Merge pull request #10559 from aibaars/cve-2019-3881

Ruby: some improvements
2026-04-28 18:25:24 +02:00 · 2022-10-04 21:24:14 +02:00
parent d69a658e06 88b5d4da16
commit c1c16e44ee
29 changed files with 5767 additions and 722 deletions
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -33,8 +33,9 @@
    "python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll",
    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl.qll",
    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForLibraries.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForRegExp.qll",
    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForHttpClientLibraries.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForPathname.qll",
    "swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl.qll"
  ],
  "DataFlow Java/C++/C#/Python Common": [
@@ -69,7 +70,7 @@
    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll",
    "python/ql/lib/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll",
    "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTrackingImpl.qll",
-    "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttrackingforlibraries/TaintTrackingImpl.qll",
+    "ruby/ql/lib/codeql/ruby/dataflow/internal/tainttrackingforregexp/TaintTrackingImpl.qll",
    "swift/ql/lib/codeql/swift/dataflow/internal/tainttracking1/TaintTrackingImpl.qll"
  ],
  "DataFlow Java/C++/C#/Python Consistency checks": [
--- a/ruby/ql/lib/codeql/ruby/Regexp.qll
+++ b/ruby/ql/lib/codeql/ruby/Regexp.qll
@@ -114,7 +114,7 @@ class StdLibRegExpInterpretation extends RegExpInterpretation::Range {
      mce.getMethodName() = ["match", "match?"] and
      this = mce.getArgument(0) and
      // exclude https://ruby-doc.org/core-2.4.0/Regexp.html#method-i-match
-      not mce.getReceiver().asExpr().getExpr() instanceof Ast::RegExpLiteral
+      not mce.getReceiver() = trackRegexpType()
    )
  }
 }
--- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll
+++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll
@@ -294,6 +294,30 @@ private DataFlowCallable viableLibraryCallable(DataFlowCall call) {
  )
 }

+/** Holds if there is a call like `receiver.extend(M)`. */
+pragma[nomagic]
+private predicate extendCall(DataFlow::ExprNode receiver, Module m) {
+  exists(DataFlow::CallNode extendCall |
+    extendCall.getMethodName() = "extend" and
+    exists(DataFlow::LocalSourceNode sourceNode | sourceNode.flowsTo(extendCall.getArgument(_)) |
+      selfInModule(sourceNode.(SsaSelfDefinitionNode).getVariable(), m) or
+      m = resolveConstantReadAccess(sourceNode.asExpr().getExpr())
+    ) and
+    receiver = extendCall.getReceiver()
+  )
+}
+
+/** Holds if there is a call like `M.extend(N)` */
+pragma[nomagic]
+private predicate extendCallModule(Module m, Module n) {
+  exists(DataFlow::LocalSourceNode receiver, DataFlow::ExprNode e |
+    receiver.flowsTo(e) and extendCall(e, n)
+  |
+    selfInModule(receiver.(SsaSelfDefinitionNode).getVariable(), m) or
+    m = resolveConstantReadAccess(receiver.asExpr().getExpr())
+  )
+}
+
 cached
 private module Cached {
  cached
@@ -340,12 +364,29 @@ private module Cached {
        // def c.singleton; end # <- result
        // c.singleton          # <- call
        // ```
+        // or an `extend`ed instance, e.g.
+        // ```rb
+        // c = C.new
+        // module M
+        //   def instance; end  # <- result
+        // end
+        // c.extend M
+        // c.instance # <- call
+        // ```
        exists(DataFlow::Node receiver |
          methodCall(call, receiver, method) and
          receiver = trackSingletonMethodOnInstance(result, method)
        )
        or
        // singleton method defined on a module
+        // or an `extend`ed module, e.g.
+        // ```rb
+        // module M
+        //   def instance; end  # <- result
+        // end
+        // M.extend(M)
+        // M.instance           # <- call
+        // ```
        exists(DataFlow::Node sourceNode, Module m |
          flowsToMethodCall(call, sourceNode, method) and
          singletonMethodOnModule(result, method, m)
@@ -664,6 +705,12 @@ private predicate flowsToSingletonMethodObject(
 * class << c
 *   def m6; end # not included
 * end
+ *
+ * module M
+ *   def instance; end # included in `N` via `extend` call below
+ * end
+ * N.extend(M)
+ * N.instance
 * ```
 */
 pragma[nomagic]
@@ -674,6 +721,11 @@ private predicate singletonMethodOnModule(MethodBase method, string name, Module
  )
  or
  flowsToSingletonMethodObject(trackModuleAccess(m), method, name)
+  or
+  exists(Module other |
+    extendCallModule(m, other) and
+    method = lookupMethod(other, name)
+  )
 }

 /**
@@ -700,6 +752,11 @@ private predicate singletonMethodOnModule(MethodBase method, string name, Module
 * class << c
 *   def m6; end # included
 * end
+ *
+ * module M
+ *   def instance; end # included in `c` via `extend` call below
+ * end
+ * c.extend(M)
 * ```
 */
 pragma[nomagic]
@@ -708,6 +765,12 @@ predicate singletonMethodOnInstance(MethodBase method, string name, Expr object)
  not selfInModule(object.(SelfVariableReadAccess).getVariable(), _) and
  // cannot use `trackModuleAccess` because of negative recursion
  not exists(resolveConstantReadAccess(object))
+  or
+  exists(DataFlow::ExprNode receiver, Module other |
+    extendCall(receiver, other) and
+    object = receiver.getExprNode().getExpr() and
+    method = lookupMethod(other, name)
+  )
 }

 /**
--- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForLibraries.qll
+++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForLibraries.qll
--- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForRegExp.qll
+++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplForRegExp.qll
--- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll
+++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll
@@ -181,6 +181,12 @@ module LocalFlow {
        ) and
        nodeFrom.asExpr() = for.getValue()
      )
+    or
+    nodeTo.asExpr() =
+      any(CfgNodes::ExprNodes::BinaryOperationCfgNode op |
+        op.getExpr() instanceof BinaryLogicalOperation and
+        nodeFrom.asExpr() = op.getAnOperand()
+      )
  }
 }

--- a/ruby/ql/lib/codeql/ruby/dataflow/internal/TaintTrackingPrivate.qll
+++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/TaintTrackingPrivate.qll
@@ -85,7 +85,10 @@ private module Cached {
      op.getAnOperand() = nodeFrom.asExpr() and
      not op.getExpr() =
        any(Expr e |
+          // included in normal data-flow
          e instanceof AssignExpr or
+          e instanceof BinaryLogicalOperation or
+          // has flow summary
          e instanceof SplatExpr
        )
    )
--- a/ruby/ql/lib/codeql/ruby/dataflow/internal/tainttrackingforlibraries/TaintTrackingImpl.qll
+++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/tainttrackingforlibraries/TaintTrackingImpl.qll
--- a/ruby/ql/lib/codeql/ruby/dataflow/internal/tainttrackingforlibraries/TaintTrackingParameter.qll
+++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/tainttrackingforlibraries/TaintTrackingParameter.qll
@@ -1,6 +1,6 @@
 import codeql.ruby.dataflow.internal.TaintTrackingPublic as Public

 module Private {
-  import codeql.ruby.dataflow.internal.DataFlowImplForLibraries as DataFlow
+  import codeql.ruby.dataflow.internal.DataFlowImplForRegExp as DataFlow
  import codeql.ruby.dataflow.internal.TaintTrackingPrivate
 }
--- a/ruby/ql/lib/codeql/ruby/frameworks/core/Kernel.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/core/Kernel.qll
@@ -167,4 +167,14 @@ module Kernel {

    override DataFlow::Node getCode() { result = this.getArgument(0) }
  }
+
+  private class TapSummary extends SimpleSummarizedCallable {
+    TapSummary() { this = "tap" }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Argument[self]" and
+      output = ["ReturnValue", "Argument[block].Parameter[0]"] and
+      preservesValue = true
+    }
+  }
 }
--- a/ruby/ql/lib/codeql/ruby/frameworks/core/Object.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/core/Object.qll
@@ -3,6 +3,7 @@
 */

 private import codeql.ruby.AST
+private import codeql.ruby.dataflow.FlowSummary

 /**
 * Provides modeling for the `Object` class.
@@ -31,4 +32,14 @@ module Object {
        "taint", "tainted?", "to_enum", "to_s", "trust", "untaint", "untrust", "untrusted?"
      ]
  }
+
+  private class DupSummary extends SimpleSummarizedCallable {
+    DupSummary() { this = "dup" }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Argument[self]" and
+      output = "ReturnValue" and
+      preservesValue = true
+    }
+  }
 }
--- a/ruby/ql/lib/codeql/ruby/frameworks/stdlib/Pathname.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/stdlib/Pathname.qll
@@ -3,10 +3,9 @@
 private import codeql.ruby.AST
 private import codeql.ruby.ApiGraphs
 private import codeql.ruby.Concepts
-private import codeql.ruby.DataFlow
 private import codeql.ruby.dataflow.FlowSummary
-private import codeql.ruby.dataflow.internal.DataFlowDispatch
 private import codeql.ruby.frameworks.data.ModelsAsData
+private import codeql.ruby.dataflow.internal.DataFlowImplForPathname

 /**
 * Modeling of the `Pathname` class from the Ruby standard library.
@@ -27,31 +26,34 @@ module Pathname {
   *
   * Every `PathnameInstance` is considered to be a `FileNameSource`.
   */
-  class PathnameInstance extends FileNameSource, DataFlow::Node {
-    PathnameInstance() { this = pathnameInstance() }
+  class PathnameInstance extends FileNameSource {
+    PathnameInstance() { any(PathnameConfiguration c).hasFlowTo(this) }
  }

