rewrite the taint-step for join() to a flowsummary

erik-krogh · erik-krogh · commit 17f7ba2a8f12 · 2023-02-15T12:34:59.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/core/Array.qll b/ruby/ql/lib/codeql/ruby/frameworks/core/Array.qll
@@ -1186,6 +1186,16 @@ module Array {
     }
   }
 
+  private class JoinSummary extends SimpleSummarizedCallable {
+    JoinSummary() { this = ["join"] }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Argument[self].Element[any]" and
+      output = "ReturnValue" and
+      preservesValue = false
+    }
+  }
+
   private class PushSummary extends SimpleSummarizedCallable {
     // `append` is an alias for `push`
     PushSummary() { this = ["push", "append"] }
@@ -1816,6 +1826,8 @@ module Array {
     }
   }
 
+  private import codeql.ruby.frameworks.core.Kernel
+
   /**
    * Holds if there an array element `pred` might taint the array defined by `succ`.
    * This is used for queries where we consider an entire array to be tainted if any of its elements are tainted.
@@ -1829,20 +1841,13 @@ module Array {
     )
     or
     exists(DataFlow::CallNode call |
-      call.getMethodName() = "[]" and
+      call.asExpr().getExpr() = getAStaticArrayCall("[]")
+      or
+      call.(Kernel::KernelMethodCall).getMethodName() = "Array"
+    |
       succ = call and
       pred = call.getArgument(_)
     )
-    or
-    exists(DataFlow::CallNode call | call.getMethodName() = "join" |
-      pred = call.getReceiver() and
-      succ = call
-    )
-    or
-    exists(DataFlow::CallNode call | call.getMethodName() = "Array" |
-      pred = call.getArgument(_) and
-      succ = call
-    )
   }
 }
 
diff --git a/ruby/ql/test/library-tests/frameworks/pathname/Pathname.expected b/ruby/ql/test/library-tests/frameworks/pathname/Pathname.expected
@@ -65,6 +65,7 @@ pathnameInstances
 | file://:0:0:0:0 | parameter self of Pathname;Method[relative_path_from] |
 | file://:0:0:0:0 | parameter self of Pathname;Method[sub_ext] |
 | file://:0:0:0:0 | parameter self of Pathname;Method[to_path] |
+| file://:0:0:0:0 | parameter self of join |
 | file://:0:0:0:0 | parameter self of sub |
 | file://:0:0:0:0 | parameter self of to_s |
 fileSystemAccesses
@@ -141,6 +142,7 @@ fileNameSources
 | file://:0:0:0:0 | parameter self of Pathname;Method[relative_path_from] |
 | file://:0:0:0:0 | parameter self of Pathname;Method[sub_ext] |
 | file://:0:0:0:0 | parameter self of Pathname;Method[to_path] |
+| file://:0:0:0:0 | parameter self of join |
 | file://:0:0:0:0 | parameter self of sub |
 | file://:0:0:0:0 | parameter self of to_s |
 fileSystemReadAccesses
