Ruby: revert to simpler Rack PotentialResponseNode def and use TypeBackTracker to track instances

alexrford · alexrford · commit 0a7ae587101b · 2023-06-07T16:30:53.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/rack/internal/App.qll b/ruby/ql/lib/codeql/ruby/frameworks/rack/internal/App.qll
@@ -7,15 +7,20 @@ private import codeql.ruby.DataFlow
 private import codeql.ruby.typetracking.TypeTracker
 private import Response::Private as RP
 
-private DataFlow::LocalSourceNode trackRackResponse(TypeTracker t, RP::PotentialResponseNode n) {
+/** A method node for a method named `call`. */
+private class CallMethodNode extends DataFlow::MethodNode {
+  CallMethodNode() { this.getMethodName() = "call" }
+}
+
+private DataFlow::LocalSourceNode trackRackResponse(TypeBackTracker t, CallMethodNode call) {
   t.start() and
-  result = n
+  result = call.getAReturningNode()
   or
-  exists(TypeTracker t2 | result = trackRackResponse(t2, n).track(t2, t))
+  exists(TypeBackTracker t2 | result = trackRackResponse(t2, call).backtrack(t2, t))
 }
 
-private DataFlow::Node trackRackResponse(RP::PotentialResponseNode n) {
-  trackRackResponse(TypeTracker::end(), n).flowsTo(result)
+private RP::PotentialResponseNode trackRackResponse(CallMethodNode call) {
+  result = trackRackResponse(TypeBackTracker::end(), call)
 }
 
 /**
@@ -28,21 +33,21 @@ module App {
    * (traditionally called `env`) and returns a rack-compatible response.
    */
   class AppCandidate extends DataFlow::ClassNode {
-    private DataFlow::MethodNode call;
+    private CallMethodNode call;
     private RP::PotentialResponseNode resp;
 
     AppCandidate() {
       call = this.getInstanceMethod("call") and
       call.getNumberOfParameters() = 1 and
-      call.getAReturningNode() = trackRackResponse(resp)
+      resp = trackRackResponse(call)
     }
 
     /**
      * Gets the environment of the request, which is the lone parameter to the `call` method.
      */
     DataFlow::ParameterNode getEnv() { result = call.getParameter(0) }
 
-    /** Gets the response returned from the request. */
+    /** Gets the response returned from a request to this application. */
     RP::PotentialResponseNode getResponse() { result = resp }
   }
 }
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/rack/internal/Response.qll b/ruby/ql/lib/codeql/ruby/frameworks/rack/internal/Response.qll
@@ -24,10 +24,7 @@ module Private {
   /** A `DataFlow::Node` that may be a rack response. This is detected heuristically, if something "looks like" a rack response syntactically then we consider it to be a potential response node. */
   class PotentialResponseNode extends DataFlow::ArrayLiteralNode {
     // [status, headers, body]
-    PotentialResponseNode() {
-      this.getNumberOfArguments() = 3 and
-      this.asExpr().getExpr().getEnclosingModule+().getAMethod().getName() = "call"
-    }
+    PotentialResponseNode() { this.getNumberOfArguments() = 3 }
 
     /**
      * Gets an HTTP status code that may be returned in this response.
