Merge pull request github#11024 from asgerf/rb/data-flow-layer-capture2

Ruby: expand DataFlow API

Author: asgerf

ruby/ql/lib/codeql/ruby/AST.qll

@@ -36,6 +36,13 @@ private module Cached {
     not s instanceof ModuleBase and
     result = getEnclosingMethod(s.getOuterScope())
   }
+
+  cached
+  Toplevel getEnclosingToplevel(Scope s) {
+    result = s
+    or
+    result = getEnclosingToplevel(s.getOuterScope())
+  }
 }
 
 private import Cached
@@ -66,6 +73,9 @@ class AstNode extends TAstNode {
   /** Gets the enclosing method, if any. */
   final MethodBase getEnclosingMethod() { result = getEnclosingMethod(scopeOfInclSynth(this)) }
 
+  /** Gets the enclosing top-level. */
+  final Toplevel getEnclosingToplevel() { result = getEnclosingToplevel(scopeOfInclSynth(this)) }
+
   /** Gets a textual representation of this node. */
   cached
   string toString() { none() }

ruby/ql/lib/codeql/ruby/Concepts.qll

@@ -271,10 +271,7 @@ module Http {
 
         /** Gets the URL pattern for this route, if it can be statically determined. */
         string getUrlPattern() {
-          exists(CfgNodes::ExprNodes::StringlikeLiteralCfgNode strNode |
-            this.getUrlPatternArg().getALocalSource() = DataFlow::exprNode(strNode) and
-            result = strNode.getExpr().getConstantValue().getStringlikeValue()
-          )
+          result = this.getUrlPatternArg().getALocalSource().getConstantValue().getStringlikeValue()
         }
 
         /**
@@ -538,10 +535,12 @@ module Http {
 
         /** Gets the mimetype of this HTTP response, if it can be statically determined. */
         string getMimetype() {
-          exists(CfgNodes::ExprNodes::StringlikeLiteralCfgNode strNode |
-            this.getMimetypeOrContentTypeArg().getALocalSource() = DataFlow::exprNode(strNode) and
-            result = strNode.getExpr().getConstantValue().getStringlikeValue().splitAt(";", 0)
-          )
+          result =
+            this.getMimetypeOrContentTypeArg()
+                .getALocalSource()
+                .getConstantValue()
+                .getStringlikeValue()
+                .splitAt(";", 0)
           or
           not exists(this.getMimetypeOrContentTypeArg()) and
           result = this.getMimetypeDefault()

ruby/ql/lib/codeql/ruby/ast/Constant.qll

@@ -170,6 +170,24 @@ module ConstantValue {
 
   /** A constant `nil` value. */
   class ConstantNilValue extends ConstantValue, TNil { }
+
+  /** Gets the integer constant `x`. */
+  ConstantValue fromInt(int x) { result.getInt() = x }
+
+  /** Gets the float constant `x`. */
+  ConstantValue fromFloat(float x) { result.getFloat() = x }
+
+  /** Gets the string constant `x`. */
+  ConstantValue fromString(string x) { result.getString() = x }
+
+  /** Gets the symbol constant `x`. */
+  ConstantValue fromSymbol(string x) { result.getSymbol() = x }
+
+  /** Gets the regexp constant `x`. */
+  ConstantValue fromRegExp(string x) { result.getRegExp() = x }
+
+  /** Gets the string, symbol, or regexp constant `x`. */
+  ConstantValue fromStringlikeValue(string x) { result.getStringlikeValue() = x }
 }
 
 /** An access to a constant. */

ruby/ql/lib/codeql/ruby/ast/Module.qll

@@ -3,6 +3,7 @@ private import codeql.ruby.CFG
 private import internal.AST
 private import internal.Module
 private import internal.TreeSitter
+private import internal.Scope
 
 /**
  * A representation of a run-time `module` or `class` value.
@@ -23,6 +24,22 @@ class Module extends TModule {
   /** Gets an `include`d module. */
   Module getAnIncludedModule() { result = getAnIncludedModule(this) }
 
