Ruby: Track types in data flow #15118

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hvitved wants to merge 9 commits into github:main from hvitved:ruby/type-flow

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll

-Original file line number
+Diff line change
@@ Expand Up @@
       }
       predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, Node node2) { none() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, DataFlowType t1, Node node2, DataFlowType t2) {
+        none()
+      }
     }
     deprecated private import Impl<Config> as I
@@ Expand Down @@

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

-Original file line number
+Diff line change
@@ Expand Up @@
       }
       predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, Node node2) { none() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, DataFlowType t1, Node node2, DataFlowType t2) {
+        none()
+      }
     }
     deprecated private import Impl<Config> as I
@@ Expand Down @@

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

-Original file line number
+Diff line change
@@ Expand Up @@
       }
       predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, Node node2) { none() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, DataFlowType t1, Node node2, DataFlowType t2) {
+        none()
+      }
     }
     deprecated private import Impl<Config> as I
@@ Expand Down @@

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll

-Original file line number
+Diff line change
@@ Expand Up @@
       }
       predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, Node node2) { none() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, DataFlowType t1, Node node2, DataFlowType t2) {
+        none()
+      }
     }
     deprecated private import Impl<Config> as I
@@ Expand Down @@

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll

-Original file line number
+Diff line change
@@ Expand Up @@
       }
       predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, Node node2) { none() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, DataFlowType t1, Node node2, DataFlowType t2) {
+        none()
+      }
     }
     deprecated private import Impl<Config> as I
@@ Expand Down @@

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll

-Original file line number
+Diff line change
@@ Expand Up @@
       }
       predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, Node node2) { none() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, DataFlowType t1, Node node2, DataFlowType t2) {
+        none()
+      }
     }
     deprecated private import Impl<Config> as I
@@ Expand Down @@

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

-Original file line number
+Diff line change
@@ Expand Up @@
       }
       predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, Node node2) { none() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, DataFlowType t1, Node node2, DataFlowType t2) {
+        none()
+      }
     }
     deprecated private import Impl<Config> as I
@@ Expand Down @@

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

-Original file line number
+Diff line change
@@ Expand Up @@
       }
       predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, Node node2) { none() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, DataFlowType t1, Node node2, DataFlowType t2) {
+        none()
+      }
     }
     deprecated private import Impl<Config> as I
@@ Expand Down @@

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

-Original file line number
+Diff line change
@@ Expand Up @@
       }
       predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, Node node2) { none() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, DataFlowType t1, Node node2, DataFlowType t2) {
+        none()
+      }
     }
     deprecated private import Impl<Config> as I
@@ Expand Down @@

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl1.qll

-Original file line number
+Diff line change
@@ Expand Up @@
       }
       predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, Node node2) { none() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, DataFlowType t1, Node node2, DataFlowType t2) {
+        none()
+      }
     }
     deprecated private import Impl<Config> as I
@@ Expand Down @@

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll

-Original file line number
+Diff line change
@@ Expand Up @@
       }
       predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, Node node2) { none() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, DataFlowType t1, Node node2, DataFlowType t2) {
+        none()
+      }
     }
     deprecated private import Impl<Config> as I
@@ Expand Down @@

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll

-Original file line number
+Diff line change
@@ Expand Up @@
       }
       predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, Node node2) { none() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, DataFlowType t1, Node node2, DataFlowType t2) {
+        none()
+      }
     }
     deprecated private import Impl<Config> as I
@@ Expand Down @@

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll

-Original file line number
+Diff line change
@@ Expand Up @@
       }
       predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, Node node2) { none() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, DataFlowType t1, Node node2, DataFlowType t2) {
+        none()
+      }
     }
     deprecated private import Impl<Config> as I
@@ Expand Down @@

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll

-Original file line number
+Diff line change
@@ Expand Up @@
       }
       predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, Node node2) { none() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, DataFlowType t1, Node node2, DataFlowType t2) {
+        none()
+      }
     }
     deprecated private import Impl<Config> as I
@@ Expand Down @@

go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl1.qll

-Original file line number
+Diff line change
@@ Expand Up @@
       }
       predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, Node node2) { none() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, DataFlowType t1, Node node2, DataFlowType t2) {
+        none()
+      }
     }
     deprecated private import Impl<Config> as I
@@ Expand Down @@

go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl2.qll

-Original file line number
+Diff line change
@@ Expand Up @@
       }
       predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, Node node2) { none() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, DataFlowType t1, Node node2, DataFlowType t2) {
+        none()
+      }
     }
     deprecated private import Impl<Config> as I
@@ Expand Down @@

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl1.qll

-Original file line number
+Diff line change
@@ Expand Up @@
       }
       predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, Node node2) { none() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, DataFlowType t1, Node node2, DataFlowType t2) {
+        none()
+      }
     }
     deprecated private import Impl<Config> as I
@@ Expand Down @@

