Ruby: Model except: with a const argument

hmac · hmac · commit 708e303c013b · 2023-01-30T21:17:31.000+13:00
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/actioncontroller/Filters.qll b/ruby/ql/lib/codeql/ruby/frameworks/actioncontroller/Filters.qll
@@ -94,8 +94,11 @@ module Filters {
         result = except.getConstantValue().getStringlikeValue()
         or
         // except: [:create, :update]
-        result =
-          except.(ArrayLiteralCfgNode).getAnArgument().getConstantValue().getStringlikeValue()
+        // except: SOME_CONST_ARRAY
+        exists(ArrayLiteralCfgNode n |
+          isArrayConstant(except, n) and
+          result = n.getAnArgument().getConstantValue().getStringlikeValue()
+        )
       )
     }
 
diff --git a/ruby/ql/test/library-tests/frameworks/action_controller/Filters.expected b/ruby/ql/test/library-tests/frameworks/action_controller/Filters.expected
@@ -1,45 +1,45 @@
-| controllers/comments_controller.rb:16:3:50:5 | index | controllers/application_controller.rb:6:3:8:5 | set_user | controllers/comments_controller.rb:98:3:99:5 | foo |
-| controllers/comments_controller.rb:16:3:50:5 | index | controllers/application_controller.rb:10:3:12:5 | log_request | controllers/application_controller.rb:6:3:8:5 | set_user |
-| controllers/comments_controller.rb:16:3:50:5 | index | controllers/comments_controller.rb:16:3:50:5 | index | controllers/comments_controller.rb:86:3:88:5 | check_feature_flags |
-| controllers/comments_controller.rb:16:3:50:5 | index | controllers/comments_controller.rb:86:3:88:5 | check_feature_flags | controllers/comments_controller.rb:94:3:96:5 | this_must_run_last |
-| controllers/comments_controller.rb:16:3:50:5 | index | controllers/comments_controller.rb:90:3:92:5 | this_must_run_first | controllers/application_controller.rb:10:3:12:5 | log_request |
-| controllers/comments_controller.rb:16:3:50:5 | index | controllers/comments_controller.rb:98:3:99:5 | foo | controllers/comments_controller.rb:101:3:102:5 | bar |
-| controllers/comments_controller.rb:16:3:50:5 | index | controllers/comments_controller.rb:101:3:102:5 | bar | controllers/comments_controller.rb:16:3:50:5 | index |
-| controllers/comments_controller.rb:52:3:53:5 | create | controllers/application_controller.rb:6:3:8:5 | set_user | controllers/comments_controller.rb:73:3:76:5 | ensure_user_can_edit_comments |
-| controllers/comments_controller.rb:52:3:53:5 | create | controllers/application_controller.rb:10:3:12:5 | log_request | controllers/application_controller.rb:6:3:8:5 | set_user |
-| controllers/comments_controller.rb:52:3:53:5 | create | controllers/comments_controller.rb:52:3:53:5 | create | controllers/comments_controller.rb:82:3:84:5 | log_comment_change |
-| controllers/comments_controller.rb:52:3:53:5 | create | controllers/comments_controller.rb:73:3:76:5 | ensure_user_can_edit_comments | controllers/comments_controller.rb:98:3:99:5 | foo |
-| controllers/comments_controller.rb:52:3:53:5 | create | controllers/comments_controller.rb:82:3:84:5 | log_comment_change | controllers/comments_controller.rb:86:3:88:5 | check_feature_flags |
-| controllers/comments_controller.rb:52:3:53:5 | create | controllers/comments_controller.rb:86:3:88:5 | check_feature_flags | controllers/comments_controller.rb:94:3:96:5 | this_must_run_last |
-| controllers/comments_controller.rb:52:3:53:5 | create | controllers/comments_controller.rb:90:3:92:5 | this_must_run_first | controllers/application_controller.rb:10:3:12:5 | log_request |
-| controllers/comments_controller.rb:52:3:53:5 | create | controllers/comments_controller.rb:98:3:99:5 | foo | controllers/comments_controller.rb:101:3:102:5 | bar |
