Ruby: improve coverage of GlobalID::Identification modelling

alexrford · alexrford · commit 2af5925f389b · 2022-12-14T15:21:19.000Z
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/GlobalId.qll b/ruby/ql/lib/codeql/ruby/frameworks/GlobalId.qll
@@ -70,26 +70,40 @@ module GlobalId {
     }
   }
 
-  // TODO: methods in this module are available to any class that includes it, not just ActiveRecord models
   /** `GlobalID::Identification` */
   module Identification {
+    /** A `DataFlow::CallNode` against an instance of a class that includes the `GlobalID::Identification` module */
+    private class IdentificationInstanceCall extends DataFlow::CallNode {
+      IdentificationInstanceCall() {
+        this =
+          DataFlow::getConstant("GlobalID")
+              .getConstant("Identification")
+              .getADescendentModule()
+              .getAnImmediateReference()
+              .getAMethodCall(["new", "find"])
+              .getAMethodCall()
+        or
+        this instanceof ActiveRecordInstanceMethodCall
+      }
+    }
+
     /** A call to `GlobalID::Identification.to_global_id` */
-    class ToGlobalIdCall extends ActiveRecordInstanceMethodCall {
+    class ToGlobalIdCall extends IdentificationInstanceCall {
       ToGlobalIdCall() { this.getMethodName() = ["to_global_id", "to_gid"] }
     }
 
     /** A call to `GlobalID::Identification.to_gid_param` */
-    class ToGidParamCall extends ActiveRecordInstanceMethodCall {
+    class ToGidParamCall extends DataFlow::CallNode {
       ToGidParamCall() { this.getMethodName() = "to_gid_param" }
     }
 
     /** A call to `GlobalID::Identification.to_signed_global_id` */
-    class ToSignedGlobalIdCall extends ActiveRecordInstanceMethodCall {
+    class ToSignedGlobalIdCall extends DataFlow::CallNode {
       ToSignedGlobalIdCall() { this.getMethodName() = ["to_signed_global_id", "to_sgid"] }
     }
 
     /** A call to `GlobalID::Identification.to_sgid_param` */
-    class ToSgidParamCall extends ActiveRecordInstanceMethodCall {
+    class ToSgidParamCall extends DataFlow::CallNode {
       ToSgidParamCall() { this.getMethodName() = "to_sgid_param" }
     }
   }
diff --git a/ruby/ql/test/library-tests/frameworks/globalid/GlobalId.expected b/ruby/ql/test/library-tests/frameworks/globalid/GlobalId.expected
@@ -1,24 +1,38 @@
 locateCalls
 | globalid.rb:6:3:6:30 | call to locate |
 | globalid.rb:11:3:11:30 | call to locate |
+| globalid.rb:70:3:70:30 | call to locate |
 locateSignedCalls
 | globalid.rb:16:3:16:38 | call to locate_signed |
 | globalid.rb:21:3:21:38 | call to locate_signed |
+| globalid.rb:89:3:89:38 | call to locate_signed |
 toGlobalIdCalls
 | globalid.rb:5:9:5:33 | call to to_global_id |
 | globalid.rb:10:9:10:27 | call to to_gid |
+| globalid.rb:56:9:56:16 | call to to_gid |
+| globalid.rb:62:9:62:22 | call to to_global_id |
 toGidParamCalls
 | globalid.rb:35:10:35:34 | call to to_gid_param |
+| globalid.rb:68:10:68:23 | call to to_gid_param |
 toSignedGlobalIdCalls
 | globalid.rb:15:10:15:41 | call to to_signed_global_id |
 | globalid.rb:20:10:20:29 | call to to_sgid |
+| globalid.rb:75:10:75:18 | call to to_sgid |
+| globalid.rb:81:10:81:30 | call to to_signed_global_id |
 toSgidParamCalls
 | globalid.rb:41:11:41:36 | call to to_sgid_param |
+| globalid.rb:87:11:87:25 | call to to_sgid_param |
 globalIdParseCalls
 | globalid.rb:36:9:36:27 | call to parse |
+| globalid.rb:69:9:69:27 | call to parse |
 globalIdFindCalls
 | globalid.rb:37:3:37:19 | call to find |
+| globalid.rb:57:3:57:19 | call to find |
+| globalid.rb:63:3:63:19 | call to find |
 signedGlobalIdParseCalls
 | globalid.rb:42:10:42:35 | call to parse |
+| globalid.rb:88:10:88:35 | call to parse |
 signedGlobalIdFindCalls
 | globalid.rb:43:3:43:26 | call to find |
+| globalid.rb:76:3:76:26 | call to find |
+| globalid.rb:82:3:82:26 | call to find |
diff --git a/ruby/ql/test/library-tests/frameworks/globalid/globalid.rb b/ruby/ql/test/library-tests/frameworks/globalid/globalid.rb
@@ -42,3 +42,49 @@ def m8
   sgid = SignedGlobalID.parse sgidp
   SignedGlobalID.find sgid
 end
+
+class Person
+  include GlobalID::Identification
+
+  def self.find(id)
+    # implementation goes here
+  end
+end
+
+def m9
+  p = Person.find(1)
+  gid = p.to_gid
+  GlobalID.find gid
+end
+
+def m10
+  p = Person.find(1)
+  gid = p.to_global_id
+  GlobalID.find gid
+end
+
+def m11
+  p = Person.find(1)
+  gidp = p.to_gid_param
+  gid = GlobalID.parse gidp
+  GlobalID::Locator.locate gid
+end
+
+def m12
+  p = Person.find(1)
+  sgid = p.to_sgid
+  SignedGlobalID.find sgid
+end
+
+def m10
+  p = Person.find(1)
+  sgid = p.to_signed_global_id
+  SignedGlobalID.find sgid
+end
+
+def m11
+  p = Person.find(1)
+  sgidp = p.to_sgid_param
+  sgid = SignedGlobalID.parse sgidp
+  GlobalID::Locator.locate_signed sgid
+end
