Ruby: Add filter flow tests

hmac · hmac · commit fae5320c3a59 · 2023-02-21T19:27:53.000+13:00
diff --git a/ruby/ql/test/library-tests/frameworks/action_controller/ActionController.expected b/ruby/ql/test/library-tests/frameworks/action_controller/ActionController.expected
@@ -6,6 +6,11 @@ actionControllerControllerClasses
 | controllers/posts_controller.rb:1:1:32:3 | PostsController |
 | controllers/tags_controller.rb:1:1:2:3 | TagsController |
 | controllers/users/notifications_controller.rb:2:3:5:5 | Users::NotificationsController |
+| filter_flow.rb:9:1:23:3 | OneController |
+| filter_flow.rb:25:1:40:3 | TwoController |
+| filter_flow.rb:42:1:57:3 | ThreeController |
+| filter_flow.rb:59:1:73:3 | FourController |
+| filter_flow.rb:75:1:93:3 | FiveController |
 | input_access.rb:1:1:50:3 | UsersController |
 | params_flow.rb:1:1:162:3 | MyController |
 | params_flow.rb:170:1:178:3 | Subclass |
@@ -27,6 +32,22 @@ actionControllerActionMethods
 | controllers/posts_controller.rb:17:3:18:5 | show |
 | controllers/posts_controller.rb:20:3:21:5 | upvote |
 | controllers/users/notifications_controller.rb:3:5:4:7 | mark_as_read |
+| filter_flow.rb:13:3:15:5 | a |
+| filter_flow.rb:17:3:18:5 | b |
+| filter_flow.rb:20:3:22:5 | c |
+| filter_flow.rb:29:3:31:5 | a |
+| filter_flow.rb:33:3:35:5 | b |
+| filter_flow.rb:37:3:39:5 | c |
+| filter_flow.rb:46:3:49:5 | a |
+| filter_flow.rb:51:3:52:5 | b |
+| filter_flow.rb:54:3:56:5 | c |
+| filter_flow.rb:63:3:65:5 | a |
+| filter_flow.rb:67:3:68:5 | b |
+| filter_flow.rb:70:3:72:5 | c |
+| filter_flow.rb:79:3:81:5 | a |
+| filter_flow.rb:83:3:84:5 | b |
+| filter_flow.rb:86:3:88:5 | c |
+| filter_flow.rb:90:3:92:5 | taint_foo |
 | input_access.rb:2:3:49:5 | index |
 | logging.rb:2:5:8:7 | index |
 | params_flow.rb:2:3:4:5 | m1 |
@@ -72,6 +93,11 @@ paramsCalls
 | controllers/foo/bars_controller.rb:21:21:21:26 | call to params |
 | controllers/foo/bars_controller.rb:22:10:22:15 | call to params |
 | controllers/posts_controller.rb:26:23:26:28 | call to params |
+| filter_flow.rb:14:12:14:17 | call to params |
+| filter_flow.rb:30:12:30:17 | call to params |
+| filter_flow.rb:47:12:47:17 | call to params |
+| filter_flow.rb:64:16:64:21 | call to params |
+| filter_flow.rb:91:12:91:17 | call to params |
 | params_flow.rb:3:10:3:15 | call to params |
 | params_flow.rb:7:10:7:15 | call to params |
 | params_flow.rb:11:10:11:15 | call to params |
@@ -127,6 +153,11 @@ paramsSources
 | controllers/foo/bars_controller.rb:21:21:21:26 | call to params |
 | controllers/foo/bars_controller.rb:22:10:22:15 | call to params |
 | controllers/posts_controller.rb:26:23:26:28 | call to params |
+| filter_flow.rb:14:12:14:17 | call to params |
+| filter_flow.rb:30:12:30:17 | call to params |
+| filter_flow.rb:47:12:47:17 | call to params |
+| filter_flow.rb:64:16:64:21 | call to params |
+| filter_flow.rb:91:12:91:17 | call to params |
 | params_flow.rb:3:10:3:15 | call to params |
 | params_flow.rb:7:10:7:15 | call to params |
 | params_flow.rb:11:10:11:15 | call to params |
@@ -192,6 +223,11 @@ httpInputAccesses
 | controllers/foo/bars_controller.rb:21:21:21:26 | call to params | ActionController::Metal#params |
 | controllers/foo/bars_controller.rb:22:10:22:15 | call to params | ActionController::Metal#params |
