From 3ee425cc477d70382634dd6aedab98dd0dee3351 Mon Sep 17 00:00:00 2001
From: Harry Maclean
Date: Fri, 13 Oct 2023 11:52:39 +0100
Subject: [PATCH] Ruby: Identify ActionController::API

`ActionController::API < ActionController::Base` is a base controller class, so we should recognise it as such.
---
 ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll b/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll
index 5500eca0607..adeaf79fe17 100644
--- a/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll
@@ -100,11 +100,11 @@ private DataFlow::ConstRef actionControllerBaseClass() {
 // In Rails applications `ApplicationController` typically extends `ActionController::Base`, but we
 // treat it separately in case the `ApplicationController` definition is not in the database.
 DataFlow::getConstant("ActionController").getConstant("Base"),
- // ActionController::Metal technically doesn't contain all of the
+ // ActionController::Metal and ActionController::API technically don't contain all of the
 // methods available in Base, such as those for rendering views.
- // However we prefer to be over-sensitive in this case in order to find
- // more results.
- DataFlow::getConstant("ActionController").getConstant("Metal")
+ // However we prefer to be over-sensitive in this case in order to find more results.
+ DataFlow::getConstant("ActionController").getConstant("Metal"),
+ DataFlow::getConstant("ActionController").getConstant("API")
 ]
 }
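Review bot: The new `getConstant("API")` entry makes every API-only controller count as a full `ActionController::Base` subclass, and the updated comment does not say which consumers of `actionControllerBaseClass()` can tolerate that. `ActionController::API` leaves out view rendering and, by default, the request-forgery-protection module, so a query that reasons about Base-only behaviour (CSRF configuration, for example) may start reporting on controllers where the finding does not apply; this is inferred, because the callers are outside the hunk. I would extend the comment with something like `// API omits view rendering and CSRF protection by default; queries that depend on those should exclude it.` The patch touches only this file, so a library test containing a class that extends `ActionController::API` would pin the new behaviour and show any change in alert counts. The body of `actionControllerBaseClass()` starts above the hunk.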