ruby: Limit rack PotentialResponseNode to things that look like they occur in a rack application

Author: alexrford

ruby/ql/lib/codeql/ruby/frameworks/rack/internal/App.qll

@@ -30,7 +30,7 @@ module App {
     AppCandidate() {
       call = this.getInstanceMethod("call") and
       call.getNumberOfParameters() = 1 and
-      call.getReturn() = trackRackResponse(resp)
+      call.getAReturningNode() = trackRackResponse(resp)
     }
 
     /**

ruby/ql/lib/codeql/ruby/frameworks/rack/internal/Response.qll

@@ -19,7 +19,10 @@ module Private {
 
   class PotentialResponseNode extends DataFlow::ArrayLiteralNode {
     // [status, headers, body]
-    PotentialResponseNode() { this.getNumberOfArguments() = 3 }
+    PotentialResponseNode() {
+      this.getNumberOfArguments() = 3 and
+      this.asExpr().getExpr().getEnclosingModule+().getAMethod().getName() = "call"
+    }
 
     /**
      * Gets an HTTP status code that may be returned in this response.