Merge pull request github#11166 from github/nickrolfe/active_support_flow_summaries

nickrolfe · web-flow · commit 2f9f1f73b75b · 2022-11-10T10:11:48.000Z
Ruby: generalise summaries for ActiveSupport Hash extensions
diff --git a/ruby/ql/lib/change-notes/2022-11-08-activesupport-hash-extensions.md b/ruby/ql/lib/change-notes/2022-11-08-activesupport-hash-extensions.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Taint flow through the `ActiveSupport` extensions `Hash#reverse_merge` and `Hash:reverse_merge!`, and their aliases, is now modeled more generally, where previously it was only modeled in the context of `ActionController` parameters.
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll b/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll
@@ -636,13 +636,14 @@ private module ParamsSummaries {
    * Returns current ActionController::Parameters instance with current hash merged into other_hash.
    * `#reverse_merge!`
    * `#with_defaults!`
+   * `#reverse_update`
    * Returns a new ActionController::Parameters with all keys from current hash merged into other_hash.
    */
   private class MergeBangSummary extends SummarizedCallable {
     MergeBangSummary() { this = "ActionController::Parameters#merge!" }
 
     override MethodCall getACall() {
-      result.getMethodName() = ["merge!", "reverse_merge!", "with_defaults!"] and
+      result.getMethodName() = ["merge!", "reverse_merge!", "with_defaults!", "reverse_update"] and
       paramsInstance().getALocalUse().asExpr().getExpr() =
         [result.getReceiver(), result.getArgument(0)]
     }
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/ActiveSupport.qll b/ruby/ql/lib/codeql/ruby/frameworks/ActiveSupport.qll
@@ -120,6 +120,32 @@ module ActiveSupport {
         }
       }
 
+      /**
+       * Flow summary for `reverse_merge`, and its alias `with_defaults`.
+       */
+      private class ReverseMergeSummary extends SimpleSummarizedCallable {
+        ReverseMergeSummary() { this = ["reverse_merge", "with_defaults"] }
+
+        override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+          input = "Argument[self,0].WithElement[any]" and
+          output = "ReturnValue" and
+          preservesValue = true
+        }
+      }
+
+      /**
+       * Flow summary for `reverse_merge!`, and its aliases `with_defaults!` and `reverse_update`.
+       */
+      private class ReverseMergeBangSummary extends SimpleSummarizedCallable {
+        ReverseMergeBangSummary() { this = ["reverse_merge!", "with_defaults!", "reverse_update"] }
+
+        override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+          input = "Argument[self,0].WithElement[any]" and
+          output = ["ReturnValue", "Argument[self]"] and
+          preservesValue = true
+        }
+      }
+
       private class TransformSummary extends SimpleSummarizedCallable {
         TransformSummary() {
           this =
diff --git a/ruby/ql/test/library-tests/dataflow/hash-flow/hash-flow.expected b/ruby/ql/test/library-tests/dataflow/hash-flow/hash-flow.expected
diff --git a/ruby/ql/test/library-tests/dataflow/hash-flow/hash_flow.rb b/ruby/ql/test/library-tests/dataflow/hash-flow/hash_flow.rb
@@ -842,3 +842,125 @@ def m48()
