Ruby: Restrict parameter nodes

hmac · hmac · commit 6011d26823fc · 2023-08-11T15:14:32.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll
@@ -426,9 +426,12 @@ private module Cached {
     TSelfArgumentPosition() or
     TBlockArgumentPosition() or
     TPositionalArgumentPosition(int pos) {
-      exists(Call c | exists(c.getArgument(pos)))
-      or
-      FlowSummaryImplSpecific::ParsePositions::isParsedParameterPosition(_, pos)
+      pos in [0 .. 10] and
+      (
+        exists(Call c | exists(c.getArgument(pos)))
+        or
+        FlowSummaryImplSpecific::ParsePositions::isParsedParameterPosition(_, pos)
+      )
     } or
     TKeywordArgumentPosition(string name) {
       name = any(KeywordParameter kp).getName()
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll
@@ -337,6 +337,7 @@ private module Cached {
       c.getAnArgument() instanceof CfgNodes::ExprNodes::PairCfgNode
     } or
     TSynthSplatArgumentNode(CfgNodes::ExprNodes::CallCfgNode c) {
+      exists(Argument arg, ArgumentPosition pos | pos.isPositional(_) | arg.isArgumentOf(c, pos)) and
       not exists(Argument arg, ArgumentPosition pos | pos.isSplat(_) or pos.isSplatAll() |
         arg.isArgumentOf(c, pos)
       )
diff --git a/ruby/ql/test/library-tests/dataflow/local/Nodes.expected b/ruby/ql/test/library-tests/dataflow/local/Nodes.expected
@@ -1234,18 +1234,14 @@ arg
 | local_dataflow.rb:9:10:9:10 | 1 | local_dataflow.rb:9:9:9:15 | call to [] | position 0 |
 | local_dataflow.rb:9:12:9:12 | 2 | local_dataflow.rb:9:9:9:15 | call to [] | position 1 |
 | local_dataflow.rb:9:14:9:14 | 3 | local_dataflow.rb:9:9:9:15 | call to [] | position 2 |
-| local_dataflow.rb:10:5:13:3 | * | local_dataflow.rb:10:5:13:3 | call to each | synthetic * |
 | local_dataflow.rb:10:5:13:3 | { ... } | local_dataflow.rb:10:5:13:3 | call to each | block |
 | local_dataflow.rb:10:14:10:18 | array | local_dataflow.rb:10:5:13:3 | call to each | self |
-| local_dataflow.rb:11:1:11:2 | * | local_dataflow.rb:11:1:11:2 | call to do | synthetic * |
 | local_dataflow.rb:11:1:11:2 | self | local_dataflow.rb:11:1:11:2 | call to do | self |
 | local_dataflow.rb:12:3:12:5 | * | local_dataflow.rb:12:3:12:5 | call to p | synthetic * |
 | local_dataflow.rb:12:3:12:5 | self | local_dataflow.rb:12:3:12:5 | call to p | self |
 | local_dataflow.rb:12:5:12:5 | x | local_dataflow.rb:12:3:12:5 | call to p | position 0 |
-| local_dataflow.rb:15:1:17:3 | * | local_dataflow.rb:15:1:17:3 | call to each | synthetic * |
 | local_dataflow.rb:15:1:17:3 | { ... } | local_dataflow.rb:15:1:17:3 | call to each | block |
 | local_dataflow.rb:15:10:15:14 | array | local_dataflow.rb:15:1:17:3 | call to each | self |
-| local_dataflow.rb:19:1:21:3 | * | local_dataflow.rb:19:1:21:3 | call to each | synthetic * |
 | local_dataflow.rb:19:1:21:3 | { ... } | local_dataflow.rb:19:1:21:3 | call to each | block |
 | local_dataflow.rb:19:10:19:14 | array | local_dataflow.rb:19:1:21:3 | call to each | self |
 | local_dataflow.rb:20:6:20:6 | x | local_dataflow.rb:20:6:20:10 | ... > ... | self |
@@ -1257,7 +1253,6 @@ arg
 | local_dataflow.rb:42:6:42:6 | x | local_dataflow.rb:42:6:42:11 | ... == ... | self |
 | local_dataflow.rb:42:6:42:11 | * | local_dataflow.rb:42:6:42:11 | ... == ... | synthetic * |
