thanks @asgerf for informing me that Successor wants to be deprecated and thank him that providing the solution

am0o0 · hmac · commit 474a4f8abdba · 2024-02-26T11:59:41.000Z
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/Yaml.qll b/ruby/ql/lib/codeql/ruby/frameworks/Yaml.qll
@@ -38,21 +38,25 @@ private class YamlParseStep extends AdditionalTaintStep {
       )
     )
     or
-    exists(API::Node yamlParserMethod |
+    exists(API::Node parseSuccessors | parseSuccessors = yamlParseChildNodeAccess(_) |
       succ =
         [
-          yamlParserMethod.getASuccessor*().getMethod("to_ruby").getReturn().asSource(),
-          yamlParserMethod
-              .getASuccessor*()
-              .getMethod("to_ruby")
-              .getReturn()
-              .getAnElement()
-              .asSource()
+          parseSuccessors.getMethod("to_ruby").getReturn().asSource(),
+          parseSuccessors.getMethod("to_ruby").getReturn().getAnElement().asSource()
         ] and
-      yamlParserMethod = yamlNode().getMethod(["parse", "parse_stream", "parse_file"]) and
-      pred = yamlParserMethod.getReturn().asSource()
+      pred = parseSuccessors.asSource()
     )
   }
 }
 
+API::Node yamlParseChildNodeAccess(API::Node source) {
+  source = yamlNode().getMethod(["parse", "parse_stream"]).getReturn() and source = result
+  or
+  result = yamlParseChildNodeAccess(source).getMethod(_).getReturn()
+  or
+  result = yamlParseChildNodeAccess(source).getMethod(_).getBlock().getParameter(_)
+  or
+  result = yamlParseChildNodeAccess(source).getAnElement()
+}
+
 private API::Node yamlNode() { result = API::getTopLevelMember(["YAML", "Psych"]) }
diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationCustomizations.qll
@@ -11,6 +11,7 @@ private import codeql.ruby.dataflow.RemoteFlowSources
 private import codeql.ruby.frameworks.ActiveJob
 private import codeql.ruby.frameworks.core.Module
 private import codeql.ruby.frameworks.core.Kernel
+private import codeql.ruby.frameworks.Yaml
 
 module UnsafeDeserialization {
   /**
@@ -103,19 +104,8 @@ module UnsafeDeserialization {
     YamlParseArgument() {
       this =
         [
-          yamlNode()
-              .getMethod(["parse", "parse_stream", "parse_file"])
-              .getASuccessor*()
-              .getMethod("to_ruby")
-              .getReturn()
-              .asSource(),
-          yamlNode()
-              .getMethod(["parse", "parse_stream", "parse_file"])
-              .getASuccessor*()
-              .getMethod("to_ruby")
-              .getReturn()
-              .getAnElement()
-              .asSource()
+          yamlParseChildNodeAccess(_).getMethod("to_ruby").getReturn().asSource(),
+          yamlParseChildNodeAccess(_).getMethod("to_ruby").getReturn().getAnElement().asSource()
         ]
     }
   }
