You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/codeql/codeql-language-guides/analyzing-data-flow-in-ruby.rst
+22-22Lines changed: 22 additions & 22 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -15,15 +15,15 @@ For a more general introduction to modeling data flow, see ":ref:`About data flo
15
15
Local data flow
16
16
---------------
17
17
18
-
Local data flow is data flow within a single method or callable. Local data flow is easier, faster, and more precise than global data flow, and is sufficient for many queries.
18
+
Local data flow tracks the flow of data within a single method or callable. Local data flow is easier, faster, and more precise than global data flow. Before looking at more complex tracking, you should always consider local tracking because it is sufficient for many queries.
19
19
20
20
Using local data flow
21
21
~~~~~~~~~~~~~~~~~~~~~
22
22
23
-
The local data flow library is in the module ``DataFlow`` and it defines the class ``Node``, representing any element through which data can flow.
23
+
You can use the local data flow library by importing the ``DataFlow`` module. The library uses the class ``Node`` to represent any element through which data can flow.
24
24
``Node``\ s are divided into expression nodes (``ExprNode``) and parameter nodes (``ParameterNode``).
25
-
You can map between a data flow ``ParameterNode`` and its corresponding ``Parameter`` AST node using the ``asParameter`` member predicate.
26
-
Meanwhile, the ``asExpr`` member predicate maps between a data flow ``ExprNode`` and its corresponding ``ExprCfgNode`` in the control-flow library.
25
+
You can map a data flow ``ParameterNode`` to its corresponding ``Parameter`` AST node using the ``asParameter`` member predicate.
26
+
Similarly, you can use the ``asExpr`` member predicate to map a data flow ``ExprNode`` to its corresponding ``ExprCfgNode`` in the control-flow library.
27
27
28
28
.. code-block:: ql
29
29
@@ -37,7 +37,7 @@ Meanwhile, the ``asExpr`` member predicate maps between a data flow ``ExprNode``
37
37
...
38
38
}
39
39
40
-
You can also use the predicates ``exprNode`` and ``parameterNode``:
40
+
You can use the predicates ``exprNode`` and ``parameterNode`` to map from expressions and parameters to their data-flow node:
41
41
42
42
.. code-block:: ql
43
43
@@ -52,8 +52,8 @@ You can also use the predicates ``exprNode`` and ``parameterNode``:
52
52
ParameterNode parameterNode(Parameter p) { ... }
53
53
54
54
Note that since ``asExpr`` and ``exprNode`` map between data-flow and control-flow nodes, you then need to call the ``getExpr`` member predicate on the control-flow node to map to the corresponding AST node,
55
-
e.g. by writing ``node.asExpr().getExpr()``.
56
-
Due to the control-flow graph being split, there can be multiple data-flow and control-flow nodes associated with a single expression AST node.
55
+
for example, by writing ``node.asExpr().getExpr()``.
56
+
A control-flow graph considers every way control can flow through code, consequently, there can be multiple data-flow and control-flow nodes associated with a single expression node in the AST.
57
57
58
58
The predicate ``localFlowStep(Node nodeFrom, Node nodeTo)`` holds if there is an immediate data flow edge from the node ``nodeFrom`` to the node ``nodeTo``.
59
59
You can apply the predicate recursively, by using the ``+`` and ``*`` operators, or you can use the predefined recursive predicate ``localFlow``.
@@ -67,7 +67,7 @@ For example, you can find flow from an expression ``source`` to an expression ``
67
67
Using local taint tracking
68
68
~~~~~~~~~~~~~~~~~~~~~~~~~~
69
69
70
-
Local taint tracking extends local data flow by including non-value-preserving flow steps.
70
+
Local taint tracking extends local data flow to include flow steps where values are not preserved, for example, string manipulation.
71
71
For example:
72
72
73
73
.. code-block:: ruby
@@ -91,17 +91,17 @@ For example, you can find taint propagation from an expression ``source`` to an
91
91
Using local sources
92
92
~~~~~~~~~~~~~~~~~~~
93
93
94
-
When asking for local data flow or taint propagation between two expressions as above, you would normally constrain the expressions to be relevant to a certain investigation.
95
-
The next section will give some concrete examples, but there is a more abstract concept that we should call out explicitly, namely that of a local source.
94
+
When exploring local data flow or taint propagation between two expressions as above, you would normally constrain the expressions to be relevant to your investigation.
95
+
The next section gives some concrete examples, but first it's helpful to introduce the concept of a local source.
96
96
97
97
A local source is a data-flow node with no local data flow into it.
98
98
As such, it is a local origin of data flow, a place where a new value is created.