 end
 
 m48()
+
+def m49()
+    hash1 = {
+        a: taint(49.1),
+        b: 1,
+        c: taint(49.2)
+    }
+    hash2 = {
+        d: taint(49.3),
+        e: 1,
+        f: taint(49.4)
+    }
+
+    hash3 = hash1.reverse_merge(hash2)
+    sink (hash3[:a]) # $ hasValueFlow=49.1
+    sink (hash3[:b])
+    sink (hash3[:c]) # $ hasValueFlow=49.2
+    sink (hash3[:d]) # $ hasValueFlow=49.3
+    sink (hash3[:e])
+    sink (hash3[:f]) # $ hasValueFlow=49.4
+
+    # alias for reverse_merge
+    hash4 = hash1.with_defaults(hash2)
+    sink (hash4[:a]) # $ hasValueFlow=49.1
+    sink (hash4[:b])
+    sink (hash4[:c]) # $ hasValueFlow=49.2
+    sink (hash4[:d]) # $ hasValueFlow=49.3
+    sink (hash4[:e])
+    sink (hash4[:f]) # $ hasValueFlow=49.4
+end
+
+m49()
+
+def m50()
+    hash1 = {
+        a: taint(50.1),
+        b: 1,
+        c: taint(50.2)
+    }
+    hash2 = {
+        d: taint(50.3),
+        e: 1,
+        f: taint(50.4)
+    }
+
+    hash = hash1.reverse_merge!(hash2)
+    sink (hash[:a]) # $ hasValueFlow=50.1
+    sink (hash[:b])
+    sink (hash[:c]) # $ hasValueFlow=50.2
+    sink (hash[:d]) # $ hasValueFlow=50.3
+    sink (hash[:e])
+    sink (hash[:f]) # $ hasValueFlow=50.4
+
+    sink (hash1[:a]) # $ hasValueFlow=50.1
+    sink (hash1[:b])
+    sink (hash1[:c]) # $ hasValueFlow=50.2
+    sink (hash1[:d]) # $ hasValueFlow=50.3
+    sink (hash1[:e])
+    sink (hash1[:f]) # $ hasValueFlow=50.4
+end
+
+m50()
+
+def m51()
+    hash1 = {
+        a: taint(51.1),
+        b: 1,
+        c: taint(51.2)
+    }
+    hash2 = {
+        d: taint(51.3),
+        e: 1,
+        f: taint(51.4)
+    }
+
+    hash = hash1.with_defaults!(hash2)
+    sink (hash[:a]) # $ hasValueFlow=51.1
+    sink (hash[:b])
+    sink (hash[:c]) # $ hasValueFlow=51.2
+    sink (hash[:d]) # $ hasValueFlow=51.3
+    sink (hash[:e])
+    sink (hash[:f]) # $ hasValueFlow=51.4
+
+    sink (hash1[:a]) # $ hasValueFlow=51.1
+    sink (hash1[:b])
+    sink (hash1[:c]) # $ hasValueFlow=51.2
+    sink (hash1[:d]) # $ hasValueFlow=51.3
+    sink (hash1[:e])
+    sink (hash1[:f]) # $ hasValueFlow=51.4
+end
+
+m51()
+
+def m52()
+    hash1 = {
+        a: taint(52.1),
+        b: 1,
+        c: taint(52.2)
+    }
+    hash2 = {
+        d: taint(52.3),
+        e: 1,
+        f: taint(52.4)
+    }
+
+    hash = hash1.with_defaults!(hash2)
+    sink (hash[:a]) # $ hasValueFlow=52.1
+    sink (hash[:b])
+    sink (hash[:c]) # $ hasValueFlow=52.2
+    sink (hash[:d]) # $ hasValueFlow=52.3
+    sink (hash[:e])
+    sink (hash[:f]) # $ hasValueFlow=52.4
+
+    sink (hash1[:a]) # $ hasValueFlow=52.1
+    sink (hash1[:b])
+    sink (hash1[:c]) # $ hasValueFlow=52.2
+    sink (hash1[:d]) # $ hasValueFlow=52.3
+    sink (hash1[:e])
+    sink (hash1[:f]) # $ hasValueFlow=52.4
+end
+
+m52()
diff --git a/ruby/ql/test/library-tests/dataflow/hash-flow/type-tracking-hash-flow.expected b/ruby/ql/test/library-tests/dataflow/hash-flow/type-tracking-hash-flow.expected
@@ -31,3 +31,9 @@
 | hash_flow.rb:782:10:782:17 | ...[...] | Unexpected result: hasValueFlow=46.3 |
 | hash_flow.rb:839:22:839:42 | # $ hasValueFlow=48.3 | Missing result:hasValueFlow=48.3 |
