Ruby: Implement Fuzzy for Ruby

Author: asgerf

ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModelsSpecific.qll

@@ -176,6 +176,25 @@ API::Node getExtraSuccessorFromInvoke(InvokeNode node, AccessPathToken token) {
   )
 }
 
+pragma[inline]
+API::Node getAFuzzySuccessor(API::Node node) {
+  result = node.getAMember()
+  or
+  result = node.getMethod(_)
+  or
+  result =
+    node.getArgumentAtPosition(any(DataFlowDispatch::ArgumentPosition apos | not apos.isSelf()))
+  or
+  result =
+    node.getParameterAtPosition(any(DataFlowDispatch::ParameterPosition ppos | not ppos.isSelf()))
+  or
+  result = node.getReturn()
+  or
+  result = node.getAnElement()
+  or
+  result = node.getInstance()
+}
+
 /**
  * Holds if `invoke` matches the Ruby-specific call site filter in `token`.
  */

ruby/ql/test/library-tests/dataflow/summaries/Summaries.expected

@@ -45,6 +45,14 @@ edges
 | summaries.rb:1:1:1:7 | tainted | summaries.rb:147:16:147:22 | tainted |
 | summaries.rb:1:1:1:7 | tainted | summaries.rb:150:39:150:45 | tainted |
 | summaries.rb:1:1:1:7 | tainted | summaries.rb:150:39:150:45 | tainted |
+| summaries.rb:1:1:1:7 | tainted | summaries.rb:154:20:154:26 | tainted |
+| summaries.rb:1:1:1:7 | tainted | summaries.rb:154:20:154:26 | tainted |
+| summaries.rb:1:1:1:7 | tainted | summaries.rb:155:28:155:34 | tainted |
+| summaries.rb:1:1:1:7 | tainted | summaries.rb:155:28:155:34 | tainted |
+| summaries.rb:1:1:1:7 | tainted | summaries.rb:156:27:156:33 | tainted |
+| summaries.rb:1:1:1:7 | tainted | summaries.rb:156:27:156:33 | tainted |
+| summaries.rb:1:1:1:7 | tainted | summaries.rb:158:15:158:21 | tainted |
+| summaries.rb:1:1:1:7 | tainted | summaries.rb:158:15:158:21 | tainted |
 | summaries.rb:1:11:1:36 | call to identity | summaries.rb:1:1:1:7 | tainted |
 | summaries.rb:1:11:1:36 | call to identity | summaries.rb:1:1:1:7 | tainted |
 | summaries.rb:1:20:1:36 | call to source | summaries.rb:1:11:1:36 | call to identity |
@@ -232,6 +240,9 @@ edges
 | summaries.rb:122:16:122:22 | [post] tainted | summaries.rb:145:26:145:32 | tainted |
 | summaries.rb:122:16:122:22 | [post] tainted | summaries.rb:147:16:147:22 | tainted |
 | summaries.rb:122:16:122:22 | [post] tainted | summaries.rb:150:39:150:45 | tainted |
+| summaries.rb:122:16:122:22 | [post] tainted | summaries.rb:154:20:154:26 | tainted |
+| summaries.rb:122:16:122:22 | [post] tainted | summaries.rb:155:28:155:34 | tainted |
+| summaries.rb:122:16:122:22 | [post] tainted | summaries.rb:156:27:156:33 | tainted |
 | summaries.rb:122:16:122:22 | tainted | summaries.rb:122:16:122:22 | [post] tainted |
 | summaries.rb:122:16:122:22 | tainted | summaries.rb:122:25:122:25 | [post] y |
 | summaries.rb:122:16:122:22 | tainted | summaries.rb:122:33:122:33 | [post] z |
@@ -475,6 +486,18 @@ nodes
 | summaries.rb:147:16:147:22 | tainted | semmle.label | tainted |
 | summaries.rb:150:39:150:45 | tainted | semmle.label | tainted |
 | summaries.rb:150:39:150:45 | tainted | semmle.label | tainted |
+| summaries.rb:154:20:154:26 | tainted | semmle.label | tainted |
+| summaries.rb:154:20:154:26 | tainted | semmle.label | tainted |
+| summaries.rb:155:28:155:34 | tainted | semmle.label | tainted |
+| summaries.rb:155:28:155:34 | tainted | semmle.label | tainted |
+| summaries.rb:156:27:156:33 | tainted | semmle.label | tainted |
+| summaries.rb:156:27:156:33 | tainted | semmle.label | tainted |
+| summaries.rb:158:15:158:21 | tainted | semmle.label | tainted |
+| summaries.rb:158:15:158:21 | tainted | semmle.label | tainted |
+| summaries.rb:163:20:163:36 | call to source | semmle.label | call to source |
+| summaries.rb:163:20:163:36 | call to source | semmle.label | call to source |
+| summaries.rb:166:20:166:36 | call to source | semmle.label | call to source |
+| summaries.rb:166:20:166:36 | call to source | semmle.label | call to source |
 subpaths
 invalidSpecComponent
 #select
@@ -574,6 +597,18 @@ invalidSpecComponent
 | summaries.rb:147:16:147:22 | tainted | summaries.rb:1:20:1:36 | call to source | summaries.rb:147:16:147:22 | tainted | $@ | summaries.rb:1:20:1:36 | call to source | call to source |
 | summaries.rb:150:39:150:45 | tainted | summaries.rb:1:20:1:36 | call to source | summaries.rb:150:39:150:45 | tainted | $@ | summaries.rb:1:20:1:36 | call to source | call to source |
 | summaries.rb:150:39:150:45 | tainted | summaries.rb:1:20:1:36 | call to source | summaries.rb:150:39:150:45 | tainted | $@ | summaries.rb:1:20:1:36 | call to source | call to source |
+| summaries.rb:154:20:154:26 | tainted | summaries.rb:1:20:1:36 | call to source | summaries.rb:154:20:154:26 | tainted | $@ | summaries.rb:1:20:1:36 | call to source | call to source |
+| summaries.rb:154:20:154:26 | tainted | summaries.rb:1:20:1:36 | call to source | summaries.rb:154:20:154:26 | tainted | $@ | summaries.rb:1:20:1:36 | call to source | call to source |
+| summaries.rb:155:28:155:34 | tainted | summaries.rb:1:20:1:36 | call to source | summaries.rb:155:28:155:34 | tainted | $@ | summaries.rb:1:20:1:36 | call to source | call to source |
+| summaries.rb:155:28:155:34 | tainted | summaries.rb:1:20:1:36 | call to source | summaries.rb:155:28:155:34 | tainted | $@ | summaries.rb:1:20:1:36 | call to source | call to source |
+| summaries.rb:156:27:156:33 | tainted | summaries.rb:1:20:1:36 | call to source | summaries.rb:156:27:156:33 | tainted | $@ | summaries.rb:1:20:1:36 | call to source | call to source |
+| summaries.rb:156:27:156:33 | tainted | summaries.rb:1:20:1:36 | call to source | summaries.rb:156:27:156:33 | tainted | $@ | summaries.rb:1:20:1:36 | call to source | call to source |
+| summaries.rb:158:15:158:21 | tainted | summaries.rb:1:20:1:36 | call to source | summaries.rb:158:15:158:21 | tainted | $@ | summaries.rb:1:20:1:36 | call to source | call to source |
+| summaries.rb:158:15:158:21 | tainted | summaries.rb:1:20:1:36 | call to source | summaries.rb:158:15:158:21 | tainted | $@ | summaries.rb:1:20:1:36 | call to source | call to source |
+| summaries.rb:163:20:163:36 | call to source | summaries.rb:163:20:163:36 | call to source | summaries.rb:163:20:163:36 | call to source | $@ | summaries.rb:163:20:163:36 | call to source | call to source |
+| summaries.rb:163:20:163:36 | call to source | summaries.rb:163:20:163:36 | call to source | summaries.rb:163:20:163:36 | call to source | $@ | summaries.rb:163:20:163:36 | call to source | call to source |
+| summaries.rb:166:20:166:36 | call to source | summaries.rb:166:20:166:36 | call to source | summaries.rb:166:20:166:36 | call to source | $@ | summaries.rb:166:20:166:36 | call to source | call to source |
+| summaries.rb:166:20:166:36 | call to source | summaries.rb:166:20:166:36 | call to source | summaries.rb:166:20:166:36 | call to source | $@ | summaries.rb:166:20:166:36 | call to source | call to source |
 warning
 | CSV type row should have 3 columns but has 1: TooFewColumns |
 | CSV type row should have 3 columns but has 6: TooManyColumns;;Member[Foo].Instance;too;many;columns |