-| controllers/comments_controller.rb:52:3:53:5 | create | controllers/comments_controller.rb:101:3:102:5 | bar | controllers/comments_controller.rb:52:3:53:5 | create |
-| controllers/comments_controller.rb:55:3:61:5 | show | controllers/application_controller.rb:6:3:8:5 | set_user | controllers/comments_controller.rb:78:3:80:5 | set_comment |
-| controllers/comments_controller.rb:55:3:61:5 | show | controllers/application_controller.rb:10:3:12:5 | log_request | controllers/application_controller.rb:6:3:8:5 | set_user |
-| controllers/comments_controller.rb:55:3:61:5 | show | controllers/comments_controller.rb:55:3:61:5 | show | controllers/comments_controller.rb:86:3:88:5 | check_feature_flags |
-| controllers/comments_controller.rb:55:3:61:5 | show | controllers/comments_controller.rb:78:3:80:5 | set_comment | controllers/comments_controller.rb:98:3:99:5 | foo |
-| controllers/comments_controller.rb:55:3:61:5 | show | controllers/comments_controller.rb:86:3:88:5 | check_feature_flags | controllers/comments_controller.rb:94:3:96:5 | this_must_run_last |
-| controllers/comments_controller.rb:55:3:61:5 | show | controllers/comments_controller.rb:90:3:92:5 | this_must_run_first | controllers/application_controller.rb:10:3:12:5 | log_request |
-| controllers/comments_controller.rb:55:3:61:5 | show | controllers/comments_controller.rb:98:3:99:5 | foo | controllers/comments_controller.rb:101:3:102:5 | bar |
-| controllers/comments_controller.rb:55:3:61:5 | show | controllers/comments_controller.rb:101:3:102:5 | bar | controllers/comments_controller.rb:55:3:61:5 | show |
-| controllers/comments_controller.rb:63:3:65:5 | photo | controllers/application_controller.rb:6:3:8:5 | set_user | controllers/comments_controller.rb:98:3:99:5 | foo |
-| controllers/comments_controller.rb:63:3:65:5 | photo | controllers/application_controller.rb:10:3:12:5 | log_request | controllers/application_controller.rb:6:3:8:5 | set_user |
-| controllers/comments_controller.rb:63:3:65:5 | photo | controllers/comments_controller.rb:63:3:65:5 | photo | controllers/comments_controller.rb:82:3:84:5 | log_comment_change |
-| controllers/comments_controller.rb:63:3:65:5 | photo | controllers/comments_controller.rb:82:3:84:5 | log_comment_change | controllers/comments_controller.rb:86:3:88:5 | check_feature_flags |
-| controllers/comments_controller.rb:63:3:65:5 | photo | controllers/comments_controller.rb:86:3:88:5 | check_feature_flags | controllers/comments_controller.rb:94:3:96:5 | this_must_run_last |
-| controllers/comments_controller.rb:63:3:65:5 | photo | controllers/comments_controller.rb:90:3:92:5 | this_must_run_first | controllers/application_controller.rb:10:3:12:5 | log_request |
-| controllers/comments_controller.rb:63:3:65:5 | photo | controllers/comments_controller.rb:98:3:99:5 | foo | controllers/comments_controller.rb:101:3:102:5 | bar |
-| controllers/comments_controller.rb:63:3:65:5 | photo | controllers/comments_controller.rb:101:3:102:5 | bar | controllers/comments_controller.rb:63:3:65:5 | photo |
-| controllers/comments_controller.rb:67:3:69:5 | destroy | controllers/application_controller.rb:6:3:8:5 | set_user | controllers/comments_controller.rb:73:3:76:5 | ensure_user_can_edit_comments |
-| controllers/comments_controller.rb:67:3:69:5 | destroy | controllers/application_controller.rb:10:3:12:5 | log_request | controllers/application_controller.rb:6:3:8:5 | set_user |
-| controllers/comments_controller.rb:67:3:69:5 | destroy | controllers/comments_controller.rb:67:3:69:5 | destroy | controllers/comments_controller.rb:82:3:84:5 | log_comment_change |