 | local_dataflow.rb:42:11:42:11 | 4 | local_dataflow.rb:42:6:42:11 | ... == ... | position 0 |
-| local_dataflow.rb:49:1:53:3 | * | local_dataflow.rb:49:1:53:3 | call to m | synthetic * |
 | local_dataflow.rb:49:1:53:3 | self | local_dataflow.rb:49:1:53:3 | call to m | self |
 | local_dataflow.rb:49:3:53:3 | do ... end | local_dataflow.rb:49:1:53:3 | call to m | block |
 | local_dataflow.rb:50:18:50:18 | x | local_dataflow.rb:50:18:50:22 | ... < ... | self |
@@ -1389,32 +1384,27 @@ arg
 | local_dataflow.rb:112:8:112:16 | * | local_dataflow.rb:112:8:112:16 | call to source | synthetic * |
 | local_dataflow.rb:112:8:112:16 | call to source | local_dataflow.rb:112:8:112:20 | call to dup | self |
 | local_dataflow.rb:112:8:112:16 | self | local_dataflow.rb:112:8:112:16 | call to source | self |
-| local_dataflow.rb:112:8:112:20 | * | local_dataflow.rb:112:8:112:20 | call to dup | synthetic * |
 | local_dataflow.rb:112:8:112:20 | call to dup | local_dataflow.rb:112:3:112:21 | call to sink | position 0 |
 | local_dataflow.rb:112:15:112:15 | 1 | local_dataflow.rb:112:8:112:16 | call to source | position 0 |
 | local_dataflow.rb:113:3:113:25 | * | local_dataflow.rb:113:3:113:25 | call to sink | synthetic * |
 | local_dataflow.rb:113:3:113:25 | self | local_dataflow.rb:113:3:113:25 | call to sink | self |
 | local_dataflow.rb:113:8:113:16 | * | local_dataflow.rb:113:8:113:16 | call to source | synthetic * |
 | local_dataflow.rb:113:8:113:16 | call to source | local_dataflow.rb:113:8:113:20 | call to dup | self |
 | local_dataflow.rb:113:8:113:16 | self | local_dataflow.rb:113:8:113:16 | call to source | self |
-| local_dataflow.rb:113:8:113:20 | * | local_dataflow.rb:113:8:113:20 | call to dup | synthetic * |
 | local_dataflow.rb:113:8:113:20 | call to dup | local_dataflow.rb:113:8:113:24 | call to dup | self |
-| local_dataflow.rb:113:8:113:24 | * | local_dataflow.rb:113:8:113:24 | call to dup | synthetic * |
 | local_dataflow.rb:113:8:113:24 | call to dup | local_dataflow.rb:113:3:113:25 | call to sink | position 0 |
 | local_dataflow.rb:113:15:113:15 | 1 | local_dataflow.rb:113:8:113:16 | call to source | position 0 |
 | local_dataflow.rb:117:3:117:24 | * | local_dataflow.rb:117:3:117:24 | call to sink | synthetic * |
 | local_dataflow.rb:117:3:117:24 | self | local_dataflow.rb:117:3:117:24 | call to sink | self |
 | local_dataflow.rb:117:8:117:16 | * | local_dataflow.rb:117:8:117:16 | call to source | synthetic * |
 | local_dataflow.rb:117:8:117:16 | call to source | local_dataflow.rb:117:8:117:23 | call to tap | self |
 | local_dataflow.rb:117:8:117:16 | self | local_dataflow.rb:117:8:117:16 | call to source | self |
-| local_dataflow.rb:117:8:117:23 | * | local_dataflow.rb:117:8:117:23 | call to tap | synthetic * |
 | local_dataflow.rb:117:8:117:23 | call to tap | local_dataflow.rb:117:3:117:24 | call to sink | position 0 |
 | local_dataflow.rb:117:15:117:15 | 1 | local_dataflow.rb:117:8:117:16 | call to source | position 0 |
 | local_dataflow.rb:117:22:117:23 | { ... } | local_dataflow.rb:117:8:117:23 | call to tap | block |
 | local_dataflow.rb:118:3:118:11 | * | local_dataflow.rb:118:3:118:11 | call to source | synthetic * |
 | local_dataflow.rb:118:3:118:11 | call to source | local_dataflow.rb:118:3:118:31 | call to tap | self |
