Ruby: Model ActionMailbox#inbound_mail

hmac · hmac · commit 71f2d8f6d81c · 2022-11-30T11:46:21.000+13:00
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/ActionMailbox.qll b/ruby/ql/lib/codeql/ruby/frameworks/ActionMailbox.qll
@@ -25,11 +25,19 @@ module ActionMailbox {
   }
 
   /**
-   * A call to `ActionMailbox::Base#mail`, which is equivalent to calling `inbound_mail.mail`.
-   * The returned object contains data from the incoming mail.
+   * A call to `mail` on the return value of
+   * `ActionMailbox::Base#inbound_email`, or a direct call to
+   * `ActionMailbox::Base#mail`, which is equivalent. The returned object
+   * contains data from the incoming email.
    */
   class MailCall extends DataFlow::CallNode, Mail::Message::Range {
-    MailCall() { this = controller().getAnInstanceSelf().getAMethodCall("mail") }
+    MailCall() {
+      this =
+        [
+          controller().getAnInstanceSelf().getAMethodCall("inbound_email").getAMethodCall("mail"),
+          controller().getAnInstanceSelf().getAMethodCall("mail")
+        ]
+    }
   }
 
   /**
diff --git a/ruby/ql/test/library-tests/frameworks/action_mailbox/ActionMailbox.expected b/ruby/ql/test/library-tests/frameworks/action_mailbox/ActionMailbox.expected
@@ -1,13 +1,15 @@
 processMethods
-| action_mailbox.rb:2:3:5:5 | process |
-| action_mailbox.rb:13:5:15:7 | process |
+| action_mailbox.rb:2:3:7:5 | process |
+| action_mailbox.rb:15:5:17:7 | process |
 messageInstances
 | action_mailbox.rb:3:5:3:8 | call to mail |
 | action_mailbox.rb:4:5:4:8 | call to mail |
-| action_mailbox.rb:8:5:8:8 | call to mail |
-| action_mailbox.rb:14:9:14:12 | call to mail |
+| action_mailbox.rb:6:5:6:10 | call to mail |
+| action_mailbox.rb:10:5:10:8 | call to mail |
+| action_mailbox.rb:16:9:16:12 | call to mail |
 remoteContent
 | action_mailbox.rb:3:5:3:13 | call to body |
 | action_mailbox.rb:4:5:4:11 | call to to |
-| action_mailbox.rb:8:5:8:18 | call to text_part |
-| action_mailbox.rb:14:9:14:23 | call to raw_source |
+| action_mailbox.rb:6:5:6:13 | call to to |
+| action_mailbox.rb:10:5:10:18 | call to text_part |
+| action_mailbox.rb:16:9:16:23 | call to raw_source |
diff --git a/ruby/ql/test/library-tests/frameworks/action_mailbox/action_mailbox.rb b/ruby/ql/test/library-tests/frameworks/action_mailbox/action_mailbox.rb
@@ -2,6 +2,8 @@ class A < ActionMailbox::Base
   def process
     mail.body
     mail.to
+    m = inbound_email
+    m.mail.to
   end
 
   def other_method