-| controllers/comments_controller.rb:67:3:69:5 | destroy | controllers/comments_controller.rb:73:3:76:5 | ensure_user_can_edit_comments | controllers/comments_controller.rb:78:3:80:5 | set_comment |
-| controllers/comments_controller.rb:67:3:69:5 | destroy | controllers/comments_controller.rb:78:3:80:5 | set_comment | controllers/comments_controller.rb:98:3:99:5 | foo |
-| controllers/comments_controller.rb:67:3:69:5 | destroy | controllers/comments_controller.rb:82:3:84:5 | log_comment_change | controllers/comments_controller.rb:86:3:88:5 | check_feature_flags |
-| controllers/comments_controller.rb:67:3:69:5 | destroy | controllers/comments_controller.rb:86:3:88:5 | check_feature_flags | controllers/comments_controller.rb:94:3:96:5 | this_must_run_last |
-| controllers/comments_controller.rb:67:3:69:5 | destroy | controllers/comments_controller.rb:90:3:92:5 | this_must_run_first | controllers/application_controller.rb:10:3:12:5 | log_request |
-| controllers/comments_controller.rb:67:3:69:5 | destroy | controllers/comments_controller.rb:98:3:99:5 | foo | controllers/comments_controller.rb:101:3:102:5 | bar |
-| controllers/comments_controller.rb:67:3:69:5 | destroy | controllers/comments_controller.rb:101:3:102:5 | bar | controllers/comments_controller.rb:67:3:69:5 | destroy |
+| controllers/comments_controller.rb:17:3:51:5 | index | controllers/application_controller.rb:6:3:8:5 | set_user | controllers/comments_controller.rb:99:3:100:5 | foo |
+| controllers/comments_controller.rb:17:3:51:5 | index | controllers/application_controller.rb:10:3:12:5 | log_request | controllers/application_controller.rb:6:3:8:5 | set_user |
+| controllers/comments_controller.rb:17:3:51:5 | index | controllers/comments_controller.rb:17:3:51:5 | index | controllers/comments_controller.rb:87:3:89:5 | check_feature_flags |
+| controllers/comments_controller.rb:17:3:51:5 | index | controllers/comments_controller.rb:87:3:89:5 | check_feature_flags | controllers/comments_controller.rb:95:3:97:5 | this_must_run_last |
+| controllers/comments_controller.rb:17:3:51:5 | index | controllers/comments_controller.rb:91:3:93:5 | this_must_run_first | controllers/application_controller.rb:10:3:12:5 | log_request |
+| controllers/comments_controller.rb:17:3:51:5 | index | controllers/comments_controller.rb:99:3:100:5 | foo | controllers/comments_controller.rb:102:3:103:5 | bar |
+| controllers/comments_controller.rb:17:3:51:5 | index | controllers/comments_controller.rb:102:3:103:5 | bar | controllers/comments_controller.rb:17:3:51:5 | index |
+| controllers/comments_controller.rb:53:3:54:5 | create | controllers/application_controller.rb:6:3:8:5 | set_user | controllers/comments_controller.rb:74:3:77:5 | ensure_user_can_edit_comments |
+| controllers/comments_controller.rb:53:3:54:5 | create | controllers/application_controller.rb:10:3:12:5 | log_request | controllers/application_controller.rb:6:3:8:5 | set_user |
+| controllers/comments_controller.rb:53:3:54:5 | create | controllers/comments_controller.rb:53:3:54:5 | create | controllers/comments_controller.rb:83:3:85:5 | log_comment_change |
+| controllers/comments_controller.rb:53:3:54:5 | create | controllers/comments_controller.rb:74:3:77:5 | ensure_user_can_edit_comments | controllers/comments_controller.rb:99:3:100:5 | foo |
+| controllers/comments_controller.rb:53:3:54:5 | create | controllers/comments_controller.rb:83:3:85:5 | log_comment_change | controllers/comments_controller.rb:87:3:89:5 | check_feature_flags |