+  /** Gets the super class or an included or prepended module. */
+  Module getAnImmediateAncestor() {
+    result = [this.getSuperClass(), this.getAPrependedModule(), this.getAnIncludedModule()]
+  }
+
+  /** Gets a direct subclass or module including or prepending this one. */
+  Module getAnImmediateDescendent() { this = result.getAnImmediateAncestor() }
+
+  /** Gets a module that is transitively subclassed, included, or prepended by this module. */
+  pragma[inline]
+  Module getAnAncestor() { result = this.getAnImmediateAncestor*() }
+
+  /** Gets a module that transitively subclasses, includes, or prepends this module. */
+  pragma[inline]
+  Module getADescendent() { result = this.getAnImmediateDescendent*() }
+
   /** Holds if this module is a class. */
   pragma[noinline]
   predicate isClass() {
@@ -63,6 +80,99 @@ class Module extends TModule {
           loc.getStartColumn()
       )
   }
+
+  /** Gets a constant or `self` access that refers to this module. */
+  private Expr getAnImmediateReferenceBase() {
+    resolveConstantReadAccess(result) = this
+    or
+    result.(SelfVariableAccess).getVariable() = this.getADeclaration().getModuleSelfVariable()
+  }
+
+  /** Gets a singleton class that augments this module object. */
+  SingletonClass getASingletonClass() { result.getValue() = this.getAnImmediateReferenceBase() }
+
+  /**
+   * Gets a singleton method on this module, either declared as a singleton method
+   * or an instance method on a singleton class.
+   *
+   * Does not take inheritance into account.
+   */
+  MethodBase getAnOwnSingletonMethod() {
+    result.(SingletonMethod).getObject() = this.getAnImmediateReferenceBase()
+    or
+    result = this.getASingletonClass().getAMethod().(Method)
+  }
+
+  /**
+   * Gets an instance method named `name` declared in this module.
+   *
+   * Does not take inheritance into account.
+   */
+  Method getOwnInstanceMethod(string name) { result = this.getADeclaration().getMethod(name) }
+
+  /**
+   * Gets an instance method declared in this module.
+   *
+   * Does not take inheritance into account.
+   */
+  Method getAnOwnInstanceMethod() { result = this.getADeclaration().getMethod(_) }
+
+  /**
+   * Gets the instance method named `name` available in this module, including methods inherited
+   * from ancestors.
+   */
+  Method getInstanceMethod(string name) { result = lookupMethod(this, name) }
+
+  /**
+   * Gets an instance method available in this module, including methods inherited
+   * from ancestors.
+   */
+  Method getAnInstanceMethod() { result = lookupMethod(this, _) }
+
+  /** Gets a constant or `self` access that refers to this module. */
+  Expr getAnImmediateReference() {
+    result = this.getAnImmediateReferenceBase()
+    or
+    result.(SelfVariableAccess).getVariable().getDeclaringScope() = this.getAnOwnSingletonMethod()
+  }
+
+  pragma[nomagic]
+  private string getEnclosingModuleName() {
+    exists(string qname |
+      qname = this.getQualifiedName() and
+      result = qname.regexpReplaceAll("::[^:]*$", "") and
+      qname != result
+    )
+  }
+
+  pragma[nomagic]
+  private string getOwnModuleName() {
+    result = this.getQualifiedName().regexpReplaceAll("^.*::", "")
+  }
+
+  /**
+   * Gets the enclosing module, as it appears in the qualified name of this module.
+   *
+   * For example, the parent module of `A::B` is `A`, and `A` itself has no parent module.
+   */
+  pragma[nomagic]
+  Module getParentModule() { result.getQualifiedName() = this.getEnclosingModuleName() }
+
+  /**
+   * Gets a module named `name` declared inside this one (not aliased), provided
+   * that such a module is defined or reopened in the current codebase.
+   *
+   * For example, for `A::B` the nested module named `C` would be `A::B::C`.
+   *
+   * Note that this is not the same as constant lookup. If `A::B::C` would resolve to a
+   * module whose qualified name is not `A::B::C`, then it will not be found by
+   * this predicate.
+   */
+  pragma[nomagic]
+  Module getNestedModule(string name) {
+    result.getParentModule() = this and
+    result.getOwnModuleName() = name
+  }
 }
 
 /**
@@ -141,6 +251,46 @@ class ModuleBase extends BodyStmt, Scope, TModuleBase {
 
   /** Gets the representation of the run-time value of this module or class. */
   Module getModule() { none() }
+
+  /**
+   * Gets the `self` variable in the module-level scope.
+   *
+   * Does not include the `self` variable from any of the methods in the module.
+   */
+  SelfVariable getModuleSelfVariable() { result.getDeclaringScope() = this }
+
+  /** Gets the nearest enclosing `Namespace` or `Toplevel`, possibly this module itself. */
+  Namespace getNamespaceOrToplevel() {
+    result = this
+    or
+    not this instanceof Namespace and
+    result = this.getEnclosingModule().getNamespaceOrToplevel()
+  }
+
+  /**
+   * Gets an expression denoting the super class or an included or prepended module.
+   *
+   * For example, `C` is an ancestor expression of `M` in each of the following examples:
+   * ```rb
+   * class M < C
+   * end
+   *
+   * module M
+   *   include C
+   *   prepend C
+   * end
+   * ```
+   */
+  Expr getAnAncestorExpr() {
+    exists(MethodCall call |
+      call.getReceiver().(SelfVariableAccess).getVariable() = this.getModuleSelfVariable() and
+      call.getMethodName() = ["include", "prepend"] and
+      result = call.getArgument(0) and
+      scopeOfInclSynth(call) = this // only permit calls directly in the module scope, not in a block
+    )
+    or
+    result = this.(ClassDeclaration).getSuperclassExpr()
+  }
 }
 