 | controllers/posts_controller.rb:26:23:26:28 | call to params | ActionController::Metal#params |
+| filter_flow.rb:14:12:14:17 | call to params | ActionController::Metal#params |
+| filter_flow.rb:30:12:30:17 | call to params | ActionController::Metal#params |
+| filter_flow.rb:47:12:47:17 | call to params | ActionController::Metal#params |
+| filter_flow.rb:64:16:64:21 | call to params | ActionController::Metal#params |
+| filter_flow.rb:91:12:91:17 | call to params | ActionController::Metal#params |
 | input_access.rb:3:5:3:18 | call to params | ActionDispatch::Request#params |
 | input_access.rb:4:5:4:22 | call to parameters | ActionDispatch::Request#parameters |
 | input_access.rb:5:5:5:15 | call to GET | ActionDispatch::Request#GET |
diff --git a/ruby/ql/test/library-tests/frameworks/action_controller/Filters.expected b/ruby/ql/test/library-tests/frameworks/action_controller/Filters.expected
@@ -2,12 +2,12 @@ additionalFlowSteps
 | controllers/application_controller.rb:7:5:7:9 | [post] self | controllers/comments_controller.rb:74:3:77:5 | self in ensure_user_can_edit_comments |
 | controllers/application_controller.rb:7:5:7:9 | [post] self | controllers/comments_controller.rb:79:3:81:5 | self in set_comment |
 | controllers/application_controller.rb:7:5:7:9 | [post] self | controllers/comments_controller.rb:99:3:100:5 | self in foo |
-| controllers/application_controller.rb:7:5:7:9 | [post] self | controllers/posts_controller.rb:12:3:13:5 | self in index |
-| controllers/application_controller.rb:7:5:7:9 | [post] self | controllers/posts_controller.rb:15:3:16:5 | self in show |
-| controllers/application_controller.rb:7:5:7:9 | [post] self | controllers/posts_controller.rb:18:3:19:5 | self in upvote |
+| controllers/application_controller.rb:7:5:7:9 | [post] self | controllers/posts_controller.rb:12:3:15:5 | self in index |
+| controllers/application_controller.rb:7:5:7:9 | [post] self | controllers/posts_controller.rb:17:3:18:5 | self in show |
+| controllers/application_controller.rb:7:5:7:9 | [post] self | controllers/posts_controller.rb:20:3:21:5 | self in upvote |
 | controllers/application_controller.rb:11:53:11:59 | self | controllers/application_controller.rb:6:3:8:5 | self in set_user |
 | controllers/application_controller.rb:11:53:11:59 | self | controllers/photos_controller.rb:3:3:6:5 | self in show |
-| controllers/application_controller.rb:11:53:11:59 | self | controllers/posts_controller.rb:23:3:25:5 | self in set_post |
+| controllers/application_controller.rb:11:53:11:59 | self | controllers/posts_controller.rb:25:3:27:5 | self in set_post |
 | controllers/comments_controller.rb:50:5:50:12 | self | controllers/comments_controller.rb:87:3:89:5 | self in check_feature_flags |
 | controllers/comments_controller.rb:53:3:54:5 | self in create | controllers/comments_controller.rb:83:3:85:5 | self in log_comment_change |
 | controllers/comments_controller.rb:57:5:61:7 | self | controllers/comments_controller.rb:87:3:89:5 | self in check_feature_flags |
@@ -28,8 +28,18 @@ additionalFlowSteps
 | controllers/comments_controller.rb:102:3:103:5 | self in bar | controllers/comments_controller.rb:64:3:66:5 | self in photo |
 | controllers/comments_controller.rb:102:3:103:5 | self in bar | controllers/comments_controller.rb:68:3:70:5 | self in destroy |
