Merge pull request #10931 from hvitved/ruby/fix-flow-into-phis

Ruby: Fix flow steps into phi nodes
2026-04-29 02:35:15 +02:00 · 2022-11-02 21:07:06 +01:00
parent 8eee450c65 ee9163aa40
commit 46631d6eaf
4 changed files with 106 additions and 13 deletions
--- a/ruby/ql/test/library-tests/dataflow/ssa-flow/ssa-flow.expected
+++ b/ruby/ql/test/library-tests/dataflow/ssa-flow/ssa-flow.expected
@@ -0,0 +1,20 @@
+failures
+edges
+| ssa_flow.rb:12:9:12:9 | [post] a [element 0] :  | ssa_flow.rb:16:10:16:10 | a [element 0] :  |
+| ssa_flow.rb:12:9:12:9 | [post] a [element 0] :  | ssa_flow.rb:16:10:16:10 | a [element 0] :  |
+| ssa_flow.rb:12:16:12:23 | call to taint :  | ssa_flow.rb:12:9:12:9 | [post] a [element 0] :  |
+| ssa_flow.rb:12:16:12:23 | call to taint :  | ssa_flow.rb:12:9:12:9 | [post] a [element 0] :  |
+| ssa_flow.rb:16:10:16:10 | a [element 0] :  | ssa_flow.rb:16:10:16:13 | ...[...] |
+| ssa_flow.rb:16:10:16:10 | a [element 0] :  | ssa_flow.rb:16:10:16:13 | ...[...] |
+nodes
+| ssa_flow.rb:12:9:12:9 | [post] a [element 0] :  | semmle.label | [post] a [element 0] :  |
+| ssa_flow.rb:12:9:12:9 | [post] a [element 0] :  | semmle.label | [post] a [element 0] :  |
+| ssa_flow.rb:12:16:12:23 | call to taint :  | semmle.label | call to taint :  |
+| ssa_flow.rb:12:16:12:23 | call to taint :  | semmle.label | call to taint :  |
+| ssa_flow.rb:16:10:16:10 | a [element 0] :  | semmle.label | a [element 0] :  |
+| ssa_flow.rb:16:10:16:10 | a [element 0] :  | semmle.label | a [element 0] :  |
+| ssa_flow.rb:16:10:16:13 | ...[...] | semmle.label | ...[...] |
+| ssa_flow.rb:16:10:16:13 | ...[...] | semmle.label | ...[...] |
+subpaths
+#select
+| ssa_flow.rb:16:10:16:13 | ...[...] | ssa_flow.rb:12:16:12:23 | call to taint :  | ssa_flow.rb:16:10:16:13 | ...[...] | $@ | ssa_flow.rb:12:16:12:23 | call to taint :  | call to taint :  |
--- a/ruby/ql/test/library-tests/dataflow/ssa-flow/ssa-flow.ql
+++ b/ruby/ql/test/library-tests/dataflow/ssa-flow/ssa-flow.ql
@@ -0,0 +1,11 @@
+/**
+ * @kind path-problem
+ */
+
+import codeql.ruby.AST
+import TestUtilities.InlineFlowTest
+import PathGraph
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, DefaultValueFlowConf conf
+where conf.hasFlowPath(source, sink)
+select sink, source, sink, "$@", source, source.toString()
--- a/ruby/ql/test/library-tests/dataflow/ssa-flow/ssa_flow.rb
+++ b/ruby/ql/test/library-tests/dataflow/ssa-flow/ssa_flow.rb
@@ -0,0 +1,32 @@
+def taint x
+    x
+end
+
+def sink x
+    puts "SINK: #{x}"
+end
+
+def m1
+    a = Array.new
+    if rand() > 0 then
+        a[0] = taint(1)
+    else
+        a = nil
+    end
+    sink(a[0]) # $ hasValueFlow=1
+end
+
+m1
+
+def m2
+    a = Array.new
+    if rand() > 0 then
+        a[0] = taint(2)
+        a.clear
+    else
+        a = nil
+    end
+    sink(a[0])
+end
+
+m2