Ruby: Add flow summaries for Array/Enumerable methods

2025-12-17 01:03:14 +01:00 · 2021-12-09 08:50:41 +01:00
parent 8c18aaae74
commit 400802c5ce
17 changed files with 2875 additions and 83 deletions
--- a/ruby/ql/lib/codeql/ruby/frameworks/StandardLibrary.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/StandardLibrary.qll
--- a/ruby/ql/test/library-tests/dataflow/array-flow/array-flow.expected
+++ b/ruby/ql/test/library-tests/dataflow/array-flow/array-flow.expected
--- a/ruby/ql/test/library-tests/dataflow/array-flow/array-flow.ql
+++ b/ruby/ql/test/library-tests/dataflow/array-flow/array-flow.ql
@@ -0,0 +1,15 @@
+/**
+ * @kind path-problem
+ */
+
+import ruby
+import TestUtilities.InlineFlowTest
+import PathGraph
+
+class HasFlowTest extends InlineFlowTest {
+  override DataFlow::Configuration getTaintFlowConfig() { none() }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, DefaultValueFlowConf conf
+where conf.hasFlowPath(source, sink)
+select sink, source, sink, "$@", source, source.toString()
--- a/ruby/ql/test/library-tests/dataflow/array-flow/array_flow.rb
+++ b/ruby/ql/test/library-tests/dataflow/array-flow/array_flow.rb
@@ -0,0 +1,523 @@
+def m0(i)
+    a = *source(0)
+    sink(a[0]) # $ hasValueFlow=0
+    sink(a[1])
+    sink(a[i]) # $ hasValueFlow=0
+end
+
+def m1(i)
+    a = [0, source(1), 2]
+    sink(a[0])
+    sink(a[1]) # $ hasValueFlow=1
+    sink(a[2])
+    sink(a[i]) # $ hasValueFlow=1
+end
+
+def m2(i)
+    a = Array.new(0, source(2.1))
+    sink(a[0]) # $ hasValueFlow=2.1
+    sink(a[i]) # $ hasValueFlow=2.1
+
+    b = Array.new(a)
+    sink(b[0]) # $ hasValueFlow=2.1
+    sink(b[i]) # $ hasValueFlow=2.1
+
+    c = Array.new(1) do |x|
+        source(2.2)
+    end
+    sink(c[0]) # $ hasValueFlow=2.2
+    sink(c[i]) # $ hasValueFlow=2.2
+end
+
+def m3
+    a = [source(3), 1]
+    b = Array.try_convert(a)
+    sink(b[0]) # $ hasValueFlow=3
+    sink(b[1])
+end
+
+def m4
+    a = [source(4.1), 1]
+    b = [2, 3, source(4.2)]
+    c = a & b
+    sink(c[0]) # $ hasValueFlow=4.1 $ hasValueFlow=4.2
+    sink(c[1]) # $ hasValueFlow=4.1 $ hasValueFlow=4.2
+end
+
+def m5
+    a = [source(5), 1]
+    b = a * 3
+    sink(b[0]) # $ hasValueFlow=5
+    sink(b[1]) # $ hasValueFlow=5
+end
+
+def m6
+    a = [source(6.1), 1]
+    b = [2, source(6.2)]
+    c = a + b
+    sink(c[0]) # $ hasValueFlow=6.1 $ hasValueFlow=6.2
+    sink(c[1]) # $ hasValueFlow=6.2
+end
+
+def m7
+    a = [source(7.1), 1]
+    b = [2, source(7.2)]
+    c = a - b
+    sink(c[0]) # $ hasValueFlow=7.1
+    sink(c[1]) # $ hasValueFlow=7.1
+end
+
+def m8
+    a = [source(8.1), 1]
+    b = a << source(8.2)
+    sink(b[0]) # $ hasValueFlow=8.1 $ hasValueFlow=8.2
+    sink(b[1]) # $ hasValueFlow=8.2
+end
+
+def m9(i)
+    a = [0, source(9), 2]
+    b, c, d = a
+    sink(b)
+    sink(c) # $ hasValueFlow=9
+    sink(d)
+end
+
+def m10(i)
+    a = [0, source(10), 2]
+    b = a[0, 2]
+    sink(b[0]) # $ hasValueFlow=10
+    sink(b[1]) # $ hasValueFlow=10
+    sink(b[i]) # $ hasValueFlow=10
+end
+
+def m11(i)
+    a = [0, source(11), 2]
+    b = a[0..2]
+    sink(b[0]) # $ hasValueFlow=11
+    sink(b[1]) # $ hasValueFlow=11
+    sink(b[i]) # $ hasValueFlow=11
+end
+
+def m12(i)
+    a = [0, 1]
+    a[0, 1] = source(12)
+    sink(a[0]) # $ hasValueFlow=12
+    sink(a[1]) # $ hasValueFlow=12
+    sink(a[i]) # $ hasValueFlow=12
+end
+
+def m13(i)
+    a = [0, 1]
+    a[0, 1] = [0, source(13), 2]
+    sink(a[0]) # $ hasValueFlow=13
+    sink(a[1]) # $ hasValueFlow=13
+    sink(a[i]) # $ hasValueFlow=13
+end
+
+def m14(i)
+    a = [0, 1]
+    a[0..1] = source(14)
+    sink(a[0]) # $ hasValueFlow=14
+    sink(a[1]) # $ hasValueFlow=14
+    sink(a[i]) # $ hasValueFlow=14
+end
+
+def m15(i)
+    a = [0, 1]
+    a[0..1] = [0, source(15), 2]
+    sink(a[0]) # $ hasValueFlow=15
+    sink(a[1]) # $ hasValueFlow=15
+    sink(a[i]) # $ hasValueFlow=15
+end
+
+def m16
+    a = [0, 1, source(16)]
+    a.all? do |x|
+        sink x # $ hasValueFlow=16
+    end
+end
+
+def m17
+    a = [0, 1, source(17)]
+    a.any? do |x|
+        sink x # $ hasValueFlow=17
+    end
+end
+
+def m18
+    a = ["a", 0]
+    b = ["b", 1]
+    c = ["c", source(18)]
+    d = [a, b, c]
+    sink (d.assoc("a")[0]) # $ hasValueFlow=18
+    sink (d.assoc("c")[0]) # $ hasValueFlow=18
+end
+
+def m19(i)
+    a = [0, source(19), 2]
+    sink(a.at(0))
+    sink(a.at(1)) # $ hasValueFlow=19
+    sink(a.at(2))
+    sink(a.at(i)) # $ hasValueFlow=19
+end
+
+def m20
+    a = [0, 1, source(20)]
+    b = a.bsearch do |x|
+        sink x # $ hasValueFlow=20
+    end
+    sink b # $ hasValueFlow=20
+end
+
+def m21
+    a = [0, 1, source(21)]
+    b = a.bsearch_index do |x|
+        sink x # $ hasValueFlow=21
+    end
+    sink b
+end
+
+def m22
+    a = [0, 1, source(22)]
+    a.clear()
+    sink(a[2])
+end
+
+def m23
+    a = [0, 1, source(23)]
+    b = a.collect do |x|
+        sink x # $ hasValueFlow=23
+        x
+    end
+    sink(b[0]) # $ hasValueFlow=23
+end
+
+def m24
+    a = [0, 1, source(24)]
+    b = a.collect_concat do |x|
+        sink x # $ hasValueFlow=24
+        [x, x]
+    end
+    sink(b[0]) # $ hasValueFlow=24
+end
+
+def m25
+    a = [0, 1, source(25)]
+    a.combination(1) do |x|
+        sink(x[0]) # $ hasValueFlow=25
+    end
+end
+
+def m26
+    a = [0, 1, source(26)]
+    b = a.compact
+    sink(b[0]) # $ hasValueFlow=26
+end
+
+def m27
+    a = [0, 1, source(27.1)]
+    b = [0, 1, source(27.2)]
+    a.concat(b)
+    sink(a[0]) # $ hasValueFlow=27.2