 | controllers/photos_controller.rb:5:5:5:6 | [post] self | controllers/photos_controller.rb:8:3:9:5 | self in foo |
-| controllers/posts_controller.rb:18:3:19:5 | self in upvote | controllers/posts_controller.rb:27:3:29:5 | self in log_upvote |
-| controllers/posts_controller.rb:24:5:24:9 | [post] self | controllers/application_controller.rb:6:3:8:5 | self in set_user |
+| controllers/posts_controller.rb:20:3:21:5 | self in upvote | controllers/posts_controller.rb:29:3:31:5 | self in log_upvote |
+| controllers/posts_controller.rb:26:5:26:9 | [post] self | controllers/application_controller.rb:6:3:8:5 | self in set_user |
+| filter_flow.rb:14:5:14:8 | [post] self | filter_flow.rb:17:3:18:5 | self in b |
+| filter_flow.rb:17:3:18:5 | self in b | filter_flow.rb:20:3:22:5 | self in c |
+| filter_flow.rb:30:5:30:8 | [post] self | filter_flow.rb:33:3:35:5 | self in b |
+| filter_flow.rb:34:5:34:8 | [post] self | filter_flow.rb:37:3:39:5 | self in c |
+| filter_flow.rb:48:5:48:8 | [post] self | filter_flow.rb:51:3:52:5 | self in b |
+| filter_flow.rb:51:3:52:5 | self in b | filter_flow.rb:54:3:56:5 | self in c |
+| filter_flow.rb:64:16:64:21 | self | filter_flow.rb:67:3:68:5 | self in b |
+| filter_flow.rb:67:3:68:5 | self in b | filter_flow.rb:70:3:72:5 | self in c |
+| filter_flow.rb:80:5:80:8 | self | filter_flow.rb:83:3:84:5 | self in b |
+| filter_flow.rb:83:3:84:5 | self in b | filter_flow.rb:86:3:88:5 | self in c |
 filterChain
 | controllers/comments_controller.rb:17:3:51:5 | index | controllers/application_controller.rb:6:3:8:5 | set_user | controllers/comments_controller.rb:99:3:100:5 | foo |
 | controllers/comments_controller.rb:17:3:51:5 | index | controllers/application_controller.rb:10:3:12:5 | log_request | controllers/application_controller.rb:6:3:8:5 | set_user |
@@ -84,3 +94,13 @@ filterChain
 | controllers/posts_controller.rb:20:3:21:5 | upvote | controllers/application_controller.rb:10:3:12:5 | log_request | controllers/posts_controller.rb:25:3:27:5 | set_post |
 | controllers/posts_controller.rb:20:3:21:5 | upvote | controllers/posts_controller.rb:20:3:21:5 | upvote | controllers/posts_controller.rb:29:3:31:5 | log_upvote |
 | controllers/posts_controller.rb:20:3:21:5 | upvote | controllers/posts_controller.rb:25:3:27:5 | set_post | controllers/application_controller.rb:6:3:8:5 | set_user |
+| filter_flow.rb:17:3:18:5 | b | filter_flow.rb:13:3:15:5 | a | filter_flow.rb:17:3:18:5 | b |
+| filter_flow.rb:17:3:18:5 | b | filter_flow.rb:17:3:18:5 | b | filter_flow.rb:20:3:22:5 | c |
+| filter_flow.rb:33:3:35:5 | b | filter_flow.rb:29:3:31:5 | a | filter_flow.rb:33:3:35:5 | b |
+| filter_flow.rb:33:3:35:5 | b | filter_flow.rb:33:3:35:5 | b | filter_flow.rb:37:3:39:5 | c |
+| filter_flow.rb:51:3:52:5 | b | filter_flow.rb:46:3:49:5 | a | filter_flow.rb:51:3:52:5 | b |
+| filter_flow.rb:51:3:52:5 | b | filter_flow.rb:51:3:52:5 | b | filter_flow.rb:54:3:56:5 | c |
+| filter_flow.rb:67:3:68:5 | b | filter_flow.rb:63:3:65:5 | a | filter_flow.rb:67:3:68:5 | b |
+| filter_flow.rb:67:3:68:5 | b | filter_flow.rb:67:3:68:5 | b | filter_flow.rb:70:3:72:5 | c |
+| filter_flow.rb:83:3:84:5 | b | filter_flow.rb:79:3:81:5 | a | filter_flow.rb:83:3:84:5 | b |
+| filter_flow.rb:83:3:84:5 | b | filter_flow.rb:83:3:84:5 | b | filter_flow.rb:86:3:88:5 | c |
