Merge pull request github#12051 from hmac/actioncontroller-filter-flow-steps

Ruby: flow steps for ActionController filters

Author: hvitved

ruby/ql/lib/change-notes/2023-02-13-actioncontroller-filters.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Flow is now tracked between ActionController `before_filter` and `after_filter` callbacks and their associated action methods.

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll

@@ -1157,6 +1157,8 @@ predicate jumpStep(Node pred, Node succ) {
   succ.asExpr().getExpr().(ConstantReadAccess).getValue() = pred.asExpr().getExpr()
   or
   FlowSummaryImpl::Private::Steps::summaryJumpStep(pred, succ)
+  or
+  any(AdditionalJumpStep s).step(pred, succ)
 }
 
 private ContentSet getKeywordContent(string name) {
@@ -1484,3 +1486,15 @@ ContentApprox getContentApprox(Content c) {
   or
   result = TNonElementContentApprox(c)
 }
+
+/**
+ * A unit class for adding additional jump steps.
+ *
+ * Extend this class to add additional jump steps.
+ */
+class AdditionalJumpStep extends Unit {
+  /**
+   * Holds if data can flow from `pred` to `succ` in a way that discards call contexts.
+   */
+  abstract predicate step(Node pred, Node succ);
+}

ruby/ql/lib/codeql/ruby/frameworks/Rails.qll

@@ -29,16 +29,13 @@ private module RenderCallUtils {
     result = getTemplatePathValue(renderCall).regexpCapture("^/?(.*/)?(?:[^/]*?)$", 1)
   }
 
-  // everything after the final slash, or the whole string if there is no slash
-  private string getBaseName(MethodCall renderCall) {
-    result = getTemplatePathValue(renderCall).regexpCapture("^/?(?:.*/)?([^/]*?)$", 1)
-  }
-
   /**
    * Gets the template file to be rendered by this render call, if any.
    */
   ErbFile getTemplateFile(MethodCall renderCall) {
-    result.getTemplateName() = getBaseName(renderCall) and
+    // everything after the final slash, or the whole string if there is no slash
+    result.getTemplateName() =
+      getTemplatePathValue(renderCall).regexpCapture("^/?(?:.*/)?([^/]*?)$", 1) and
     result.getRelativePath().matches("%app/views/" + getSubPath(renderCall) + "%")
   }
 

ruby/ql/lib/codeql/ruby/frameworks/actioncontroller/Filters.qll

@@ -9,6 +9,7 @@ private import codeql.ruby.controlflow.CfgNodes::ExprNodes
 private import codeql.ruby.DataFlow
 private import codeql.ruby.dataflow.internal.DataFlowPrivate as DataFlowPrivate
 private import codeql.ruby.ast.internal.Constant
+private import codeql.ruby.ast.internal.Module
 
 /**
  * Provides modeling for ActionController filters.
@@ -34,6 +35,17 @@ module Filters {
     }
   }
 
+  bindingset[call]
+  pragma[inline_late]
+  private ActionControllerActionMethod getADescendentAction(MethodCallCfgNode call) {
+    result = call.getExpr().getEnclosingModule().getAMethod()
+    or
+    exists(ModuleBase m |
+      m.getModule() = call.getExpr().getEnclosingModule().getModule().getAnImmediateDescendent+() and
+      result = m.getAMethod()
+    )
+  }
+
   /**
    * A call to a class method that adds or removes a filter from the callback chain.
    * This class exists to encapsulate common behavior between calls that
@@ -64,14 +76,7 @@ module Filters {
         not exists(this.getOnlyArgument()) and
         forall(string except | except = this.getExceptArgument() | result.getName() != except)
       ) and
-      (
-        result = this.getExpr().getEnclosingModule().getAMethod()
-        or
-        exists(ModuleBase m |
-          m.getModule() = this.getExpr().getEnclosingModule().getModule().getADescendent() and
-          result = m.getAMethod()
-        )
-      )
+      result = getADescendentAction(this)
     }
 
     private string getOnlyArgument() {
@@ -104,8 +109,12 @@ module Filters {
 
     StringlikeLiteralCfgNode getFilterArgument() { result = this.getPositionalArgument(_) }
 