+| controllers/comments_controller.rb:53:3:54:5 | create | controllers/comments_controller.rb:87:3:89:5 | check_feature_flags | controllers/comments_controller.rb:95:3:97:5 | this_must_run_last |
+| controllers/comments_controller.rb:53:3:54:5 | create | controllers/comments_controller.rb:91:3:93:5 | this_must_run_first | controllers/application_controller.rb:10:3:12:5 | log_request |
+| controllers/comments_controller.rb:53:3:54:5 | create | controllers/comments_controller.rb:99:3:100:5 | foo | controllers/comments_controller.rb:102:3:103:5 | bar |
+| controllers/comments_controller.rb:53:3:54:5 | create | controllers/comments_controller.rb:102:3:103:5 | bar | controllers/comments_controller.rb:53:3:54:5 | create |
+| controllers/comments_controller.rb:56:3:62:5 | show | controllers/application_controller.rb:6:3:8:5 | set_user | controllers/comments_controller.rb:79:3:81:5 | set_comment |
+| controllers/comments_controller.rb:56:3:62:5 | show | controllers/application_controller.rb:10:3:12:5 | log_request | controllers/application_controller.rb:6:3:8:5 | set_user |
+| controllers/comments_controller.rb:56:3:62:5 | show | controllers/comments_controller.rb:56:3:62:5 | show | controllers/comments_controller.rb:87:3:89:5 | check_feature_flags |
+| controllers/comments_controller.rb:56:3:62:5 | show | controllers/comments_controller.rb:79:3:81:5 | set_comment | controllers/comments_controller.rb:99:3:100:5 | foo |
+| controllers/comments_controller.rb:56:3:62:5 | show | controllers/comments_controller.rb:87:3:89:5 | check_feature_flags | controllers/comments_controller.rb:95:3:97:5 | this_must_run_last |
+| controllers/comments_controller.rb:56:3:62:5 | show | controllers/comments_controller.rb:91:3:93:5 | this_must_run_first | controllers/application_controller.rb:10:3:12:5 | log_request |
+| controllers/comments_controller.rb:56:3:62:5 | show | controllers/comments_controller.rb:99:3:100:5 | foo | controllers/comments_controller.rb:102:3:103:5 | bar |
+| controllers/comments_controller.rb:56:3:62:5 | show | controllers/comments_controller.rb:102:3:103:5 | bar | controllers/comments_controller.rb:56:3:62:5 | show |
+| controllers/comments_controller.rb:64:3:66:5 | photo | controllers/application_controller.rb:6:3:8:5 | set_user | controllers/comments_controller.rb:99:3:100:5 | foo |
+| controllers/comments_controller.rb:64:3:66:5 | photo | controllers/application_controller.rb:10:3:12:5 | log_request | controllers/application_controller.rb:6:3:8:5 | set_user |
+| controllers/comments_controller.rb:64:3:66:5 | photo | controllers/comments_controller.rb:64:3:66:5 | photo | controllers/comments_controller.rb:83:3:85:5 | log_comment_change |
+| controllers/comments_controller.rb:64:3:66:5 | photo | controllers/comments_controller.rb:83:3:85:5 | log_comment_change | controllers/comments_controller.rb:87:3:89:5 | check_feature_flags |
+| controllers/comments_controller.rb:64:3:66:5 | photo | controllers/comments_controller.rb:87:3:89:5 | check_feature_flags | controllers/comments_controller.rb:95:3:97:5 | this_must_run_last |
+| controllers/comments_controller.rb:64:3:66:5 | photo | controllers/comments_controller.rb:91:3:93:5 | this_must_run_first | controllers/application_controller.rb:10:3:12:5 | log_request |
+| controllers/comments_controller.rb:64:3:66:5 | photo | controllers/comments_controller.rb:99:3:100:5 | foo | controllers/comments_controller.rb:102:3:103:5 | bar |
+| controllers/comments_controller.rb:64:3:66:5 | photo | controllers/comments_controller.rb:102:3:103:5 | bar | controllers/comments_controller.rb:64:3:66:5 | photo |