 | hash_flow.rb:841:22:841:42 | # $ hasValueFlow=48.4 | Missing result:hasValueFlow=48.4 |
+| hash_flow.rb:901:22:901:42 | # $ hasValueFlow=50.3 | Missing result:hasValueFlow=50.3 |
+| hash_flow.rb:903:22:903:42 | # $ hasValueFlow=50.4 | Missing result:hasValueFlow=50.4 |
+| hash_flow.rb:931:22:931:42 | # $ hasValueFlow=51.3 | Missing result:hasValueFlow=51.3 |
+| hash_flow.rb:933:22:933:42 | # $ hasValueFlow=51.4 | Missing result:hasValueFlow=51.4 |
+| hash_flow.rb:961:22:961:42 | # $ hasValueFlow=52.3 | Missing result:hasValueFlow=52.3 |
+| hash_flow.rb:963:22:963:42 | # $ hasValueFlow=52.4 | Missing result:hasValueFlow=52.4 |
diff --git a/ruby/ql/test/library-tests/frameworks/ActionController.expected b/ruby/ql/test/library-tests/frameworks/ActionController.expected
@@ -1,7 +1,7 @@
 actionControllerControllerClasses
 | action_controller/input_access.rb:1:1:50:3 | UsersController |
-| action_controller/params_flow.rb:1:1:153:3 | MyController |
-| action_controller/params_flow.rb:161:1:169:3 | Subclass |
+| action_controller/params_flow.rb:1:1:162:3 | MyController |
+| action_controller/params_flow.rb:170:1:178:3 | Subclass |
 | active_record/ActiveRecord.rb:23:1:39:3 | FooController |
 | active_record/ActiveRecord.rb:41:1:64:3 | BarController |
 | active_record/ActiveRecord.rb:66:1:98:3 | BazController |
@@ -48,8 +48,9 @@ actionControllerActionMethods
 | action_controller/params_flow.rb:125:3:132:5 | m30 |
 | action_controller/params_flow.rb:134:3:141:5 | m31 |
 | action_controller/params_flow.rb:143:3:150:5 | m32 |
-| action_controller/params_flow.rb:156:3:158:5 | m33 |
-| action_controller/params_flow.rb:162:3:164:5 | m34 |
+| action_controller/params_flow.rb:152:3:159:5 | m33 |
+| action_controller/params_flow.rb:165:3:167:5 | m34 |
+| action_controller/params_flow.rb:171:3:173:5 | m35 |
 | active_record/ActiveRecord.rb:27:3:38:5 | some_request_handler |
 | active_record/ActiveRecord.rb:42:3:47:5 | some_other_request_handler |
 | active_record/ActiveRecord.rb:49:3:63:5 | safe_paths |
@@ -120,9 +121,12 @@ paramsCalls
 | action_controller/params_flow.rb:144:10:144:15 | call to params |
 | action_controller/params_flow.rb:145:32:145:37 | call to params |
 | action_controller/params_flow.rb:148:22:148:27 | call to params |
-| action_controller/params_flow.rb:157:10:157:15 | call to params |
-| action_controller/params_flow.rb:163:10:163:15 | call to params |
-| action_controller/params_flow.rb:167:10:167:15 | call to params |
+| action_controller/params_flow.rb:153:10:153:15 | call to params |
+| action_controller/params_flow.rb:154:32:154:37 | call to params |
+| action_controller/params_flow.rb:157:22:157:27 | call to params |
+| action_controller/params_flow.rb:166:10:166:15 | call to params |
+| action_controller/params_flow.rb:172:10:172:15 | call to params |
+| action_controller/params_flow.rb:176:10:176:15 | call to params |
 | action_mailer/mailer.rb:3:10:3:15 | call to params |
 | active_record/ActiveRecord.rb:28:30:28:35 | call to params |
 | active_record/ActiveRecord.rb:29:29:29:34 | call to params |
@@ -198,9 +202,12 @@ paramsSources
 | action_controller/params_flow.rb:144:10:144:15 | call to params |
 | action_controller/params_flow.rb:145:32:145:37 | call to params |
