Ruby: use new features in ActionController

2026-04-28 02:05:14 +02:00 · 2023-06-19 12:06:35 +02:00
parent fbfa31937f
commit bb3b973b32
1 changed files with 20 additions and 27 deletions
--- a/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll
@@ -83,8 +83,8 @@ class ActionControllerClass extends DataFlow::ClassNode {
  }
 }

-private DataFlow::LocalSourceNode actionControllerInstance() {
-  result = any(ActionControllerClass cls).getSelf()
+private API::Node actionControllerInstance() {
+  result = any(ActionControllerClass cls).getSelf().track()
 }

 /**
@@ -222,19 +222,19 @@ private class ActionControllerRenderToCall extends RenderToCallImpl {
  }
 }

+pragma[nomagic]
+private DataFlow::CallNode renderCall() {
+  // ActionController#render is an alias for ActionController::Renderer#render
+  result =
+    [
+      any(ActionControllerClass c).trackModule().getAMethodCall("render"),
+      any(ActionControllerClass c).trackModule().getReturn("renderer").getAMethodCall("render")
+    ]
+}
+
 /** A call to `ActionController::Renderer#render`. */
 private class RendererRenderCall extends RenderCallImpl {
-  RendererRenderCall() {
-    this =
-      [
-        // ActionController#render is an alias for ActionController::Renderer#render
-        any(ActionControllerClass c).getAnImmediateReference().getAMethodCall("render"),
-        any(ActionControllerClass c)
-            .getAnImmediateReference()
-            .getAMethodCall("renderer")
-            .getAMethodCall("render")
-      ].asExpr().getExpr()
-  }
+  RendererRenderCall() { this = renderCall().asExpr().getExpr() }
 }

 /** A call to `html_escape` from within a controller. */
@@ -260,6 +260,7 @@ class RedirectToCall extends MethodCall {
    this =
      controller
          .getSelf()
+          .track()
          .getAMethodCall(["redirect_to", "redirect_back", "redirect_back_or_to"])
          .asExpr()
          .getExpr()
@@ -600,9 +601,7 @@ private module ParamsSummaries {
 * response.
 */
 private module Response {
-  DataFlow::LocalSourceNode response() {
-    result = actionControllerInstance().getAMethodCall("response")
-  }
+  API::Node response() { result = actionControllerInstance().getReturn("response") }

  class BodyWrite extends DataFlow::CallNode, Http::Server::HttpResponse::Range {
    BodyWrite() { this = response().getAMethodCall("body=") }
@@ -628,7 +627,7 @@ private module Response {
    HeaderWrite() {
      // response.header[key] = val
      // response.headers[key] = val
-      this = response().getAMethodCall(["header", "headers"]).getAMethodCall("[]=")
+      this = response().getReturn(["header", "headers"]).getAMethodCall("[]=")
      or
      // response.set_header(key) = val
      // response[header] = val
@@ -673,18 +672,12 @@ private module Response {
  }
 }

-private class ActionControllerLoggerInstance extends DataFlow::Node {
-  ActionControllerLoggerInstance() {
-    this = actionControllerInstance().getAMethodCall("logger")
-    or
-    any(ActionControllerLoggerInstance i).(DataFlow::LocalSourceNode).flowsTo(this)
-  }
-}
-
 private class ActionControllerLoggingCall extends DataFlow::CallNode, Logging::Range {
  ActionControllerLoggingCall() {
-    this.getReceiver() instanceof ActionControllerLoggerInstance and
-    this.getMethodName() = ["debug", "error", "fatal", "info", "unknown", "warn"]
+    this =
+      actionControllerInstance()
+          .getReturn("logger")
+          .getAMethodCall(["debug", "error", "fatal", "info", "unknown", "warn"])
  }

  // Note: this is identical to the definition `stdlib.Logger.LoggerInfoStyleCall`.