Ruby: Add test for spurious splat flow

hmac · hmac · commit c615f183c1ae · 2023-08-21T16:11:10.000+01:00
We don't yet properly model splat flow when a positional argument
follows a splat argument.
diff --git a/ruby/ql/test/library-tests/dataflow/params/params-flow.expected b/ruby/ql/test/library-tests/dataflow/params/params-flow.expected
@@ -107,6 +107,15 @@ edges
 | params_flow.rb:118:12:118:13 | * ... [element] | params_flow.rb:9:16:9:17 | p1 |
 | params_flow.rb:118:12:118:13 | * ... [element] | params_flow.rb:9:20:9:21 | p2 |
 | params_flow.rb:118:13:118:13 | x [element] | params_flow.rb:118:12:118:13 | * ... [element] |
+| params_flow.rb:130:1:130:4 | args [element 0] | params_flow.rb:131:11:131:14 | args [element 0] |
+| params_flow.rb:130:1:130:4 | args [element 1] | params_flow.rb:131:11:131:14 | args [element 1] |
+| params_flow.rb:130:9:130:17 | call to taint | params_flow.rb:130:1:130:4 | args [element 0] |
+| params_flow.rb:130:20:130:28 | call to taint | params_flow.rb:130:1:130:4 | args [element 1] |
+| params_flow.rb:131:10:131:14 | * ... [element 0] | params_flow.rb:83:14:83:14 | t |
+| params_flow.rb:131:10:131:14 | * ... [element 1] | params_flow.rb:83:17:83:17 | u |
+| params_flow.rb:131:11:131:14 | args [element 0] | params_flow.rb:131:10:131:14 | * ... [element 0] |
+| params_flow.rb:131:11:131:14 | args [element 1] | params_flow.rb:131:10:131:14 | * ... [element 1] |
+| params_flow.rb:131:17:131:25 | call to taint | params_flow.rb:83:17:83:17 | u |
 nodes
 | params_flow.rb:9:16:9:17 | p1 | semmle.label | p1 |
 | params_flow.rb:9:20:9:21 | p2 | semmle.label | p2 |
@@ -235,6 +244,15 @@ nodes
 | params_flow.rb:117:19:117:27 | call to taint | semmle.label | call to taint |
 | params_flow.rb:118:12:118:13 | * ... [element] | semmle.label | * ... [element] |
 | params_flow.rb:118:13:118:13 | x [element] | semmle.label | x [element] |
+| params_flow.rb:130:1:130:4 | args [element 0] | semmle.label | args [element 0] |
+| params_flow.rb:130:1:130:4 | args [element 1] | semmle.label | args [element 1] |
+| params_flow.rb:130:9:130:17 | call to taint | semmle.label | call to taint |
+| params_flow.rb:130:20:130:28 | call to taint | semmle.label | call to taint |
+| params_flow.rb:131:10:131:14 | * ... [element 0] | semmle.label | * ... [element 0] |
+| params_flow.rb:131:10:131:14 | * ... [element 1] | semmle.label | * ... [element 1] |
+| params_flow.rb:131:11:131:14 | args [element 0] | semmle.label | args [element 0] |
+| params_flow.rb:131:11:131:14 | args [element 1] | semmle.label | args [element 1] |
+| params_flow.rb:131:17:131:25 | call to taint | semmle.label | call to taint |
 subpaths
 #select
 | params_flow.rb:10:10:10:11 | p1 | params_flow.rb:14:12:14:19 | call to taint | params_flow.rb:10:10:10:11 | p1 | $@ | params_flow.rb:14:12:14:19 | call to taint | call to taint |
@@ -275,7 +293,10 @@ subpaths
 | params_flow.rb:75:10:75:10 | r | params_flow.rb:78:54:78:62 | call to taint | params_flow.rb:75:10:75:10 | r | $@ | params_flow.rb:78:54:78:62 | call to taint | call to taint |
 | params_flow.rb:75:10:75:10 | r | params_flow.rb:96:79:96:87 | call to taint | params_flow.rb:75:10:75:10 | r | $@ | params_flow.rb:96:79:96:87 | call to taint | call to taint |
 | params_flow.rb:84:10:84:10 | t | params_flow.rb:94:10:94:18 | call to taint | params_flow.rb:84:10:84:10 | t | $@ | params_flow.rb:94:10:94:18 | call to taint | call to taint |
+| params_flow.rb:84:10:84:10 | t | params_flow.rb:130:9:130:17 | call to taint | params_flow.rb:84:10:84:10 | t | $@ | params_flow.rb:130:9:130:17 | call to taint | call to taint |
 | params_flow.rb:85:10:85:10 | u | params_flow.rb:94:21:94:29 | call to taint | params_flow.rb:85:10:85:10 | u | $@ | params_flow.rb:94:21:94:29 | call to taint | call to taint |
+| params_flow.rb:85:10:85:10 | u | params_flow.rb:130:20:130:28 | call to taint | params_flow.rb:85:10:85:10 | u | $@ | params_flow.rb:130:20:130:28 | call to taint | call to taint |
+| params_flow.rb:85:10:85:10 | u | params_flow.rb:131:17:131:25 | call to taint | params_flow.rb:85:10:85:10 | u | $@ | params_flow.rb:131:17:131:25 | call to taint | call to taint |
 | params_flow.rb:87:10:87:10 | w | params_flow.rb:94:39:94:47 | call to taint | params_flow.rb:87:10:87:10 | w | $@ | params_flow.rb:94:39:94:47 | call to taint | call to taint |
 | params_flow.rb:99:10:99:10 | a | params_flow.rb:105:15:105:23 | call to taint | params_flow.rb:99:10:99:10 | a | $@ | params_flow.rb:105:15:105:23 | call to taint | call to taint |
 | params_flow.rb:99:10:99:10 | a | params_flow.rb:106:15:106:23 | call to taint | params_flow.rb:99:10:99:10 | a | $@ | params_flow.rb:106:15:106:23 | call to taint | call to taint |
diff --git a/ruby/ql/test/library-tests/dataflow/params/params_flow.rb b/ruby/ql/test/library-tests/dataflow/params/params_flow.rb
@@ -81,8 +81,8 @@ def splatmid(x, y, *z, w, r)
 splatmid(taint(32), *args, taint(37))
 
 def pos_many(t, u, v, w, x, y, z)
-    sink t # $ hasValueFlow=38
-    sink u # $ hasValueFlow=39
+    sink t # $ hasValueFlow=38 $ hasValueFlow=66
+    sink u # $ hasValueFlow=39 $ hasValueFlow=67 $ SPURIOUS: hasValueFlow=68
     sink v # $ MISSING: hasValueFlow=40
     sink w # $ MISSING: hasValueFlow=41 $ SPURIOUS: hasValueFlow=44
     sink x # $ MISSING: hasValueFlow=42
@@ -126,3 +126,6 @@ def destruct((a,b), (c,(d,e)))
 end
 
 destruct([taint(62), taint(63)], [taint(64), [0, taint(65)]])
+
+args = [taint(66), taint(67)]
+pos_many(*args, taint(68), nil, nil, nil, nil)
