Ruby: Model send_data as an HTTP response

hmac · hmac · commit 9f357837faad · 2022-11-16T13:46:51.000+13:00
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll b/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll
@@ -539,12 +539,38 @@ private class ActionControllerProtectFromForgeryCall extends CsrfProtectionSetti
 /**
  * A call to `send_file`, which sends the file at the given path to the client.
  */
-private class SendFile extends FileSystemAccess::Range, DataFlow::CallNode {
+private class SendFile extends FileSystemAccess::Range, Http::Server::HttpResponse::Range,
+  DataFlow::CallNode {
   SendFile() {
     this = [actionControllerInstance(), Response::response()].getAMethodCall("send_file")
   }
 
   override DataFlow::Node getAPathArgument() { result = this.getArgument(0) }
+
+  override DataFlow::Node getBody() { result = this.getArgument(0) }
+
+  override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
+
+  override string getMimetypeDefault() { result = "application/octet-stream" }
+}
+
+/**
+ * A call to `send_data`, which sends the given data to the client.
+ */
+class SendDataCall extends DataFlow::CallNode, Http::Server::HttpResponse::Range {
+  SendDataCall() {
+    this.getMethodName() = "send_data" and
+    (
+      this.asExpr().getExpr() instanceof ActionControllerContextCall or
+      this.getReceiver().asExpr().getExpr() instanceof Response::ResponseCall
+    )
+  }
+
+  override DataFlow::Node getBody() { result = this.getArgument(0) }
+
+  override DataFlow::Node getMimetypeOrContentTypeArg() { none() }
+
+  override string getMimetypeDefault() { result = "application/octet-stream" }
 }
 
 private module ParamsSummaries {
diff --git a/ruby/ql/test/library-tests/frameworks/action_controller/ActionController.expected b/ruby/ql/test/library-tests/frameworks/action_controller/ActionController.expected
@@ -1,5 +1,5 @@
 actionControllerControllerClasses
-| controllers/comments_controller.rb:1:1:45:3 | CommentsController |
+| controllers/comments_controller.rb:1:1:49:3 | CommentsController |
 | controllers/foo/bars_controller.rb:3:1:46:3 | BarsController |
 | controllers/photos_controller.rb:1:1:4:3 | PhotosController |
 | controllers/posts_controller.rb:1:1:10:3 | PostsController |
@@ -11,6 +11,7 @@ actionControllerControllerClasses
 actionControllerActionMethods
 | controllers/comments_controller.rb:2:3:36:5 | index |
 | controllers/comments_controller.rb:38:3:44:5 | show |
+| controllers/comments_controller.rb:46:3:48:5 | photo |
 | controllers/foo/bars_controller.rb:5:3:7:5 | index |
 | controllers/foo/bars_controller.rb:9:3:18:5 | show_debug |
 | controllers/foo/bars_controller.rb:20:3:24:5 | show |
@@ -262,6 +263,16 @@ renderCalls
 | controllers/foo/bars_controller.rb:35:5:35:33 | call to render |
 | controllers/foo/bars_controller.rb:38:5:38:50 | call to render |
 | controllers/foo/bars_controller.rb:44:5:44:17 | call to render |
+httpResponses
+| controllers/comments_controller.rb:11:5:11:17 | call to body= | controllers/comments_controller.rb:11:21:11:34 | ... = ... |
+| controllers/comments_controller.rb:21:5:21:37 | call to send_file | controllers/comments_controller.rb:21:24:21:36 | "my-file.ext" |
+| controllers/comments_controller.rb:47:5:47:20 | call to send_data | controllers/comments_controller.rb:47:15:47:20 | @photo |
+| controllers/foo/bars_controller.rb:15:16:15:97 | call to render_to_string | controllers/foo/bars_controller.rb:15:33:15:47 | "foo/bars/show" |
+| controllers/foo/bars_controller.rb:23:5:23:76 | call to render | controllers/foo/bars_controller.rb:23:12:23:26 | "foo/bars/show" |
+| controllers/foo/bars_controller.rb:35:5:35:33 | call to render | controllers/foo/bars_controller.rb:35:18:35:33 | call to [] |
+| controllers/foo/bars_controller.rb:36:12:36:67 | call to render_to_string | controllers/foo/bars_controller.rb:36:29:36:33 | @user |
+| controllers/foo/bars_controller.rb:38:5:38:50 | call to render | controllers/foo/bars_controller.rb:38:12:38:22 | call to backtrace |
+| controllers/foo/bars_controller.rb:44:5:44:17 | call to render | controllers/foo/bars_controller.rb:44:12:44:17 | "show" |
 actionControllerHelperMethods
 getAssociatedControllerClasses
 controllerTemplateFiles
diff --git a/ruby/ql/test/library-tests/frameworks/action_controller/ActionController.ql b/ruby/ql/test/library-tests/frameworks/action_controller/ActionController.ql
@@ -25,6 +25,10 @@ query predicate redirectToCalls(RedirectToCall c) { any() }
 
 query predicate renderCalls(Rails::RenderCall c) { any() }
 
+query predicate httpResponses(Http::Server::HttpResponse r, DataFlow::Node body) {
+  body = r.getBody()
+}
+
 query predicate actionControllerHelperMethods(ActionControllerHelperMethod m) { any() }
 
 query predicate getAssociatedControllerClasses(ActionControllerClass cls, ErbFile f) {
diff --git a/ruby/ql/test/library-tests/frameworks/action_controller/controllers/comments_controller.rb b/ruby/ql/test/library-tests/frameworks/action_controller/controllers/comments_controller.rb
@@ -42,4 +42,8 @@ def show
       format.xml  { render xml: @comment.to_xml(include: @photo) }
     end
   end
+
+  def photo
+    send_data @photo
+  end
 end