+    sink(a[2]) # $ hasValueFlow=27.1 $ hasValueFlow=27.2
+end
+
+def m28
+    a = [0, 1, source(28)]
+    a.count do |x|
+        sink x # $ hasValueFlow=28
+    end
+end
+
+def m29
+    a = [0, 1, source(29)]
+    a.cycle(2) do |x|
+        sink x # $ hasValueFlow=29
+    end
+end
+
+def m30
+    a = [0, 1, source(30.1)]
+    b = a.delete(2) { source(30.2) }
+    sink b # $ hasValueFlow=30.1 $ hasValueFlow=30.2
+end
+
+def m31
+    a = [0, 1, source(31)]
+    b = a.delete_at(2)
+    sink b # $ hasValueFlow=31
+end
+
+def m32
+    a = [0, 1, source(32)]
+    b = a.delete_if do |x|
+        sink x # $ hasValueFlow=32
+    end
+    sink(b[0]) # $ hasValueFlow=32
+end
+
+def m33
+    a = [0, 1, source(33)]
+    b = a.difference([1])
+    sink(b[0]) # $ hasValueFlow=33
+end
+
+def m34(i)
+    a = [0, 1, source(34.1), [0, source(34.2)]]
+    sink(a.dig(0))
+    sink(a.dig(2)) # $ hasValueFlow=34.1
+    sink(a.dig(i)) # $ hasValueFlow=34.1
+    sink(a.dig(3,0))
+    sink(a.dig(3,1)) # $ hasValueFlow=34.2
+end
+
+def m35
+    a = [0, 1, source(35.1)]
+    b = a.detect(-> { source(35.2) }) do |x|
+        sink x # $ hasValueFlow=35.1
+    end
+    sink b # $ hasValueFlow=35.1 $ hasValueFlow=35.2
+end
+
+def m36(i)
+    a = [0, 1, source(36.1), source(36.2)]
+    b = a.drop(i)
+    sink(b[0]) # $ hasValueFlow=36.1 # $ hasValueFlow=36.2
+    b = a.drop(1)
+    sink(b[0])
+    sink(b[1]) # $ hasValueFlow=36.1
+    sink(b[i]) # $ hasValueFlow=36.1 # $ hasValueFlow=36.2
+    a[i] = source(36.3)
+    b = a.drop(1)
+    sink(b[1]) # $ hasValueFlow=36.1 # $ hasValueFlow=36.3
+    c = b.drop(100)
+    sink(c[1]) # $ hasValueFlow=36.3
+end
+
+def m37
+    a = [0, 1, source(37.1), source(37.2)]
+    b = a.drop_while do |x|
+        sink x # $ hasValueFlow=37.1 # $ hasValueFlow=37.2
+    end
+    sink(b[0]) # $ hasValueFlow=37.1 # $ hasValueFlow=37.2
+end
+
+def m38
+    a = [0, 1, source(38)]
+    b = a.each do |x|
+        sink x # $ hasValueFlow=38
+    end
+    sink(b[2]) # $ hasValueFlow=38
+end
+
+def m39
+    a = [0, 1, source(39)]
+    b = for x in a # desugars to an `each` call
+        sink x # $ hasValueFlow=39
+    end
+    sink x # $ hasValueFlow=39
+    sink(b[2]) # $ hasValueFlow=39
+end
+
+def m40
+    a = [0, 1, source(40)]
+    a.each_cons(2) do |x|
+        sink (x[0]) # $ hasValueFlow=40
+    end
+end
+
+def m41
+    a = [0, 1, source(41)]
+    b = a.each_entry do |x|
+        sink x # $ hasValueFlow=41
+    end
+    sink(b[2]) # $ hasValueFlow=41
+end
+
+def m42
+    a = [0, 1, source(42)]
+    b = a.each_index do |x|
+        sink x
+    end
+    sink(b[2]) # $ hasValueFlow=42
+end
+
+def m43
+    a = [0, 1, 2, source(43)]
+    b = a.each_slice do |x|
+        sink(x[0]) # $ hasValueFlow=43
+    end
+    sink(b[3]) # $ hasValueFlow=43
+end
+
+def m44
+    a = [0, 1, 2, source(44)]
+    b = a.each_with_index do |x,i|
+        sink(x) # $ hasValueFlow=44
+        sink(i)
+    end
+    sink(b[3]) # $ hasValueFlow=44
+end
+
+def m45
+    a = [0, 1, 2, source(45.1)]
+    b = a.each_with_object(source(45.2)) do |x,a|
+        sink(x) # $ hasValueFlow=45.1
+        sink(a) # $ hasValueFlow=45.2
+    end
+    sink(b) # $ hasValueFlow=45.2
+end
+
+def m46(i)
+    a = [0, 1, 2, source(46.1)]
+    b = a.fetch(source(46.2)) do |x|
+        sink(x) # $ hasValueFlow=46.2
+    end
+    sink(b) # $ hasValueFlow=46.1
+end
+
+def m47
+    a = [0, 1, 2, source(47.1)]
+    a.fill(source(47.2), 1, 1)
+    sink(a[3]) # $ hasValueFlow=47.1 $ hasValueFlow=47.2
+    a.fill(source(47.3))
+    sink(a[0]) # $ hasValueFlow=47.3
+    a.fill do |i|
+        source(47.4)
+    end
+    sink(a[0]) # $ hasValueFlow=47.4
+    a.fill(2) do |i|
+        source(47.5)
+    end
+    sink(a[0]) # $ hasValueFlow=47.4 $ hasValueFlow=47.5
+end
+
+def m48
+    a = [0, 1, 2, source(48)]
+    b = a.filter do |x|
+        sink(x) # $ hasValueFlow=48
+    end
+    sink(b[0]) # $ hasValueFlow=48
+end
+
+def m49
+    a = [0, 1, 2, source(49)]
+    b = a.filter_map do |x|
+        sink(x) # $ hasValueFlow=49
+    end
+    sink(b[0]) # $ hasValueFlow=49
+end
+
+def m50
+    a = [0, 1, 2, source(50)]
+    b = a.filter! do |x|
+        sink(x) # $ hasValueFlow=50
+    end
+    sink(b[0]) # $ hasValueFlow=50
+end
+
+def m51
+    a = [0, 1, 2, source(51.1)]
+    b = a.find(-> { source(51.2) }) do |x|
+        sink(x) # $ hasValueFlow=51.1
+    end
+    sink(b) # $ hasValueFlow=51.1 $ hasValueFlow=51.2
+end
+
+def m52
+    a = [0, 1, 2, source(52)]
+    b = a.find_all do |x|
+        sink(x) # $ hasValueFlow=52
+    end
+    sink(b[0]) # $ hasValueFlow=52
+end
+
+def m53
+    a = [0, 1, 2, source(53)]
+    a.find_index do |x|
+        sink(x) # $ hasValueFlow=53
+    end
+end
+
+def m54(i)
+    a = [source(54.1), 1, 2, source(54.2)]
+    a[i] = source(54.3)
+    sink(a.first) # $ hasValueFlow=54.1 $ hasValueFlow=54.3
+    b = a.first(2)
+    sink(b[0]) # $ hasValueFlow=54.1 $ hasValueFlow=54.3
+    sink(b[4]) # $ hasValueFlow=54.3
+    c = a.first(i)
+    sink(c[0]) # $ hasValueFlow=54.1 $ hasValueFlow=54.3
+    sink(c[3]) # $ hasValueFlow=54.2 $ hasValueFlow=54.3
+end
+
+def m55
+    a = [0, 1, 2, source(55.1)]
+    b = a.flat_map do |x|
+        sink(x) # $ hasValueFlow=55.1
+        [x, source(55.2)]
+    end
+    sink(b[0]) # $ hasValueFlow=55.1 $ hasValueFlow=55.2
+end
+
+def m56
+    a = [0, 1, [2, source(56)]]
+    b = a.flatten
+    sink(b[0]) # $ hasValueFlow=56
+end
+
+def m57
+    a = [0, 1, [2, source(57)]]
+    sink(a[2][1]) # $ hasValueFlow=57
+    a.flatten!
