Ruby: Use a newtype instead of DataFlow::FlowState for unicode-bypass-validation

Author: alexrford

ruby/ql/lib/codeql/ruby/experimental/UnicodeBypassValidationQuery.qll

@@ -19,6 +19,15 @@ class PostValidation extends DataFlow::FlowState {
   PostValidation() { this = "PostValidation" }
 }
 
+/**
+ * A state signifying if a logical validation has been performed or not.
+ */
+private newtype ValidationState =
+  // A state signifying that a logical validation has not been performed.
+  PreValidationState() or
+  // A state signifying that a logical validation has been performed.
+  PostValidationState()
+
 /**
  * A taint-tracking configuration for detecting "Unicode transformation mishandling" vulnerabilities.
  *
@@ -29,20 +38,27 @@ class PostValidation extends DataFlow::FlowState {
 deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "UnicodeBypassValidation" }
 
+  private ValidationState convertState(DataFlow::FlowState state) {
+    state instanceof PreValidation and result = PreValidationState()
+    or
+    state instanceof PostValidation and result = PostValidationState()
+  }
+
   override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
-    UnicodeBypassValidationConfig::isSource(source, state)
+    UnicodeBypassValidationConfig::isSource(source, this.convertState(state))
   }
 
   override predicate isAdditionalTaintStep(
     DataFlow::Node nodeFrom, DataFlow::FlowState stateFrom, DataFlow::Node nodeTo,
     DataFlow::FlowState stateTo
   ) {
-    UnicodeBypassValidationConfig::isAdditionalFlowStep(nodeFrom, stateFrom, nodeTo, stateTo)
+    UnicodeBypassValidationConfig::isAdditionalFlowStep(nodeFrom, this.convertState(stateFrom), nodeTo,
+    this.convertState(stateTo))
   }
 
   /* A Unicode Tranformation (Unicode tranformation) is considered a sink when the algorithm used is either NFC or NFKC.  */
   override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
-    UnicodeBypassValidationConfig::isSink(sink, state)
+    UnicodeBypassValidationConfig::isSink(sink, this.convertState(state))
   }
 }
 
@@ -53,15 +69,14 @@ deprecated class Configuration extends TaintTracking::Configuration {
  * to track the requirement that a logical validation has been performed before the Unicode Transformation.
  */
 private module UnicodeBypassValidationConfig implements DataFlow::StateConfigSig {
-  class FlowState = DataFlow::FlowState;
+  class FlowState = ValidationState;
 
-  predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
-    source instanceof RemoteFlowSource and state instanceof PreValidation
+  predicate isSource(DataFlow::Node source, FlowState state) {
+    source instanceof RemoteFlowSource and state = PreValidationState()
   }
 
   predicate isAdditionalFlowStep(
-    DataFlow::Node nodeFrom, DataFlow::FlowState stateFrom, DataFlow::Node nodeTo,
-    DataFlow::FlowState stateTo
+    DataFlow::Node nodeFrom, FlowState stateFrom, DataFlow::Node nodeTo, FlowState stateTo
   ) {
     (
       exists(Escaping escaping | nodeFrom = escaping.getAnInput() and nodeTo = escaping.getOutput())
@@ -102,12 +117,12 @@ private module UnicodeBypassValidationConfig implements DataFlow::StateConfigSig
         nodeTo = cn
       )
     ) and
-    stateFrom instanceof PreValidation and
-    stateTo instanceof PostValidation
+    stateFrom = PreValidationState() and
+    stateTo = PostValidationState()
   }
 
   /* A Unicode Tranformation (Unicode tranformation) is considered a sink when the algorithm used is either NFC or NFKC.  */
-  predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
+  predicate isSink(DataFlow::Node sink, FlowState state) {
     (
       exists(DataFlow::CallNode cn |
         cn.getMethodName() = "unicode_normalize" and
@@ -145,7 +160,7 @@ private module UnicodeBypassValidationConfig implements DataFlow::StateConfigSig
         sink = cn.getArgument(0)
       )
     ) and
-    state instanceof PostValidation
+    state = PostValidationState()
   }
 }