Ruby: Include self parameters in type tracking flow-through logic

2026-04-26 09:15:12 +02:00 · 2023-05-08 11:39:38 +02:00
parent 3cdb27725a
commit 826b6219a0
3 changed files with 11 additions and 8 deletions
--- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll
+++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll
@@ -940,6 +940,12 @@ private class NewCall extends DataFlowCall {
 abstract class ReturningNode extends Node {
  /** Gets the kind of this return node. */
  abstract ReturnKind getKind();
+
+  pragma[nomagic]
+  predicate hasKind(ReturnKind kind, CfgScope scope) {
+    kind = this.getKind() and
+    scope = this.(NodeImpl).getCfgScope()
+  }
 }

 /** A data-flow node that represents a value returned by a callable. */
@@ -1060,10 +1066,8 @@ private module ReturnNodes {
    SynthReturnNode() { this = TSynthReturnNode(scope, kind) }

    /** Gets a syntactic return node that flows into this synthetic node. */
-    ReturningNode getAnInput() {
-      result.(NodeImpl).getCfgScope() = scope and
-      result.getKind() = kind
-    }
+    pragma[nomagic]
+    ReturningNode getAnInput() { result.hasKind(kind, scope) }

    override ReturnKind getKind() { result = kind }

--- a/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll
+++ b/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll
@@ -80,10 +80,8 @@ predicate jumpStep = DataFlowPrivate::jumpStep/2;
 pragma[nomagic]
 private predicate flowThrough(DataFlowPublic::ParameterNode param) {
  exists(DataFlowPrivate::ReturningNode returnNode, DataFlowDispatch::ReturnKind rk |
-    DataFlowPrivate::LocalFlow::getParameterDefNode(param.getParameter())
-        .(TypeTrackingNode)
-        .flowsTo(returnNode) and
-    rk = returnNode.getKind()
+    param.flowsTo(returnNode) and
+    returnNode.hasKind(rk, param.(DataFlowPrivate::NodeImpl).getCfgScope())
  |
    rk instanceof DataFlowDispatch::NormalReturnKind
    or
--- a/ruby/ql/test/library-tests/modules/callgraph.expected
+++ b/ruby/ql/test/library-tests/modules/callgraph.expected
@@ -153,6 +153,7 @@ getTarget
 | calls.rb:383:1:383:23 | call to instance | calls.rb:326:5:328:7 | instance |
 | calls.rb:383:1:383:23 | call to instance | calls.rb:336:5:338:7 | instance |
 | calls.rb:383:1:383:23 | call to instance | calls.rb:342:5:344:7 | instance |
+| calls.rb:383:1:383:23 | call to instance | calls.rb:375:5:377:7 | instance |
 | calls.rb:388:13:388:48 | call to puts | calls.rb:102:5:102:30 | puts |
 | calls.rb:392:13:392:22 | call to singleton1 | calls.rb:387:9:389:11 | singleton1 |
 | calls.rb:392:13:392:22 | call to singleton1 | calls.rb:422:9:424:11 | singleton1 |