+    sink(a[0]) # $ hasValueFlow=57
+    sink(a[2][1]) # $ SPURIOUS: hasValueFlow=57
+end
+
+def m58
+    a = [0, 1, 2, source(58.1)]
+    b = a.grep(/.*/)
+    sink(b[0]) # $ hasValueFlow=58.1
+    b = a.grep(/.*/) do |x|
+        sink x # $ hasValueFlow=58.1
+        source(58.2)
+    end
+    sink(b[0]) # $ hasValueFlow=58.2
+end
+
+def m59
+    a = [0, 1, 2, source(59.1)]
+    b = a.grep_v(/A/)
+    sink(b[0]) # $ hasValueFlow=59.1
+    b = a.grep_v(/A/) do |x|
+        sink x # $ hasValueFlow=59.1
+        source(59.2)
+    end
+    sink(b[0]) # $ hasValueFlow=59.2
+end
+
+def m60
+    a = [0, 1, 2, source(60)]
+    a.index do |x|
+        sink x # $ hasValueFlow=60
+    end
+end
+
+def m61
+    a = [0, 1, 2, source(61.1)]
+    a.initialize_copy([source(61.2)])
+    sink(a[0]) # $ hasValueFlow=61.2
+end
+
+
+# TODO: assign appropriate number when reached in the alphabetical ordering
+def m2600
+    a = [0, 1, source(2600.1)]
+    a.prepend(2, 3, source(2600.2))
+    sink(a[0])
+    sink(a[1])
+    sink(a[2]) # $ hasValueFlow=2600.2
+    sink(a[3])
+    sink(a[4])
+    sink(a[5]) # $ hasValueFlow=2600.1
+end
--- a/ruby/ql/test/query-tests/security/cwe-022/PathInjection.expected
+++ b/ruby/ql/test/query-tests/security/cwe-022/PathInjection.expected
@@ -1,5 +1,6 @@
 edges
-| tainted_path.rb:4:12:4:17 | call to params :  | tainted_path.rb:5:26:5:29 | path |
+| tainted_path.rb:4:12:4:17 | call to params :  | tainted_path.rb:4:12:4:24 | ...[...] :  |
+| tainted_path.rb:4:12:4:24 | ...[...] :  | tainted_path.rb:5:26:5:29 | path |
 | tainted_path.rb:10:12:10:43 | call to absolute_path :  | tainted_path.rb:11:26:11:29 | path |
 | tainted_path.rb:10:31:10:36 | call to params :  | tainted_path.rb:10:31:10:43 | ...[...] :  |
 | tainted_path.rb:10:31:10:43 | ...[...] :  | tainted_path.rb:10:12:10:43 | call to absolute_path :  |
@@ -23,6 +24,7 @@ edges
 | tainted_path.rb:47:43:47:55 | ...[...] :  | tainted_path.rb:47:12:47:63 | call to join :  |
 nodes
 | tainted_path.rb:4:12:4:17 | call to params :  | semmle.label | call to params :  |
+| tainted_path.rb:4:12:4:24 | ...[...] :  | semmle.label | ...[...] :  |
 | tainted_path.rb:5:26:5:29 | path | semmle.label | path |
 | tainted_path.rb:10:12:10:43 | call to absolute_path :  | semmle.label | call to absolute_path :  |
 | tainted_path.rb:10:31:10:36 | call to params :  | semmle.label | call to params :  |
--- a/ruby/ql/test/query-tests/security/cwe-078/CommandInjection.expected
+++ b/ruby/ql/test/query-tests/security/cwe-078/CommandInjection.expected
@@ -1,15 +1,18 @@
 edges
-| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:7:10:7:15 | #{...} |
-| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:8:16:8:18 | cmd |
-| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:10:14:10:16 | cmd |
-| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:11:17:11:22 | #{...} |
-| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:13:9:13:14 | #{...} |
-| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:29:19:29:24 | #{...} |
-| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:33:24:33:36 | "echo #{...}" |
-| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:34:39:34:51 | "grep #{...}" |
-| CommandInjection.rb:46:15:46:20 | call to params :  | CommandInjection.rb:50:24:50:36 | "echo #{...}" |
+| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:6:15:6:26 | ...[...] :  |
+| CommandInjection.rb:6:15:6:26 | ...[...] :  | CommandInjection.rb:7:10:7:15 | #{...} |
+| CommandInjection.rb:6:15:6:26 | ...[...] :  | CommandInjection.rb:8:16:8:18 | cmd |
+| CommandInjection.rb:6:15:6:26 | ...[...] :  | CommandInjection.rb:10:14:10:16 | cmd |
+| CommandInjection.rb:6:15:6:26 | ...[...] :  | CommandInjection.rb:11:17:11:22 | #{...} |
+| CommandInjection.rb:6:15:6:26 | ...[...] :  | CommandInjection.rb:13:9:13:14 | #{...} |
+| CommandInjection.rb:6:15:6:26 | ...[...] :  | CommandInjection.rb:29:19:29:24 | #{...} |
+| CommandInjection.rb:6:15:6:26 | ...[...] :  | CommandInjection.rb:33:24:33:36 | "echo #{...}" |
+| CommandInjection.rb:6:15:6:26 | ...[...] :  | CommandInjection.rb:34:39:34:51 | "grep #{...}" |
+| CommandInjection.rb:46:15:46:20 | call to params :  | CommandInjection.rb:46:15:46:26 | ...[...] :  |
+| CommandInjection.rb:46:15:46:26 | ...[...] :  | CommandInjection.rb:50:24:50:36 | "echo #{...}" |
 nodes
 | CommandInjection.rb:6:15:6:20 | call to params :  | semmle.label | call to params :  |
+| CommandInjection.rb:6:15:6:26 | ...[...] :  | semmle.label | ...[...] :  |
 | CommandInjection.rb:7:10:7:15 | #{...} | semmle.label | #{...} |
 | CommandInjection.rb:8:16:8:18 | cmd | semmle.label | cmd |
 | CommandInjection.rb:10:14:10:16 | cmd | semmle.label | cmd |
@@ -19,6 +22,7 @@ nodes
 | CommandInjection.rb:33:24:33:36 | "echo #{...}" | semmle.label | "echo #{...}" |
 | CommandInjection.rb:34:39:34:51 | "grep #{...}" | semmle.label | "grep #{...}" |
 | CommandInjection.rb:46:15:46:20 | call to params :  | semmle.label | call to params :  |
+| CommandInjection.rb:46:15:46:26 | ...[...] :  | semmle.label | ...[...] :  |
 | CommandInjection.rb:50:24:50:36 | "echo #{...}" | semmle.label | "echo #{...}" |
 subpaths
 #select
--- a/ruby/ql/test/query-tests/security/cwe-078/KernelOpen.expected
+++ b/ruby/ql/test/query-tests/security/cwe-078/KernelOpen.expected
@@ -1,8 +1,10 @@
 edges
-| KernelOpen.rb:3:12:3:17 | call to params :  | KernelOpen.rb:4:10:4:13 | file |
-| KernelOpen.rb:3:12:3:17 | call to params :  | KernelOpen.rb:5:13:5:16 | file |
+| KernelOpen.rb:3:12:3:17 | call to params :  | KernelOpen.rb:3:12:3:24 | ...[...] :  |
+| KernelOpen.rb:3:12:3:24 | ...[...] :  | KernelOpen.rb:4:10:4:13 | file |
+| KernelOpen.rb:3:12:3:24 | ...[...] :  | KernelOpen.rb:5:13:5:16 | file |
 nodes
 | KernelOpen.rb:3:12:3:17 | call to params :  | semmle.label | call to params :  |
+| KernelOpen.rb:3:12:3:24 | ...[...] :  | semmle.label | ...[...] :  |
 | KernelOpen.rb:4:10:4:13 | file | semmle.label | file |
 | KernelOpen.rb:5:13:5:16 | file | semmle.label | file |
 subpaths
--- a/ruby/ql/test/query-tests/security/cwe-079/ReflectedXSS.expected
+++ b/ruby/ql/test/query-tests/security/cwe-079/ReflectedXSS.expected
@@ -1,11 +1,13 @@
 edges
 | app/controllers/foo/bars_controller.rb:9:12:9:17 | call to params :  | app/controllers/foo/bars_controller.rb:9:12:9:29 | ...[...] :  |
 | app/controllers/foo/bars_controller.rb:9:12:9:29 | ...[...] :  | app/views/foo/bars/show.html.erb:47:5:47:13 | call to user_name |
