Ruby: support BlockArgument in identifying access path

Asger Feldthaus
2022-03-16 12:51:14 +01:00
parent c9355095e3
commit 2ca45ef9f9
4 changed files with 15 additions and 3 deletions


@@ -106,6 +106,9 @@ API::Node getExtraSuccessorFromNode(API::Node node, AccessPathToken token) {
or
token.getName() = "Instance" and
result = node.getInstance()
or
token.getName() = "BlockArgument" and
result = node.getBlock()
// Note: The "ArrayElement" token is not implemented yet, as it ultimately requires type-tracking and
// API graphs to be aware of the steps involving ArrayElement contributed by the standard library model.
// Type-tracking cannot summarize function calls on its own, so it doesn't benefit from synthesized callables.
@@ -143,7 +146,7 @@ InvokeNode getAnInvocationOf(API::Node node) { result = node }
*/
bindingset[name]
predicate isExtraValidTokenNameInIdentifyingAccessPath(string name) {
name = ["Member", "Method", "Instance", "WithBlock", "WithoutBlock"]
name = ["Member", "Method", "Instance", "WithBlock", "WithoutBlock", "BlockArgument"]
}
/**
@@ -151,7 +154,7 @@ predicate isExtraValidTokenNameInIdentifyingAccessPath(string name) {
* in an identifying access path.
*/
predicate isExtraValidNoArgumentTokenInIdentifyingAccessPath(string name) {
name = ["Instance", "WithBlock", "WithoutBlock"]
name = ["Instance", "WithBlock", "WithoutBlock", "BlockArgument"]
}
/**
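Review bot: The new `BlockArgument` disjunct in `getExtraSuccessorFromNode` carries no comment on how it differs from the existing `WithBlock` token, and the two names are easy to confuse when writing a model row. From the visible lines, `BlockArgument` steps to `node.getBlock()`, so following tokens such as `Parameter[0]` apply to the block itself; `WithBlock` presumably only filters calls, but its implementation is outside this hunk. I would add a comment above the disjunct, e.g. `// "BlockArgument" moves to the block passed to the call; later tokens (e.g. Parameter[0]) refer to that block.` Both names are accepted by `isExtraValidTokenNameInIdentifyingAccessPath`, so a row using the wrong one would likely just not match and show up as missing taint flow, not as a warning. The predicate body starts and ends outside the hunk.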


@@ -31,6 +31,7 @@ edges
| summaries.rb:41:24:41:24 | t : | summaries.rb:41:8:41:25 | call to matchedByName |
| summaries.rb:42:24:42:24 | t : | summaries.rb:42:8:42:25 | call to matchedByName |
| summaries.rb:44:8:44:8 | t : | summaries.rb:44:8:44:27 | call to matchedByNameRcv |
| summaries.rb:48:24:48:30 | "taint" : | summaries.rb:48:8:48:31 | call to preserveTaint |
nodes
| summaries.rb:1:11:1:26 | call to identity : | semmle.label | call to identity : |
| summaries.rb:1:20:1:26 | "taint" : | semmle.label | "taint" : |
@@ -66,6 +67,8 @@ nodes
| summaries.rb:42:24:42:24 | t : | semmle.label | t : |
| summaries.rb:44:8:44:8 | t : | semmle.label | t : |
| summaries.rb:44:8:44:27 | call to matchedByNameRcv | semmle.label | call to matchedByNameRcv |
| summaries.rb:48:8:48:31 | call to preserveTaint | semmle.label | call to preserveTaint |
| summaries.rb:48:24:48:30 | "taint" : | semmle.label | "taint" : |
subpaths
invalidSpecComponent
invalidOutputSpecComponent
@@ -86,6 +89,7 @@ invalidOutputSpecComponent
| summaries.rb:41:8:41:25 | call to matchedByName | summaries.rb:40:7:40:13 | "taint" : | summaries.rb:41:8:41:25 | call to matchedByName | $@ | summaries.rb:40:7:40:13 | "taint" : | "taint" : |
| summaries.rb:42:8:42:25 | call to matchedByName | summaries.rb:40:7:40:13 | "taint" : | summaries.rb:42:8:42:25 | call to matchedByName | $@ | summaries.rb:40:7:40:13 | "taint" : | "taint" : |
| summaries.rb:44:8:44:27 | call to matchedByNameRcv | summaries.rb:40:7:40:13 | "taint" : | summaries.rb:44:8:44:27 | call to matchedByNameRcv | $@ | summaries.rb:40:7:40:13 | "taint" : | "taint" : |
| summaries.rb:48:8:48:31 | call to preserveTaint | summaries.rb:48:24:48:30 | "taint" : | summaries.rb:48:8:48:31 | call to preserveTaint | $@ | summaries.rb:48:24:48:30 | "taint" : | "taint" : |
warning
| CSV type row should have 5 columns but has 2: test;TooFewColumns |
| CSV type row should have 5 columns but has 8: test;TooManyColumns;;;Member[Foo].Instance;too;many;columns |


@@ -75,8 +75,9 @@ private class StepsFromModel extends ModelInput::SummaryModelCsv {
";;Member[Foo].Method[secondArg];Argument[1];ReturnValue;taint",
";;Member[Foo].Method[onlyWithoutBlock].WithoutBlock;Argument[0];ReturnValue;taint",
";;Member[Foo].Method[onlyWithBlock].WithBlock;Argument[0];ReturnValue;taint",
";;Member[Foo].Method[blockArg].BlockArgument.Parameter[0].Method[preserveTaint];Argument[0];ReturnValue;taint",
";any;Method[matchedByName];Argument[0];ReturnValue;taint",
";any;Method[matchedByNameRcv];Receiver;ReturnValue;taint"
";any;Method[matchedByNameRcv];Receiver;ReturnValue;taint",
]
}
}


@@ -43,3 +43,7 @@ def userDefinedFunction(x, y)
sink(x.unmatchedName(t))
sink(t.matchedByNameRcv())
end
Foo.blockArg do |x|
sink(x.preserveTaint("taint"))
end
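Review bot: The added `Foo.blockArg do |x|` test covers only the positive case, so it would still pass if the `BlockArgument` token matched more blocks than the model row intends. I would add a negative counterpart whose sink must stay unflagged, for example the same body under a method that has no model (name constructed for illustration): `Foo.unmodeledBlockMethod do |x|` / `sink(x.preserveTaint("taint"))` / `end`. Because the `preserveTaint` row is path-specific rather than matched by name, that sink should produce no edge in the expected output. Without such a case, over-matching would surface only as false positives in real analyses.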