Ruby: port part of Railties model

2026-04-28 02:05:14 +02:00 · 2022-10-18 13:58:14 +02:00
parent 38955d1761
commit 12ce46e4b1
1 changed files with 10 additions and 20 deletions
--- a/ruby/ql/lib/codeql/ruby/frameworks/Railties.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/Railties.qll
@@ -12,26 +12,15 @@ private import codeql.ruby.DataFlow
 * Modeling for `railties`.
 */
 module Railties {
-  private class IncludeOrPrependCall extends MethodCall {
-    IncludeOrPrependCall() { this.getMethodName() = ["include", "prepend"] }
+  private DataFlow::ConstRef generatorsActionsConst() {
+    result = DataFlow::getConst("Rails").getConst("Generators").getConst("Actions")
  }

  /**
-   * A class which `include`s `Rails::Generators::Actions`.
+   * Gets a class which is a descendent of `Rails::Generators::Actions`.
   */
-  private class GeneratorsActionsContext extends ClassDeclaration {
-    GeneratorsActionsContext() {
-      exists(IncludeOrPrependCall i |
-        i.getEnclosingModule() = this and
-        i.getArgument(0) =
-          API::getTopLevelMember("Rails")
-              .getMember("Generators")
-              .getMember("Actions")
-              .getAValueReachableFromSource()
-              .asExpr()
-              .getExpr()
-      )
-    }
+  private DataFlow::ClassNode generatorsActionsClass() {
+    result = generatorsActionsConst().getADescendentModule()
  }

  /**
@@ -40,8 +29,7 @@ module Railties {
   */
  private class ExecuteCommandCall extends SystemCommandExecution::Range, DataFlow::CallNode {
    ExecuteCommandCall() {
-      this.asExpr().getExpr().getEnclosingModule() instanceof GeneratorsActionsContext and
-      this.getMethodName() = "execute_command"
+      this = generatorsActionsClass().getAnInstanceSelf().getAMethodCall("execute_command")
    }

    override DataFlow::Node getAnArgument() { result = this.getArgument([0, 1]) }
@@ -54,8 +42,10 @@ module Railties {
   */
  private class ExecuteCommandWrapperCall extends SystemCommandExecution::Range, DataFlow::CallNode {
    ExecuteCommandWrapperCall() {
-      this.asExpr().getExpr().getEnclosingModule() instanceof GeneratorsActionsContext and
-      this.getMethodName() = ["rake", "rails_command", "git"]
+      this =
+        generatorsActionsClass()
+            .getAnInstanceSelf()
+            .getAMethodCall(["rake", "rails_command", "git"])
    }

    override DataFlow::Node getAnArgument() { result = this.getArgument(0) }