-| app/controllers/foo/bars_controller.rb:13:20:13:25 | call to params :  | app/views/foo/bars/show.html.erb:51:5:51:18 | call to user_name_memo |
+| app/controllers/foo/bars_controller.rb:13:20:13:25 | call to params :  | app/controllers/foo/bars_controller.rb:13:20:13:37 | ...[...] :  |
+| app/controllers/foo/bars_controller.rb:13:20:13:37 | ...[...] :  | app/views/foo/bars/show.html.erb:51:5:51:18 | call to user_name_memo |
 | app/controllers/foo/bars_controller.rb:17:21:17:26 | call to params :  | app/controllers/foo/bars_controller.rb:17:21:17:36 | ...[...] :  |
 | app/controllers/foo/bars_controller.rb:17:21:17:36 | ...[...] :  | app/views/foo/bars/show.html.erb:2:18:2:30 | @user_website |
-| app/controllers/foo/bars_controller.rb:18:10:18:15 | call to params :  | app/controllers/foo/bars_controller.rb:19:22:19:23 | dt :  |
-| app/controllers/foo/bars_controller.rb:18:10:18:15 | call to params :  | app/controllers/foo/bars_controller.rb:23:53:23:54 | dt :  |
+| app/controllers/foo/bars_controller.rb:18:10:18:15 | call to params :  | app/controllers/foo/bars_controller.rb:18:10:18:22 | ...[...] :  |
+| app/controllers/foo/bars_controller.rb:18:10:18:22 | ...[...] :  | app/controllers/foo/bars_controller.rb:19:22:19:23 | dt :  |
+| app/controllers/foo/bars_controller.rb:18:10:18:22 | ...[...] :  | app/controllers/foo/bars_controller.rb:23:53:23:54 | dt :  |
 | app/controllers/foo/bars_controller.rb:19:22:19:23 | dt :  | app/views/foo/bars/show.html.erb:41:3:41:16 | @instance_text |
 | app/controllers/foo/bars_controller.rb:23:53:23:54 | dt :  | app/views/foo/bars/show.html.erb:5:9:5:20 | call to display_text |
 | app/controllers/foo/bars_controller.rb:23:53:23:54 | dt :  | app/views/foo/bars/show.html.erb:8:9:8:36 | ...[...] |
@@ -21,9 +23,11 @@ nodes
 | app/controllers/foo/bars_controller.rb:9:12:9:17 | call to params :  | semmle.label | call to params :  |
 | app/controllers/foo/bars_controller.rb:9:12:9:29 | ...[...] :  | semmle.label | ...[...] :  |
 | app/controllers/foo/bars_controller.rb:13:20:13:25 | call to params :  | semmle.label | call to params :  |
+| app/controllers/foo/bars_controller.rb:13:20:13:37 | ...[...] :  | semmle.label | ...[...] :  |
 | app/controllers/foo/bars_controller.rb:17:21:17:26 | call to params :  | semmle.label | call to params :  |
 | app/controllers/foo/bars_controller.rb:17:21:17:36 | ...[...] :  | semmle.label | ...[...] :  |
 | app/controllers/foo/bars_controller.rb:18:10:18:15 | call to params :  | semmle.label | call to params :  |
+| app/controllers/foo/bars_controller.rb:18:10:18:22 | ...[...] :  | semmle.label | ...[...] :  |
 | app/controllers/foo/bars_controller.rb:19:22:19:23 | dt :  | semmle.label | dt :  |
 | app/controllers/foo/bars_controller.rb:23:53:23:54 | dt :  | semmle.label | dt :  |
 | app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text | semmle.label | call to display_text |
--- a/ruby/ql/test/query-tests/security/cwe-089/SqlInjection.expected
+++ b/ruby/ql/test/query-tests/security/cwe-089/SqlInjection.expected
@@ -4,22 +4,31 @@ edges
 | ActiveRecordInjection.rb:20:22:20:30 | condition :  | ActiveRecordInjection.rb:23:16:23:24 | condition |
 | ActiveRecordInjection.rb:35:30:35:35 | call to params :  | ActiveRecordInjection.rb:35:30:35:44 | ...[...] |
 | ActiveRecordInjection.rb:39:18:39:23 | call to params :  | ActiveRecordInjection.rb:39:18:39:32 | ...[...] |
-| ActiveRecordInjection.rb:43:29:43:34 | call to params :  | ActiveRecordInjection.rb:43:20:43:42 | "id = '#{...}'" |
-| ActiveRecordInjection.rb:48:30:48:35 | call to params :  | ActiveRecordInjection.rb:48:21:48:43 | "id = '#{...}'" |
-| ActiveRecordInjection.rb:52:31:52:36 | call to params :  | ActiveRecordInjection.rb:52:22:52:44 | "id = '#{...}'" |
-| ActiveRecordInjection.rb:57:32:57:37 | call to params :  | ActiveRecordInjection.rb:57:23:57:45 | "id = '#{...}'" |
-| ActiveRecordInjection.rb:62:21:62:26 | call to params :  | ActiveRecordInjection.rb:61:16:61:21 | <<-SQL |
-| ActiveRecordInjection.rb:68:34:68:39 | call to params :  | ActiveRecordInjection.rb:68:20:68:47 | "user.id = '#{...}'" |
+| ActiveRecordInjection.rb:43:29:43:34 | call to params :  | ActiveRecordInjection.rb:43:29:43:39 | ...[...] :  |
+| ActiveRecordInjection.rb:43:29:43:39 | ...[...] :  | ActiveRecordInjection.rb:43:20:43:42 | "id = '#{...}'" |
+| ActiveRecordInjection.rb:48:30:48:35 | call to params :  | ActiveRecordInjection.rb:48:30:48:40 | ...[...] :  |
+| ActiveRecordInjection.rb:48:30:48:40 | ...[...] :  | ActiveRecordInjection.rb:48:21:48:43 | "id = '#{...}'" |
+| ActiveRecordInjection.rb:52:31:52:36 | call to params :  | ActiveRecordInjection.rb:52:31:52:41 | ...[...] :  |
+| ActiveRecordInjection.rb:52:31:52:41 | ...[...] :  | ActiveRecordInjection.rb:52:22:52:44 | "id = '#{...}'" |
+| ActiveRecordInjection.rb:57:32:57:37 | call to params :  | ActiveRecordInjection.rb:57:32:57:42 | ...[...] :  |
+| ActiveRecordInjection.rb:57:32:57:42 | ...[...] :  | ActiveRecordInjection.rb:57:23:57:45 | "id = '#{...}'" |
+| ActiveRecordInjection.rb:62:21:62:26 | call to params :  | ActiveRecordInjection.rb:62:21:62:35 | ...[...] :  |
+| ActiveRecordInjection.rb:62:21:62:35 | ...[...] :  | ActiveRecordInjection.rb:61:16:61:21 | <<-SQL |
+| ActiveRecordInjection.rb:68:34:68:39 | call to params :  | ActiveRecordInjection.rb:68:34:68:44 | ...[...] :  |
+| ActiveRecordInjection.rb:68:34:68:44 | ...[...] :  | ActiveRecordInjection.rb:68:20:68:47 | "user.id = '#{...}'" |
 | ActiveRecordInjection.rb:70:23:70:28 | call to params :  | ActiveRecordInjection.rb:70:23:70:35 | ...[...] :  |
 | ActiveRecordInjection.rb:70:23:70:35 | ...[...] :  | ActiveRecordInjection.rb:8:25:8:28 | name :  |
 | ActiveRecordInjection.rb:70:38:70:43 | call to params :  | ActiveRecordInjection.rb:70:38:70:50 | ...[...] :  |
 | ActiveRecordInjection.rb:70:38:70:50 | ...[...] :  | ActiveRecordInjection.rb:8:31:8:34 | pass :  |
-| ActiveRecordInjection.rb:74:41:74:46 | call to params :  | ActiveRecordInjection.rb:74:32:74:54 | "id = '#{...}'" |
+| ActiveRecordInjection.rb:74:41:74:46 | call to params :  | ActiveRecordInjection.rb:74:41:74:51 | ...[...] :  |
+| ActiveRecordInjection.rb:74:41:74:51 | ...[...] :  | ActiveRecordInjection.rb:74:32:74:54 | "id = '#{...}'" |
 | ActiveRecordInjection.rb:83:17:83:22 | call to params :  | ActiveRecordInjection.rb:83:17:83:31 | ...[...] |
 | ActiveRecordInjection.rb:84:19:84:24 | call to params :  | ActiveRecordInjection.rb:84:19:84:33 | ...[...] |
