Ruby: Handle alternative gemspec names

hmac · hmac · commit ad608341ab72 · 2023-11-27T09:18:00.000Z
Gemspecs are sometimes named via the first argument to
`Gem::Specification.new`:

```rb
Gem::Specification.new 'sinatra' do |s|
  # ...
end
```
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/core/Gem.qll b/ruby/ql/lib/codeql/ruby/frameworks/core/Gem.qll
@@ -57,7 +57,10 @@ module Gem {
     }
 
     /** Gets the name of the gem */
-    string getName() { result = this.getSpecProperty("name").getConstantValue().getString() }
+    string getName() {
+      result = this.getSpecProperty("name").getConstantValue().getString() or
+      result = specCall.getArgument(0).getAValueReachingSink().getConstantValue().getString()
+    }
 
     /** Gets a path that is loaded when the gem is required */
     private string getARequirePath() {
diff --git a/ruby/ql/src/utils/modeleditor/ModelEditor.qll b/ruby/ql/src/utils/modeleditor/ModelEditor.qll
@@ -15,14 +15,14 @@ private predicate isUninteresting(DataFlow::MethodNode c) {
   c.getLocation().getFile() instanceof TestFile
 }
 
-private predicate fileStep(Folder folder, File file, int n) {
-  n = 0 and folder.getAFile() = file
+private predicate gemFileStep(Gem::GemSpec gem, Folder folder, int n) {
+  n = 0 and folder.getAFile() = gem.(File)
   or
-  exists(int m | fileStep(folder.getAFolder(), file, m) | n = m + 1)
-}
-
-private predicate gemFileStep(Gem::GemSpec gem, File file, int n) {
-  fileStep(any(Folder f | f.getAFile() = gem.(File)), file, n)
+  exists(Folder parent, int m |
+    gemFileStep(gem, parent, m) and
+    parent.getAFolder() = folder and
+    n = m + 1
+  )
 }
 
 /**
@@ -40,11 +40,13 @@ class Endpoint extends DataFlow::MethodNode {
    */
   bindingset[this]
   string getNamespace() {
-    // The nearest gemspec to this endpoint, if one exists
-    result = min(Gem::GemSpec g, int n | gemFileStep(g, this.getFile(), n) | g order by n).getName()
-    or
-    not exists(Gem::GemSpec g) and
-    result = ""
+    exists(Folder folder | folder = this.getFile().getParentContainer() |
+      // The nearest gemspec to this endpoint, if one exists
+      result = min(Gem::GemSpec g, int n | gemFileStep(g, folder, n) | g order by n).getName()
+      or
+      not exists(Gem::GemSpec g | gemFileStep(g, folder, _)) and
+      result = ""
+    )
   }
 
   /**