 | local_dataflow.rb:118:3:118:11 | self | local_dataflow.rb:118:3:118:11 | call to source | self |
-| local_dataflow.rb:118:3:118:31 | * | local_dataflow.rb:118:3:118:31 | call to tap | synthetic * |
 | local_dataflow.rb:118:10:118:10 | 1 | local_dataflow.rb:118:3:118:11 | call to source | position 0 |
 | local_dataflow.rb:118:17:118:31 | { ... } | local_dataflow.rb:118:3:118:31 | call to tap | block |
 | local_dataflow.rb:118:23:118:29 | * | local_dataflow.rb:118:23:118:29 | call to sink | synthetic * |
@@ -1425,9 +1415,7 @@ arg
 | local_dataflow.rb:119:8:119:16 | * | local_dataflow.rb:119:8:119:16 | call to source | synthetic * |
 | local_dataflow.rb:119:8:119:16 | call to source | local_dataflow.rb:119:8:119:23 | call to tap | self |
 | local_dataflow.rb:119:8:119:16 | self | local_dataflow.rb:119:8:119:16 | call to source | self |
-| local_dataflow.rb:119:8:119:23 | * | local_dataflow.rb:119:8:119:23 | call to tap | synthetic * |
 | local_dataflow.rb:119:8:119:23 | call to tap | local_dataflow.rb:119:8:119:30 | call to tap | self |
-| local_dataflow.rb:119:8:119:30 | * | local_dataflow.rb:119:8:119:30 | call to tap | synthetic * |
 | local_dataflow.rb:119:8:119:30 | call to tap | local_dataflow.rb:119:3:119:31 | call to sink | position 0 |
 | local_dataflow.rb:119:15:119:15 | 1 | local_dataflow.rb:119:8:119:16 | call to source | position 0 |
 | local_dataflow.rb:119:22:119:23 | { ... } | local_dataflow.rb:119:8:119:23 | call to tap | block |
@@ -1437,18 +1425,14 @@ arg
 | local_dataflow.rb:123:8:123:16 | * | local_dataflow.rb:123:8:123:16 | call to source | synthetic * |
 | local_dataflow.rb:123:8:123:16 | call to source | local_dataflow.rb:123:8:123:20 | call to dup | self |
 | local_dataflow.rb:123:8:123:16 | self | local_dataflow.rb:123:8:123:16 | call to source | self |
-| local_dataflow.rb:123:8:123:20 | * | local_dataflow.rb:123:8:123:20 | call to dup | synthetic * |
 | local_dataflow.rb:123:8:123:20 | call to dup | local_dataflow.rb:123:8:123:45 | call to tap | self |
-| local_dataflow.rb:123:8:123:45 | * | local_dataflow.rb:123:8:123:45 | call to tap | synthetic * |
 | local_dataflow.rb:123:8:123:45 | call to tap | local_dataflow.rb:123:8:123:49 | call to dup | self |
-| local_dataflow.rb:123:8:123:49 | * | local_dataflow.rb:123:8:123:49 | call to dup | synthetic * |
 | local_dataflow.rb:123:8:123:49 | call to dup | local_dataflow.rb:123:3:123:50 | call to sink | position 0 |
 | local_dataflow.rb:123:15:123:15 | 1 | local_dataflow.rb:123:8:123:16 | call to source | position 0 |
 | local_dataflow.rb:123:26:123:45 | { ... } | local_dataflow.rb:123:8:123:45 | call to tap | block |
 | local_dataflow.rb:123:32:123:43 | * | local_dataflow.rb:123:32:123:43 | call to puts | synthetic * |
 | local_dataflow.rb:123:32:123:43 | self | local_dataflow.rb:123:32:123:43 | call to puts | self |
 | local_dataflow.rb:123:37:123:43 | "hello" | local_dataflow.rb:123:32:123:43 | call to puts | position 0 |
-| local_dataflow.rb:127:3:127:8 | * | local_dataflow.rb:127:3:127:8 | call to rand | synthetic * |
 | local_dataflow.rb:127:3:127:8 | self | local_dataflow.rb:127:3:127:8 | call to rand | self |
 | local_dataflow.rb:132:6:132:11 | * | local_dataflow.rb:132:6:132:11 | call to use | synthetic * |
 | local_dataflow.rb:132:6:132:11 | self | local_dataflow.rb:132:6:132:11 | call to use | self |