diff --git a/ruby/ql/test/library-tests/frameworks/action_controller/filter_flow.rb b/ruby/ql/test/library-tests/frameworks/action_controller/filter_flow.rb
@@ -0,0 +1,93 @@
+Rails.application.routes.draw do
+  get 'one/b', to: "one#b"
+  get 'two/b', to: "two#b"
+  get 'three/b', to: "three#b"
+  get 'four/b', to: "four#b"
+  get 'five/b', to: "five#b"
+end
+
+class OneController < ActionController::Base
+  before_action :a
+  after_action :c
+  
+  def a
+    @foo = params[:foo]
+  end
+
+  def b
+  end
+
+  def c
+    sink @foo
+  end
+end
+
+class TwoController < ActionController::Base
+  before_action :a
+  after_action :c
+  
+  def a
+    @foo = params[:foo]
+  end
+
+  def b
+    @foo = "safe"
+  end
+
+  def c
+    sink @foo
+  end
+end
+
+class ThreeController < ActionController::Base
+  before_action :a
+  after_action :c
+  
+  def a
+    @foo = params[:foo]
+    @foo = "safe"
+  end
+
+  def b
+  end
+
+  def c
+    sink @foo
+  end
+end
+
+class FourController < ActionController::Base
+  before_action :a
+  after_action :c
+  
+  def a
+    @foo.bar = params[:foo]
+  end
+
+  def b
+  end
+
+  def c
+    sink(@foo.bar)
+  end
+end
+
+class FiveController < ActionController::Base
+  before_action :a
+  after_action :c
+  
+  def a
+    self.taint_foo
+  end
+
+  def b
+  end
+
+  def c
+    sink @foo
+  end
+  
+  def taint_foo
+    @foo = params[:foo]
+  end
+end
diff --git a/ruby/ql/test/library-tests/frameworks/action_controller/params-flow.expected b/ruby/ql/test/library-tests/frameworks/action_controller/params-flow.expected
@@ -1,5 +1,22 @@
 failures
+| filter_flow.rb:21:10:21:13 | @foo | Unexpected result: hasTaintFlow= |
+| filter_flow.rb:71:10:71:17 | call to bar | Unexpected result: hasTaintFlow= |
 edges
+| filter_flow.rb:14:5:14:8 | [post] self [@foo] :  | filter_flow.rb:17:3:18:5 | self in b [@foo] :  |
+| filter_flow.rb:14:12:14:17 | call to params :  | filter_flow.rb:14:12:14:23 | ...[...] :  |
+| filter_flow.rb:14:12:14:23 | ...[...] :  | filter_flow.rb:14:5:14:8 | [post] self [@foo] :  |
+| filter_flow.rb:17:3:18:5 | self in b [@foo] :  | filter_flow.rb:20:3:22:5 | self in c [@foo] :  |
+| filter_flow.rb:20:3:22:5 | self in c [@foo] :  | filter_flow.rb:21:10:21:13 | self [@foo] :  |
+| filter_flow.rb:21:10:21:13 | self [@foo] :  | filter_flow.rb:21:10:21:13 | @foo |
+| filter_flow.rb:64:5:64:8 | [post] @foo [@bar] :  | filter_flow.rb:64:5:64:8 | [post] self [@foo, @bar] :  |
+| filter_flow.rb:64:5:64:8 | [post] self [@foo, @bar] :  | filter_flow.rb:64:16:64:21 | self [@foo, @bar] :  |
+| filter_flow.rb:64:16:64:21 | call to params :  | filter_flow.rb:64:16:64:27 | ...[...] :  |
+| filter_flow.rb:64:16:64:21 | self [@foo, @bar] :  | filter_flow.rb:67:3:68:5 | self in b [@foo, @bar] :  |
+| filter_flow.rb:64:16:64:27 | ...[...] :  | filter_flow.rb:64:5:64:8 | [post] @foo [@bar] :  |
+| filter_flow.rb:67:3:68:5 | self in b [@foo, @bar] :  | filter_flow.rb:70:3:72:5 | self in c [@foo, @bar] :  |
+| filter_flow.rb:70:3:72:5 | self in c [@foo, @bar] :  | filter_flow.rb:71:10:71:13 | self [@foo, @bar] :  |
+| filter_flow.rb:71:10:71:13 | @foo [@bar] :  | filter_flow.rb:71:10:71:17 | call to bar |
+| filter_flow.rb:71:10:71:13 | self [@foo, @bar] :  | filter_flow.rb:71:10:71:13 | @foo [@bar] :  |
 | params_flow.rb:3:10:3:15 | call to params :  | params_flow.rb:3:10:3:19 | ...[...] |
