Ruby: Identify ActionController::Metal controllers

Subclasses of `ActionController::Metal` are stripped-down controllers. We want to recognise them as ActionController controllers. There are some common ActionController methods that are not available in Metal, but these are not likely to be used anyway as they would throw an exception, so I don't think there's much harm in including them in the modelling.
2026-04-29 02:35:15 +02:00 · 2022-09-28 07:10:09 +13:00
parent 56e3334c6d
commit 28a23209a5
3 changed files with 9 additions and 1 deletions
--- a/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll
@@ -32,7 +32,12 @@ class ActionControllerControllerClass extends ClassDeclaration {
        API::getTopLevelMember("ActionController").getMember("Base"),
        // In Rails applications `ApplicationController` typically extends `ActionController::Base`, but we
        // treat it separately in case the `ApplicationController` definition is not in the database.
-        API::getTopLevelMember("ApplicationController")
+        API::getTopLevelMember("ApplicationController"),
+        // ActionController::Metal technically doesn't contain all of the
+        // methods available in Base, such as those for rendering views.
+        // However we prefer to be over-sensitive in this case in order to find
+        // more results.
+        API::getTopLevelMember("ActionController").getMember("Metal")
      ].getASubclass().getAValueReachableFromSource().asExpr().getExpr()
  }

--- a/ruby/ql/test/library-tests/frameworks/ActionController.expected
+++ b/ruby/ql/test/library-tests/frameworks/ActionController.expected
@@ -7,6 +7,7 @@ actionControllerControllerClasses
 | app/controllers/foo/bars_controller.rb:3:1:46:3 | BarsController |
 | app/controllers/photos_controller.rb:1:1:4:3 | PhotosController |
 | app/controllers/posts_controller.rb:1:1:10:3 | PostsController |
+| app/controllers/tags_controller.rb:1:1:2:3 | TagsController |
 | app/controllers/users/notifications_controller.rb:2:3:5:5 | NotificationsController |
 actionControllerActionMethods
 | active_record/ActiveRecord.rb:27:3:38:5 | some_request_handler |
--- a/ruby/ql/test/library-tests/frameworks/app/controllers/tags_controller.rb
+++ b/ruby/ql/test/library-tests/frameworks/app/controllers/tags_controller.rb
@@ -0,0 +1,2 @@
+class TagsController < ActionController::Metal
+end