-  private DataFlow::Node pathnameInstance() {
-    // A call to `Pathname.new`.
-    result = API::getTopLevelMember("Pathname").getAnInstantiation()
-    or
-    // Class methods on `Pathname` that return a new `Pathname`.
-    result = API::getTopLevelMember("Pathname").getAMethodCall(["getwd", "pwd",])
-    or
-    // Instance methods on `Pathname` that return a new `Pathname`.
-    exists(DataFlow::CallNode c | result = c |
-      c.getReceiver() = pathnameInstance() and
-      c.getMethodName() =
-        [
-          "+", "/", "basename", "cleanpath", "expand_path", "join", "realpath",
-          "relative_path_from", "sub", "sub_ext", "to_path"
-        ]
-    )
-    or
-    exists(DataFlow::Node inst |
-      inst = pathnameInstance() and
-      inst.(DataFlow::LocalSourceNode).flowsTo(result)
-    )
+  private class PathnameConfiguration extends Configuration {
+    PathnameConfiguration() { this = "PathnameConfiguration" }
+
+    override predicate isSource(DataFlow::Node source) {
+      // A call to `Pathname.new`.
+      source = API::getTopLevelMember("Pathname").getAnInstantiation()
+      or
+      // Class methods on `Pathname` that return a new `Pathname`.
+      source = API::getTopLevelMember("Pathname").getAMethodCall(["getwd", "pwd",])
+    }
+
+    override predicate isSink(DataFlow::Node sink) { any() }
+
+    override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+      node2 =
+        any(DataFlow::CallNode c |
+          c.getReceiver() = node1 and
+          c.getMethodName() =
+            [
+              "+", "/", "basename", "cleanpath", "expand_path", "join", "realpath",
+              "relative_path_from", "sub", "sub_ext", "to_path"
+            ]
+        )
+    }
  }

  /** A call where the receiver is a `Pathname`. */
--- a/ruby/ql/lib/codeql/ruby/regexp/internal/DebugRegExpConfiguration.ql
+++ b/ruby/ql/lib/codeql/ruby/regexp/internal/DebugRegExpConfiguration.ql
@@ -4,7 +4,7 @@
 */

 import RegExpConfiguration
-import codeql.ruby.dataflow.internal.DataFlowImplForLibraries
+import codeql.ruby.dataflow.internal.DataFlowImplForRegExp
 import PathGraph

 from RegExpConfiguration c, PathNode source, PathNode sink
--- a/ruby/ql/lib/codeql/ruby/regexp/internal/RegExpConfiguration.qll
+++ b/ruby/ql/lib/codeql/ruby/regexp/internal/RegExpConfiguration.qll
@@ -2,7 +2,9 @@ private import codeql.ruby.Regexp
 private import codeql.ruby.ast.Literal as Ast
 private import codeql.ruby.DataFlow
 private import codeql.ruby.controlflow.CfgNodes
-private import codeql.ruby.dataflow.internal.tainttrackingforlibraries.TaintTrackingImpl
+private import codeql.ruby.dataflow.internal.tainttrackingforregexp.TaintTrackingImpl
+private import codeql.ruby.typetracking.TypeTracker
+private import codeql.ruby.ApiGraphs

 class RegExpConfiguration extends Configuration {
  RegExpConfiguration() { this = "RegExpConfiguration" }
@@ -19,12 +21,26 @@ class RegExpConfiguration extends Configuration {
  override predicate isSink(DataFlow::Node sink) { sink instanceof RegExpInterpretation::Range }

