Merge pull request github#13288 from asgerf/rb/super-and-flow-through

asgerf · web-flow · commit 3831dc77852a · 2023-05-26T15:04:52.000+02:00
Ruby: two bug fixes
diff --git a/ruby/ql/lib/codeql/ruby/ast/internal/Call.qll b/ruby/ql/lib/codeql/ruby/ast/internal/Call.qll
@@ -121,13 +121,15 @@ private Ruby::AstNode getSuperParent(Ruby::Super sup) {
   result = sup
   or
   result = getSuperParent(sup).getParent() and
-  not result instanceof Ruby::Method
+  not result instanceof Ruby::Method and
+  not result instanceof Ruby::SingletonMethod
 }
 
 private string getSuperMethodName(Ruby::Super sup) {
-  exists(Ruby::Method meth |
-    meth = getSuperParent(sup).getParent() and
+  exists(Ruby::AstNode meth | meth = getSuperParent(sup).getParent() |
     result = any(Method c | toGenerated(c) = meth).getName()
+    or
+    result = any(SingletonMethod c | toGenerated(c) = meth).getName()
   )
 }
 
diff --git a/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll b/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll
@@ -89,12 +89,23 @@ private predicate flowThrough(DataFlowPublic::ParameterNode param) {
   )
 }
 
+/** Holds if there is flow from `arg` to `p` via the call `call`, not counting `new -> initialize` call steps. */
+pragma[nomagic]
+predicate callStepNoInitialize(
+  ExprNodes::CallCfgNode call, Node arg, DataFlowPrivate::ParameterNodeImpl p
+) {
+  exists(DataFlowDispatch::ParameterPosition pos |
+    argumentPositionMatch(call, arg, pos) and
+    p.isSourceParameterOf(DataFlowDispatch::getTarget(call), pos)
+  )
+}
+
 /** Holds if there is a level step from `nodeFrom` to `nodeTo`, which may depend on the call graph. */
 pragma[nomagic]
 predicate levelStepCall(Node nodeFrom, Node nodeTo) {
   exists(DataFlowPublic::ParameterNode param |
     flowThrough(param) and
-    callStep(nodeTo.asExpr(), nodeFrom, param)
+    callStepNoInitialize(nodeTo.asExpr(), nodeFrom, param)
   )
 }
 
diff --git a/ruby/ql/src/change-notes/2023-05-26-super-and-flow-through.md b/ruby/ql/src/change-notes/2023-05-26-super-and-flow-through.md
@@ -0,0 +1,6 @@
+---
+category: minorAnalysis
+---
+* Fixed a bug that would occur when an `initialize` method returns `self` or one of its parameters.
+  In such cases, the corresponding calls to `new` would be associated with an incorrect return type.
+  This could result in inaccurate call target resolution and cause false positive alerts.

Original file line number	Diff line number	Diff line change
`@@ -121,13 +121,15 @@ private Ruby::AstNode getSuperParent(Ruby::Super sup) {`
`121`	`121`	`result = sup`
`122`	`122`	`or`
`123`	`123`	`result = getSuperParent(sup).getParent() and`
`124`		`- not result instanceof Ruby::Method`
	`124`	`+ not result instanceof Ruby::Method and`
	`125`	`+ not result instanceof Ruby::SingletonMethod`
`125`	`126`	`}`
`126`	`127`
`127`	`128`	`private string getSuperMethodName(Ruby::Super sup) {`
`128`		`- exists(Ruby::Method meth \|`
`129`		`- meth = getSuperParent(sup).getParent() and`
	`129`	`+ exists(Ruby::AstNode meth \| meth = getSuperParent(sup).getParent() \|`
`130`	`130`	`result = any(Method c \| toGenerated(c) = meth).getName()`
	`131`	`+ or`
	`132`	`+ result = any(SingletonMethod c \| toGenerated(c) = meth).getName()`
`131`	`133`	`)`
`132`	`134`	`}`
`133`	`135`
Original file line number	Diff line number	Diff line change
`@@ -89,12 +89,23 @@ private predicate flowThrough(DataFlowPublic::ParameterNode param) {`
`89`	`89`	`)`
`90`	`90`	`}`
`91`	`91`
	`92`	+/** Holds if there is flow from `arg` to `p` via the call `call`, not counting `new -> initialize` call steps. */
	`93`	`+pragma[nomagic]`
	`94`	`+predicate callStepNoInitialize(`
	`95`	`+ ExprNodes::CallCfgNode call, Node arg, DataFlowPrivate::ParameterNodeImpl p`
	`96`	`+) {`
	`97`	`+ exists(DataFlowDispatch::ParameterPosition pos \|`
	`98`	`+ argumentPositionMatch(call, arg, pos) and`
	`99`	`+ p.isSourceParameterOf(DataFlowDispatch::getTarget(call), pos)`
	`100`	`+ )`
	`101`	`+}`
	`102`	`+`
`92`	`103`	/** Holds if there is a level step from `nodeFrom` to `nodeTo`, which may depend on the call graph. */
`93`	`104`	`pragma[nomagic]`
`94`	`105`	`predicate levelStepCall(Node nodeFrom, Node nodeTo) {`
`95`	`106`	`exists(DataFlowPublic::ParameterNode param \|`
`96`	`107`	`flowThrough(param) and`
`97`		`- callStep(nodeTo.asExpr(), nodeFrom, param)`
	`108`	`+ callStepNoInitialize(nodeTo.asExpr(), nodeFrom, param)`
`98`	`109`	`)`
`99`	`110`	`}`
`100`	`111`