Ruby: support BlockArgument in identifying access path

asgerf · asgerf · commit 2ca45ef9f918 · 2022-03-16T12:51:14.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModelsSpecific.qll b/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModelsSpecific.qll
@@ -106,6 +106,9 @@ API::Node getExtraSuccessorFromNode(API::Node node, AccessPathToken token) {
   or
   token.getName() = "Instance" and
   result = node.getInstance()
+  or
+  token.getName() = "BlockArgument" and
+  result = node.getBlock()
   // Note: The "ArrayElement" token is not implemented yet, as it ultimately requires type-tracking and
   // API graphs to be aware of the steps involving ArrayElement contributed by the standard library model.
   // Type-tracking cannot summarize function calls on its own, so it doesn't benefit from synthesized callables.
@@ -143,15 +146,15 @@ InvokeNode getAnInvocationOf(API::Node node) { result = node }
  */
 bindingset[name]
 predicate isExtraValidTokenNameInIdentifyingAccessPath(string name) {
-  name = ["Member", "Method", "Instance", "WithBlock", "WithoutBlock"]
+  name = ["Member", "Method", "Instance", "WithBlock", "WithoutBlock", "BlockArgument"]
 }
 
 /**
  * Holds if `name` is a valid name for an access path token with no arguments, occuring
  * in an identifying access path.
  */
 predicate isExtraValidNoArgumentTokenInIdentifyingAccessPath(string name) {
-  name = ["Instance", "WithBlock", "WithoutBlock"]
+  name = ["Instance", "WithBlock", "WithoutBlock", "BlockArgument"]
 }
 
 /**
diff --git a/ruby/ql/test/library-tests/dataflow/summaries/Summaries.expected b/ruby/ql/test/library-tests/dataflow/summaries/Summaries.expected
@@ -31,6 +31,7 @@ edges
 | summaries.rb:41:24:41:24 | t :  | summaries.rb:41:8:41:25 | call to matchedByName |
 | summaries.rb:42:24:42:24 | t :  | summaries.rb:42:8:42:25 | call to matchedByName |
 | summaries.rb:44:8:44:8 | t :  | summaries.rb:44:8:44:27 | call to matchedByNameRcv |
+| summaries.rb:48:24:48:30 | "taint" :  | summaries.rb:48:8:48:31 | call to preserveTaint |
 nodes
 | summaries.rb:1:11:1:26 | call to identity :  | semmle.label | call to identity :  |
 | summaries.rb:1:20:1:26 | "taint" :  | semmle.label | "taint" :  |
@@ -66,6 +67,8 @@ nodes
 | summaries.rb:42:24:42:24 | t :  | semmle.label | t :  |
 | summaries.rb:44:8:44:8 | t :  | semmle.label | t :  |
 | summaries.rb:44:8:44:27 | call to matchedByNameRcv | semmle.label | call to matchedByNameRcv |
+| summaries.rb:48:8:48:31 | call to preserveTaint | semmle.label | call to preserveTaint |
+| summaries.rb:48:24:48:30 | "taint" :  | semmle.label | "taint" :  |
 subpaths
 invalidSpecComponent
 invalidOutputSpecComponent
@@ -86,6 +89,7 @@ invalidOutputSpecComponent
 | summaries.rb:41:8:41:25 | call to matchedByName | summaries.rb:40:7:40:13 | "taint" :  | summaries.rb:41:8:41:25 | call to matchedByName | $@ | summaries.rb:40:7:40:13 | "taint" :  | "taint" :  |
 | summaries.rb:42:8:42:25 | call to matchedByName | summaries.rb:40:7:40:13 | "taint" :  | summaries.rb:42:8:42:25 | call to matchedByName | $@ | summaries.rb:40:7:40:13 | "taint" :  | "taint" :  |
 | summaries.rb:44:8:44:27 | call to matchedByNameRcv | summaries.rb:40:7:40:13 | "taint" :  | summaries.rb:44:8:44:27 | call to matchedByNameRcv | $@ | summaries.rb:40:7:40:13 | "taint" :  | "taint" :  |
+| summaries.rb:48:8:48:31 | call to preserveTaint | summaries.rb:48:24:48:30 | "taint" :  | summaries.rb:48:8:48:31 | call to preserveTaint | $@ | summaries.rb:48:24:48:30 | "taint" :  | "taint" :  |
 warning
 | CSV type row should have 5 columns but has 2: test;TooFewColumns |
 | CSV type row should have 5 columns but has 8: test;TooManyColumns;;;Member[Foo].Instance;too;many;columns |
diff --git a/ruby/ql/test/library-tests/dataflow/summaries/Summaries.ql b/ruby/ql/test/library-tests/dataflow/summaries/Summaries.ql
@@ -75,8 +75,9 @@ private class StepsFromModel extends ModelInput::SummaryModelCsv {
         ";;Member[Foo].Method[secondArg];Argument[1];ReturnValue;taint",
         ";;Member[Foo].Method[onlyWithoutBlock].WithoutBlock;Argument[0];ReturnValue;taint",
         ";;Member[Foo].Method[onlyWithBlock].WithBlock;Argument[0];ReturnValue;taint",
+        ";;Member[Foo].Method[blockArg].BlockArgument.Parameter[0].Method[preserveTaint];Argument[0];ReturnValue;taint",
         ";any;Method[matchedByName];Argument[0];ReturnValue;taint",
-        ";any;Method[matchedByNameRcv];Receiver;ReturnValue;taint"
+        ";any;Method[matchedByNameRcv];Receiver;ReturnValue;taint",
       ]
   }
 }
diff --git a/ruby/ql/test/library-tests/dataflow/summaries/summaries.rb b/ruby/ql/test/library-tests/dataflow/summaries/summaries.rb
@@ -43,3 +43,7 @@ def userDefinedFunction(x, y)
   sink(x.unmatchedName(t))
   sink(t.matchedByNameRcv())
 end
+
+Foo.blockArg do |x|
+  sink(x.preserveTaint("taint"))
+end

Original file line number	Diff line number	Diff line change
`@@ -75,8 +75,9 @@ private class StepsFromModel extends ModelInput::SummaryModelCsv {`
`75`	`75`	`";;Member[Foo].Method[secondArg];Argument[1];ReturnValue;taint",`
`76`	`76`	`";;Member[Foo].Method[onlyWithoutBlock].WithoutBlock;Argument[0];ReturnValue;taint",`
`77`	`77`	`";;Member[Foo].Method[onlyWithBlock].WithBlock;Argument[0];ReturnValue;taint",`
	`78`	`+ ";;Member[Foo].Method[blockArg].BlockArgument.Parameter[0].Method[preserveTaint];Argument[0];ReturnValue;taint",`
`78`	`79`	`";any;Method[matchedByName];Argument[0];ReturnValue;taint",`
`79`		`- ";any;Method[matchedByNameRcv];Receiver;ReturnValue;taint"`
	`80`	`+ ";any;Method[matchedByNameRcv];Receiver;ReturnValue;taint",`
`80`	`81`	`]`
`81`	`82`	`}`
`82`	`83`	`}`