Ruby: Allow for flow out of callbacks passed to summarized methods in type tracking

2026-04-26 01:05:15 +02:00 · 2023-05-22 10:58:05 +02:00
parent 224a2c3d91
commit 33be52f0b7
1 changed files with 7 additions and 2 deletions
--- a/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll
+++ b/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll
@@ -611,8 +611,13 @@ private DataFlow::Node evaluateSummaryComponentStackLocal(
        [p.(DataFlow::Node), DataFlowPrivate::LocalFlow::getParameterDefNode(p.getParameter())]
    )
    or
-    head = SummaryComponent::return() and
-    result.(DataFlowPrivate::SynthReturnNode).getCfgScope() = prev.asExpr().getExpr()
+    exists(DataFlowPrivate::SynthReturnNode ret |
+      head = SummaryComponent::return() and
+      ret.getCfgScope() = prev.asExpr().getExpr() and
+      // We need to include both `ret` and `ret.getAnInput()`, since in type-tracking
+      // the step from `ret.getAnInput()` to `ret` is considered a call step.
+      result = [ret.(DataFlow::Node), ret.getAnInput()]
+    )
    or
    exists(DataFlow::ContentSet content |
      head = SummaryComponent::withoutContent(content) and