 | ActiveRecordInjection.rb:88:18:88:23 | call to params :  | ActiveRecordInjection.rb:88:18:88:35 | ...[...] |
 | ActiveRecordInjection.rb:92:21:92:26 | call to params :  | ActiveRecordInjection.rb:92:21:92:35 | ...[...] |
-| ActiveRecordInjection.rb:98:10:98:15 | call to params :  | ActiveRecordInjection.rb:104:20:104:32 | ... + ... |
+| ActiveRecordInjection.rb:98:10:98:15 | call to params :  | ActiveRecordInjection.rb:99:11:99:12 | ps :  |
+| ActiveRecordInjection.rb:99:11:99:12 | ps :  | ActiveRecordInjection.rb:99:11:99:17 | ...[...] :  |
+| ActiveRecordInjection.rb:99:11:99:17 | ...[...] :  | ActiveRecordInjection.rb:104:20:104:32 | ... + ... |
 | ActiveRecordInjection.rb:137:21:137:26 | call to params :  | ActiveRecordInjection.rb:137:21:137:44 | ...[...] :  |
 | ActiveRecordInjection.rb:137:21:137:44 | ...[...] :  | ActiveRecordInjection.rb:20:22:20:30 | condition :  |
 nodes
@@ -34,22 +43,29 @@ nodes
 | ActiveRecordInjection.rb:39:18:39:32 | ...[...] | semmle.label | ...[...] |
 | ActiveRecordInjection.rb:43:20:43:42 | "id = '#{...}'" | semmle.label | "id = '#{...}'" |
 | ActiveRecordInjection.rb:43:29:43:34 | call to params :  | semmle.label | call to params :  |
+| ActiveRecordInjection.rb:43:29:43:39 | ...[...] :  | semmle.label | ...[...] :  |
 | ActiveRecordInjection.rb:48:21:48:43 | "id = '#{...}'" | semmle.label | "id = '#{...}'" |
 | ActiveRecordInjection.rb:48:30:48:35 | call to params :  | semmle.label | call to params :  |
+| ActiveRecordInjection.rb:48:30:48:40 | ...[...] :  | semmle.label | ...[...] :  |
 | ActiveRecordInjection.rb:52:22:52:44 | "id = '#{...}'" | semmle.label | "id = '#{...}'" |
 | ActiveRecordInjection.rb:52:31:52:36 | call to params :  | semmle.label | call to params :  |
+| ActiveRecordInjection.rb:52:31:52:41 | ...[...] :  | semmle.label | ...[...] :  |
 | ActiveRecordInjection.rb:57:23:57:45 | "id = '#{...}'" | semmle.label | "id = '#{...}'" |
 | ActiveRecordInjection.rb:57:32:57:37 | call to params :  | semmle.label | call to params :  |
+| ActiveRecordInjection.rb:57:32:57:42 | ...[...] :  | semmle.label | ...[...] :  |
 | ActiveRecordInjection.rb:61:16:61:21 | <<-SQL | semmle.label | <<-SQL |
 | ActiveRecordInjection.rb:62:21:62:26 | call to params :  | semmle.label | call to params :  |
+| ActiveRecordInjection.rb:62:21:62:35 | ...[...] :  | semmle.label | ...[...] :  |
 | ActiveRecordInjection.rb:68:20:68:47 | "user.id = '#{...}'" | semmle.label | "user.id = '#{...}'" |
 | ActiveRecordInjection.rb:68:34:68:39 | call to params :  | semmle.label | call to params :  |
+| ActiveRecordInjection.rb:68:34:68:44 | ...[...] :  | semmle.label | ...[...] :  |
 | ActiveRecordInjection.rb:70:23:70:28 | call to params :  | semmle.label | call to params :  |
 | ActiveRecordInjection.rb:70:23:70:35 | ...[...] :  | semmle.label | ...[...] :  |
 | ActiveRecordInjection.rb:70:38:70:43 | call to params :  | semmle.label | call to params :  |
 | ActiveRecordInjection.rb:70:38:70:50 | ...[...] :  | semmle.label | ...[...] :  |
 | ActiveRecordInjection.rb:74:32:74:54 | "id = '#{...}'" | semmle.label | "id = '#{...}'" |
 | ActiveRecordInjection.rb:74:41:74:46 | call to params :  | semmle.label | call to params :  |
+| ActiveRecordInjection.rb:74:41:74:51 | ...[...] :  | semmle.label | ...[...] :  |
 | ActiveRecordInjection.rb:83:17:83:22 | call to params :  | semmle.label | call to params :  |
 | ActiveRecordInjection.rb:83:17:83:31 | ...[...] | semmle.label | ...[...] |
 | ActiveRecordInjection.rb:84:19:84:24 | call to params :  | semmle.label | call to params :  |
@@ -59,6 +75,8 @@ nodes
 | ActiveRecordInjection.rb:92:21:92:26 | call to params :  | semmle.label | call to params :  |
 | ActiveRecordInjection.rb:92:21:92:35 | ...[...] | semmle.label | ...[...] |
 | ActiveRecordInjection.rb:98:10:98:15 | call to params :  | semmle.label | call to params :  |
+| ActiveRecordInjection.rb:99:11:99:12 | ps :  | semmle.label | ps :  |
+| ActiveRecordInjection.rb:99:11:99:17 | ...[...] :  | semmle.label | ...[...] :  |
 | ActiveRecordInjection.rb:104:20:104:32 | ... + ... | semmle.label | ... + ... |
 | ActiveRecordInjection.rb:137:21:137:26 | call to params :  | semmle.label | call to params :  |
 | ActiveRecordInjection.rb:137:21:137:44 | ...[...] :  | semmle.label | ...[...] :  |
--- a/ruby/ql/test/query-tests/security/cwe-094/CodeInjection.expected
+++ b/ruby/ql/test/query-tests/security/cwe-094/CodeInjection.expected
@@ -1,9 +1,11 @@
 edges
-| CodeInjection.rb:3:12:3:17 | call to params :  | CodeInjection.rb:6:10:6:13 | code |
-| CodeInjection.rb:3:12:3:17 | call to params :  | CodeInjection.rb:18:20:18:23 | code |
-| CodeInjection.rb:3:12:3:17 | call to params :  | CodeInjection.rb:21:21:21:24 | code |
+| CodeInjection.rb:3:12:3:17 | call to params :  | CodeInjection.rb:3:12:3:24 | ...[...] :  |
+| CodeInjection.rb:3:12:3:24 | ...[...] :  | CodeInjection.rb:6:10:6:13 | code |
+| CodeInjection.rb:3:12:3:24 | ...[...] :  | CodeInjection.rb:18:20:18:23 | code |
+| CodeInjection.rb:3:12:3:24 | ...[...] :  | CodeInjection.rb:21:21:21:24 | code |
 nodes
 | CodeInjection.rb:3:12:3:17 | call to params :  | semmle.label | call to params :  |
+| CodeInjection.rb:3:12:3:24 | ...[...] :  | semmle.label | ...[...] :  |
 | CodeInjection.rb:6:10:6:13 | code | semmle.label | code |
 | CodeInjection.rb:9:10:9:15 | call to params | semmle.label | call to params |
 | CodeInjection.rb:18:20:18:23 | code | semmle.label | code |
--- a/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.expected
+++ b/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.expected
@@ -1,24 +1,29 @@
 edges
-| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:10:5:10:8 | name |
-| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:11:5:11:8 | name |
-| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:12:5:12:8 | name |
-| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:13:5:13:8 | name |
-| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:14:5:14:8 | name |
-| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:15:5:15:8 | name |
-| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:16:5:16:8 | name |
-| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:17:5:17:8 | name |
-| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:18:5:18:8 | name |
-| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:19:5:19:8 | name |
-| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:20:5:20:8 | name |
-| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:21:5:21:8 | name |
-| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:22:5:22:8 | name |
-| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:23:17:23:20 | name |
-| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:24:18:24:21 | name |
-| PolynomialReDoS.rb:27:9:27:14 | call to params :  | PolynomialReDoS.rb:28:5:28:5 | a |
-| PolynomialReDoS.rb:29:9:29:14 | call to params :  | PolynomialReDoS.rb:30:5:30:5 | b |
-| PolynomialReDoS.rb:31:9:31:14 | call to params :  | PolynomialReDoS.rb:32:5:32:5 | c |
+| PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:4:12:4:24 | ...[...] :  |
+| PolynomialReDoS.rb:4:12:4:24 | ...[...] :  | PolynomialReDoS.rb:10:5:10:8 | name |
+| PolynomialReDoS.rb:4:12:4:24 | ...[...] :  | PolynomialReDoS.rb:11:5:11:8 | name |
+| PolynomialReDoS.rb:4:12:4:24 | ...[...] :  | PolynomialReDoS.rb:12:5:12:8 | name |
+| PolynomialReDoS.rb:4:12:4:24 | ...[...] :  | PolynomialReDoS.rb:13:5:13:8 | name |
+| PolynomialReDoS.rb:4:12:4:24 | ...[...] :  | PolynomialReDoS.rb:14:5:14:8 | name |
+| PolynomialReDoS.rb:4:12:4:24 | ...[...] :  | PolynomialReDoS.rb:15:5:15:8 | name |
+| PolynomialReDoS.rb:4:12:4:24 | ...[...] :  | PolynomialReDoS.rb:16:5:16:8 | name |
+| PolynomialReDoS.rb:4:12:4:24 | ...[...] :  | PolynomialReDoS.rb:17:5:17:8 | name |
+| PolynomialReDoS.rb:4:12:4:24 | ...[...] :  | PolynomialReDoS.rb:18:5:18:8 | name |
+| PolynomialReDoS.rb:4:12:4:24 | ...[...] :  | PolynomialReDoS.rb:19:5:19:8 | name |
+| PolynomialReDoS.rb:4:12:4:24 | ...[...] :  | PolynomialReDoS.rb:20:5:20:8 | name |
+| PolynomialReDoS.rb:4:12:4:24 | ...[...] :  | PolynomialReDoS.rb:21:5:21:8 | name |
+| PolynomialReDoS.rb:4:12:4:24 | ...[...] :  | PolynomialReDoS.rb:22:5:22:8 | name |
+| PolynomialReDoS.rb:4:12:4:24 | ...[...] :  | PolynomialReDoS.rb:23:17:23:20 | name |
+| PolynomialReDoS.rb:4:12:4:24 | ...[...] :  | PolynomialReDoS.rb:24:18:24:21 | name |
+| PolynomialReDoS.rb:27:9:27:14 | call to params :  | PolynomialReDoS.rb:27:9:27:18 | ...[...] :  |
+| PolynomialReDoS.rb:27:9:27:18 | ...[...] :  | PolynomialReDoS.rb:28:5:28:5 | a |
+| PolynomialReDoS.rb:29:9:29:14 | call to params :  | PolynomialReDoS.rb:29:9:29:18 | ...[...] :  |
+| PolynomialReDoS.rb:29:9:29:18 | ...[...] :  | PolynomialReDoS.rb:30:5:30:5 | b |
+| PolynomialReDoS.rb:31:9:31:14 | call to params :  | PolynomialReDoS.rb:31:9:31:18 | ...[...] :  |
+| PolynomialReDoS.rb:31:9:31:18 | ...[...] :  | PolynomialReDoS.rb:32:5:32:5 | c |
 nodes
 | PolynomialReDoS.rb:4:12:4:17 | call to params :  | semmle.label | call to params :  |
+| PolynomialReDoS.rb:4:12:4:24 | ...[...] :  | semmle.label | ...[...] :  |
 | PolynomialReDoS.rb:10:5:10:8 | name | semmle.label | name |
 | PolynomialReDoS.rb:11:5:11:8 | name | semmle.label | name |
 | PolynomialReDoS.rb:12:5:12:8 | name | semmle.label | name |
@@ -35,10 +40,13 @@ nodes
 | PolynomialReDoS.rb:23:17:23:20 | name | semmle.label | name |
 | PolynomialReDoS.rb:24:18:24:21 | name | semmle.label | name |
 | PolynomialReDoS.rb:27:9:27:14 | call to params :  | semmle.label | call to params :  |
+| PolynomialReDoS.rb:27:9:27:18 | ...[...] :  | semmle.label | ...[...] :  |
 | PolynomialReDoS.rb:28:5:28:5 | a | semmle.label | a |
 | PolynomialReDoS.rb:29:9:29:14 | call to params :  | semmle.label | call to params :  |
+| PolynomialReDoS.rb:29:9:29:18 | ...[...] :  | semmle.label | ...[...] :  |
 | PolynomialReDoS.rb:30:5:30:5 | b | semmle.label | b |
 | PolynomialReDoS.rb:31:9:31:14 | call to params :  | semmle.label | call to params :  |
+| PolynomialReDoS.rb:31:9:31:18 | ...[...] :  | semmle.label | ...[...] :  |
 | PolynomialReDoS.rb:32:5:32:5 | c | semmle.label | c |
 subpaths
 #select
--- a/ruby/ql/test/query-tests/security/cwe-1333-regexp-injection/RegExpInjection.expected
+++ b/ruby/ql/test/query-tests/security/cwe-1333-regexp-injection/RegExpInjection.expected
@@ -1,19 +1,29 @@
 edges
-| RegExpInjection.rb:4:12:4:17 | call to params :  | RegExpInjection.rb:5:13:5:21 | /#{...}/ |
-| RegExpInjection.rb:10:12:10:17 | call to params :  | RegExpInjection.rb:11:13:11:27 | /foo#{...}bar/ |
-| RegExpInjection.rb:16:12:16:17 | call to params :  | RegExpInjection.rb:17:24:17:27 | name |
-| RegExpInjection.rb:22:12:22:17 | call to params :  | RegExpInjection.rb:23:24:23:33 | ... + ... |
-| RegExpInjection.rb:54:12:54:17 | call to params :  | RegExpInjection.rb:55:28:55:37 | ... + ... |
+| RegExpInjection.rb:4:12:4:17 | call to params :  | RegExpInjection.rb:4:12:4:24 | ...[...] :  |
+| RegExpInjection.rb:4:12:4:24 | ...[...] :  | RegExpInjection.rb:5:13:5:21 | /#{...}/ |
+| RegExpInjection.rb:10:12:10:17 | call to params :  | RegExpInjection.rb:10:12:10:24 | ...[...] :  |
+| RegExpInjection.rb:10:12:10:24 | ...[...] :  | RegExpInjection.rb:11:13:11:27 | /foo#{...}bar/ |
+| RegExpInjection.rb:16:12:16:17 | call to params :  | RegExpInjection.rb:16:12:16:24 | ...[...] :  |
+| RegExpInjection.rb:16:12:16:24 | ...[...] :  | RegExpInjection.rb:17:24:17:27 | name |
+| RegExpInjection.rb:22:12:22:17 | call to params :  | RegExpInjection.rb:22:12:22:24 | ...[...] :  |
+| RegExpInjection.rb:22:12:22:24 | ...[...] :  | RegExpInjection.rb:23:24:23:33 | ... + ... |
+| RegExpInjection.rb:54:12:54:17 | call to params :  | RegExpInjection.rb:54:12:54:24 | ...[...] :  |
+| RegExpInjection.rb:54:12:54:24 | ...[...] :  | RegExpInjection.rb:55:28:55:37 | ... + ... |
 nodes
 | RegExpInjection.rb:4:12:4:17 | call to params :  | semmle.label | call to params :  |
+| RegExpInjection.rb:4:12:4:24 | ...[...] :  | semmle.label | ...[...] :  |
 | RegExpInjection.rb:5:13:5:21 | /#{...}/ | semmle.label | /#{...}/ |
 | RegExpInjection.rb:10:12:10:17 | call to params :  | semmle.label | call to params :  |
+| RegExpInjection.rb:10:12:10:24 | ...[...] :  | semmle.label | ...[...] :  |
 | RegExpInjection.rb:11:13:11:27 | /foo#{...}bar/ | semmle.label | /foo#{...}bar/ |
 | RegExpInjection.rb:16:12:16:17 | call to params :  | semmle.label | call to params :  |
+| RegExpInjection.rb:16:12:16:24 | ...[...] :  | semmle.label | ...[...] :  |
 | RegExpInjection.rb:17:24:17:27 | name | semmle.label | name |
 | RegExpInjection.rb:22:12:22:17 | call to params :  | semmle.label | call to params :  |
+| RegExpInjection.rb:22:12:22:24 | ...[...] :  | semmle.label | ...[...] :  |
 | RegExpInjection.rb:23:24:23:33 | ... + ... | semmle.label | ... + ... |
 | RegExpInjection.rb:54:12:54:17 | call to params :  | semmle.label | call to params :  |
