Ruby: Introduce ContentSet::isElementOfType[OrUnknown]/1

hvitved · hvitved · commit a9ef3f95a2be · 2023-03-20T10:03:15.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll
@@ -1,3 +1,4 @@
+private import codeql.util.Boolean
 private import codeql.ruby.AST
 private import codeql.ruby.ast.internal.Synthesis
 private import codeql.ruby.CFG
@@ -456,12 +457,15 @@ private module Cached {
       FlowSummaryImplSpecific::ParsePositions::isParsedElementLowerBoundPosition(_, includeUnknown,
         lower)
     } or
+    TElementContentOfTypeContent(string type, Boolean includeUnknown) {
+      type = any(Content::KnownElementContent content).getIndex().getValueType()
+    } or
     TNoContentSet() // Only used by type-tracking
 
   cached
   class TContentSet =
     TSingletonContent or TAnyElementContent or TKnownOrUnknownElementContent or
-        TElementLowerBoundContent;
+        TElementLowerBoundContent or TElementContentOfTypeContent;
 
   private predicate trackKnownValue(ConstantValue cv) {
     not cv.isFloat(_) and
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPublic.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPublic.qll
@@ -534,6 +534,21 @@ class ContentSet extends TContentSet {
     this = TElementLowerBoundContent(lower, true)
   }
 
+  /**
+   * Holds if this content set represents all `KnownElementContent`s where
+   * the index is of type `type`, as per `ConstantValue::getValueType/0`.
+   */
+  predicate isElementOfType(string type) { this = TElementContentOfTypeContent(type, false) }
+
+  /**
+   * Holds if this content set represents `UnknownElementContent` unioned with
+   * all `KnownElementContent`s where the index is of type `type`, as per
+   * `ConstantValue::getValueType/0`.
+   */
+  predicate isElementOfTypeOrUnknown(string type) {
+    this = TElementContentOfTypeContent(type, true)
+  }
+
   /** Gets a textual representation of this content set. */
   string toString() {
     exists(Content c |
@@ -558,6 +573,16 @@ class ContentSet extends TContentSet {
       includeUnknown = true and
       result = lower + ".."
     )
+    or
+    exists(string type, boolean includeUnknown |
+      this = TElementContentOfTypeContent(type, includeUnknown)
+    |
+      includeUnknown = false and
+      result = "any(" + type + ")!"
+      or
+      includeUnknown = true and
+      result = "any(" + type + ")"
+    )
   }
 
   /** Gets a content that may be stored into when storing into this set. */
@@ -576,7 +601,14 @@ class ContentSet extends TContentSet {
     // step that store only into `1`
     this.isKnownOrUnknownElement(result)
     or
-    this.isElementLowerBound(_) and
+    // These reverse stores are not as accurate as they could be, but making
+    // them more accurate would result in a large fan-out
+    (
+      this.isElementLowerBound(_) or
+      this.isElementLowerBoundOrUnknown(_) or
+      this.isElementOfType(_) or
+      this.isElementOfTypeOrUnknown(_)
+    ) and
     result = TUnknownElementContent()
   }
 
@@ -603,6 +635,15 @@ class ContentSet extends TContentSet {
       includeUnknown = true and
       result = TUnknownElementContent()
     )
+    or
+    exists(string type, boolean includeUnknown |
+      this = TElementContentOfTypeContent(type, includeUnknown)
+    |
+      type = result.(Content::KnownElementContent).getIndex().getValueType()
+      or
+      includeUnknown = true and
+      result = TUnknownElementContent()
+    )
   }
 }
 
diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll
@@ -34,8 +34,6 @@ class Configuration extends TaintTracking::Configuration {
   override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) {
     // allow implicit reads of array elements
     this.isSink(node) and
-    set.isKnownOrUnknownElement(any(DataFlow::Content::KnownElementContent content |
-        content.getIndex().getValueType() = "int"
-      ))
+    set.isElementOfTypeOrUnknown("int")
   }
 }
diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionQuery.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionQuery.qll
@@ -36,8 +36,6 @@ class Configuration extends TaintTracking::Configuration {
   override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) {
     // allow implicit reads of array elements
     this.isSink(node) and
-    set.isKnownOrUnknownElement(any(DataFlow::Content::KnownElementContent content |
-        content.getIndex().getValueType() = "int"
-      ))
+    set.isElementOfTypeOrUnknown("int")
   }
 }
diff --git a/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll b/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll
@@ -449,6 +449,8 @@ private ContentFilter getFilterFromWithoutContentStep(DataFlow::ContentSet conte
     or
     content.isElementLowerBoundOrUnknown(_)
     or
+    content.isElementOfTypeOrUnknown(_)
+    or
     content.isSingleton(any(DataFlow::Content::UnknownElementContent c))
   ) and
   result = MkElementFilter()
@@ -484,6 +486,10 @@ private ContentFilter getFilterFromWithContentStep(DataFlow::ContentSet content)
     or
     content.isElementLowerBoundOrUnknown(_)
     or
+    content.isElementOfType(_)
+    or
+    content.isElementOfTypeOrUnknown(_)
+    or
     content.isSingleton(any(DataFlow::Content::ElementContent c))
   ) and
   result = MkElementFilter()
diff --git a/ruby/ql/test/library-tests/dataflow/flow-summaries/semantics.expected b/ruby/ql/test/library-tests/dataflow/flow-summaries/semantics.expected
@@ -248,6 +248,26 @@ edges
 | semantics.rb:221:14:221:14 | h [element 2] :  | semantics.rb:221:10:221:15 | call to s27 |
 | semantics.rb:221:14:221:14 | h [element] :  | semantics.rb:221:10:221:15 | call to s27 |
 | semantics.rb:221:14:221:14 | h [element] :  | semantics.rb:221:10:221:15 | call to s27 |
+| semantics.rb:225:9:225:18 | call to source :  | semantics.rb:226:13:226:13 | a :  |
+| semantics.rb:225:9:225:18 | call to source :  | semantics.rb:226:13:226:13 | a :  |
+| semantics.rb:226:9:226:14 | call to s28 [element] :  | semantics.rb:227:10:227:10 | x [element] :  |
+| semantics.rb:226:9:226:14 | call to s28 [element] :  | semantics.rb:227:10:227:10 | x [element] :  |
+| semantics.rb:226:9:226:14 | call to s28 [element] :  | semantics.rb:228:10:228:10 | x [element] :  |
+| semantics.rb:226:9:226:14 | call to s28 [element] :  | semantics.rb:228:10:228:10 | x [element] :  |
+| semantics.rb:226:9:226:14 | call to s28 [element] :  | semantics.rb:229:10:229:10 | x [element] :  |
+| semantics.rb:226:9:226:14 | call to s28 [element] :  | semantics.rb:229:10:229:10 | x [element] :  |
+| semantics.rb:226:9:226:14 | call to s28 [element] :  | semantics.rb:230:10:230:10 | x [element] :  |
+| semantics.rb:226:9:226:14 | call to s28 [element] :  | semantics.rb:230:10:230:10 | x [element] :  |
+| semantics.rb:226:13:226:13 | a :  | semantics.rb:226:9:226:14 | call to s28 [element] :  |
+| semantics.rb:226:13:226:13 | a :  | semantics.rb:226:9:226:14 | call to s28 [element] :  |
+| semantics.rb:227:10:227:10 | x [element] :  | semantics.rb:227:10:227:13 | ...[...] |
+| semantics.rb:227:10:227:10 | x [element] :  | semantics.rb:227:10:227:13 | ...[...] |
+| semantics.rb:228:10:228:10 | x [element] :  | semantics.rb:228:10:228:13 | ...[...] |
+| semantics.rb:228:10:228:10 | x [element] :  | semantics.rb:228:10:228:13 | ...[...] |
+| semantics.rb:229:10:229:10 | x [element] :  | semantics.rb:229:10:229:13 | ...[...] |
+| semantics.rb:229:10:229:10 | x [element] :  | semantics.rb:229:10:229:13 | ...[...] |
+| semantics.rb:230:10:230:10 | x [element] :  | semantics.rb:230:10:230:13 | ...[...] |
+| semantics.rb:230:10:230:10 | x [element] :  | semantics.rb:230:10:230:13 | ...[...] |
