Ruby: restructure rack model

Author: alexrford

ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll

@@ -326,7 +326,7 @@ private module Request {
     private import codeql.ruby.frameworks.Rack
 
     private class RackEnv extends Env {
-      RackEnv() { this = any(Rack::AppCandidate app).getEnv().getALocalUse() }
+      RackEnv() { this = any(Rack::App::AppCandidate app).getEnv().getALocalUse() }
     }
 
     /**

ruby/ql/lib/codeql/ruby/frameworks/Rack.qll

@@ -2,5 +2,10 @@
  * Provides modeling for the Rack library.
  */
 module Rack {
-  import rack.Rack
+  import rack.internal.App
+  import rack.internal.Mime
+  import rack.internal.Response::Public as Response
+
+  /** DEPRECATED: Alias for App::AppCandidate */
+  deprecated class AppCandidate = App::AppCandidate;
 }

ruby/ql/lib/codeql/ruby/frameworks/rack/Rack.qll

@@ -0,0 +1,41 @@
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.DataFlow
+private import codeql.ruby.typetracking.TypeTracker
+private import Response::Private as RP
+
+private DataFlow::LocalSourceNode trackRackResponse(TypeTracker t, RP::PotentialResponseNode n) {
+  t.start() and
+  result = n
+  or
+  exists(TypeTracker t2 | result = trackRackResponse(t2, n).track(t2, t))
+}
+
+private DataFlow::Node trackRackResponse(RP::PotentialResponseNode n) {
+  trackRackResponse(TypeTracker::end(), n).flowsTo(result)
+}
+
+module App {
+  /**
+   * A class that may be a rack application.
+   * This is a class that has a `call` method that takes a single argument
+   * (traditionally called `env`) and returns a rack-compatible response.
+   */
+  class AppCandidate extends DataFlow::ClassNode {
+    private DataFlow::MethodNode call;
+    private RP::PotentialResponseNode resp;
+
+    AppCandidate() {
+      call = this.getInstanceMethod("call") and
+      call.getNumberOfParameters() = 1 and
+      call.getReturn() = trackRackResponse(resp)
+    }
+
+    /**
+     * Gets the environment of the request, which is the lone parameter to the `call` method.
+     */
+    DataFlow::ParameterNode getEnv() { result = call.getParameter(0) }
+
+    /** Gets the response returned from the request. */
+    RP::PotentialResponseNode getResponse() { result = resp }
+  }
+}

ruby/ql/lib/codeql/ruby/frameworks/rack/internal/App.qll

@@ -1,3 +1,6 @@
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.DataFlow
+
 predicate mimeTypeMatches(string ext, string mimeType) {
   ext = ".123" and mimeType = "application/vnd.lotus-1-2-3"
   or
@@ -1283,3 +1286,17 @@ predicate mimeTypeMatches(string ext, string mimeType) {
   or
   ext = ".zmm" and mimeType = "application/vnd.handheld-entertainment+xml"
 }
+
+module Mime {
+  class MimetypeCall extends DataFlow::CallNode {
+    MimetypeCall() {
+      this = API::getTopLevelMember("Rack").getMember("Mime").getAMethodCall("mime_type")
+    }
+
+    private string getExtension() {
+      result = this.getArgument(0).getConstantValue().getStringlikeValue()
+    }
+
+    string getMimeType() { mimeTypeMatches(this.getExtension(), result) }
+  }
+}

ruby/ql/lib/codeql/ruby/frameworks/rack/internal/MimeTypes.qll renamed to ruby/ql/lib/codeql/ruby/frameworks/rack/internal/Mime.qll