99
-
This includes parameters (which only receive global data flow) and most expressions (because they are not value-preserving).
99
+
This includes parameters (which only receive values from global data flow) and most expressions (because they are not value-preserving).
100
100
The class ``LocalSourceNode`` represents data-flow nodes that are also local sources.
101
101
It comes with a useful member predicate ``flowsTo(DataFlow::Node node)``, which holds if there is local data flow from the local source to ``node``.
102
102
103
-
Examples
104
-
~~~~~~~~
103
+
Examples of local data flow
104
+
~~~~~~~~~~~~~~~~~~~~~~~~~~~
105
105
106
106
This query finds the filename argument passed in each call to ``File.open``:
107
107
@@ -134,8 +134,8 @@ So we use local data flow to find all expressions that flow into the argument:
134
134
Many expressions flow to the same call.
135
135
If you run this query, you may notice that you get several data-flow nodes for an expression as it flows towards a call (notice repeated locations in the ``call`` column).
136
136
We are mostly interested in the "first" of these, what might be called the local source for the file name.
137
-
To restrict attention to such local sources, and to simultaneously make the analysis more performant, we have the QL class ``LocalSourceNode``.
138
-
We could demand that ``expr`` is such a node:
137
+
To restrict the results to local sources for the file name, and to simultaneously make the analysis more efficient, we can use the CodeQL class ``LocalSourceNode``.
138
+
We can update the query to specify that ``expr`` is an instance of a ``LocalSourceNode``.
139
139
140
140
.. code-block:: ql
141
141
@@ -149,7 +149,7 @@ We could demand that ``expr`` is such a node:
149
149
expr instanceof DataFlow::LocalSourceNode
150
150
select call, expr
151
151
152
-
However, we could also enforce this by casting.
152
+
An alternative approach to limit the results to local sources for the file name is to enforce this by casting.
153
153
That would allow us to use the member predicate ``flowsTo`` on ``LocalSourceNode`` like so:
154
154
155
155
.. code-block:: ql
@@ -181,7 +181,7 @@ We now mostly have one expression per call.
181
181
182
182
We may still have cases of more than one expression flowing to a call, but then they flow through different code paths (possibly due to control-flow splitting).
183
183
184
-
We might want to make the source more specific, for example a parameter to a method or block.
184
+
We might want to make the source more specific, for example, a parameter to a method or block.
185
185
This query finds instances where a parameter is used as the name when opening a file:
186
186
187
187
.. code-block:: ql
@@ -197,7 +197,7 @@ This query finds instances where a parameter is used as the name when opening a
197
197
198
198
Using the exact name supplied via the parameter may be too strict.
199
199
If we want to know if the parameter influences the file name, we can use taint tracking instead of data flow.
200
-
This query finds calls to ``File.open`` where the filename is derived from a parameter:
200
+
This query finds calls to ``File.open`` where the file name is derived from a parameter:
201
201
202
202
.. code-block:: ql
203
203
@@ -224,7 +224,7 @@ However, global data flow is less precise than local data flow, and the analysis
224
224
Using global data flow
225
225
~~~~~~~~~~~~~~~~~~~~~~
226
226
227
-
The global data flow library is used by extending the class ``DataFlow::Configuration``:
227
+
You can use the global data flow library by extending the class ``DataFlow::Configuration``:
228
228
229
229
.. code-block:: ql
230
230
@@ -316,15 +316,15 @@ Class hierarchy
316
316
- ``Concepts::SystemCommandExecution`` - a data-flow node that executes an operating system command, for instance by spawning a new process.
317
317
- ``Concepts::FileSystemAccess`` - a data-flow node that performs a file system access, including reading and writing data, creating and deleting files and folders, checking and updating permissions, and so on.
318
318
- ``Concepts::Path::PathNormalization`` - a data-flow node that performs path normalization. This is often needed in order to safely access paths.
319
-
- ``Concepts::CodeExecution`` - a data-flow node that dynamically executes Python code.
319
+
- ``Concepts::CodeExecution`` - a data-flow node that dynamically executes Ruby code.
320
320
- ``Concepts::SqlExecution`` - a data-flow node that executes SQL statements.
321
321
- ``Concepts::HTTP::Server::RouteSetup`` - a data-flow node that sets up a route on a server.
322
322
- ``Concepts::HTTP::Server::HttpResponse`` - a data-flow node that creates an HTTP response on a server.
323
323
324
324
- ``TaintTracking::Configuration`` - base class for custom global taint tracking analysis.
325
325
326
-
Examples
327
-
~~~~~~~~
326
+
Examples of global data flow
327
+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
328
328
329
329
This query shows a data flow configuration that uses all network input as data sources:
0 commit comments