  override predicate isSanitizer(DataFlow::Node node) {
-    // stop flow if `node` is receiver of
-    // https://ruby-doc.org/core-2.4.0/String.html#method-i-match
-    exists(DataFlow::CallNode mce |
-      mce.getMethodName() = ["match", "match?"] and
+    exists(DataFlow::CallNode mce | mce.getMethodName() = ["match", "match?"] |
+      // receiver of https://ruby-doc.org/core-2.4.0/String.html#method-i-match
      node = mce.getReceiver() and
-      mce.getArgument(0).asExpr().getExpr() instanceof Ast::RegExpLiteral
+      mce.getArgument(0) = trackRegexpType()
+      or
+      // first argument of https://ruby-doc.org/core-2.4.0/Regexp.html#method-i-match
+      node = mce.getArgument(0) and
+      mce.getReceiver() = trackRegexpType()
    )
  }
 }
+
+private DataFlow::LocalSourceNode trackRegexpType(TypeTracker t) {
+  t.start() and
+  (
+    result.asExpr().getExpr() instanceof Ast::RegExpLiteral or
+    result = API::getTopLevelMember("Regexp").getAMethodCall(["compile", "new"])
+  )
+  or
+  exists(TypeTracker t2 | result = trackRegexpType(t2).track(t2, t))
+}
+
+DataFlow::Node trackRegexpType() { trackRegexpType(TypeTracker::end()).flowsTo(result) }
--- a/ruby/ql/test/library-tests/dataflow/local/DataflowStep.expected
+++ b/ruby/ql/test/library-tests/dataflow/local/DataflowStep.expected
@@ -157,3 +157,125 @@
 | local_dataflow.rb:87:25:87:25 | [post] x | local_dataflow.rb:87:29:87:29 | x |
 | local_dataflow.rb:87:25:87:25 | x | local_dataflow.rb:87:29:87:29 | x |
 | local_dataflow.rb:87:29:87:29 | x | local_dataflow.rb:87:15:87:48 | then ... |
+| local_dataflow.rb:92:1:109:3 | self (and_or) | local_dataflow.rb:93:7:93:15 | self |
+| local_dataflow.rb:92:1:109:3 | self in and_or | local_dataflow.rb:92:1:109:3 | self (and_or) |
+| local_dataflow.rb:93:3:93:28 | ... = ... | local_dataflow.rb:94:8:94:8 | a |
+| local_dataflow.rb:93:7:93:15 | [post] self | local_dataflow.rb:93:20:93:28 | self |
+| local_dataflow.rb:93:7:93:15 | [post] self | local_dataflow.rb:94:3:94:9 | self |
+| local_dataflow.rb:93:7:93:15 | call to source | local_dataflow.rb:93:7:93:28 | ... \|\| ... |
+| local_dataflow.rb:93:7:93:15 | self | local_dataflow.rb:93:20:93:28 | self |
+| local_dataflow.rb:93:7:93:15 | self | local_dataflow.rb:94:3:94:9 | self |
+| local_dataflow.rb:93:7:93:28 | ... \|\| ... | local_dataflow.rb:93:3:93:28 | ... = ... |
+| local_dataflow.rb:93:7:93:28 | ... \|\| ... | local_dataflow.rb:93:3:93:28 | ... = ... |
+| local_dataflow.rb:93:20:93:28 | [post] self | local_dataflow.rb:94:3:94:9 | self |
+| local_dataflow.rb:93:20:93:28 | call to source | local_dataflow.rb:93:7:93:28 | ... \|\| ... |
+| local_dataflow.rb:93:20:93:28 | self | local_dataflow.rb:94:3:94:9 | self |
+| local_dataflow.rb:94:3:94:9 | [post] self | local_dataflow.rb:95:8:95:16 | self |
+| local_dataflow.rb:94:3:94:9 | self | local_dataflow.rb:95:8:95:16 | self |
+| local_dataflow.rb:95:3:95:30 | ... = ... | local_dataflow.rb:96:8:96:8 | b |
+| local_dataflow.rb:95:7:95:30 | ( ... ) | local_dataflow.rb:95:3:95:30 | ... = ... |
+| local_dataflow.rb:95:7:95:30 | ( ... ) | local_dataflow.rb:95:3:95:30 | ... = ... |
+| local_dataflow.rb:95:8:95:16 | [post] self | local_dataflow.rb:95:21:95:29 | self |
+| local_dataflow.rb:95:8:95:16 | [post] self | local_dataflow.rb:96:3:96:9 | self |
+| local_dataflow.rb:95:8:95:16 | call to source | local_dataflow.rb:95:8:95:29 | ... or ... |
+| local_dataflow.rb:95:8:95:16 | self | local_dataflow.rb:95:21:95:29 | self |
+| local_dataflow.rb:95:8:95:16 | self | local_dataflow.rb:96:3:96:9 | self |
+| local_dataflow.rb:95:8:95:29 | ... or ... | local_dataflow.rb:95:7:95:30 | ( ... ) |
+| local_dataflow.rb:95:21:95:29 | [post] self | local_dataflow.rb:96:3:96:9 | self |
+| local_dataflow.rb:95:21:95:29 | call to source | local_dataflow.rb:95:8:95:29 | ... or ... |
+| local_dataflow.rb:95:21:95:29 | self | local_dataflow.rb:96:3:96:9 | self |
+| local_dataflow.rb:96:3:96:9 | [post] self | local_dataflow.rb:98:7:98:15 | self |
+| local_dataflow.rb:96:3:96:9 | self | local_dataflow.rb:98:7:98:15 | self |
+| local_dataflow.rb:98:3:98:28 | ... = ... | local_dataflow.rb:99:8:99:8 | a |
+| local_dataflow.rb:98:7:98:15 | [post] self | local_dataflow.rb:98:20:98:28 | self |
+| local_dataflow.rb:98:7:98:15 | [post] self | local_dataflow.rb:99:3:99:9 | self |
+| local_dataflow.rb:98:7:98:15 | call to source | local_dataflow.rb:98:7:98:28 | ... && ... |
+| local_dataflow.rb:98:7:98:15 | self | local_dataflow.rb:98:20:98:28 | self |
+| local_dataflow.rb:98:7:98:15 | self | local_dataflow.rb:99:3:99:9 | self |
+| local_dataflow.rb:98:7:98:28 | ... && ... | local_dataflow.rb:98:3:98:28 | ... = ... |
+| local_dataflow.rb:98:7:98:28 | ... && ... | local_dataflow.rb:98:3:98:28 | ... = ... |
+| local_dataflow.rb:98:20:98:28 | [post] self | local_dataflow.rb:99:3:99:9 | self |
+| local_dataflow.rb:98:20:98:28 | call to source | local_dataflow.rb:98:7:98:28 | ... && ... |
+| local_dataflow.rb:98:20:98:28 | self | local_dataflow.rb:99:3:99:9 | self |
+| local_dataflow.rb:99:3:99:9 | [post] self | local_dataflow.rb:100:8:100:16 | self |
+| local_dataflow.rb:99:3:99:9 | self | local_dataflow.rb:100:8:100:16 | self |
+| local_dataflow.rb:100:3:100:31 | ... = ... | local_dataflow.rb:101:8:101:8 | b |
+| local_dataflow.rb:100:7:100:31 | ( ... ) | local_dataflow.rb:100:3:100:31 | ... = ... |
+| local_dataflow.rb:100:7:100:31 | ( ... ) | local_dataflow.rb:100:3:100:31 | ... = ... |
+| local_dataflow.rb:100:8:100:16 | [post] self | local_dataflow.rb:100:22:100:30 | self |
+| local_dataflow.rb:100:8:100:16 | [post] self | local_dataflow.rb:101:3:101:9 | self |
+| local_dataflow.rb:100:8:100:16 | call to source | local_dataflow.rb:100:8:100:30 | ... and ... |
+| local_dataflow.rb:100:8:100:16 | self | local_dataflow.rb:100:22:100:30 | self |
+| local_dataflow.rb:100:8:100:16 | self | local_dataflow.rb:101:3:101:9 | self |
+| local_dataflow.rb:100:8:100:30 | ... and ... | local_dataflow.rb:100:7:100:31 | ( ... ) |
+| local_dataflow.rb:100:22:100:30 | [post] self | local_dataflow.rb:101:3:101:9 | self |
+| local_dataflow.rb:100:22:100:30 | call to source | local_dataflow.rb:100:8:100:30 | ... and ... |
+| local_dataflow.rb:100:22:100:30 | self | local_dataflow.rb:101:3:101:9 | self |
+| local_dataflow.rb:101:3:101:9 | [post] self | local_dataflow.rb:103:7:103:15 | self |
+| local_dataflow.rb:101:3:101:9 | self | local_dataflow.rb:103:7:103:15 | self |
+| local_dataflow.rb:103:3:103:15 | ... = ... | local_dataflow.rb:104:3:104:3 | a |
+| local_dataflow.rb:103:7:103:15 | [post] self | local_dataflow.rb:104:9:104:17 | self |
+| local_dataflow.rb:103:7:103:15 | [post] self | local_dataflow.rb:105:3:105:9 | self |
+| local_dataflow.rb:103:7:103:15 | call to source | local_dataflow.rb:103:3:103:15 | ... = ... |
+| local_dataflow.rb:103:7:103:15 | call to source | local_dataflow.rb:103:3:103:15 | ... = ... |
+| local_dataflow.rb:103:7:103:15 | self | local_dataflow.rb:104:9:104:17 | self |
+| local_dataflow.rb:103:7:103:15 | self | local_dataflow.rb:105:3:105:9 | self |
+| local_dataflow.rb:104:3:104:3 | a | local_dataflow.rb:104:5:104:7 | ... \|\| ... |
+| local_dataflow.rb:104:3:104:17 | ... = ... | local_dataflow.rb:105:8:105:8 | a |
+| local_dataflow.rb:104:5:104:7 | ... \|\| ... | local_dataflow.rb:104:3:104:17 | ... = ... |
+| local_dataflow.rb:104:5:104:7 | ... \|\| ... | local_dataflow.rb:104:3:104:17 | ... = ... |
+| local_dataflow.rb:104:9:104:17 | [post] self | local_dataflow.rb:105:3:105:9 | self |
+| local_dataflow.rb:104:9:104:17 | call to source | local_dataflow.rb:104:5:104:7 | ... \|\| ... |
+| local_dataflow.rb:104:9:104:17 | self | local_dataflow.rb:105:3:105:9 | self |
+| local_dataflow.rb:105:3:105:9 | [post] self | local_dataflow.rb:106:7:106:15 | self |
+| local_dataflow.rb:105:3:105:9 | self | local_dataflow.rb:106:7:106:15 | self |
+| local_dataflow.rb:106:3:106:15 | ... = ... | local_dataflow.rb:107:3:107:3 | b |
+| local_dataflow.rb:106:7:106:15 | [post] self | local_dataflow.rb:107:9:107:17 | self |
+| local_dataflow.rb:106:7:106:15 | [post] self | local_dataflow.rb:108:3:108:9 | self |
+| local_dataflow.rb:106:7:106:15 | call to source | local_dataflow.rb:106:3:106:15 | ... = ... |
+| local_dataflow.rb:106:7:106:15 | call to source | local_dataflow.rb:106:3:106:15 | ... = ... |
+| local_dataflow.rb:106:7:106:15 | self | local_dataflow.rb:107:9:107:17 | self |
+| local_dataflow.rb:106:7:106:15 | self | local_dataflow.rb:108:3:108:9 | self |
+| local_dataflow.rb:107:3:107:3 | b | local_dataflow.rb:107:5:107:7 | ... && ... |
+| local_dataflow.rb:107:3:107:17 | ... = ... | local_dataflow.rb:108:8:108:8 | b |
+| local_dataflow.rb:107:5:107:7 | ... && ... | local_dataflow.rb:107:3:107:17 | ... = ... |
+| local_dataflow.rb:107:5:107:7 | ... && ... | local_dataflow.rb:107:3:107:17 | ... = ... |
+| local_dataflow.rb:107:9:107:17 | [post] self | local_dataflow.rb:108:3:108:9 | self |
+| local_dataflow.rb:107:9:107:17 | call to source | local_dataflow.rb:107:5:107:7 | ... && ... |
+| local_dataflow.rb:107:9:107:17 | self | local_dataflow.rb:108:3:108:9 | self |
+| local_dataflow.rb:111:1:114:3 | self (object_dup) | local_dataflow.rb:112:3:112:21 | self |
+| local_dataflow.rb:111:1:114:3 | self in object_dup | local_dataflow.rb:111:1:114:3 | self (object_dup) |
+| local_dataflow.rb:112:3:112:21 | [post] self | local_dataflow.rb:112:8:112:16 | self |
+| local_dataflow.rb:112:3:112:21 | self | local_dataflow.rb:112:8:112:16 | self |
+| local_dataflow.rb:112:8:112:16 | [post] self | local_dataflow.rb:113:3:113:25 | self |
+| local_dataflow.rb:112:8:112:16 | call to source | local_dataflow.rb:112:8:112:20 | call to dup |
+| local_dataflow.rb:112:8:112:16 | self | local_dataflow.rb:113:3:113:25 | self |
+| local_dataflow.rb:113:3:113:25 | [post] self | local_dataflow.rb:113:8:113:16 | self |
+| local_dataflow.rb:113:3:113:25 | self | local_dataflow.rb:113:8:113:16 | self |
+| local_dataflow.rb:113:8:113:16 | call to source | local_dataflow.rb:113:8:113:20 | call to dup |
+| local_dataflow.rb:113:8:113:20 | call to dup | local_dataflow.rb:113:8:113:24 | call to dup |
+| local_dataflow.rb:116:1:120:3 | self (kernel_tap) | local_dataflow.rb:117:3:117:24 | self |
+| local_dataflow.rb:116:1:120:3 | self in kernel_tap | local_dataflow.rb:116:1:120:3 | self (kernel_tap) |
+| local_dataflow.rb:117:3:117:24 | [post] self | local_dataflow.rb:117:8:117:16 | self |
+| local_dataflow.rb:117:3:117:24 | self | local_dataflow.rb:117:8:117:16 | self |
+| local_dataflow.rb:117:8:117:16 | [post] self | local_dataflow.rb:118:3:118:11 | self |
+| local_dataflow.rb:117:8:117:16 | call to source | local_dataflow.rb:117:8:117:23 | call to tap |
+| local_dataflow.rb:117:8:117:16 | self | local_dataflow.rb:118:3:118:11 | self |
+| local_dataflow.rb:118:3:118:11 | [post] self | local_dataflow.rb:119:3:119:31 | self |
+| local_dataflow.rb:118:3:118:11 | call to source | local_dataflow.rb:118:3:118:31 | call to tap |
+| local_dataflow.rb:118:3:118:11 | self | local_dataflow.rb:119:3:119:31 | self |
+| local_dataflow.rb:118:17:118:31 | <captured> | local_dataflow.rb:118:23:118:29 | self |
+| local_dataflow.rb:118:20:118:20 | x | local_dataflow.rb:118:20:118:20 | x |
+| local_dataflow.rb:118:20:118:20 | x | local_dataflow.rb:118:28:118:28 | x |
+| local_dataflow.rb:119:3:119:31 | [post] self | local_dataflow.rb:119:8:119:16 | self |
+| local_dataflow.rb:119:3:119:31 | self | local_dataflow.rb:119:8:119:16 | self |
+| local_dataflow.rb:119:8:119:16 | call to source | local_dataflow.rb:119:8:119:23 | call to tap |
+| local_dataflow.rb:119:8:119:23 | call to tap | local_dataflow.rb:119:8:119:30 | call to tap |
+| local_dataflow.rb:122:1:124:3 | self (dup_tap) | local_dataflow.rb:123:3:123:50 | self |
+| local_dataflow.rb:122:1:124:3 | self in dup_tap | local_dataflow.rb:122:1:124:3 | self (dup_tap) |
+| local_dataflow.rb:123:3:123:50 | [post] self | local_dataflow.rb:123:8:123:16 | self |
+| local_dataflow.rb:123:3:123:50 | self | local_dataflow.rb:123:8:123:16 | self |
+| local_dataflow.rb:123:8:123:16 | call to source | local_dataflow.rb:123:8:123:20 | call to dup |
+| local_dataflow.rb:123:8:123:20 | call to dup | local_dataflow.rb:123:8:123:45 | call to tap |
+| local_dataflow.rb:123:8:123:45 | call to tap | local_dataflow.rb:123:8:123:49 | call to dup |
+| local_dataflow.rb:123:26:123:45 | <captured> | local_dataflow.rb:123:32:123:43 | self |
