Typhoeus.rb:4:1:4:10 | call to body |
+| Typhoeus.rb:6:9:6:63 | call to post | Typhoeus.rb:7:1:7:10 | call to body |
+| Typhoeus.rb:9:9:9:62 | call to put | Typhoeus.rb:10:1:10:10 | call to body |
+| Typhoeus.rb:12:9:12:64 | call to patch | Typhoeus.rb:13:1:13:10 | call to body |
+| Typhoeus.rb:15:9:15:46 | call to delete | Typhoeus.rb:16:1:16:10 | call to body |
+| Typhoeus.rb:18:9:18:44 | call to head | Typhoeus.rb:19:1:19:10 | call to body |
+| Typhoeus.rb:21:9:21:47 | call to options | Typhoeus.rb:22:1:22:10 | call to body |

ql/test/library-tests/frameworks/http_clients/Typhoeus.ql

@@ -0,0 +1,4 @@
+import codeql.ruby.frameworks.http_clients.Typhoeus
+import codeql.ruby.DataFlow
+
+query DataFlow::Node typhoeusHTTPRequests(TyphoeusHTTPRequest e) { result = e.getResponseBody() }

ql/test/library-tests/frameworks/http_clients/Typhoeus.rb

@@ -0,0 +1,22 @@
+require "typhoeus"
+
+resp1 = Typhoeus.get("http://example.com/")
+resp1.body
+
+resp2 = Typhoeus.post("http://example.com/", body: "some_data")
+resp2.body
+
+resp3 = Typhoeus.put("http://example.com/", body: "some_data")
+resp3.body
+
+resp4 = Typhoeus.patch("http://example.com/", body: "some_data")
+resp4.body
+
+resp5 = Typhoeus.delete("http://example.com/")
+resp5.body
+
+resp6 = Typhoeus.head("http://example.com/")
+resp6.body
+
+resp7 = Typhoeus.options("http://example.com/")
+resp7.body