+| controllers/comments_controller.rb:68:3:70:5 | destroy | controllers/application_controller.rb:6:3:8:5 | set_user | controllers/comments_controller.rb:74:3:77:5 | ensure_user_can_edit_comments |
+| controllers/comments_controller.rb:68:3:70:5 | destroy | controllers/application_controller.rb:10:3:12:5 | log_request | controllers/application_controller.rb:6:3:8:5 | set_user |
+| controllers/comments_controller.rb:68:3:70:5 | destroy | controllers/comments_controller.rb:68:3:70:5 | destroy | controllers/comments_controller.rb:83:3:85:5 | log_comment_change |
+| controllers/comments_controller.rb:68:3:70:5 | destroy | controllers/comments_controller.rb:74:3:77:5 | ensure_user_can_edit_comments | controllers/comments_controller.rb:79:3:81:5 | set_comment |
+| controllers/comments_controller.rb:68:3:70:5 | destroy | controllers/comments_controller.rb:79:3:81:5 | set_comment | controllers/comments_controller.rb:99:3:100:5 | foo |
+| controllers/comments_controller.rb:68:3:70:5 | destroy | controllers/comments_controller.rb:83:3:85:5 | log_comment_change | controllers/comments_controller.rb:87:3:89:5 | check_feature_flags |
+| controllers/comments_controller.rb:68:3:70:5 | destroy | controllers/comments_controller.rb:87:3:89:5 | check_feature_flags | controllers/comments_controller.rb:95:3:97:5 | this_must_run_last |
+| controllers/comments_controller.rb:68:3:70:5 | destroy | controllers/comments_controller.rb:91:3:93:5 | this_must_run_first | controllers/application_controller.rb:10:3:12:5 | log_request |
+| controllers/comments_controller.rb:68:3:70:5 | destroy | controllers/comments_controller.rb:99:3:100:5 | foo | controllers/comments_controller.rb:102:3:103:5 | bar |
+| controllers/comments_controller.rb:68:3:70:5 | destroy | controllers/comments_controller.rb:102:3:103:5 | bar | controllers/comments_controller.rb:68:3:70:5 | destroy |
 | controllers/photos_controller.rb:3:3:6:5 | show | controllers/application_controller.rb:10:3:12:5 | log_request | controllers/photos_controller.rb:3:3:6:5 | show |
 | controllers/photos_controller.rb:3:3:6:5 | show | controllers/photos_controller.rb:3:3:6:5 | show | controllers/photos_controller.rb:8:3:9:5 | foo |
 | controllers/posts_controller.rb:12:3:13:5 | index | controllers/application_controller.rb:6:3:8:5 | set_user | controllers/posts_controller.rb:12:3:13:5 | index |
diff --git a/ruby/ql/test/library-tests/frameworks/action_controller/controllers/comments_controller.rb b/ruby/ql/test/library-tests/frameworks/action_controller/controllers/comments_controller.rb
@@ -7,11 +7,12 @@ class CommentsController < ApplicationController
   before_action :set_comment, only: [:show, :edit, :update, :destroy]
   before_action :foo, :bar
 
-  # this overrides the earlier callback on L2
-  after_action :log_comment_change, except: [:index, :show, :new]
+  # this overrides the earlier callback on L3
+  after_action :log_comment_change, except: READ_ACTIONS
   prepend_before_action :this_must_run_first
 
   WRITE_ACTIONS = %i[create update destroy]
+  READ_ACTIONS = %i[index show new]
 
   def index
     request.params

Original file line number	Diff line number	Diff line change
`@@ -94,8 +94,11 @@ module Filters {`
`94`	`94`	`result = except.getConstantValue().getStringlikeValue()`
`95`	`95`	`or`
`96`	`96`	`// except: [:create, :update]`
`97`		`- result =`
`98`		`- except.(ArrayLiteralCfgNode).getAnArgument().getConstantValue().getStringlikeValue()`
	`97`	`+ // except: SOME_CONST_ARRAY`
	`98`	`+ exists(ArrayLiteralCfgNode n \|`
	`99`	`+ isArrayConstant(except, n) and`
	`100`	`+ result = n.getAnArgument().getConstantValue().getStringlikeValue()`
	`101`	`+ )`
`99`	`102`	`)`
`100`	`103`	`}`
`101`	`104`