--- a/ruby/ql/test/library-tests/dataflow/local/Nodes.expected
+++ b/ruby/ql/test/library-tests/dataflow/local/Nodes.expected
@@ -13,6 +13,12 @@ ret
 | local_dataflow.rb:51:3:51:15 | break |
 | local_dataflow.rb:52:3:52:10 | "normal" |
 | local_dataflow.rb:89:3:89:9 | call to sink |
+| local_dataflow.rb:108:3:108:9 | call to sink |
+| local_dataflow.rb:113:3:113:25 | call to sink |
+| local_dataflow.rb:118:23:118:29 | call to sink |
+| local_dataflow.rb:119:3:119:31 | call to sink |
+| local_dataflow.rb:123:3:123:50 | call to sink |
+| local_dataflow.rb:123:32:123:43 | call to puts |
 arg
 | local_dataflow.rb:3:8:3:10 | self | local_dataflow.rb:3:8:3:10 | call to p | self |
 | local_dataflow.rb:3:10:3:10 | a | local_dataflow.rb:3:8:3:10 | call to p | position 0 |
@@ -75,3 +81,92 @@ arg
 | local_dataflow.rb:87:25:87:25 | x | local_dataflow.rb:87:20:87:26 | call to sink | position 0 |
 | local_dataflow.rb:89:3:89:9 | self | local_dataflow.rb:89:3:89:9 | call to sink | self |
 | local_dataflow.rb:89:8:89:8 | z | local_dataflow.rb:89:3:89:9 | call to sink | position 0 |
+| local_dataflow.rb:93:7:93:15 | call to source | local_dataflow.rb:93:7:93:28 | ... \|\| ... | self |
+| local_dataflow.rb:93:7:93:15 | self | local_dataflow.rb:93:7:93:15 | call to source | self |
+| local_dataflow.rb:93:14:93:14 | 1 | local_dataflow.rb:93:7:93:15 | call to source | position 0 |
+| local_dataflow.rb:93:20:93:28 | call to source | local_dataflow.rb:93:7:93:28 | ... \|\| ... | position 0 |
+| local_dataflow.rb:93:20:93:28 | self | local_dataflow.rb:93:20:93:28 | call to source | self |
+| local_dataflow.rb:93:27:93:27 | 2 | local_dataflow.rb:93:20:93:28 | call to source | position 0 |
+| local_dataflow.rb:94:3:94:9 | self | local_dataflow.rb:94:3:94:9 | call to sink | self |
+| local_dataflow.rb:94:8:94:8 | a | local_dataflow.rb:94:3:94:9 | call to sink | position 0 |
+| local_dataflow.rb:95:8:95:16 | call to source | local_dataflow.rb:95:8:95:29 | ... or ... | self |
+| local_dataflow.rb:95:8:95:16 | self | local_dataflow.rb:95:8:95:16 | call to source | self |
+| local_dataflow.rb:95:15:95:15 | 1 | local_dataflow.rb:95:8:95:16 | call to source | position 0 |
+| local_dataflow.rb:95:21:95:29 | call to source | local_dataflow.rb:95:8:95:29 | ... or ... | position 0 |
+| local_dataflow.rb:95:21:95:29 | self | local_dataflow.rb:95:21:95:29 | call to source | self |
+| local_dataflow.rb:95:28:95:28 | 2 | local_dataflow.rb:95:21:95:29 | call to source | position 0 |
+| local_dataflow.rb:96:3:96:9 | self | local_dataflow.rb:96:3:96:9 | call to sink | self |
+| local_dataflow.rb:96:8:96:8 | b | local_dataflow.rb:96:3:96:9 | call to sink | position 0 |
+| local_dataflow.rb:98:7:98:15 | call to source | local_dataflow.rb:98:7:98:28 | ... && ... | self |
+| local_dataflow.rb:98:7:98:15 | self | local_dataflow.rb:98:7:98:15 | call to source | self |
+| local_dataflow.rb:98:14:98:14 | 1 | local_dataflow.rb:98:7:98:15 | call to source | position 0 |
+| local_dataflow.rb:98:20:98:28 | call to source | local_dataflow.rb:98:7:98:28 | ... && ... | position 0 |
+| local_dataflow.rb:98:20:98:28 | self | local_dataflow.rb:98:20:98:28 | call to source | self |
+| local_dataflow.rb:98:27:98:27 | 2 | local_dataflow.rb:98:20:98:28 | call to source | position 0 |
+| local_dataflow.rb:99:3:99:9 | self | local_dataflow.rb:99:3:99:9 | call to sink | self |
+| local_dataflow.rb:99:8:99:8 | a | local_dataflow.rb:99:3:99:9 | call to sink | position 0 |
+| local_dataflow.rb:100:8:100:16 | call to source | local_dataflow.rb:100:8:100:30 | ... and ... | self |
+| local_dataflow.rb:100:8:100:16 | self | local_dataflow.rb:100:8:100:16 | call to source | self |
+| local_dataflow.rb:100:15:100:15 | 1 | local_dataflow.rb:100:8:100:16 | call to source | position 0 |
+| local_dataflow.rb:100:22:100:30 | call to source | local_dataflow.rb:100:8:100:30 | ... and ... | position 0 |
+| local_dataflow.rb:100:22:100:30 | self | local_dataflow.rb:100:22:100:30 | call to source | self |
+| local_dataflow.rb:100:29:100:29 | 2 | local_dataflow.rb:100:22:100:30 | call to source | position 0 |
+| local_dataflow.rb:101:3:101:9 | self | local_dataflow.rb:101:3:101:9 | call to sink | self |
+| local_dataflow.rb:101:8:101:8 | b | local_dataflow.rb:101:3:101:9 | call to sink | position 0 |
+| local_dataflow.rb:103:7:103:15 | self | local_dataflow.rb:103:7:103:15 | call to source | self |
+| local_dataflow.rb:103:14:103:14 | 5 | local_dataflow.rb:103:7:103:15 | call to source | position 0 |
+| local_dataflow.rb:104:3:104:3 | a | local_dataflow.rb:104:5:104:7 | ... \|\| ... | self |
+| local_dataflow.rb:104:9:104:17 | call to source | local_dataflow.rb:104:5:104:7 | ... \|\| ... | position 0 |
+| local_dataflow.rb:104:9:104:17 | self | local_dataflow.rb:104:9:104:17 | call to source | self |
+| local_dataflow.rb:104:16:104:16 | 6 | local_dataflow.rb:104:9:104:17 | call to source | position 0 |
+| local_dataflow.rb:105:3:105:9 | self | local_dataflow.rb:105:3:105:9 | call to sink | self |
+| local_dataflow.rb:105:8:105:8 | a | local_dataflow.rb:105:3:105:9 | call to sink | position 0 |
+| local_dataflow.rb:106:7:106:15 | self | local_dataflow.rb:106:7:106:15 | call to source | self |
+| local_dataflow.rb:106:14:106:14 | 7 | local_dataflow.rb:106:7:106:15 | call to source | position 0 |
+| local_dataflow.rb:107:3:107:3 | b | local_dataflow.rb:107:5:107:7 | ... && ... | self |
+| local_dataflow.rb:107:9:107:17 | call to source | local_dataflow.rb:107:5:107:7 | ... && ... | position 0 |
+| local_dataflow.rb:107:9:107:17 | self | local_dataflow.rb:107:9:107:17 | call to source | self |
+| local_dataflow.rb:107:16:107:16 | 8 | local_dataflow.rb:107:9:107:17 | call to source | position 0 |
+| local_dataflow.rb:108:3:108:9 | self | local_dataflow.rb:108:3:108:9 | call to sink | self |
+| local_dataflow.rb:108:8:108:8 | b | local_dataflow.rb:108:3:108:9 | call to sink | position 0 |
+| local_dataflow.rb:112:3:112:21 | self | local_dataflow.rb:112:3:112:21 | call to sink | self |
+| local_dataflow.rb:112:8:112:16 | call to source | local_dataflow.rb:112:8:112:20 | call to dup | self |
+| local_dataflow.rb:112:8:112:16 | self | local_dataflow.rb:112:8:112:16 | call to source | self |
+| local_dataflow.rb:112:8:112:20 | call to dup | local_dataflow.rb:112:3:112:21 | call to sink | position 0 |
+| local_dataflow.rb:112:15:112:15 | 1 | local_dataflow.rb:112:8:112:16 | call to source | position 0 |
+| local_dataflow.rb:113:3:113:25 | self | local_dataflow.rb:113:3:113:25 | call to sink | self |
+| local_dataflow.rb:113:8:113:16 | call to source | local_dataflow.rb:113:8:113:20 | call to dup | self |
+| local_dataflow.rb:113:8:113:16 | self | local_dataflow.rb:113:8:113:16 | call to source | self |
+| local_dataflow.rb:113:8:113:20 | call to dup | local_dataflow.rb:113:8:113:24 | call to dup | self |
+| local_dataflow.rb:113:8:113:24 | call to dup | local_dataflow.rb:113:3:113:25 | call to sink | position 0 |
+| local_dataflow.rb:113:15:113:15 | 1 | local_dataflow.rb:113:8:113:16 | call to source | position 0 |
+| local_dataflow.rb:117:3:117:24 | self | local_dataflow.rb:117:3:117:24 | call to sink | self |
+| local_dataflow.rb:117:8:117:16 | call to source | local_dataflow.rb:117:8:117:23 | call to tap | self |
+| local_dataflow.rb:117:8:117:16 | self | local_dataflow.rb:117:8:117:16 | call to source | self |
+| local_dataflow.rb:117:8:117:23 | call to tap | local_dataflow.rb:117:3:117:24 | call to sink | position 0 |
+| local_dataflow.rb:117:15:117:15 | 1 | local_dataflow.rb:117:8:117:16 | call to source | position 0 |
+| local_dataflow.rb:117:22:117:23 | { ... } | local_dataflow.rb:117:8:117:23 | call to tap | block |
+| local_dataflow.rb:118:3:118:11 | call to source | local_dataflow.rb:118:3:118:31 | call to tap | self |
+| local_dataflow.rb:118:3:118:11 | self | local_dataflow.rb:118:3:118:11 | call to source | self |
+| local_dataflow.rb:118:10:118:10 | 1 | local_dataflow.rb:118:3:118:11 | call to source | position 0 |
+| local_dataflow.rb:118:17:118:31 | { ... } | local_dataflow.rb:118:3:118:31 | call to tap | block |
+| local_dataflow.rb:118:23:118:29 | self | local_dataflow.rb:118:23:118:29 | call to sink | self |
+| local_dataflow.rb:118:28:118:28 | x | local_dataflow.rb:118:23:118:29 | call to sink | position 0 |
+| local_dataflow.rb:119:3:119:31 | self | local_dataflow.rb:119:3:119:31 | call to sink | self |
+| local_dataflow.rb:119:8:119:16 | call to source | local_dataflow.rb:119:8:119:23 | call to tap | self |
+| local_dataflow.rb:119:8:119:16 | self | local_dataflow.rb:119:8:119:16 | call to source | self |
+| local_dataflow.rb:119:8:119:23 | call to tap | local_dataflow.rb:119:8:119:30 | call to tap | self |
+| local_dataflow.rb:119:8:119:30 | call to tap | local_dataflow.rb:119:3:119:31 | call to sink | position 0 |
+| local_dataflow.rb:119:15:119:15 | 1 | local_dataflow.rb:119:8:119:16 | call to source | position 0 |
+| local_dataflow.rb:119:22:119:23 | { ... } | local_dataflow.rb:119:8:119:23 | call to tap | block |
+| local_dataflow.rb:119:29:119:30 | { ... } | local_dataflow.rb:119:8:119:30 | call to tap | block |
+| local_dataflow.rb:123:3:123:50 | self | local_dataflow.rb:123:3:123:50 | call to sink | self |
+| local_dataflow.rb:123:8:123:16 | call to source | local_dataflow.rb:123:8:123:20 | call to dup | self |
+| local_dataflow.rb:123:8:123:16 | self | local_dataflow.rb:123:8:123:16 | call to source | self |
+| local_dataflow.rb:123:8:123:20 | call to dup | local_dataflow.rb:123:8:123:45 | call to tap | self |
+| local_dataflow.rb:123:8:123:45 | call to tap | local_dataflow.rb:123:8:123:49 | call to dup | self |
+| local_dataflow.rb:123:8:123:49 | call to dup | local_dataflow.rb:123:3:123:50 | call to sink | position 0 |
+| local_dataflow.rb:123:15:123:15 | 1 | local_dataflow.rb:123:8:123:16 | call to source | position 0 |
+| local_dataflow.rb:123:26:123:45 | { ... } | local_dataflow.rb:123:8:123:45 | call to tap | block |
+| local_dataflow.rb:123:32:123:43 | self | local_dataflow.rb:123:32:123:43 | call to puts | self |
+| local_dataflow.rb:123:37:123:43 | "hello" | local_dataflow.rb:123:32:123:43 | call to puts | position 0 |
--- a/ruby/ql/test/library-tests/dataflow/local/TaintflowStep.expected
+++ b/ruby/ql/test/library-tests/dataflow/local/TaintflowStep.expected
@@ -9,6 +9,52 @@ edges
 | local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:86:33:86:33 | g |
 | local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:87:25:87:25 | x |
 | local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:89:8:89:8 | z |
+| local_dataflow.rb:93:7:93:15 | call to source :  | local_dataflow.rb:94:8:94:8 | a |
+| local_dataflow.rb:93:7:93:15 | call to source :  | local_dataflow.rb:94:8:94:8 | a |
+| local_dataflow.rb:93:20:93:28 | call to source :  | local_dataflow.rb:94:8:94:8 | a |
+| local_dataflow.rb:93:20:93:28 | call to source :  | local_dataflow.rb:94:8:94:8 | a |
+| local_dataflow.rb:95:8:95:16 | call to source :  | local_dataflow.rb:96:8:96:8 | b |
+| local_dataflow.rb:95:8:95:16 | call to source :  | local_dataflow.rb:96:8:96:8 | b |
+| local_dataflow.rb:95:21:95:29 | call to source :  | local_dataflow.rb:96:8:96:8 | b |
+| local_dataflow.rb:95:21:95:29 | call to source :  | local_dataflow.rb:96:8:96:8 | b |
+| local_dataflow.rb:98:7:98:15 | call to source :  | local_dataflow.rb:99:8:99:8 | a |
+| local_dataflow.rb:98:7:98:15 | call to source :  | local_dataflow.rb:99:8:99:8 | a |
+| local_dataflow.rb:98:20:98:28 | call to source :  | local_dataflow.rb:99:8:99:8 | a |
+| local_dataflow.rb:98:20:98:28 | call to source :  | local_dataflow.rb:99:8:99:8 | a |
+| local_dataflow.rb:100:8:100:16 | call to source :  | local_dataflow.rb:101:8:101:8 | b |
+| local_dataflow.rb:100:8:100:16 | call to source :  | local_dataflow.rb:101:8:101:8 | b |
+| local_dataflow.rb:100:22:100:30 | call to source :  | local_dataflow.rb:101:8:101:8 | b |
+| local_dataflow.rb:100:22:100:30 | call to source :  | local_dataflow.rb:101:8:101:8 | b |
+| local_dataflow.rb:103:7:103:15 | call to source :  | local_dataflow.rb:105:8:105:8 | a |
+| local_dataflow.rb:103:7:103:15 | call to source :  | local_dataflow.rb:105:8:105:8 | a |
+| local_dataflow.rb:104:9:104:17 | call to source :  | local_dataflow.rb:105:8:105:8 | a |
+| local_dataflow.rb:104:9:104:17 | call to source :  | local_dataflow.rb:105:8:105:8 | a |
+| local_dataflow.rb:106:7:106:15 | call to source :  | local_dataflow.rb:108:8:108:8 | b |