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll

-Original file line number
+Diff line change
@@ Expand Up @@
       }
       predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, Node node2) { none() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, DataFlowType t1, Node node2, DataFlowType t2) {
+        none()
+      }
     }
     deprecated private import Impl<Config> as I
@@ Expand Down @@

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll

-Original file line number
+Diff line change
@@ Expand Up @@
       }
       predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, Node node2) { none() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, DataFlowType t1, Node node2, DataFlowType t2) {
+        none()
+      }
     }
     deprecated private import Impl<Config> as I
@@ Expand Down @@

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll

-Original file line number
+Diff line change
@@ Expand Up @@
       }
       predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, Node node2) { none() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, DataFlowType t1, Node node2, DataFlowType t2) {
+        none()
+      }
     }
     deprecated private import Impl<Config> as I
@@ Expand Down @@

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll

-Original file line number
+Diff line change
@@ Expand Up @@
       }
       predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, Node node2) { none() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, DataFlowType t1, Node node2, DataFlowType t2) {
+        none()
+      }
     }
     deprecated private import Impl<Config> as I
@@ Expand Down @@

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll

-Original file line number
+Diff line change
@@ Expand Up @@
       }
       predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, Node node2) { none() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, DataFlowType t1, Node node2, DataFlowType t2) {
+        none()
+      }
     }
     deprecated private import Impl<Config> as I
@@ Expand Down @@

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl1.qll

-Original file line number
+Diff line change
@@ Expand Up @@
       }
       predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, Node node2) { none() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, DataFlowType t1, Node node2, DataFlowType t2) {
+        none()
+      }
     }
     deprecated private import Impl<Config> as I
@@ Expand Down @@

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll

-Original file line number
+Diff line change
@@ Expand Up @@
       }
       predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, Node node2) { none() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, DataFlowType t1, Node node2, DataFlowType t2) {
+        none()
+      }
     }
     deprecated private import Impl<Config> as I
@@ Expand Down @@

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll

-Original file line number
+Diff line change
@@ Expand Up @@
       }
       predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, Node node2) { none() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, DataFlowType t1, Node node2, DataFlowType t2) {
+        none()
+      }
     }
     deprecated private import Impl<Config> as I
@@ Expand Down @@

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll

-Original file line number
+Diff line change
@@ Expand Up @@
       }
       predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, Node node2) { none() }
+      predicate isAdditionalTypedLocalFlowStep(Node node1, DataFlowType t1, Node node2, DataFlowType t2) {
+        none()
+      }
     }
     deprecated private import Impl<Config> as I
@@ Expand Down @@

ruby/ql/consistency-queries/DataFlowConsistency.ql

-Original file line number
+Diff line change
@@ Expand Up / @@ -44,6 +44,14 @@ private module Input implements InputSig<RubyDataFlow> { @@
           n.getASplit() instanceof Split::ConditionalCompletionSplit
         )
       }
+      predicate uniqueTypeExclude(Node n) {
+        n =
+          any(DataFlow::CallNode call |
+            Private::isStandardNewCall(call.getExprNode(), _, _) and
+            not call.getReceiver().asExpr().getExpr() instanceof ConstantReadAccess
+          )
+      }
     }
     import MakeConsistency<RubyDataFlow, RubyTaintTracking, Input>

ruby/ql/lib/change-notes/2024-01-22-erb-render-flow.md

-Original file line number
+Diff line change
@@ -0,0 +1,4 @@
+    ---
+    category: minorAnalysis
+    ---
+    * Flow is now tracked through Rails `render` calls, when the argument is a `ViewComponent`. In this case, data flow is tracked into the accompanying `.html.erb` file.

ruby/ql/lib/codeql/ruby/Frameworks.qll

-Original file line number
+Diff line change
@@ Expand Up / @@ -38,3 +38,4 @@ private import codeql.ruby.frameworks.Yaml @@
     private import codeql.ruby.frameworks.Sequel
     private import codeql.ruby.frameworks.Ldap
     private import codeql.ruby.frameworks.Jwt
+    private import codeql.ruby.frameworks.ViewComponent

ruby/ql/lib/codeql/ruby/ast/Call.qll

-Original file line number
+Diff line change
@@ Expand Up / @@ -58,7 +58,7 @@ class Call extends Expr instanceof CallImpl { @@
           TCfgScope(result) = viableCallableLambda(c, _)
         )
         or
-        result = getTarget(this.getAControlFlowNode())
+        result = getTarget(TNormalCall(this.getAControlFlowNode()))
       }
       override AstNode getAChild(string pred) {
@@ Expand Down @@

ruby/ql/lib/codeql/ruby/dataflow/FlowSummary.qll

-Original file line number
+Diff line change
@@ Expand Up @@
      */
     private module LibraryCallbackSummaries {
       private predicate libraryCall(CfgNodes::ExprNodes::CallCfgNode call) {
-        not exists(getTarget(call))
+        not exists(getTarget(TNormalCall(call)))
       }
       private DataFlow::LocalSourceNode trackLambdaCreation(TypeTracker t) {
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Ruby: Track types in data flow #15118

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!