@@ -0,0 +1,84 @@
+private import codeql.ruby.AST
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.Concepts
+private import codeql.ruby.controlflow.CfgNodes::ExprNodes
+private import codeql.ruby.DataFlow
+private import codeql.ruby.typetracking.TypeTracker
+private import App as A
+
+module Private {
+  private DataFlow::LocalSourceNode trackInt(TypeTracker t, int i) {
+    t.start() and
+    result.getConstantValue().isInt(i)
+    or
+    exists(TypeTracker t2 | result = trackInt(t2, i).track(t2, t))
+  }
+
+  private DataFlow::Node trackInt(int i) { trackInt(TypeTracker::end(), i).flowsTo(result) }
+
+  class PotentialResponseNode extends DataFlow::ArrayLiteralNode {
+    // [status, headers, body]
+    PotentialResponseNode() { this.getNumberOfArguments() = 3 }
+
+    /**
+     * Gets an HTTP status code that may be returned in this response.
+     */
+    int getAStatusCode() { this.getElement(0) = trackInt(result) }
+
+    /** Gets the headers returned with this response. */
+    DataFlow::Node getHeaders() { result = this.getElement(1) }
+
+    /** Gets the body of this response. */
+    DataFlow::Node getBody() { result = this.getElement(2) }
+  }
+}
+
+module Public {
+  bindingset[headerName]
+  private DataFlow::Node getHeaderValue(ResponseNode resp, string headerName) {
+    exists(DataFlow::Node headers | headers = resp.getHeaders() |
+      // set via `headers.<header_name>=`
+      exists(
+        DataFlow::CallNode contentTypeAssignment, Assignment assignment,
+        DataFlow::PostUpdateNode postUpdateHeaders
+      |
+        contentTypeAssignment.getMethodName() = headerName.replaceAll("-", "_").toLowerCase() + "=" and
+        assignment =
+          contentTypeAssignment.getArgument(0).(DataFlow::OperationNode).asOperationAstNode() and
+        postUpdateHeaders.(DataFlow::LocalSourceNode).flowsTo(headers) and
+        postUpdateHeaders.getPreUpdateNode() = contentTypeAssignment.getReceiver()
+      |
+        result.asExpr().getExpr() = assignment.getRightOperand()
+      )
+      or
+      // set within a hash
+      exists(DataFlow::HashLiteralNode headersHash | headersHash.flowsTo(headers) |
+        result =
+          headersHash
+              .getElementFromKey(any(ConstantValue v |
+                  v.getStringlikeValue().toLowerCase() = headerName.toLowerCase()
+                ))
+      )
+    )
+  }
+
+  /** A `DataFlow::Node` returned from a rack request. */
+  class ResponseNode extends Private::PotentialResponseNode, Http::Server::HttpResponse::Range {
+    ResponseNode() { this = any(A::App::AppCandidate app).getResponse() }
+
+    override DataFlow::Node getBody() { result = this.getElement(2) }
+
+    override DataFlow::Node getMimetypeOrContentTypeArg() {
+      result = getHeaderValue(this, "content-type")
+    }
+
+    // TODO
+    override string getMimetypeDefault() { none() }
+  }
+
+  class RedirectResponse extends ResponseNode, Http::Server::HttpRedirectResponse::Range {
+    RedirectResponse() { this.getAStatusCode() = [300, 301, 302, 303, 307, 308] }
+
+    override DataFlow::Node getRedirectLocation() { result = getHeaderValue(this, "location") }
+  }
+}

ruby/ql/lib/codeql/ruby/frameworks/rack/internal/Response.qll

@@ -2,20 +2,26 @@ private import codeql.ruby.AST
 private import codeql.ruby.frameworks.Rack
 private import codeql.ruby.DataFlow
 
-query predicate rackApps(Rack::AppCandidate c, DataFlow::ParameterNode env) { env = c.getEnv() }
+query predicate rackApps(Rack::App::AppCandidate c, DataFlow::ParameterNode env) {
+  env = c.getEnv()
+}
 
-query predicate rackResponseStatusCodes(Rack::ResponseNode resp, string status) {
+query predicate rackResponseStatusCodes(Rack::Response::ResponseNode resp, string status) {
   if exists(resp.getAStatusCode())
   then status = resp.getAStatusCode().toString()
   else status = "<unknown>"
 }
 
-query predicate rackResponseContentTypes(Rack::ResponseNode resp, DataFlow::Node contentType) {
+query predicate rackResponseContentTypes(
+  Rack::Response::ResponseNode resp, DataFlow::Node contentType
+) {
   contentType = resp.getMimetypeOrContentTypeArg()
 }
 
-query predicate mimetypeCalls(Rack::MimetypeCall c, string mimetype) { mimetype = c.getMimeType() }
+query predicate mimetypeCalls(Rack::Mime::MimetypeCall c, string mimetype) {
+  mimetype = c.getMimeType()
+}
 
-query predicate redirectResponses(Rack::RedirectResponse resp, DataFlow::Node location) {
+query predicate redirectResponses(Rack::Response::RedirectResponse resp, DataFlow::Node location) {
   location = resp.getRedirectLocation()
 }