+| local_dataflow.rb:106:7:106:15 | call to source :  | local_dataflow.rb:108:8:108:8 | b |
+| local_dataflow.rb:107:9:107:17 | call to source :  | local_dataflow.rb:108:8:108:8 | b |
+| local_dataflow.rb:107:9:107:17 | call to source :  | local_dataflow.rb:108:8:108:8 | b |
+| local_dataflow.rb:112:8:112:16 | call to source :  | local_dataflow.rb:112:8:112:20 | call to dup |
+| local_dataflow.rb:112:8:112:16 | call to source :  | local_dataflow.rb:112:8:112:20 | call to dup |
+| local_dataflow.rb:113:8:113:16 | call to source :  | local_dataflow.rb:113:8:113:20 | call to dup :  |
+| local_dataflow.rb:113:8:113:16 | call to source :  | local_dataflow.rb:113:8:113:20 | call to dup :  |
+| local_dataflow.rb:113:8:113:20 | call to dup :  | local_dataflow.rb:113:8:113:24 | call to dup |
+| local_dataflow.rb:113:8:113:20 | call to dup :  | local_dataflow.rb:113:8:113:24 | call to dup |
+| local_dataflow.rb:117:8:117:16 | call to source :  | local_dataflow.rb:117:8:117:23 | call to tap |
+| local_dataflow.rb:117:8:117:16 | call to source :  | local_dataflow.rb:117:8:117:23 | call to tap |
+| local_dataflow.rb:118:3:118:11 | call to source :  | local_dataflow.rb:118:20:118:20 | x :  |
+| local_dataflow.rb:118:3:118:11 | call to source :  | local_dataflow.rb:118:20:118:20 | x :  |
+| local_dataflow.rb:118:20:118:20 | x :  | local_dataflow.rb:118:28:118:28 | x |
+| local_dataflow.rb:118:20:118:20 | x :  | local_dataflow.rb:118:28:118:28 | x |
+| local_dataflow.rb:119:8:119:16 | call to source :  | local_dataflow.rb:119:8:119:23 | call to tap :  |
+| local_dataflow.rb:119:8:119:16 | call to source :  | local_dataflow.rb:119:8:119:23 | call to tap :  |
+| local_dataflow.rb:119:8:119:23 | call to tap :  | local_dataflow.rb:119:8:119:30 | call to tap |
+| local_dataflow.rb:119:8:119:23 | call to tap :  | local_dataflow.rb:119:8:119:30 | call to tap |
+| local_dataflow.rb:123:8:123:16 | call to source :  | local_dataflow.rb:123:8:123:20 | call to dup :  |
+| local_dataflow.rb:123:8:123:16 | call to source :  | local_dataflow.rb:123:8:123:20 | call to dup :  |
+| local_dataflow.rb:123:8:123:20 | call to dup :  | local_dataflow.rb:123:8:123:45 | call to tap :  |
+| local_dataflow.rb:123:8:123:20 | call to dup :  | local_dataflow.rb:123:8:123:45 | call to tap :  |
+| local_dataflow.rb:123:8:123:45 | call to tap :  | local_dataflow.rb:123:8:123:49 | call to dup |
+| local_dataflow.rb:123:8:123:45 | call to tap :  | local_dataflow.rb:123:8:123:49 | call to dup |
 nodes
 | local_dataflow.rb:78:12:78:20 | call to source :  | semmle.label | call to source :  |
 | local_dataflow.rb:79:25:79:25 | b | semmle.label | b |
@@ -20,6 +66,76 @@ nodes
 | local_dataflow.rb:86:33:86:33 | g | semmle.label | g |
 | local_dataflow.rb:87:25:87:25 | x | semmle.label | x |
 | local_dataflow.rb:89:8:89:8 | z | semmle.label | z |
+| local_dataflow.rb:93:7:93:15 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:93:7:93:15 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:93:20:93:28 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:93:20:93:28 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:94:8:94:8 | a | semmle.label | a |
+| local_dataflow.rb:94:8:94:8 | a | semmle.label | a |
+| local_dataflow.rb:95:8:95:16 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:95:8:95:16 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:95:21:95:29 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:95:21:95:29 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:96:8:96:8 | b | semmle.label | b |
+| local_dataflow.rb:96:8:96:8 | b | semmle.label | b |
+| local_dataflow.rb:98:7:98:15 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:98:7:98:15 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:98:20:98:28 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:98:20:98:28 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:99:8:99:8 | a | semmle.label | a |
+| local_dataflow.rb:99:8:99:8 | a | semmle.label | a |
+| local_dataflow.rb:100:8:100:16 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:100:8:100:16 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:100:22:100:30 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:100:22:100:30 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:101:8:101:8 | b | semmle.label | b |
+| local_dataflow.rb:101:8:101:8 | b | semmle.label | b |
+| local_dataflow.rb:103:7:103:15 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:103:7:103:15 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:104:9:104:17 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:104:9:104:17 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:105:8:105:8 | a | semmle.label | a |
+| local_dataflow.rb:105:8:105:8 | a | semmle.label | a |
+| local_dataflow.rb:106:7:106:15 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:106:7:106:15 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:107:9:107:17 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:107:9:107:17 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:108:8:108:8 | b | semmle.label | b |
+| local_dataflow.rb:108:8:108:8 | b | semmle.label | b |
+| local_dataflow.rb:112:8:112:16 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:112:8:112:16 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:112:8:112:20 | call to dup | semmle.label | call to dup |
+| local_dataflow.rb:112:8:112:20 | call to dup | semmle.label | call to dup |
+| local_dataflow.rb:113:8:113:16 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:113:8:113:16 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:113:8:113:20 | call to dup :  | semmle.label | call to dup :  |
+| local_dataflow.rb:113:8:113:20 | call to dup :  | semmle.label | call to dup :  |
+| local_dataflow.rb:113:8:113:24 | call to dup | semmle.label | call to dup |
+| local_dataflow.rb:113:8:113:24 | call to dup | semmle.label | call to dup |
+| local_dataflow.rb:117:8:117:16 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:117:8:117:16 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:117:8:117:23 | call to tap | semmle.label | call to tap |
+| local_dataflow.rb:117:8:117:23 | call to tap | semmle.label | call to tap |
+| local_dataflow.rb:118:3:118:11 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:118:3:118:11 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:118:20:118:20 | x :  | semmle.label | x :  |
+| local_dataflow.rb:118:20:118:20 | x :  | semmle.label | x :  |
+| local_dataflow.rb:118:28:118:28 | x | semmle.label | x |
+| local_dataflow.rb:118:28:118:28 | x | semmle.label | x |
+| local_dataflow.rb:119:8:119:16 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:119:8:119:16 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:119:8:119:23 | call to tap :  | semmle.label | call to tap :  |
+| local_dataflow.rb:119:8:119:23 | call to tap :  | semmle.label | call to tap :  |
+| local_dataflow.rb:119:8:119:30 | call to tap | semmle.label | call to tap |
+| local_dataflow.rb:119:8:119:30 | call to tap | semmle.label | call to tap |
+| local_dataflow.rb:123:8:123:16 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:123:8:123:16 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:123:8:123:20 | call to dup :  | semmle.label | call to dup :  |
+| local_dataflow.rb:123:8:123:20 | call to dup :  | semmle.label | call to dup :  |
+| local_dataflow.rb:123:8:123:45 | call to tap :  | semmle.label | call to tap :  |
+| local_dataflow.rb:123:8:123:45 | call to tap :  | semmle.label | call to tap :  |
+| local_dataflow.rb:123:8:123:49 | call to dup | semmle.label | call to dup |
+| local_dataflow.rb:123:8:123:49 | call to dup | semmle.label | call to dup |
 subpaths
 #select
 | local_dataflow.rb:79:25:79:25 | b | local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:79:25:79:25 | b | $@ | local_dataflow.rb:78:12:78:20 | call to source :  | call to source :  |
@@ -31,3 +147,21 @@ subpaths
 | local_dataflow.rb:86:33:86:33 | g | local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:86:33:86:33 | g | $@ | local_dataflow.rb:78:12:78:20 | call to source :  | call to source :  |
 | local_dataflow.rb:87:25:87:25 | x | local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:87:25:87:25 | x | $@ | local_dataflow.rb:78:12:78:20 | call to source :  | call to source :  |
 | local_dataflow.rb:89:8:89:8 | z | local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:89:8:89:8 | z | $@ | local_dataflow.rb:78:12:78:20 | call to source :  | call to source :  |
+| local_dataflow.rb:94:8:94:8 | a | local_dataflow.rb:93:7:93:15 | call to source :  | local_dataflow.rb:94:8:94:8 | a | $@ | local_dataflow.rb:93:7:93:15 | call to source :  | call to source :  |
+| local_dataflow.rb:94:8:94:8 | a | local_dataflow.rb:93:20:93:28 | call to source :  | local_dataflow.rb:94:8:94:8 | a | $@ | local_dataflow.rb:93:20:93:28 | call to source :  | call to source :  |
+| local_dataflow.rb:96:8:96:8 | b | local_dataflow.rb:95:8:95:16 | call to source :  | local_dataflow.rb:96:8:96:8 | b | $@ | local_dataflow.rb:95:8:95:16 | call to source :  | call to source :  |
+| local_dataflow.rb:96:8:96:8 | b | local_dataflow.rb:95:21:95:29 | call to source :  | local_dataflow.rb:96:8:96:8 | b | $@ | local_dataflow.rb:95:21:95:29 | call to source :  | call to source :  |
+| local_dataflow.rb:99:8:99:8 | a | local_dataflow.rb:98:7:98:15 | call to source :  | local_dataflow.rb:99:8:99:8 | a | $@ | local_dataflow.rb:98:7:98:15 | call to source :  | call to source :  |
+| local_dataflow.rb:99:8:99:8 | a | local_dataflow.rb:98:20:98:28 | call to source :  | local_dataflow.rb:99:8:99:8 | a | $@ | local_dataflow.rb:98:20:98:28 | call to source :  | call to source :  |
+| local_dataflow.rb:101:8:101:8 | b | local_dataflow.rb:100:8:100:16 | call to source :  | local_dataflow.rb:101:8:101:8 | b | $@ | local_dataflow.rb:100:8:100:16 | call to source :  | call to source :  |
+| local_dataflow.rb:101:8:101:8 | b | local_dataflow.rb:100:22:100:30 | call to source :  | local_dataflow.rb:101:8:101:8 | b | $@ | local_dataflow.rb:100:22:100:30 | call to source :  | call to source :  |
+| local_dataflow.rb:105:8:105:8 | a | local_dataflow.rb:103:7:103:15 | call to source :  | local_dataflow.rb:105:8:105:8 | a | $@ | local_dataflow.rb:103:7:103:15 | call to source :  | call to source :  |
+| local_dataflow.rb:105:8:105:8 | a | local_dataflow.rb:104:9:104:17 | call to source :  | local_dataflow.rb:105:8:105:8 | a | $@ | local_dataflow.rb:104:9:104:17 | call to source :  | call to source :  |
+| local_dataflow.rb:108:8:108:8 | b | local_dataflow.rb:106:7:106:15 | call to source :  | local_dataflow.rb:108:8:108:8 | b | $@ | local_dataflow.rb:106:7:106:15 | call to source :  | call to source :  |
+| local_dataflow.rb:108:8:108:8 | b | local_dataflow.rb:107:9:107:17 | call to source :  | local_dataflow.rb:108:8:108:8 | b | $@ | local_dataflow.rb:107:9:107:17 | call to source :  | call to source :  |
+| local_dataflow.rb:112:8:112:20 | call to dup | local_dataflow.rb:112:8:112:16 | call to source :  | local_dataflow.rb:112:8:112:20 | call to dup | $@ | local_dataflow.rb:112:8:112:16 | call to source :  | call to source :  |
+| local_dataflow.rb:113:8:113:24 | call to dup | local_dataflow.rb:113:8:113:16 | call to source :  | local_dataflow.rb:113:8:113:24 | call to dup | $@ | local_dataflow.rb:113:8:113:16 | call to source :  | call to source :  |
+| local_dataflow.rb:117:8:117:23 | call to tap | local_dataflow.rb:117:8:117:16 | call to source :  | local_dataflow.rb:117:8:117:23 | call to tap | $@ | local_dataflow.rb:117:8:117:16 | call to source :  | call to source :  |
+| local_dataflow.rb:118:28:118:28 | x | local_dataflow.rb:118:3:118:11 | call to source :  | local_dataflow.rb:118:28:118:28 | x | $@ | local_dataflow.rb:118:3:118:11 | call to source :  | call to source :  |
+| local_dataflow.rb:119:8:119:30 | call to tap | local_dataflow.rb:119:8:119:16 | call to source :  | local_dataflow.rb:119:8:119:30 | call to tap | $@ | local_dataflow.rb:119:8:119:16 | call to source :  | call to source :  |
+| local_dataflow.rb:123:8:123:49 | call to dup | local_dataflow.rb:123:8:123:16 | call to source :  | local_dataflow.rb:123:8:123:49 | call to dup | $@ | local_dataflow.rb:123:8:123:16 | call to source :  | call to source :  |
--- a/ruby/ql/test/library-tests/dataflow/local/local_dataflow.rb
+++ b/ruby/ql/test/library-tests/dataflow/local/local_dataflow.rb
@@ -89,3 +89,36 @@ def test_case x
  sink(z) # $ hasTaintFlow=1
 end