 | action_controller/params_flow.rb:148:22:148:27 | call to params |
-| action_controller/params_flow.rb:157:10:157:15 | call to params |
-| action_controller/params_flow.rb:163:10:163:15 | call to params |
-| action_controller/params_flow.rb:167:10:167:15 | call to params |
+| action_controller/params_flow.rb:153:10:153:15 | call to params |
+| action_controller/params_flow.rb:154:32:154:37 | call to params |
+| action_controller/params_flow.rb:157:22:157:27 | call to params |
+| action_controller/params_flow.rb:166:10:166:15 | call to params |
+| action_controller/params_flow.rb:172:10:172:15 | call to params |
+| action_controller/params_flow.rb:176:10:176:15 | call to params |
 | action_mailer/mailer.rb:3:10:3:15 | call to params |
 | active_record/ActiveRecord.rb:28:30:28:35 | call to params |
 | active_record/ActiveRecord.rb:29:29:29:34 | call to params |
@@ -315,9 +322,12 @@ httpInputAccesses
 | action_controller/params_flow.rb:144:10:144:15 | call to params | ActionController::Metal#params |
 | action_controller/params_flow.rb:145:32:145:37 | call to params | ActionController::Metal#params |
 | action_controller/params_flow.rb:148:22:148:27 | call to params | ActionController::Metal#params |
-| action_controller/params_flow.rb:157:10:157:15 | call to params | ActionController::Metal#params |
-| action_controller/params_flow.rb:163:10:163:15 | call to params | ActionController::Metal#params |
-| action_controller/params_flow.rb:167:10:167:15 | call to params | ActionController::Metal#params |
+| action_controller/params_flow.rb:153:10:153:15 | call to params | ActionController::Metal#params |
+| action_controller/params_flow.rb:154:32:154:37 | call to params | ActionController::Metal#params |
+| action_controller/params_flow.rb:157:22:157:27 | call to params | ActionController::Metal#params |
+| action_controller/params_flow.rb:166:10:166:15 | call to params | ActionController::Metal#params |
+| action_controller/params_flow.rb:172:10:172:15 | call to params | ActionController::Metal#params |
+| action_controller/params_flow.rb:176:10:176:15 | call to params | ActionController::Metal#params |
 | action_mailer/mailer.rb:3:10:3:15 | call to params | ActionController::Metal#params |
 | active_record/ActiveRecord.rb:28:30:28:35 | call to params | ActionController::Metal#params |
 | active_record/ActiveRecord.rb:29:29:29:34 | call to params | ActionController::Metal#params |
diff --git a/ruby/ql/test/library-tests/frameworks/action_controller/params-flow.expected b/ruby/ql/test/library-tests/frameworks/action_controller/params-flow.expected
@@ -44,9 +44,13 @@ edges
 | params_flow.rb:145:32:145:37 | call to params :  | params_flow.rb:145:10:145:38 | call to with_defaults! |
 | params_flow.rb:148:5:148:5 | [post] p :  | params_flow.rb:149:10:149:10 | p |
 | params_flow.rb:148:22:148:27 | call to params :  | params_flow.rb:148:5:148:5 | [post] p :  |
-| params_flow.rb:157:10:157:15 | call to params :  | params_flow.rb:157:10:157:19 | ...[...] |
-| params_flow.rb:163:10:163:15 | call to params :  | params_flow.rb:163:10:163:19 | ...[...] |
-| params_flow.rb:167:10:167:15 | call to params :  | params_flow.rb:167:10:167:19 | ...[...] |