@@ -1478,17 +1462,13 @@ arg
 | local_dataflow.rb:137:10:137:26 | * | local_dataflow.rb:137:10:137:26 | [false] ... && ... | synthetic * |
 | local_dataflow.rb:137:10:137:26 | * | local_dataflow.rb:137:10:137:26 | [true] ... && ... | synthetic * |
 | local_dataflow.rb:137:14:137:14 | x | local_dataflow.rb:137:10:137:15 | call to use | position 0 |
-| local_dataflow.rb:137:20:137:26 | * | local_dataflow.rb:137:20:137:26 | [false] ! ... | synthetic * |
-| local_dataflow.rb:137:20:137:26 | * | local_dataflow.rb:137:20:137:26 | [true] ! ... | synthetic * |
 | local_dataflow.rb:137:20:137:26 | [false] ! ... | local_dataflow.rb:137:10:137:26 | [false] ... && ... | position 0 |
 | local_dataflow.rb:137:20:137:26 | [true] ! ... | local_dataflow.rb:137:10:137:26 | [true] ... && ... | position 0 |
 | local_dataflow.rb:137:21:137:26 | * | local_dataflow.rb:137:21:137:26 | call to use | synthetic * |
 | local_dataflow.rb:137:21:137:26 | call to use | local_dataflow.rb:137:20:137:26 | [false] ! ... | self |
 | local_dataflow.rb:137:21:137:26 | call to use | local_dataflow.rb:137:20:137:26 | [true] ! ... | self |
 | local_dataflow.rb:137:21:137:26 | self | local_dataflow.rb:137:21:137:26 | call to use | self |
 | local_dataflow.rb:137:25:137:25 | x | local_dataflow.rb:137:21:137:26 | call to use | position 0 |
-| local_dataflow.rb:141:8:141:14 | * | local_dataflow.rb:141:8:141:14 | [false] ! ... | synthetic * |
-| local_dataflow.rb:141:8:141:14 | * | local_dataflow.rb:141:8:141:14 | [true] ! ... | synthetic * |
 | local_dataflow.rb:141:8:141:14 | [false] ! ... | local_dataflow.rb:141:8:141:37 | [false] ... \|\| ... | self |
 | local_dataflow.rb:141:8:141:14 | [false] ! ... | local_dataflow.rb:141:8:141:37 | [true] ... \|\| ... | self |
 | local_dataflow.rb:141:8:141:14 | [true] ! ... | local_dataflow.rb:141:8:141:37 | [true] ... \|\| ... | self |
@@ -1508,8 +1488,6 @@ arg
 | local_dataflow.rb:141:20:141:36 | * | local_dataflow.rb:141:20:141:36 | [false] ... && ... | synthetic * |
 | local_dataflow.rb:141:20:141:36 | * | local_dataflow.rb:141:20:141:36 | [true] ... && ... | synthetic * |
 | local_dataflow.rb:141:24:141:24 | x | local_dataflow.rb:141:20:141:25 | call to use | position 0 |
-| local_dataflow.rb:141:30:141:36 | * | local_dataflow.rb:141:30:141:36 | [false] ! ... | synthetic * |
-| local_dataflow.rb:141:30:141:36 | * | local_dataflow.rb:141:30:141:36 | [true] ! ... | synthetic * |
 | local_dataflow.rb:141:30:141:36 | [false] ! ... | local_dataflow.rb:141:20:141:36 | [false] ... && ... | position 0 |
 | local_dataflow.rb:141:30:141:36 | [true] ! ... | local_dataflow.rb:141:20:141:36 | [true] ... && ... | position 0 |
 | local_dataflow.rb:141:31:141:36 | * | local_dataflow.rb:141:31:141:36 | call to use | synthetic * |

Original file line number	Diff line number	Diff line change
`@@ -337,6 +337,7 @@ private module Cached {`
`337`	`337`	`c.getAnArgument() instanceof CfgNodes::ExprNodes::PairCfgNode`
`338`	`338`	`} or`
`339`	`339`	`TSynthSplatArgumentNode(CfgNodes::ExprNodes::CallCfgNode c) {`
	`340`	`+ exists(Argument arg, ArgumentPosition pos \| pos.isPositional(_) \| arg.isArgumentOf(c, pos)) and`
`340`	`341`	`not exists(Argument arg, ArgumentPosition pos \| pos.isSplat(_) or pos.isSplatAll() \|`
`341`	`342`	`arg.isArgumentOf(c, pos)`
`342`	`343`	`)`