+    string getFilterArgumentName() {
+      result = this.getFilterArgument().getConstantValue().getStringlikeValue()
+    }
+
     /**
-     * Gets the callable that implements the filter with name `name`.
+     * Gets the callable that implements a filter registered by this call.
      * This currently only finds methods in the local class or superclass.
      * It doesn't handle:
      * - lambdas
@@ -122,10 +131,9 @@ module Filters {
      * end
      * ```
      */
-    Callable getFilterCallable(string name) {
-      result.(MethodBase).getName() = name and
-      result.getEnclosingModule().getModule() =
-        this.getExpr().getEnclosingModule().getModule().getAnAncestor()
+    Callable getAFilterCallable() {
+      result =
+        lookupMethod(this.getExpr().getEnclosingModule().getModule(), this.getFilterArgumentName())
     }
   }
 
@@ -321,7 +329,9 @@ module Filters {
 
     string getFilterName() { result = this.getConstantValue().getStringlikeValue() }
 
-    Callable getFilterCallable() { result = call.getFilterCallable(this.getFilterName()) }
+    Callable getFilterCallable() {
+      result = call.getAFilterCallable() and result.(MethodBase).getName() = this.getFilterName()
+    }
 
     ActionControllerActionMethod getAnAction() { result = call.getAnAction() }
   }
@@ -387,4 +397,62 @@ module Filters {
    * `pred` and `succ` may be methods bound to callbacks or controller actions.
    */
   predicate next(Method pred, Method succ) { next(_, pred, succ) }
+
+  /**
+   * Holds if `n` is a post-update node for `self` in method `m`.
+   */
+  private predicate selfPostUpdate(DataFlow::PostUpdateNode n, Method m) {
+    n.getPreUpdateNode().asExpr().getExpr() =
+      any(SelfVariableAccess self |
+        pragma[only_bind_into](m) = self.getEnclosingCallable() and
+        self.getVariable().getDeclaringScope() = m
+      )
+  }
+
+  /**
+   * Holds if `n` is the self parameter of method `m`.
+   */
+  private predicate selfParameter(DataFlowPrivate::SelfParameterNode n, Method m) {
+    m = n.getMethod()
+  }
+
+  /**
+   * A class defining additional jump steps arising from filters.
+   */
+  class FilterJumpStep extends DataFlowPrivate::AdditionalJumpStep {
+    /**
+     * Holds if data can flow from `pred` to `succ` via a callback chain.
+     * `pred` is the post-update node of the self parameter in a method, and
+     * `succ` is the self parameter of a subsequent method that is executed as
+     * part of the callback chain.
+     */
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(Method predMethod, Method succMethod | next(predMethod, succMethod) |
+        // Flow from a post-update node of self  in `pred` to the self parameter of `succ`
+        //
+        // def a
+        //   foo() ---------+
+        //   @x = 1 ---+    |
+        // end         |    |
+        //             |    |
+        // def b  <----+----+
+        //  ...
+        //
+        selfPostUpdate(pred, predMethod) and
+        selfParameter(succ, succMethod)
+        or
+        // Flow from the self parameter of `pred` to the self parameter of `succ`
+        //
+        // def a ---+
+        //   ...    |
+        // end      |
+        //          |
+        // def b  <-+
+        //   ...
+        //
+        selfParameter(pred, predMethod) and
+        selfParameter(succ, succMethod)
+      )
+    }
+  }
 }

ruby/ql/test/library-tests/frameworks/action_controller/ActionController.expected

