Ruby: Handle unknown content in splat flow

hmac · hmac · commit 142393b5994d · 2023-08-09T15:01:40.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll
@@ -812,7 +812,11 @@ private module ParameterNodes {
     ParameterNode getAParameter(ContentSet c) {
       exists(int n |
         isParameterNode(result, callable, (any(ParameterPosition p | p.isPositional(n)))) and
-        c = getPositionalContent(n)
+        (
+          c = getPositionalContent(n)
+          or
+          c.isSingleton(TUnknownElementContent())
+        )
       )
     }
 
diff --git a/ruby/ql/test/library-tests/dataflow/params/params-flow.expected b/ruby/ql/test/library-tests/dataflow/params/params-flow.expected
@@ -98,6 +98,11 @@ edges
 | params_flow.rb:108:44:108:44 | c | params_flow.rb:111:10:111:10 | c |
 | params_flow.rb:114:33:114:41 | call to taint | params_flow.rb:108:37:108:37 | a |
 | params_flow.rb:114:58:114:66 | call to taint | params_flow.rb:108:44:108:44 | c |
+| params_flow.rb:117:1:117:1 | [post] x [element] | params_flow.rb:118:13:118:13 | x [element] |
+| params_flow.rb:117:19:117:27 | call to taint | params_flow.rb:117:1:117:1 | [post] x [element] |
+| params_flow.rb:118:12:118:13 | * ... [element] | params_flow.rb:9:16:9:17 | p1 |
+| params_flow.rb:118:12:118:13 | * ... [element] | params_flow.rb:9:20:9:21 | p2 |
+| params_flow.rb:118:13:118:13 | x [element] | params_flow.rb:118:12:118:13 | * ... [element] |
 nodes
 | params_flow.rb:9:16:9:17 | p1 | semmle.label | p1 |
 | params_flow.rb:9:20:9:21 | p2 | semmle.label | p2 |
@@ -217,13 +222,19 @@ nodes
 | params_flow.rb:111:10:111:10 | c | semmle.label | c |
 | params_flow.rb:114:33:114:41 | call to taint | semmle.label | call to taint |
 | params_flow.rb:114:58:114:66 | call to taint | semmle.label | call to taint |
+| params_flow.rb:117:1:117:1 | [post] x [element] | semmle.label | [post] x [element] |
+| params_flow.rb:117:19:117:27 | call to taint | semmle.label | call to taint |
+| params_flow.rb:118:12:118:13 | * ... [element] | semmle.label | * ... [element] |
+| params_flow.rb:118:13:118:13 | x [element] | semmle.label | x [element] |
 subpaths
 #select
 | params_flow.rb:10:10:10:11 | p1 | params_flow.rb:14:12:14:19 | call to taint | params_flow.rb:10:10:10:11 | p1 | $@ | params_flow.rb:14:12:14:19 | call to taint | call to taint |
 | params_flow.rb:10:10:10:11 | p1 | params_flow.rb:44:12:44:20 | call to taint | params_flow.rb:10:10:10:11 | p1 | $@ | params_flow.rb:44:12:44:20 | call to taint | call to taint |
 | params_flow.rb:10:10:10:11 | p1 | params_flow.rb:46:9:46:17 | call to taint | params_flow.rb:10:10:10:11 | p1 | $@ | params_flow.rb:46:9:46:17 | call to taint | call to taint |
+| params_flow.rb:10:10:10:11 | p1 | params_flow.rb:117:19:117:27 | call to taint | params_flow.rb:10:10:10:11 | p1 | $@ | params_flow.rb:117:19:117:27 | call to taint | call to taint |
 | params_flow.rb:11:10:11:11 | p2 | params_flow.rb:14:22:14:29 | call to taint | params_flow.rb:11:10:11:11 | p2 | $@ | params_flow.rb:14:22:14:29 | call to taint | call to taint |
 | params_flow.rb:11:10:11:11 | p2 | params_flow.rb:46:20:46:28 | call to taint | params_flow.rb:11:10:11:11 | p2 | $@ | params_flow.rb:46:20:46:28 | call to taint | call to taint |
+| params_flow.rb:11:10:11:11 | p2 | params_flow.rb:117:19:117:27 | call to taint | params_flow.rb:11:10:11:11 | p2 | $@ | params_flow.rb:117:19:117:27 | call to taint | call to taint |
 | params_flow.rb:17:10:17:11 | p1 | params_flow.rb:21:13:21:20 | call to taint | params_flow.rb:17:10:17:11 | p1 | $@ | params_flow.rb:21:13:21:20 | call to taint | call to taint |
 | params_flow.rb:17:10:17:11 | p1 | params_flow.rb:22:27:22:34 | call to taint | params_flow.rb:17:10:17:11 | p1 | $@ | params_flow.rb:22:27:22:34 | call to taint | call to taint |
 | params_flow.rb:17:10:17:11 | p1 | params_flow.rb:23:33:23:40 | call to taint | params_flow.rb:17:10:17:11 | p1 | $@ | params_flow.rb:23:33:23:40 | call to taint | call to taint |
diff --git a/ruby/ql/test/library-tests/dataflow/params/params_flow.rb b/ruby/ql/test/library-tests/dataflow/params/params_flow.rb
@@ -7,8 +7,8 @@ def sink x
 end
 
 def positional(p1, p2)
-    sink p1 # $ hasValueFlow=1 $ hasValueFlow=16 $ hasValueFlow=18
-    sink p2 # $ hasValueFlow=2 $ hasValueFlow=19 $ MISSING: hasValueFlow=17
+    sink p1 # $ hasValueFlow=1 $ hasValueFlow=16 $ hasValueFlow=18 $ hasValueFlow=61
+    sink p2 # $ hasValueFlow=2 $ hasValueFlow=19 $ hasValueFlow=61 $ MISSING: hasValueFlow=17
 end
 
 positional(taint(1), taint(2))
@@ -112,3 +112,7 @@ def splat_followed_by_keyword_param(a, *b, c:)
 end
 
 splat_followed_by_keyword_param(taint(58), taint(59), c: taint(60))
+
+x = []
+x[some_index()] = taint(61)
+positional(*x)

Original file line number	Diff line number	Diff line change
`@@ -812,7 +812,11 @@ private module ParameterNodes {`
`812`	`812`	`ParameterNode getAParameter(ContentSet c) {`
`813`	`813`	`exists(int n \|`
`814`	`814`	`isParameterNode(result, callable, (any(ParameterPosition p \| p.isPositional(n)))) and`
`815`		`- c = getPositionalContent(n)`
	`815`	`+ (`
	`816`	`+ c = getPositionalContent(n)`
	`817`	`+ or`
	`818`	`+ c.isSingleton(TUnknownElementContent())`
	`819`	`+ )`
`816`	`820`	`)`
`817`	`821`	`}`
`818`	`822`