+| RegExpInjection.rb:54:12:54:24 | ...[...] :  | semmle.label | ...[...] :  |
 | RegExpInjection.rb:55:28:55:37 | ... + ... | semmle.label | ... + ... |
 subpaths
 #select
--- a/ruby/ql/test/query-tests/security/cwe-502/oj-global-options/UnsafeDeserialization.expected
+++ b/ruby/ql/test/query-tests/security/cwe-502/oj-global-options/UnsafeDeserialization.expected
@@ -1,7 +1,9 @@
 edges
-| OjGlobalOptions.rb:13:17:13:22 | call to params :  | OjGlobalOptions.rb:14:22:14:30 | json_data |
+| OjGlobalOptions.rb:13:17:13:22 | call to params :  | OjGlobalOptions.rb:13:17:13:28 | ...[...] :  |
+| OjGlobalOptions.rb:13:17:13:28 | ...[...] :  | OjGlobalOptions.rb:14:22:14:30 | json_data |
 nodes
 | OjGlobalOptions.rb:13:17:13:22 | call to params :  | semmle.label | call to params :  |
+| OjGlobalOptions.rb:13:17:13:28 | ...[...] :  | semmle.label | ...[...] :  |
 | OjGlobalOptions.rb:14:22:14:30 | json_data | semmle.label | json_data |
 subpaths
 #select
--- a/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/UnsafeDeserialization.expected
+++ b/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/UnsafeDeserialization.expected
@@ -1,27 +1,41 @@
 edges
-| UnsafeDeserialization.rb:9:39:9:44 | call to params :  | UnsafeDeserialization.rb:10:27:10:41 | serialized_data |
-| UnsafeDeserialization.rb:15:39:15:44 | call to params :  | UnsafeDeserialization.rb:16:30:16:44 | serialized_data |
-| UnsafeDeserialization.rb:21:17:21:22 | call to params :  | UnsafeDeserialization.rb:22:24:22:32 | json_data |
-| UnsafeDeserialization.rb:27:17:27:22 | call to params :  | UnsafeDeserialization.rb:28:27:28:35 | json_data |
-| UnsafeDeserialization.rb:39:17:39:22 | call to params :  | UnsafeDeserialization.rb:40:24:40:32 | yaml_data |
-| UnsafeDeserialization.rb:51:17:51:22 | call to params :  | UnsafeDeserialization.rb:52:22:52:30 | json_data |
-| UnsafeDeserialization.rb:51:17:51:22 | call to params :  | UnsafeDeserialization.rb:53:22:53:30 | json_data |
-| UnsafeDeserialization.rb:58:17:58:22 | call to params :  | UnsafeDeserialization.rb:68:23:68:31 | json_data |
+| UnsafeDeserialization.rb:9:39:9:44 | call to params :  | UnsafeDeserialization.rb:9:39:9:50 | ...[...] :  |
+| UnsafeDeserialization.rb:9:39:9:50 | ...[...] :  | UnsafeDeserialization.rb:10:27:10:41 | serialized_data |
+| UnsafeDeserialization.rb:15:39:15:44 | call to params :  | UnsafeDeserialization.rb:15:39:15:50 | ...[...] :  |
+| UnsafeDeserialization.rb:15:39:15:50 | ...[...] :  | UnsafeDeserialization.rb:16:30:16:44 | serialized_data |
+| UnsafeDeserialization.rb:21:17:21:22 | call to params :  | UnsafeDeserialization.rb:21:17:21:28 | ...[...] :  |
+| UnsafeDeserialization.rb:21:17:21:28 | ...[...] :  | UnsafeDeserialization.rb:22:24:22:32 | json_data |
+| UnsafeDeserialization.rb:27:17:27:22 | call to params :  | UnsafeDeserialization.rb:27:17:27:28 | ...[...] :  |
+| UnsafeDeserialization.rb:27:17:27:28 | ...[...] :  | UnsafeDeserialization.rb:28:27:28:35 | json_data |
+| UnsafeDeserialization.rb:39:17:39:22 | call to params :  | UnsafeDeserialization.rb:39:17:39:28 | ...[...] :  |
+| UnsafeDeserialization.rb:39:17:39:28 | ...[...] :  | UnsafeDeserialization.rb:40:24:40:32 | yaml_data |
+| UnsafeDeserialization.rb:51:17:51:22 | call to params :  | UnsafeDeserialization.rb:51:17:51:28 | ...[...] :  |
+| UnsafeDeserialization.rb:51:17:51:28 | ...[...] :  | UnsafeDeserialization.rb:52:22:52:30 | json_data |
+| UnsafeDeserialization.rb:51:17:51:28 | ...[...] :  | UnsafeDeserialization.rb:53:22:53:30 | json_data |
+| UnsafeDeserialization.rb:58:17:58:22 | call to params :  | UnsafeDeserialization.rb:58:17:58:28 | ...[...] :  |
+| UnsafeDeserialization.rb:58:17:58:28 | ...[...] :  | UnsafeDeserialization.rb:68:23:68:31 | json_data |
 nodes
 | UnsafeDeserialization.rb:9:39:9:44 | call to params :  | semmle.label | call to params :  |
+| UnsafeDeserialization.rb:9:39:9:50 | ...[...] :  | semmle.label | ...[...] :  |
 | UnsafeDeserialization.rb:10:27:10:41 | serialized_data | semmle.label | serialized_data |
 | UnsafeDeserialization.rb:15:39:15:44 | call to params :  | semmle.label | call to params :  |
+| UnsafeDeserialization.rb:15:39:15:50 | ...[...] :  | semmle.label | ...[...] :  |
 | UnsafeDeserialization.rb:16:30:16:44 | serialized_data | semmle.label | serialized_data |
 | UnsafeDeserialization.rb:21:17:21:22 | call to params :  | semmle.label | call to params :  |
+| UnsafeDeserialization.rb:21:17:21:28 | ...[...] :  | semmle.label | ...[...] :  |
 | UnsafeDeserialization.rb:22:24:22:32 | json_data | semmle.label | json_data |
 | UnsafeDeserialization.rb:27:17:27:22 | call to params :  | semmle.label | call to params :  |
+| UnsafeDeserialization.rb:27:17:27:28 | ...[...] :  | semmle.label | ...[...] :  |
 | UnsafeDeserialization.rb:28:27:28:35 | json_data | semmle.label | json_data |
 | UnsafeDeserialization.rb:39:17:39:22 | call to params :  | semmle.label | call to params :  |
+| UnsafeDeserialization.rb:39:17:39:28 | ...[...] :  | semmle.label | ...[...] :  |
 | UnsafeDeserialization.rb:40:24:40:32 | yaml_data | semmle.label | yaml_data |
 | UnsafeDeserialization.rb:51:17:51:22 | call to params :  | semmle.label | call to params :  |
+| UnsafeDeserialization.rb:51:17:51:28 | ...[...] :  | semmle.label | ...[...] :  |
 | UnsafeDeserialization.rb:52:22:52:30 | json_data | semmle.label | json_data |
 | UnsafeDeserialization.rb:53:22:53:30 | json_data | semmle.label | json_data |
 | UnsafeDeserialization.rb:58:17:58:22 | call to params :  | semmle.label | call to params :  |
+| UnsafeDeserialization.rb:58:17:58:28 | ...[...] :  | semmle.label | ...[...] :  |
 | UnsafeDeserialization.rb:68:23:68:31 | json_data | semmle.label | json_data |
 subpaths
 #select
--- a/ruby/ql/test/query-tests/security/cwe-601/UrlRedirect.expected
+++ b/ruby/ql/test/query-tests/security/cwe-601/UrlRedirect.expected
@@ -4,7 +4,8 @@ edges
 | UrlRedirect.rb:19:17:19:22 | call to params :  | UrlRedirect.rb:19:17:19:37 | call to to_unsafe_hash |
 | UrlRedirect.rb:24:31:24:36 | call to params :  | UrlRedirect.rb:24:17:24:37 | call to filter_params |
 | UrlRedirect.rb:24:31:24:36 | call to params :  | UrlRedirect.rb:56:21:56:32 | input_params :  |
-| UrlRedirect.rb:34:20:34:25 | call to params :  | UrlRedirect.rb:34:17:34:37 | "#{...}/foo" |
+| UrlRedirect.rb:34:20:34:25 | call to params :  | UrlRedirect.rb:34:20:34:31 | ...[...] :  |