ruby/ql/test/library-tests/dataflow/summaries/Summaries.ql

@@ -145,6 +145,7 @@ private class SinkFromModel extends ModelInput::SinkModelCsv {
         "Foo!;Method[getSinks].ReturnValue.Element[any].Method[mySink].Argument[0];test-sink", //
         "Foo!;Method[arraySink].Argument[0].Element[any];test-sink", //
         "Foo!;Method[secondArrayElementIsSink].Argument[0].Element[1];test-sink", //
+        "FuzzyLib!;Fuzzy.Method[fuzzyCall].Argument[0];test-sink"
       ]
   }
 }

ruby/ql/test/library-tests/dataflow/summaries/summaries.rb

@@ -150,3 +150,19 @@ def userDefinedFunction(x, y)
 Foo.secondArrayElementIsSink(["safe", tainted, "safe"]) # $ hasValueFlow=tainted
 Foo.secondArrayElementIsSink(["safe", "safe", tainted])
 Foo.secondArrayElementIsSink([tainted] * 10) # $ MISSING: hasValueFlow=tainted
+
+FuzzyLib.fuzzyCall(tainted) # $ hasValueFlow=tainted
+FuzzyLib.foo.bar.fuzzyCall(tainted) # $ hasValueFlow=tainted
+FuzzyLib.foo[0].fuzzyCall(tainted) # $ hasValueFlow=tainted
+FuzzyLib.foo do |x|
+  x.fuzzyCall(tainted) # $ hasValueFlow=tainted
+  x.otherCall(tainted)
+end
+class FuzzySub < FuzzyLib::Foo
+  def blah
+    self.fuzzyCall(source("tainted")) # $ hasValueFlow=tainted
+  end
+  def self.blah
+    self.fuzzyCall(source("tainted")) # $ hasValueFlow=tainted
+  end
+end