From 128168a7e784cf34b5d241a6aa6bcd2035d13738 Mon Sep 17 00:00:00 2001
From: Tom Hvitved
Date: Sun, 21 May 2023 20:51:07 +0200
Subject: [PATCH] Ruby: Allow for flow through callbacks to summarized methods in type tracking
---
 .../codeql/ruby/typetracking/TypeTrackerSpecific.qll | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll b/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll
index 7402b9ea18e..31eb7814632 100644
--- a/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll
+++ b/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll
@@ -598,10 +598,17 @@ private DataFlow::Node evaluateSummaryComponentStackLocal(
 pragma[only_bind_out](tail)) and
 stack = SCS::push(pragma[only_bind_out](head), pragma[only_bind_out](tail))
 |
- exists(DataFlowDispatch::ArgumentPosition apos, DataFlowDispatch::ParameterPosition ppos |
+ exists(
+ DataFlowDispatch::ArgumentPosition apos, DataFlowDispatch::ParameterPosition ppos,
+ DataFlowPrivate::ParameterNodeImpl p
+ |
 head = SummaryComponent::parameter(apos) and
 DataFlowDispatch::parameterMatch(ppos, apos) and
- result.(DataFlowPrivate::ParameterNodeImpl).isSourceParameterOf(prev.asExpr().getExpr(), ppos)
+ p.isSourceParameterOf(prev.asExpr().getExpr(), ppos) and
+ // We need to include both `p` and the SSA definition for `p`, since in type-tracking
+ // the step from `p` to the SSA definition is considered a call step.
+ result =
+ [p.(DataFlow::Node), DataFlowPrivate::LocalFlow::getParameterDefNode(p.getParameter())]
 )
 or
 head = SummaryComponent::return() and
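Review bot: The diffstat lists only TypeTrackerSpecific.qll, so nothing in this patch exercises the new callback flow into summarized methods; a type-tracking test that passes a block or lambda to a summarized method would pin the behaviour the added comment describes. The comment on the `result =` lines explains why the SSA definition is added but leaves the reader to infer that the set literal still yields `p` alone when `getParameterDefNode` has no result for that parameter; if that fallback is intended, a line such as `// When p has no SSA definition, p itself is the only result.` would make it explicit. The enclosing predicate `evaluateSummaryComponentStackLocal` starts before the hunk and continues past it.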