+| UrlRedirect.rb:34:20:34:31 | ...[...] :  | UrlRedirect.rb:34:17:34:37 | "#{...}/foo" |
 | UrlRedirect.rb:56:21:56:32 | input_params :  | UrlRedirect.rb:57:5:57:29 | call to permit :  |
 nodes
 | UrlRedirect.rb:4:17:4:22 | call to params | semmle.label | call to params |
@@ -18,6 +19,7 @@ nodes
 | UrlRedirect.rb:24:31:24:36 | call to params :  | semmle.label | call to params :  |
 | UrlRedirect.rb:34:17:34:37 | "#{...}/foo" | semmle.label | "#{...}/foo" |
 | UrlRedirect.rb:34:20:34:25 | call to params :  | semmle.label | call to params :  |
+| UrlRedirect.rb:34:20:34:31 | ...[...] :  | semmle.label | ...[...] :  |
 | UrlRedirect.rb:56:21:56:32 | input_params :  | semmle.label | input_params :  |
 | UrlRedirect.rb:57:5:57:29 | call to permit :  | semmle.label | call to permit :  |
 subpaths
--- a/ruby/ql/test/query-tests/security/cwe-611/Xxe.expected
+++ b/ruby/ql/test/query-tests/security/cwe-611/Xxe.expected
@@ -1,29 +1,32 @@
 edges
-| LibXmlRuby.rb:3:15:3:20 | call to params :  | LibXmlRuby.rb:4:34:4:40 | content |
-| LibXmlRuby.rb:3:15:3:20 | call to params :  | LibXmlRuby.rb:5:32:5:38 | content |
-| LibXmlRuby.rb:3:15:3:20 | call to params :  | LibXmlRuby.rb:6:30:6:36 | content |
-| LibXmlRuby.rb:3:15:3:20 | call to params :  | LibXmlRuby.rb:7:32:7:38 | content |
-| LibXmlRuby.rb:3:15:3:20 | call to params :  | LibXmlRuby.rb:8:30:8:36 | content |
-| LibXmlRuby.rb:3:15:3:20 | call to params :  | LibXmlRuby.rb:9:28:9:34 | content |
-| LibXmlRuby.rb:3:15:3:20 | call to params :  | LibXmlRuby.rb:11:26:11:32 | content |
-| LibXmlRuby.rb:3:15:3:20 | call to params :  | LibXmlRuby.rb:12:24:12:30 | content |
-| Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:5:26:5:32 | content |
-| Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:6:26:6:32 | content |
-| Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:7:26:7:32 | content |
-| Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:8:26:8:32 | content |
-| Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:9:26:9:32 | content |
-| Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:11:26:11:32 | content |
-| Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:12:26:12:32 | content |
-| Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:15:26:15:32 | content |
-| Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:16:26:16:32 | content |
-| Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:18:26:18:32 | content |
-| Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:19:26:19:32 | content |
-| Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:22:26:22:32 | content |
-| Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:25:26:25:32 | content |
-| Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:27:26:27:32 | content |
-| Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:28:26:28:32 | content |
+| LibXmlRuby.rb:3:15:3:20 | call to params :  | LibXmlRuby.rb:3:15:3:26 | ...[...] :  |
+| LibXmlRuby.rb:3:15:3:26 | ...[...] :  | LibXmlRuby.rb:4:34:4:40 | content |
+| LibXmlRuby.rb:3:15:3:26 | ...[...] :  | LibXmlRuby.rb:5:32:5:38 | content |
+| LibXmlRuby.rb:3:15:3:26 | ...[...] :  | LibXmlRuby.rb:6:30:6:36 | content |
+| LibXmlRuby.rb:3:15:3:26 | ...[...] :  | LibXmlRuby.rb:7:32:7:38 | content |
+| LibXmlRuby.rb:3:15:3:26 | ...[...] :  | LibXmlRuby.rb:8:30:8:36 | content |
+| LibXmlRuby.rb:3:15:3:26 | ...[...] :  | LibXmlRuby.rb:9:28:9:34 | content |
+| LibXmlRuby.rb:3:15:3:26 | ...[...] :  | LibXmlRuby.rb:11:26:11:32 | content |
+| LibXmlRuby.rb:3:15:3:26 | ...[...] :  | LibXmlRuby.rb:12:24:12:30 | content |
+| Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:3:15:3:26 | ...[...] :  |
+| Nokogiri.rb:3:15:3:26 | ...[...] :  | Nokogiri.rb:5:26:5:32 | content |
+| Nokogiri.rb:3:15:3:26 | ...[...] :  | Nokogiri.rb:6:26:6:32 | content |
+| Nokogiri.rb:3:15:3:26 | ...[...] :  | Nokogiri.rb:7:26:7:32 | content |
+| Nokogiri.rb:3:15:3:26 | ...[...] :  | Nokogiri.rb:8:26:8:32 | content |
+| Nokogiri.rb:3:15:3:26 | ...[...] :  | Nokogiri.rb:9:26:9:32 | content |
+| Nokogiri.rb:3:15:3:26 | ...[...] :  | Nokogiri.rb:11:26:11:32 | content |
+| Nokogiri.rb:3:15:3:26 | ...[...] :  | Nokogiri.rb:12:26:12:32 | content |
+| Nokogiri.rb:3:15:3:26 | ...[...] :  | Nokogiri.rb:15:26:15:32 | content |
+| Nokogiri.rb:3:15:3:26 | ...[...] :  | Nokogiri.rb:16:26:16:32 | content |
+| Nokogiri.rb:3:15:3:26 | ...[...] :  | Nokogiri.rb:18:26:18:32 | content |
+| Nokogiri.rb:3:15:3:26 | ...[...] :  | Nokogiri.rb:19:26:19:32 | content |
+| Nokogiri.rb:3:15:3:26 | ...[...] :  | Nokogiri.rb:22:26:22:32 | content |
+| Nokogiri.rb:3:15:3:26 | ...[...] :  | Nokogiri.rb:25:26:25:32 | content |
+| Nokogiri.rb:3:15:3:26 | ...[...] :  | Nokogiri.rb:27:26:27:32 | content |
+| Nokogiri.rb:3:15:3:26 | ...[...] :  | Nokogiri.rb:28:26:28:32 | content |
 nodes
 | LibXmlRuby.rb:3:15:3:20 | call to params :  | semmle.label | call to params :  |
+| LibXmlRuby.rb:3:15:3:26 | ...[...] :  | semmle.label | ...[...] :  |
 | LibXmlRuby.rb:4:34:4:40 | content | semmle.label | content |
 | LibXmlRuby.rb:5:32:5:38 | content | semmle.label | content |
 | LibXmlRuby.rb:6:30:6:36 | content | semmle.label | content |
@@ -33,6 +36,7 @@ nodes
 | LibXmlRuby.rb:11:26:11:32 | content | semmle.label | content |
 | LibXmlRuby.rb:12:24:12:30 | content | semmle.label | content |
 | Nokogiri.rb:3:15:3:20 | call to params :  | semmle.label | call to params :  |
+| Nokogiri.rb:3:15:3:26 | ...[...] :  | semmle.label | ...[...] :  |
 | Nokogiri.rb:5:26:5:32 | content | semmle.label | content |
 | Nokogiri.rb:6:26:6:32 | content | semmle.label | content |
 | Nokogiri.rb:7:26:7:32 | content | semmle.label | content |
--- a/ruby/ql/test/query-tests/security/cwe-918/ServerSideRequestForgery.expected
+++ b/ruby/ql/test/query-tests/security/cwe-918/ServerSideRequestForgery.expected
@@ -1,7 +1,9 @@
 edges
-| ServerSideRequestForgery.rb:9:32:9:37 | call to params :  | ServerSideRequestForgery.rb:10:31:10:62 | "#{...}/logins" |
+| ServerSideRequestForgery.rb:9:32:9:37 | call to params :  | ServerSideRequestForgery.rb:9:32:9:60 | ...[...] :  |
+| ServerSideRequestForgery.rb:9:32:9:60 | ...[...] :  | ServerSideRequestForgery.rb:10:31:10:62 | "#{...}/logins" |
 nodes
 | ServerSideRequestForgery.rb:9:32:9:37 | call to params :  | semmle.label | call to params :  |
+| ServerSideRequestForgery.rb:9:32:9:60 | ...[...] :  | semmle.label | ...[...] :  |
 | ServerSideRequestForgery.rb:10:31:10:62 | "#{...}/logins" | semmle.label | "#{...}/logins" |
 subpaths
 #select