@@ -6,6 +6,11 @@ actionControllerControllerClasses
 | controllers/posts_controller.rb:1:1:32:3 | PostsController |
 | controllers/tags_controller.rb:1:1:2:3 | TagsController |
 | controllers/users/notifications_controller.rb:2:3:5:5 | Users::NotificationsController |
+| filter_flow.rb:9:1:23:3 | OneController |
+| filter_flow.rb:25:1:40:3 | TwoController |
+| filter_flow.rb:42:1:57:3 | ThreeController |
+| filter_flow.rb:59:1:73:3 | FourController |
+| filter_flow.rb:75:1:93:3 | FiveController |
 | input_access.rb:1:1:50:3 | UsersController |
 | params_flow.rb:1:1:162:3 | MyController |
 | params_flow.rb:170:1:178:3 | Subclass |
@@ -27,6 +32,22 @@ actionControllerActionMethods
 | controllers/posts_controller.rb:17:3:18:5 | show |
 | controllers/posts_controller.rb:20:3:21:5 | upvote |
 | controllers/users/notifications_controller.rb:3:5:4:7 | mark_as_read |
+| filter_flow.rb:13:3:15:5 | a |
+| filter_flow.rb:17:3:18:5 | b |
+| filter_flow.rb:20:3:22:5 | c |
+| filter_flow.rb:29:3:31:5 | a |
+| filter_flow.rb:33:3:35:5 | b |
+| filter_flow.rb:37:3:39:5 | c |
+| filter_flow.rb:46:3:49:5 | a |
+| filter_flow.rb:51:3:52:5 | b |
+| filter_flow.rb:54:3:56:5 | c |
+| filter_flow.rb:63:3:65:5 | a |
+| filter_flow.rb:67:3:68:5 | b |
+| filter_flow.rb:70:3:72:5 | c |
+| filter_flow.rb:79:3:81:5 | a |
+| filter_flow.rb:83:3:84:5 | b |
+| filter_flow.rb:86:3:88:5 | c |
+| filter_flow.rb:90:3:92:5 | taint_foo |
 | input_access.rb:2:3:49:5 | index |
 | logging.rb:2:5:8:7 | index |
 | params_flow.rb:2:3:4:5 | m1 |
@@ -72,6 +93,11 @@ paramsCalls
 | controllers/foo/bars_controller.rb:21:21:21:26 | call to params |
 | controllers/foo/bars_controller.rb:22:10:22:15 | call to params |
 | controllers/posts_controller.rb:26:23:26:28 | call to params |
+| filter_flow.rb:14:12:14:17 | call to params |
+| filter_flow.rb:30:12:30:17 | call to params |
+| filter_flow.rb:47:12:47:17 | call to params |
+| filter_flow.rb:64:16:64:21 | call to params |
+| filter_flow.rb:91:12:91:17 | call to params |
 | params_flow.rb:3:10:3:15 | call to params |
 | params_flow.rb:7:10:7:15 | call to params |
 | params_flow.rb:11:10:11:15 | call to params |
@@ -127,6 +153,11 @@ paramsSources
 | controllers/foo/bars_controller.rb:21:21:21:26 | call to params |
 | controllers/foo/bars_controller.rb:22:10:22:15 | call to params |
 | controllers/posts_controller.rb:26:23:26:28 | call to params |
+| filter_flow.rb:14:12:14:17 | call to params |
+| filter_flow.rb:30:12:30:17 | call to params |
+| filter_flow.rb:47:12:47:17 | call to params |
+| filter_flow.rb:64:16:64:21 | call to params |
+| filter_flow.rb:91:12:91:17 | call to params |
 | params_flow.rb:3:10:3:15 | call to params |
 | params_flow.rb:7:10:7:15 | call to params |
 | params_flow.rb:11:10:11:15 | call to params |
@@ -192,6 +223,11 @@ httpInputAccesses
 | controllers/foo/bars_controller.rb:21:21:21:26 | call to params | ActionController::Metal#params |
 | controllers/foo/bars_controller.rb:22:10:22:15 | call to params | ActionController::Metal#params |
 | controllers/posts_controller.rb:26:23:26:28 | call to params | ActionController::Metal#params |
+| filter_flow.rb:14:12:14:17 | call to params | ActionController::Metal#params |
+| filter_flow.rb:30:12:30:17 | call to params | ActionController::Metal#params |
+| filter_flow.rb:47:12:47:17 | call to params | ActionController::Metal#params |
+| filter_flow.rb:64:16:64:21 | call to params | ActionController::Metal#params |
+| filter_flow.rb:91:12:91:17 | call to params | ActionController::Metal#params |
 | input_access.rb:3:5:3:18 | call to params | ActionDispatch::Request#params |
 | input_access.rb:4:5:4:22 | call to parameters | ActionDispatch::Request#parameters |
 | input_access.rb:5:5:5:15 | call to GET | ActionDispatch::Request#GET |