Add some method calls as a Source

ruby/ql/lib/codeql/ruby/experimental/UnicodeBypassValidationQuery.qll

@@ -79,6 +79,47 @@ private module UnicodeBypassValidationConfig implements DataFlow::StateConfigSig
 
   predicate isSource(DataFlow::Node source, FlowState state) {
     source instanceof RemoteFlowSource and state = PreValidationState()
+    or
+    (
+      exists(Escaping escaping | source = escaping.getOutput())
+      or
+      exists(RegexExecution re | source = re)
+      or
+      // String Manipulation Method Calls
+      // https://ruby-doc.org/core-2.7.0/String.html
+      // String Manipulation Method Calls
+      // https://ruby-doc.org/core-2.7.0/String.html
+      exists(DataFlow::CallNode cn |
+        cn.getMethodName() =
+          [
+            [
+                "ljust", "lstrip", "succ", "next", "rjust", "capitalize", "chomp", "gsub", "chop",
+                "downcase", "swapcase", "uprcase", "scrub", "slice", "squeeze", "strip", "sub",
+                "tr", "tr_s", "reverse"
+              ] + ["", "!"], "concat", "dump", "each_line", "replace", "insert", "inspect", "lines",
+            "partition", "prepend", "replace", "rpartition", "scan", "split", "undump",
+            "unpack" + ["", "1"]
+          ] and
+        source = cn and
+        source.getLocation().getFile().getBaseName().matches("object.rb")
+      )
+      or
+      exists(DataFlow::CallNode cn |
+        cn.getMethodName() =
+          [
+            "casecmp" + ["", "?"], "center", "count", "each_char", "index", "rindex", "sum",
+            ["delete", "delete_prefix", "delete_suffix"] + ["", "!"],
+            ["start_with", "end_with" + "eql", "include"] + ["?", "!"], "match" + ["", "?"],
+          ] and
+        source = cn.getReceiver()
+      )
+      or
+      exists(DataFlow::CallNode cn |
+        cn = API::getTopLevelMember("CGI").getAMethodCall("escapeHTML") and
+        source = cn
+      )
+    ) and
+    state = PostValidationState()
   }
 
   predicate isAdditionalFlowStep(