+def and_or
+  a = source(1) || source(2)
+  sink(a) # $ hasValueFlow=1 hasValueFlow=2
+  b = (source(1) or source(2))
+  sink(b) # $ hasValueFlow=1 hasValueFlow=2
+  
+  a = source(1) && source(2)
+  sink(a) # $ hasValueFlow=1 hasValueFlow=2
+  b = (source(1) and source(2))
+  sink(b) # $ hasValueFlow=1 hasValueFlow=2
+
+  a = source(5)
+  a ||= source(6)
+  sink(a) # $ hasValueFlow=5 hasValueFlow=6
+  b = source(7)
+  b &&= source(8)
+  sink(b) # $ hasValueFlow=7 hasValueFlow=8
+end
+
+def object_dup
+  sink(source(1).dup) # $ hasValueFlow=1
+  sink(source(1).dup.dup) # $ hasValueFlow=1
+end
+
+def kernel_tap
+  sink(source(1).tap {}) # $ hasValueFlow=1
+  source(1).tap { |x| sink(x) } # $ hasValueFlow=1
+  sink(source(1).tap {}.tap {}) # $ hasValueFlow=1
+end
+
+def dup_tap
+  sink(source(1).dup.tap { |x| puts "hello" }.dup)  # $ hasValueFlow=1
+end
--- a/ruby/ql/test/library-tests/frameworks/pathname/Pathname.expected
+++ b/ruby/ql/test/library-tests/frameworks/pathname/Pathname.expected
@@ -57,6 +57,16 @@ pathnameInstances
 | Pathname.rb:39:12:39:19 | foo_path |
 | Pathname.rb:41:1:41:3 | p08 |
 | Pathname.rb:42:1:42:3 | p01 |
+| file://:0:0:0:0 | parameter position 0 of + |
+| file://:0:0:0:0 | parameter self of + |
+| file://:0:0:0:0 | parameter self of ;Pathname;Method[cleanpath] |
+| file://:0:0:0:0 | parameter self of ;Pathname;Method[expand_path] |
+| file://:0:0:0:0 | parameter self of ;Pathname;Method[realpath] |
+| file://:0:0:0:0 | parameter self of ;Pathname;Method[relative_path_from] |
+| file://:0:0:0:0 | parameter self of ;Pathname;Method[sub_ext] |
+| file://:0:0:0:0 | parameter self of ;Pathname;Method[to_path] |
+| file://:0:0:0:0 | parameter self of sub |
+| file://:0:0:0:0 | parameter self of to_s |
 fileSystemAccesses
 | Pathname.rb:26:12:26:24 | call to open | Pathname.rb:26:12:26:19 | foo_path |
 | Pathname.rb:28:11:28:22 | call to opendir | Pathname.rb:28:11:28:14 | pwd1 |
@@ -123,6 +133,16 @@ fileNameSources
 | Pathname.rb:39:12:39:19 | foo_path |
 | Pathname.rb:41:1:41:3 | p08 |
 | Pathname.rb:42:1:42:3 | p01 |
+| file://:0:0:0:0 | parameter position 0 of + |
+| file://:0:0:0:0 | parameter self of + |
+| file://:0:0:0:0 | parameter self of ;Pathname;Method[cleanpath] |
+| file://:0:0:0:0 | parameter self of ;Pathname;Method[expand_path] |
+| file://:0:0:0:0 | parameter self of ;Pathname;Method[realpath] |
+| file://:0:0:0:0 | parameter self of ;Pathname;Method[relative_path_from] |
+| file://:0:0:0:0 | parameter self of ;Pathname;Method[sub_ext] |
+| file://:0:0:0:0 | parameter self of ;Pathname;Method[to_path] |
+| file://:0:0:0:0 | parameter self of sub |
+| file://:0:0:0:0 | parameter self of to_s |
 fileSystemReadAccesses
 | Pathname.rb:32:12:32:24 | call to read | Pathname.rb:32:12:32:24 | call to read |
 fileSystemWriteAccesses
--- a/ruby/ql/test/library-tests/modules/ancestors.expected
+++ b/ruby/ql/test/library-tests/modules/ancestors.expected
@@ -97,13 +97,17 @@ calls.rb:

 #  480| ExtendSingletonMethod

-#  490| ProtectedMethodInModule
+#  490| ExtendSingletonMethod2

-#  496| ProtectedMethods
+#  496| ExtendSingletonMethod3
+
+#  509| ProtectedMethodInModule
+
+#  515| ProtectedMethods
 #-----| super -> Object
 #-----| include -> ProtectedMethodInModule

-#  515| ProtectedMethodsSub
+#  534| ProtectedMethodsSub
 #-----| super -> ProtectedMethods

 hello.rb:
--- a/ruby/ql/test/library-tests/modules/callgraph.expected
+++ b/ruby/ql/test/library-tests/modules/callgraph.expected
@@ -183,25 +183,29 @@ getTarget
 | calls.rb:476:1:476:27 | call to new | calls.rb:117:5:117:16 | new |
 | calls.rb:477:1:477:27 | call to new | calls.rb:117:5:117:16 | new |
 | calls.rb:478:1:478:27 | call to new | calls.rb:117:5:117:16 | new |
-| calls.rb:497:5:497:35 | call to include | calls.rb:108:5:110:7 | include |
-| calls.rb:500:9:500:35 | call to puts | calls.rb:102:5:102:30 | puts |
-| calls.rb:504:9:504:11 | call to foo | calls.rb:491:15:493:7 | foo |
-| calls.rb:505:9:505:11 | call to bar | calls.rb:499:15:501:7 | bar |
-| calls.rb:506:9:506:28 | call to new | calls.rb:117:5:117:16 | new |
-| calls.rb:506:9:506:32 | call to foo | calls.rb:491:15:493:7 | foo |
-| calls.rb:507:9:507:28 | call to new | calls.rb:117:5:117:16 | new |
-| calls.rb:507:9:507:32 | call to bar | calls.rb:499:15:501:7 | bar |
-| calls.rb:511:1:511:20 | call to new | calls.rb:117:5:117:16 | new |
-| calls.rb:512:1:512:20 | call to new | calls.rb:117:5:117:16 | new |
-| calls.rb:513:1:513:20 | call to new | calls.rb:117:5:117:16 | new |
-| calls.rb:513:1:513:24 | call to baz | calls.rb:503:5:508:7 | baz |
-| calls.rb:517:9:517:11 | call to foo | calls.rb:491:15:493:7 | foo |
-| calls.rb:518:9:518:31 | call to new | calls.rb:117:5:117:16 | new |
-| calls.rb:518:9:518:35 | call to foo | calls.rb:491:15:493:7 | foo |
-| calls.rb:522:1:522:23 | call to new | calls.rb:117:5:117:16 | new |
-| calls.rb:523:1:523:23 | call to new | calls.rb:117:5:117:16 | new |
-| calls.rb:524:1:524:23 | call to new | calls.rb:117:5:117:16 | new |
-| calls.rb:524:1:524:27 | call to baz | calls.rb:516:5:519:7 | baz |
+| calls.rb:488:1:488:31 | call to singleton | calls.rb:481:5:483:7 | singleton |
+| calls.rb:494:1:494:32 | call to singleton | calls.rb:481:5:483:7 | singleton |
+| calls.rb:501:1:501:32 | call to singleton | calls.rb:481:5:483:7 | singleton |
+| calls.rb:507:1:507:13 | call to singleton | calls.rb:481:5:483:7 | singleton |
+| calls.rb:516:5:516:35 | call to include | calls.rb:108:5:110:7 | include |
+| calls.rb:519:9:519:35 | call to puts | calls.rb:102:5:102:30 | puts |
+| calls.rb:523:9:523:11 | call to foo | calls.rb:510:15:512:7 | foo |
+| calls.rb:524:9:524:11 | call to bar | calls.rb:518:15:520:7 | bar |
+| calls.rb:525:9:525:28 | call to new | calls.rb:117:5:117:16 | new |
+| calls.rb:525:9:525:32 | call to foo | calls.rb:510:15:512:7 | foo |
+| calls.rb:526:9:526:28 | call to new | calls.rb:117:5:117:16 | new |
+| calls.rb:526:9:526:32 | call to bar | calls.rb:518:15:520:7 | bar |
+| calls.rb:530:1:530:20 | call to new | calls.rb:117:5:117:16 | new |
+| calls.rb:531:1:531:20 | call to new | calls.rb:117:5:117:16 | new |
+| calls.rb:532:1:532:20 | call to new | calls.rb:117:5:117:16 | new |
+| calls.rb:532:1:532:24 | call to baz | calls.rb:522:5:527:7 | baz |
+| calls.rb:536:9:536:11 | call to foo | calls.rb:510:15:512:7 | foo |
+| calls.rb:537:9:537:31 | call to new | calls.rb:117:5:117:16 | new |
+| calls.rb:537:9:537:35 | call to foo | calls.rb:510:15:512:7 | foo |
+| calls.rb:541:1:541:23 | call to new | calls.rb:117:5:117:16 | new |
+| calls.rb:542:1:542:23 | call to new | calls.rb:117:5:117:16 | new |
+| calls.rb:543:1:543:23 | call to new | calls.rb:117:5:117:16 | new |
+| calls.rb:543:1:543:27 | call to baz | calls.rb:535:5:538:7 | baz |
 | hello.rb:12:5:12:24 | call to include | calls.rb:108:5:110:7 | include |
 | hello.rb:14:16:14:20 | call to hello | hello.rb:2:5:4:7 | hello |
 | hello.rb:20:16:20:20 | call to super | hello.rb:13:5:15:7 | message |
@@ -304,14 +308,17 @@ unresolvedCall
 | calls.rb:478:1:478:33 | call to baz_2 |
 | calls.rb:482:9:482:46 | call to puts |
 | calls.rb:485:5:485:15 | call to extend |
-| calls.rb:488:1:488:31 | call to singleton |
-| calls.rb:491:5:493:7 | call to protected |
-| calls.rb:492:9:492:42 | call to puts |
-| calls.rb:499:5:501:7 | call to protected |
-| calls.rb:511:1:511:24 | call to foo |
-| calls.rb:512:1:512:24 | call to bar |
-| calls.rb:522:1:522:27 | call to foo |
-| calls.rb:523:1:523:27 | call to bar |
+| calls.rb:491:5:491:32 | call to extend |
+| calls.rb:499:1:499:51 | call to extend |
+| calls.rb:504:1:504:13 | call to singleton |
+| calls.rb:505:1:505:32 | call to extend |
+| calls.rb:510:5:512:7 | call to protected |
+| calls.rb:511:9:511:42 | call to puts |
+| calls.rb:518:5:520:7 | call to protected |
+| calls.rb:530:1:530:24 | call to foo |
+| calls.rb:531:1:531:24 | call to bar |
+| calls.rb:541:1:541:27 | call to foo |
+| calls.rb:542:1:542:27 | call to bar |
 | hello.rb:20:16:20:26 | ... + ... |
 | hello.rb:20:16:20:34 | ... + ... |
 | hello.rb:20:16:20:40 | ... + ... |
@@ -411,8 +418,8 @@ publicMethod
 | calls.rb:430:13:432:15 | m4 |
 | calls.rb:440:13:442:15 | m5 |
 | calls.rb:481:5:483:7 | singleton |
-| calls.rb:503:5:508:7 | baz |
-| calls.rb:516:5:519:7 | baz |
+| calls.rb:522:5:527:7 | baz |
+| calls.rb:535:5:538:7 | baz |
 | hello.rb:2:5:4:7 | hello |
 | hello.rb:5:5:7:7 | world |
 | hello.rb:13:5:15:7 | message |
@@ -429,7 +436,7 @@ publicMethod
 | private.rb:66:3:67:5 | public |
 | private.rb:91:3:93:5 | call_m1 |
 protectedMethod
-| calls.rb:491:15:493:7 | foo |
-| calls.rb:499:15:501:7 | bar |
+| calls.rb:510:15:512:7 | foo |
+| calls.rb:518:15:520:7 | bar |
 | private.rb:32:3:33:5 | protected1 |
 | private.rb:35:3:36:5 | protected2 |
--- a/ruby/ql/test/library-tests/modules/calls.rb
+++ b/ruby/ql/test/library-tests/modules/calls.rb
@@ -485,7 +485,26 @@ module ExtendSingletonMethod
    extend self
 end