 /**

ruby/ql/lib/codeql/ruby/dataflow/SSA.qll

@@ -289,7 +289,7 @@ module Ssa {
       )
     }
 
-    final override string toString() { result = "<captured>" }
+    final override string toString() { result = "<captured> " + this.getSourceVariable() }
 
     override Location getLocation() { result = this.getBasicBlock().getLocation() }
   }

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll

@@ -119,11 +119,27 @@ module LocalFlow {
    * Holds if `nodeFrom` is a parameter node, and `nodeTo` is a corresponding SSA node.
    */
   predicate localFlowSsaParamInput(Node nodeFrom, Node nodeTo) {
-    nodeTo = getParameterDefNode(nodeFrom.(ParameterNode).getParameter())
+    nodeTo = getParameterDefNode(nodeFrom.(ParameterNodeImpl).getParameter())
     or
     nodeTo = getSelfParameterDefNode(nodeFrom.(SelfParameterNode).getMethod())
   }
 
+  /**
+   * Holds if `nodeFrom -> nodeTo` is a step from a parameter to a capture entry node for
+   * that parameter.
+   *
+   * This is intended to recover from flow not currently recognised by ordinary capture flow.
+   */
+  predicate localFlowSsaParamCaptureInput(Node nodeFrom, Node nodeTo) {
+    exists(Ssa::CapturedEntryDefinition def |
+      nodeFrom.asParameter().(NamedParameter).getVariable() = def.getSourceVariable()
+      or
+      nodeFrom.(SelfParameterNode).getSelfVariable() = def.getSourceVariable()
+    |
+      nodeTo.(SsaDefinitionNode).getDefinition() = def
+    )
+  }
+
   /**
    * Holds if there is a local use-use flow step from `nodeFrom` to `nodeTo`
    * involving SSA definition `def`.
@@ -309,7 +325,7 @@ private module Cached {
   predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
     LocalFlow::localFlowStepCommon(nodeFrom, nodeTo)
     or
-    defaultValueFlow(nodeTo.(ParameterNode).getParameter(), nodeFrom)
+    defaultValueFlow(nodeTo.(ParameterNodeImpl).getParameter(), nodeFrom)
     or
     LocalFlow::localFlowSsaParamInput(nodeFrom, nodeTo)
     or
@@ -338,7 +354,7 @@ private module Cached {
   predicate localFlowStepImpl(Node nodeFrom, Node nodeTo) {
     LocalFlow::localFlowStepCommon(nodeFrom, nodeTo)
     or
-    defaultValueFlow(nodeTo.(ParameterNode).getParameter(), nodeFrom)
+    defaultValueFlow(nodeTo.(ParameterNodeImpl).getParameter(), nodeFrom)
     or
     LocalFlow::localFlowSsaParamInput(nodeFrom, nodeTo)
     or
@@ -349,7 +365,12 @@ private module Cached {
     FlowSummaryImpl::Private::Steps::summaryThroughStepValue(nodeFrom, nodeTo, _)
   }
 
-  /** This is the local flow predicate that is used in type tracking. */
+  /**
+   * This is the local flow predicate that is used in type tracking.
+   *
+   * This needs to exclude `localFlowSsaParamInput` due to a performance trick
+   * in type tracking, where such steps are treated as call steps.
+   */
   cached
   predicate localFlowStepTypeTracker(Node nodeFrom, Node nodeTo) {
     LocalFlow::localFlowStepCommon(nodeFrom, nodeTo)
@@ -396,7 +417,7 @@ private module Cached {
 
   cached
   predicate isLocalSourceNode(Node n) {
-    n instanceof ParameterNode
+    n instanceof TParameterNode
     or
     // Expressions that can't be reached from another entry definition or expression
     n instanceof ExprNode and
@@ -1272,7 +1293,7 @@ predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c)
     creation.asExpr() =
       any(CfgNodes::ExprNodes::MethodCallCfgNode mc |
         c.asCallable() = mc.getBlock().getExpr() and
-        mc.getExpr().getMethodName() = "lambda"
+        mc.getExpr().getMethodName() = ["lambda", "proc"]
       )
   )
 }