+| params_flow.rb:153:10:153:15 | call to params :  | params_flow.rb:153:10:153:44 | call to reverse_update |
+| params_flow.rb:154:32:154:37 | call to params :  | params_flow.rb:154:10:154:38 | call to reverse_update |
+| params_flow.rb:157:5:157:5 | [post] p :  | params_flow.rb:158:10:158:10 | p |
+| params_flow.rb:157:22:157:27 | call to params :  | params_flow.rb:157:5:157:5 | [post] p :  |
+| params_flow.rb:166:10:166:15 | call to params :  | params_flow.rb:166:10:166:19 | ...[...] |
+| params_flow.rb:172:10:172:15 | call to params :  | params_flow.rb:172:10:172:19 | ...[...] |
+| params_flow.rb:176:10:176:15 | call to params :  | params_flow.rb:176:10:176:19 | ...[...] |
 nodes
 | params_flow.rb:3:10:3:15 | call to params :  | semmle.label | call to params :  |
 | params_flow.rb:3:10:3:19 | ...[...] | semmle.label | ...[...] |
@@ -133,12 +137,19 @@ nodes
 | params_flow.rb:148:5:148:5 | [post] p :  | semmle.label | [post] p :  |
 | params_flow.rb:148:22:148:27 | call to params :  | semmle.label | call to params :  |
 | params_flow.rb:149:10:149:10 | p | semmle.label | p |
-| params_flow.rb:157:10:157:15 | call to params :  | semmle.label | call to params :  |
-| params_flow.rb:157:10:157:19 | ...[...] | semmle.label | ...[...] |
-| params_flow.rb:163:10:163:15 | call to params :  | semmle.label | call to params :  |
-| params_flow.rb:163:10:163:19 | ...[...] | semmle.label | ...[...] |
-| params_flow.rb:167:10:167:15 | call to params :  | semmle.label | call to params :  |
-| params_flow.rb:167:10:167:19 | ...[...] | semmle.label | ...[...] |
+| params_flow.rb:153:10:153:15 | call to params :  | semmle.label | call to params :  |
+| params_flow.rb:153:10:153:44 | call to reverse_update | semmle.label | call to reverse_update |
+| params_flow.rb:154:10:154:38 | call to reverse_update | semmle.label | call to reverse_update |
+| params_flow.rb:154:32:154:37 | call to params :  | semmle.label | call to params :  |
+| params_flow.rb:157:5:157:5 | [post] p :  | semmle.label | [post] p :  |
+| params_flow.rb:157:22:157:27 | call to params :  | semmle.label | call to params :  |
+| params_flow.rb:158:10:158:10 | p | semmle.label | p |
+| params_flow.rb:166:10:166:15 | call to params :  | semmle.label | call to params :  |
+| params_flow.rb:166:10:166:19 | ...[...] | semmle.label | ...[...] |
+| params_flow.rb:172:10:172:15 | call to params :  | semmle.label | call to params :  |
+| params_flow.rb:172:10:172:19 | ...[...] | semmle.label | ...[...] |
+| params_flow.rb:176:10:176:15 | call to params :  | semmle.label | call to params :  |
+| params_flow.rb:176:10:176:19 | ...[...] | semmle.label | ...[...] |
 subpaths
 #select
 | params_flow.rb:3:10:3:19 | ...[...] | params_flow.rb:3:10:3:15 | call to params :  | params_flow.rb:3:10:3:19 | ...[...] | $@ | params_flow.rb:3:10:3:15 | call to params :  | call to params :  |
@@ -182,6 +193,9 @@ subpaths
 | params_flow.rb:144:10:144:44 | call to with_defaults! | params_flow.rb:144:10:144:15 | call to params :  | params_flow.rb:144:10:144:44 | call to with_defaults! | $@ | params_flow.rb:144:10:144:15 | call to params :  | call to params :  |
 | params_flow.rb:145:10:145:38 | call to with_defaults! | params_flow.rb:145:32:145:37 | call to params :  | params_flow.rb:145:10:145:38 | call to with_defaults! | $@ | params_flow.rb:145:32:145:37 | call to params :  | call to params :  |