 | semantics.rb:235:9:235:18 | call to source :  | semantics.rb:240:5:240:5 | [post] h [element 1] :  |
 | semantics.rb:235:9:235:18 | call to source :  | semantics.rb:240:5:240:5 | [post] h [element 1] :  |
 | semantics.rb:236:9:236:18 | call to source :  | semantics.rb:241:5:241:5 | [post] h [element 2] :  |
@@ -1206,6 +1226,28 @@ nodes
 | semantics.rb:221:14:221:14 | h [element 2] :  | semmle.label | h [element 2] :  |
 | semantics.rb:221:14:221:14 | h [element] :  | semmle.label | h [element] :  |
 | semantics.rb:221:14:221:14 | h [element] :  | semmle.label | h [element] :  |
+| semantics.rb:225:9:225:18 | call to source :  | semmle.label | call to source :  |
+| semantics.rb:225:9:225:18 | call to source :  | semmle.label | call to source :  |
+| semantics.rb:226:9:226:14 | call to s28 [element] :  | semmle.label | call to s28 [element] :  |
+| semantics.rb:226:9:226:14 | call to s28 [element] :  | semmle.label | call to s28 [element] :  |
+| semantics.rb:226:13:226:13 | a :  | semmle.label | a :  |
+| semantics.rb:226:13:226:13 | a :  | semmle.label | a :  |
+| semantics.rb:227:10:227:10 | x [element] :  | semmle.label | x [element] :  |
+| semantics.rb:227:10:227:10 | x [element] :  | semmle.label | x [element] :  |
+| semantics.rb:227:10:227:13 | ...[...] | semmle.label | ...[...] |
+| semantics.rb:227:10:227:13 | ...[...] | semmle.label | ...[...] |
+| semantics.rb:228:10:228:10 | x [element] :  | semmle.label | x [element] :  |
+| semantics.rb:228:10:228:10 | x [element] :  | semmle.label | x [element] :  |
+| semantics.rb:228:10:228:13 | ...[...] | semmle.label | ...[...] |
+| semantics.rb:228:10:228:13 | ...[...] | semmle.label | ...[...] |
+| semantics.rb:229:10:229:10 | x [element] :  | semmle.label | x [element] :  |
+| semantics.rb:229:10:229:10 | x [element] :  | semmle.label | x [element] :  |
+| semantics.rb:229:10:229:13 | ...[...] | semmle.label | ...[...] |
+| semantics.rb:229:10:229:13 | ...[...] | semmle.label | ...[...] |
+| semantics.rb:230:10:230:10 | x [element] :  | semmle.label | x [element] :  |
+| semantics.rb:230:10:230:10 | x [element] :  | semmle.label | x [element] :  |
+| semantics.rb:230:10:230:13 | ...[...] | semmle.label | ...[...] |
+| semantics.rb:230:10:230:13 | ...[...] | semmle.label | ...[...] |
 | semantics.rb:235:9:235:18 | call to source :  | semmle.label | call to source :  |
 | semantics.rb:235:9:235:18 | call to source :  | semmle.label | call to source :  |
 | semantics.rb:236:9:236:18 | call to source :  | semmle.label | call to source :  |
diff --git a/ruby/ql/test/library-tests/dataflow/flow-summaries/semantics.rb b/ruby/ql/test/library-tests/dataflow/flow-summaries/semantics.rb
@@ -224,10 +224,10 @@ def m27(i)
 def m28(i)
     a = source "a"
     x = s28(a)
-    sink x[0]
-    sink x[1] # $ MISSING: hasValueFlow=a
-    sink x[2] # $ MISSING: hasValueFlow=a
-    sink x[i] # $ MISSING: hasValueFlow=a
+    sink x[0] # $ SPURIOUS: hasValueFlow=a
+    sink x[1] # $ hasValueFlow=a
+    sink x[2] # $ hasValueFlow=a
+    sink x[i] # $ hasValueFlow=a
 end
 
 def m29(i)

Original file line number	Diff line number	Diff line change
`@@ -34,8 +34,6 @@ class Configuration extends TaintTracking::Configuration {`
`34`	`34`	`override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) {`
`35`	`35`	`// allow implicit reads of array elements`
`36`	`36`	`this.isSink(node) and`
`37`		`- set.isKnownOrUnknownElement(any(DataFlow::Content::KnownElementContent content \|`
`38`		`- content.getIndex().getValueType() = "int"`
`39`		`- ))`
	`37`	`+ set.isElementOfTypeOrUnknown("int")`
`40`	`38`	`}`
`41`	`39`	`}`
Original file line number	Diff line number	Diff line change
`@@ -36,8 +36,6 @@ class Configuration extends TaintTracking::Configuration {`
`36`	`36`	`override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet set) {`
`37`	`37`	`// allow implicit reads of array elements`
`38`	`38`	`this.isSink(node) and`
`39`		`- set.isKnownOrUnknownElement(any(DataFlow::Content::KnownElementContent content \|`
`40`		`- content.getIndex().getValueType() = "int"`
`41`		`- ))`
	`39`	`+ set.isElementOfTypeOrUnknown("int")`
`42`	`40`	`}`
`43`	`41`	`}`