Ruby: Hide desugared assignments from data flow path graph

2026-04-25 16:55:19 +02:00 · 2023-08-31 13:05:12 +02:00
parent 73370e7282
commit 89e9d25f02
3 changed files with 16 additions and 13 deletions
--- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll
+++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll
@@ -558,9 +558,7 @@ import Cached

 /** Holds if `n` should be hidden from path explanations. */
 predicate nodeIsHidden(Node n) {
-  exists(SsaImpl::DefinitionExt def | def = n.(SsaDefinitionExtNode).getDefinitionExt() |
-    not def instanceof Ssa::WriteDefinition
-  )
+  n.(SsaDefinitionExtNode).isHidden()
  or
  n = LocalFlow::getParameterDefNode(_)
  or
@@ -593,6 +591,13 @@ class SsaDefinitionExtNode extends NodeImpl, TSsaDefinitionExtNode {
  /** Gets the underlying variable. */
  Variable getVariable() { result = def.getSourceVariable() }

+  /** Holds if this node should be hidden from path explanations. */
+  predicate isHidden() {
+    not def instanceof Ssa::WriteDefinition
+    or
+    isDesugarNode(def.(Ssa::WriteDefinition).getWriteAccess().getExpr())
+  }
+
  override CfgScope getCfgScope() { result = def.getBasicBlock().getScope() }

  override Location getLocationImpl() { result = def.getLocation() }
@@ -1593,7 +1598,11 @@ class CastNode extends Node {
 */
 predicate neverSkipInPathGraph(Node n) {
  // ensure that all variable assignments are included in the path graph
-  n.(SsaDefinitionExtNode).getDefinitionExt() instanceof Ssa::WriteDefinition
+  n =
+    any(SsaDefinitionExtNode def |
+      def.getDefinitionExt() instanceof Ssa::WriteDefinition and
+      not def.isHidden()
+    )
 }

 class DataFlowExpr = CfgNodes::ExprCfgNode;
--- a/ruby/ql/test/library-tests/dataflow/array-flow/array-flow.expected
+++ b/ruby/ql/test/library-tests/dataflow/array-flow/array-flow.expected
@@ -203,10 +203,8 @@ edges
 | array_flow.rb:80:13:80:21 | call to source | array_flow.rb:80:5:80:5 | a [element 1] |
 | array_flow.rb:81:8:81:8 | c | array_flow.rb:83:10:83:10 | c |
 | array_flow.rb:81:8:81:8 | c | array_flow.rb:83:10:83:10 | c |
-| array_flow.rb:81:15:81:15 | __synth__3 [element 1] | array_flow.rb:81:8:81:8 | c |
-| array_flow.rb:81:15:81:15 | __synth__3 [element 1] | array_flow.rb:81:8:81:8 | c |
-| array_flow.rb:81:15:81:15 | a [element 1] | array_flow.rb:81:15:81:15 | __synth__3 [element 1] |
-| array_flow.rb:81:15:81:15 | a [element 1] | array_flow.rb:81:15:81:15 | __synth__3 [element 1] |
+| array_flow.rb:81:15:81:15 | a [element 1] | array_flow.rb:81:8:81:8 | c |
+| array_flow.rb:81:15:81:15 | a [element 1] | array_flow.rb:81:8:81:8 | c |
 | array_flow.rb:88:5:88:5 | a [element 1] | array_flow.rb:89:9:89:9 | a [element 1] |
 | array_flow.rb:88:5:88:5 | a [element 1] | array_flow.rb:89:9:89:9 | a [element 1] |
 | array_flow.rb:88:13:88:22 | call to source | array_flow.rb:88:5:88:5 | a [element 1] |
@@ -4468,8 +4466,6 @@ nodes
 | array_flow.rb:80:13:80:21 | call to source | semmle.label | call to source |
 | array_flow.rb:81:8:81:8 | c | semmle.label | c |
 | array_flow.rb:81:8:81:8 | c | semmle.label | c |
-| array_flow.rb:81:15:81:15 | __synth__3 [element 1] | semmle.label | __synth__3 [element 1] |
-| array_flow.rb:81:15:81:15 | __synth__3 [element 1] | semmle.label | __synth__3 [element 1] |
 | array_flow.rb:81:15:81:15 | a [element 1] | semmle.label | a [element 1] |
 | array_flow.rb:81:15:81:15 | a [element 1] | semmle.label | a [element 1] |
 | array_flow.rb:83:10:83:10 | c | semmle.label | c |
--- a/ruby/ql/test/library-tests/dataflow/hash-flow/hash-flow.expected
+++ b/ruby/ql/test/library-tests/dataflow/hash-flow/hash-flow.expected
@@ -81,8 +81,7 @@ edges
 | hash_flow.rb:96:30:96:33 | hash [element :a] | hash_flow.rb:96:13:96:34 | call to try_convert [element :a] |
 | hash_flow.rb:97:10:97:14 | hash2 [element :a] | hash_flow.rb:97:10:97:18 | ...[...] |
 | hash_flow.rb:105:5:105:5 | b | hash_flow.rb:106:10:106:10 | b |
-| hash_flow.rb:105:21:105:30 | __synth__0 | hash_flow.rb:105:5:105:5 | b |
-| hash_flow.rb:105:21:105:30 | call to taint | hash_flow.rb:105:21:105:30 | __synth__0 |
+| hash_flow.rb:105:21:105:30 | call to taint | hash_flow.rb:105:5:105:5 | b |
 | hash_flow.rb:113:5:113:5 | b | hash_flow.rb:115:10:115:10 | b |
 | hash_flow.rb:113:9:113:12 | [post] hash [element :a] | hash_flow.rb:114:10:114:13 | hash [element :a] |
 | hash_flow.rb:113:9:113:34 | call to store | hash_flow.rb:113:5:113:5 | b |
@@ -1063,7 +1062,6 @@ nodes
 | hash_flow.rb:97:10:97:14 | hash2 [element :a] | semmle.label | hash2 [element :a] |
 | hash_flow.rb:97:10:97:18 | ...[...] | semmle.label | ...[...] |
 | hash_flow.rb:105:5:105:5 | b | semmle.label | b |
-| hash_flow.rb:105:21:105:30 | __synth__0 | semmle.label | __synth__0 |
 | hash_flow.rb:105:21:105:30 | call to taint | semmle.label | call to taint |
 | hash_flow.rb:106:10:106:10 | b | semmle.label | b |
 | hash_flow.rb:113:5:113:5 | b | semmle.label | b |