Merge pull request #9850 from hmac/hmac/arel

Ruby: Model Arel.sql

ruby/ql/lib/change-notes/2022-07-19-arel.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Calls to `Arel.sql` are now recognised as propagating taint from their argument.

ruby/ql/lib/codeql/ruby/Frameworks.qll

@@ -10,6 +10,7 @@ private import codeql.ruby.frameworks.ActiveStorage
 private import codeql.ruby.frameworks.ActionView
 private import codeql.ruby.frameworks.ActiveSupport
 private import codeql.ruby.frameworks.Archive
+private import codeql.ruby.frameworks.Arel
 private import codeql.ruby.frameworks.GraphQL
 private import codeql.ruby.frameworks.Rails
 private import codeql.ruby.frameworks.Railties

ruby/ql/lib/codeql/ruby/frameworks/Arel.qll

@@ -0,0 +1,31 @@
+/**
+ * Provides modeling for Arel, a low level SQL library that powers ActiveRecord.
+ * Version: 7.0.3
+ * https://api.rubyonrails.org/classes/Arel.html
+ */
+
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.dataflow.FlowSummary
+
+/**
+ * Provides modeling for Arel, a low level SQL library that powers ActiveRecord.
+ * Version: 7.0.3
+ * https://api.rubyonrails.org/classes/Arel.html
+ */
+module Arel {
+  /**
+   * Flow summary for `Arel.sql`. This method wraps a SQL string, marking it as
+   * safe.
+   */
+  private class SqlSummary extends SummarizedCallable {
+    SqlSummary() { this = "Arel.sql" }
+
+    override MethodCall getACall() {
+      result = API::getTopLevelMember("Arel").getAMethodCall("sql").asExpr().getExpr()
+    }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Argument[0]" and output = "ReturnValue" and preservesValue = false
+    }
+  }
+}