Model more of the RestClient API

We now handle this form:

    RestClient::Request.execute(url: "http://example.com")

Author: hmac

ruby/ql/lib/codeql/ruby/frameworks/http_clients/RestClient.qll

@@ -6,6 +6,8 @@ private import codeql.ruby.ApiGraphs
  * A call that makes an HTTP request using `RestClient`.
  * ```ruby
  * RestClient.get("http://example.com").body
+ * RestClient::Resource.new("http://example.com").get.body
+ * RestClient::Request.execute(url: "http://example.com").body
  * ```
  */
 class RestClientHttpRequest extends HTTP::Client::Request::Range {
@@ -14,18 +16,29 @@ class RestClientHttpRequest extends HTTP::Client::Request::Range {
   API::Node connectionNode;
 
   RestClientHttpRequest() {
-    connectionNode =
-      [
-        API::getTopLevelMember("RestClient"),
-        API::getTopLevelMember("RestClient").getMember("Resource").getInstance()
-      ] and
-    requestNode =
-      connectionNode.getReturn(["get", "head", "delete", "options", "post", "put", "patch"]) and
     requestUse = requestNode.getAnImmediateUse() and
-    this = requestUse.asExpr().getExpr()
+    this = requestUse.asExpr().getExpr() and
+    (
+      connectionNode =
+        [
+          API::getTopLevelMember("RestClient"),
+          API::getTopLevelMember("RestClient").getMember("Resource").getInstance()
+        ] and
+      requestNode =
+        connectionNode.getReturn(["get", "head", "delete", "options", "post", "put", "patch"])
+      or
+      connectionNode = API::getTopLevelMember("RestClient").getMember("Request") and
+      requestNode = connectionNode.getReturn("execute")
+    )
   }
 
-  override DataFlow::Node getURL() { result = requestUse.getArgument(0) }
+  override DataFlow::Node getURL() {
+    result = requestUse.getKeywordArgument("url")
+    or
+    result = requestUse.getArgument(0) and
+    // this rules out the alternative above
+    not result.asExpr().getExpr() instanceof Pair
+  }
 
   override DataFlow::Node getResponseBody() { result = requestNode.getAMethodCall("body") }
 

ruby/ql/test/library-tests/frameworks/http_clients/HttpClients.expected

@@ -62,6 +62,7 @@
 | RestClient.rb:15:9:15:47 | call to delete | RestClient | RestClient.rb:15:27:15:46 | "http://example.com" | RestClient.rb:16:1:16:10 | call to body |
 | RestClient.rb:18:9:18:45 | call to head | RestClient | RestClient.rb:18:25:18:44 | "http://example.com" | RestClient.rb:19:1:19:10 | call to body |
 | RestClient.rb:21:9:21:48 | call to options | RestClient | RestClient.rb:21:28:21:47 | "http://example.com" | RestClient.rb:22:1:22:10 | call to body |
+| RestClient.rb:28:9:28:85 | call to execute | RestClient | RestClient.rb:28:56:28:84 | "http://example.com/resource" | RestClient.rb:29:1:29:10 | call to body |
 | Typhoeus.rb:3:9:3:43 | call to get | Typhoeus | Typhoeus.rb:3:22:3:42 | "http://example.com/" | Typhoeus.rb:4:1:4:10 | call to body |
 | Typhoeus.rb:6:9:6:63 | call to post | Typhoeus | Typhoeus.rb:6:23:6:43 | "http://example.com/" | Typhoeus.rb:7:1:7:10 | call to body |
 | Typhoeus.rb:9:9:9:62 | call to put | Typhoeus | Typhoeus.rb:9:22:9:42 | "http://example.com/" | Typhoeus.rb:10:1:10:10 | call to body |

ruby/ql/test/library-tests/frameworks/http_clients/RestClient.rb

@@ -23,4 +23,7 @@
 
 resource8 = RestClient::Resource.new "http://example.com"
 resp8 = resource8.get
-resp8.body
+resp8.body
+
+resp9 = RestClient::Request.execute(method: :get, url: 'http://example.com/resource')
+resp9.body