 | params_flow.rb:149:10:149:10 | p | params_flow.rb:148:22:148:27 | call to params :  | params_flow.rb:149:10:149:10 | p | $@ | params_flow.rb:148:22:148:27 | call to params :  | call to params :  |
-| params_flow.rb:157:10:157:19 | ...[...] | params_flow.rb:157:10:157:15 | call to params :  | params_flow.rb:157:10:157:19 | ...[...] | $@ | params_flow.rb:157:10:157:15 | call to params :  | call to params :  |
-| params_flow.rb:163:10:163:19 | ...[...] | params_flow.rb:163:10:163:15 | call to params :  | params_flow.rb:163:10:163:19 | ...[...] | $@ | params_flow.rb:163:10:163:15 | call to params :  | call to params :  |
-| params_flow.rb:167:10:167:19 | ...[...] | params_flow.rb:167:10:167:15 | call to params :  | params_flow.rb:167:10:167:19 | ...[...] | $@ | params_flow.rb:167:10:167:15 | call to params :  | call to params :  |
+| params_flow.rb:153:10:153:44 | call to reverse_update | params_flow.rb:153:10:153:15 | call to params :  | params_flow.rb:153:10:153:44 | call to reverse_update | $@ | params_flow.rb:153:10:153:15 | call to params :  | call to params :  |
+| params_flow.rb:154:10:154:38 | call to reverse_update | params_flow.rb:154:32:154:37 | call to params :  | params_flow.rb:154:10:154:38 | call to reverse_update | $@ | params_flow.rb:154:32:154:37 | call to params :  | call to params :  |
+| params_flow.rb:158:10:158:10 | p | params_flow.rb:157:22:157:27 | call to params :  | params_flow.rb:158:10:158:10 | p | $@ | params_flow.rb:157:22:157:27 | call to params :  | call to params :  |
+| params_flow.rb:166:10:166:19 | ...[...] | params_flow.rb:166:10:166:15 | call to params :  | params_flow.rb:166:10:166:19 | ...[...] | $@ | params_flow.rb:166:10:166:15 | call to params :  | call to params :  |
+| params_flow.rb:172:10:172:19 | ...[...] | params_flow.rb:172:10:172:15 | call to params :  | params_flow.rb:172:10:172:19 | ...[...] | $@ | params_flow.rb:172:10:172:15 | call to params :  | call to params :  |
+| params_flow.rb:176:10:176:19 | ...[...] | params_flow.rb:176:10:176:15 | call to params :  | params_flow.rb:176:10:176:19 | ...[...] | $@ | params_flow.rb:176:10:176:15 | call to params :  | call to params :  |
diff --git a/ruby/ql/test/library-tests/frameworks/action_controller/params_flow.rb b/ruby/ql/test/library-tests/frameworks/action_controller/params_flow.rb
@@ -149,17 +149,26 @@ def m32
     sink p # $hasTaintFlow
   end
 
+  def m33
+    sink params.reverse_update({a: 1, b: 2}) # $hasTaintFlow
+    sink {a: 1}.reverse_update(params) # $hasTaintFlow
+
+    p = {a: 1}
+    p.reverse_update(params)
+    sink p # $hasTaintFlow
+  end
+  
   include Mixin
 end
 
 module Mixin
-  def m33
+  def m34
     sink params[:x] # $hasTaintFlow
   end
 end
 
 class Subclass < MyController
-  def m34
+  def m35
     sink params[:x] # $hasTaintFlow
   end
 

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Taint flow through the `ActiveSupport` extensions `Hash#reverse_merge` and `Hash:reverse_merge!`, and their aliases, is now modeled more generally, where previously it was only modeled in the context of `ActionController` parameters.