 | params_flow.rb:7:10:7:15 | call to params :  | params_flow.rb:7:10:7:23 | call to as_json |
 | params_flow.rb:15:10:15:15 | call to params :  | params_flow.rb:15:10:15:33 | call to permit |
@@ -52,6 +69,23 @@ edges
 | params_flow.rb:172:10:172:15 | call to params :  | params_flow.rb:172:10:172:19 | ...[...] |
 | params_flow.rb:176:10:176:15 | call to params :  | params_flow.rb:176:10:176:19 | ...[...] |
 nodes
+| filter_flow.rb:14:5:14:8 | [post] self [@foo] :  | semmle.label | [post] self [@foo] :  |
+| filter_flow.rb:14:12:14:17 | call to params :  | semmle.label | call to params :  |
+| filter_flow.rb:14:12:14:23 | ...[...] :  | semmle.label | ...[...] :  |
+| filter_flow.rb:17:3:18:5 | self in b [@foo] :  | semmle.label | self in b [@foo] :  |
+| filter_flow.rb:20:3:22:5 | self in c [@foo] :  | semmle.label | self in c [@foo] :  |
+| filter_flow.rb:21:10:21:13 | @foo | semmle.label | @foo |
+| filter_flow.rb:21:10:21:13 | self [@foo] :  | semmle.label | self [@foo] :  |
+| filter_flow.rb:64:5:64:8 | [post] @foo [@bar] :  | semmle.label | [post] @foo [@bar] :  |
+| filter_flow.rb:64:5:64:8 | [post] self [@foo, @bar] :  | semmle.label | [post] self [@foo, @bar] :  |
+| filter_flow.rb:64:16:64:21 | call to params :  | semmle.label | call to params :  |
+| filter_flow.rb:64:16:64:21 | self [@foo, @bar] :  | semmle.label | self [@foo, @bar] :  |
+| filter_flow.rb:64:16:64:27 | ...[...] :  | semmle.label | ...[...] :  |
+| filter_flow.rb:67:3:68:5 | self in b [@foo, @bar] :  | semmle.label | self in b [@foo, @bar] :  |
+| filter_flow.rb:70:3:72:5 | self in c [@foo, @bar] :  | semmle.label | self in c [@foo, @bar] :  |
+| filter_flow.rb:71:10:71:13 | @foo [@bar] :  | semmle.label | @foo [@bar] :  |
+| filter_flow.rb:71:10:71:13 | self [@foo, @bar] :  | semmle.label | self [@foo, @bar] :  |
+| filter_flow.rb:71:10:71:17 | call to bar | semmle.label | call to bar |
 | params_flow.rb:3:10:3:15 | call to params :  | semmle.label | call to params :  |
 | params_flow.rb:3:10:3:19 | ...[...] | semmle.label | ...[...] |
 | params_flow.rb:7:10:7:15 | call to params :  | semmle.label | call to params :  |
@@ -152,6 +186,8 @@ nodes
 | params_flow.rb:176:10:176:19 | ...[...] | semmle.label | ...[...] |
 subpaths
 #select
+| filter_flow.rb:21:10:21:13 | @foo | filter_flow.rb:14:12:14:17 | call to params :  | filter_flow.rb:21:10:21:13 | @foo | $@ | filter_flow.rb:14:12:14:17 | call to params :  | call to params :  |
+| filter_flow.rb:71:10:71:17 | call to bar | filter_flow.rb:64:16:64:21 | call to params :  | filter_flow.rb:71:10:71:17 | call to bar | $@ | filter_flow.rb:64:16:64:21 | call to params :  | call to params :  |
 | params_flow.rb:3:10:3:19 | ...[...] | params_flow.rb:3:10:3:15 | call to params :  | params_flow.rb:3:10:3:19 | ...[...] | $@ | params_flow.rb:3:10:3:15 | call to params :  | call to params :  |
 | params_flow.rb:7:10:7:23 | call to as_json | params_flow.rb:7:10:7:15 | call to params :  | params_flow.rb:7:10:7:23 | call to as_json | $@ | params_flow.rb:7:10:7:15 | call to params :  | call to params :  |
 | params_flow.rb:15:10:15:33 | call to permit | params_flow.rb:15:10:15:15 | call to params :  | params_flow.rb:15:10:15:33 | call to permit | $@ | params_flow.rb:15:10:15:15 | call to params :  | call to params :  |