-ExtendSingletonMethod.singleton # currently unable to resolve
+ExtendSingletonMethod.singleton
+
+module ExtendSingletonMethod2
+    extend ExtendSingletonMethod
+end
+
+ExtendSingletonMethod2.singleton
+
+module ExtendSingletonMethod3
+end
+
+ExtendSingletonMethod3.extend ExtendSingletonMethod
+
+ExtendSingletonMethod3.singleton
+
+foo = "hello"
+foo.singleton # NoMethodError
+foo.extend ExtendSingletonMethod
+
+foo.singleton

 module ProtectedMethodInModule
    protected def foo
--- a/ruby/ql/test/library-tests/modules/methods.expected
+++ b/ruby/ql/test/library-tests/modules/methods.expected
@@ -39,10 +39,10 @@ getMethod
 | calls.rb:417:1:445:3 | ConditionalInstanceMethods | m1 | calls.rb:419:9:421:11 | m1 |
 | calls.rb:417:1:445:3 | ConditionalInstanceMethods | m2 | calls.rb:424:5:436:7 | m2 |
 | calls.rb:480:1:486:3 | ExtendSingletonMethod | singleton | calls.rb:481:5:483:7 | singleton |
-| calls.rb:490:1:494:3 | ProtectedMethodInModule | foo | calls.rb:491:15:493:7 | foo |
-| calls.rb:496:1:509:3 | ProtectedMethods | bar | calls.rb:499:15:501:7 | bar |
-| calls.rb:496:1:509:3 | ProtectedMethods | baz | calls.rb:503:5:508:7 | baz |
-| calls.rb:515:1:520:3 | ProtectedMethodsSub | baz | calls.rb:516:5:519:7 | baz |
+| calls.rb:509:1:513:3 | ProtectedMethodInModule | foo | calls.rb:510:15:512:7 | foo |
+| calls.rb:515:1:528:3 | ProtectedMethods | bar | calls.rb:518:15:520:7 | bar |
+| calls.rb:515:1:528:3 | ProtectedMethods | baz | calls.rb:522:5:527:7 | baz |
+| calls.rb:534:1:539:3 | ProtectedMethodsSub | baz | calls.rb:535:5:538:7 | baz |
 | hello.rb:1:1:8:3 | EnglishWords | hello | hello.rb:2:5:4:7 | hello |
 | hello.rb:1:1:8:3 | EnglishWords | world | hello.rb:5:5:7:7 | world |
 | hello.rb:11:1:16:3 | Greeting | message | hello.rb:13:5:15:7 | message |
@@ -357,37 +357,37 @@ lookupMethod
 | calls.rb:417:1:445:3 | ConditionalInstanceMethods | puts | calls.rb:102:5:102:30 | puts |
 | calls.rb:417:1:445:3 | ConditionalInstanceMethods | to_s | calls.rb:172:5:173:7 | to_s |
 | calls.rb:480:1:486:3 | ExtendSingletonMethod | singleton | calls.rb:481:5:483:7 | singleton |
-| calls.rb:490:1:494:3 | ProtectedMethodInModule | foo | calls.rb:491:15:493:7 | foo |
-| calls.rb:496:1:509:3 | ProtectedMethods | add_singleton | calls.rb:367:1:371:3 | add_singleton |
-| calls.rb:496:1:509:3 | ProtectedMethods | bar | calls.rb:499:15:501:7 | bar |
-| calls.rb:496:1:509:3 | ProtectedMethods | baz | calls.rb:503:5:508:7 | baz |
-| calls.rb:496:1:509:3 | ProtectedMethods | call_block | calls.rb:81:1:83:3 | call_block |
-| calls.rb:496:1:509:3 | ProtectedMethods | call_instance_m | calls.rb:39:1:41:3 | call_instance_m |
-| calls.rb:496:1:509:3 | ProtectedMethods | create | calls.rb:278:1:286:3 | create |
-| calls.rb:496:1:509:3 | ProtectedMethods | foo | calls.rb:491:15:493:7 | foo |
-| calls.rb:496:1:509:3 | ProtectedMethods | funny | calls.rb:140:1:142:3 | funny |
-| calls.rb:496:1:509:3 | ProtectedMethods | indirect | calls.rb:158:1:160:3 | indirect |
-| calls.rb:496:1:509:3 | ProtectedMethods | new | calls.rb:117:5:117:16 | new |
-| calls.rb:496:1:509:3 | ProtectedMethods | optional_arg | calls.rb:76:1:79:3 | optional_arg |
-| calls.rb:496:1:509:3 | ProtectedMethods | pattern_dispatch | calls.rb:343:1:359:3 | pattern_dispatch |
-| calls.rb:496:1:509:3 | ProtectedMethods | private_on_main | calls.rb:185:1:186:3 | private_on_main |
-| calls.rb:496:1:509:3 | ProtectedMethods | puts | calls.rb:102:5:102:30 | puts |
-| calls.rb:496:1:509:3 | ProtectedMethods | to_s | calls.rb:172:5:173:7 | to_s |
-| calls.rb:515:1:520:3 | ProtectedMethodsSub | add_singleton | calls.rb:367:1:371:3 | add_singleton |
-| calls.rb:515:1:520:3 | ProtectedMethodsSub | bar | calls.rb:499:15:501:7 | bar |
-| calls.rb:515:1:520:3 | ProtectedMethodsSub | baz | calls.rb:516:5:519:7 | baz |
-| calls.rb:515:1:520:3 | ProtectedMethodsSub | call_block | calls.rb:81:1:83:3 | call_block |
-| calls.rb:515:1:520:3 | ProtectedMethodsSub | call_instance_m | calls.rb:39:1:41:3 | call_instance_m |
-| calls.rb:515:1:520:3 | ProtectedMethodsSub | create | calls.rb:278:1:286:3 | create |
-| calls.rb:515:1:520:3 | ProtectedMethodsSub | foo | calls.rb:491:15:493:7 | foo |
-| calls.rb:515:1:520:3 | ProtectedMethodsSub | funny | calls.rb:140:1:142:3 | funny |
-| calls.rb:515:1:520:3 | ProtectedMethodsSub | indirect | calls.rb:158:1:160:3 | indirect |
-| calls.rb:515:1:520:3 | ProtectedMethodsSub | new | calls.rb:117:5:117:16 | new |
-| calls.rb:515:1:520:3 | ProtectedMethodsSub | optional_arg | calls.rb:76:1:79:3 | optional_arg |
-| calls.rb:515:1:520:3 | ProtectedMethodsSub | pattern_dispatch | calls.rb:343:1:359:3 | pattern_dispatch |
-| calls.rb:515:1:520:3 | ProtectedMethodsSub | private_on_main | calls.rb:185:1:186:3 | private_on_main |
-| calls.rb:515:1:520:3 | ProtectedMethodsSub | puts | calls.rb:102:5:102:30 | puts |
-| calls.rb:515:1:520:3 | ProtectedMethodsSub | to_s | calls.rb:172:5:173:7 | to_s |
+| calls.rb:509:1:513:3 | ProtectedMethodInModule | foo | calls.rb:510:15:512:7 | foo |
+| calls.rb:515:1:528:3 | ProtectedMethods | add_singleton | calls.rb:367:1:371:3 | add_singleton |
+| calls.rb:515:1:528:3 | ProtectedMethods | bar | calls.rb:518:15:520:7 | bar |
+| calls.rb:515:1:528:3 | ProtectedMethods | baz | calls.rb:522:5:527:7 | baz |
+| calls.rb:515:1:528:3 | ProtectedMethods | call_block | calls.rb:81:1:83:3 | call_block |
+| calls.rb:515:1:528:3 | ProtectedMethods | call_instance_m | calls.rb:39:1:41:3 | call_instance_m |
+| calls.rb:515:1:528:3 | ProtectedMethods | create | calls.rb:278:1:286:3 | create |
+| calls.rb:515:1:528:3 | ProtectedMethods | foo | calls.rb:510:15:512:7 | foo |
+| calls.rb:515:1:528:3 | ProtectedMethods | funny | calls.rb:140:1:142:3 | funny |
+| calls.rb:515:1:528:3 | ProtectedMethods | indirect | calls.rb:158:1:160:3 | indirect |
+| calls.rb:515:1:528:3 | ProtectedMethods | new | calls.rb:117:5:117:16 | new |
+| calls.rb:515:1:528:3 | ProtectedMethods | optional_arg | calls.rb:76:1:79:3 | optional_arg |
+| calls.rb:515:1:528:3 | ProtectedMethods | pattern_dispatch | calls.rb:343:1:359:3 | pattern_dispatch |
+| calls.rb:515:1:528:3 | ProtectedMethods | private_on_main | calls.rb:185:1:186:3 | private_on_main |
+| calls.rb:515:1:528:3 | ProtectedMethods | puts | calls.rb:102:5:102:30 | puts |
+| calls.rb:515:1:528:3 | ProtectedMethods | to_s | calls.rb:172:5:173:7 | to_s |
+| calls.rb:534:1:539:3 | ProtectedMethodsSub | add_singleton | calls.rb:367:1:371:3 | add_singleton |
+| calls.rb:534:1:539:3 | ProtectedMethodsSub | bar | calls.rb:518:15:520:7 | bar |
+| calls.rb:534:1:539:3 | ProtectedMethodsSub | baz | calls.rb:535:5:538:7 | baz |
+| calls.rb:534:1:539:3 | ProtectedMethodsSub | call_block | calls.rb:81:1:83:3 | call_block |
+| calls.rb:534:1:539:3 | ProtectedMethodsSub | call_instance_m | calls.rb:39:1:41:3 | call_instance_m |
+| calls.rb:534:1:539:3 | ProtectedMethodsSub | create | calls.rb:278:1:286:3 | create |
+| calls.rb:534:1:539:3 | ProtectedMethodsSub | foo | calls.rb:510:15:512:7 | foo |
+| calls.rb:534:1:539:3 | ProtectedMethodsSub | funny | calls.rb:140:1:142:3 | funny |
+| calls.rb:534:1:539:3 | ProtectedMethodsSub | indirect | calls.rb:158:1:160:3 | indirect |
+| calls.rb:534:1:539:3 | ProtectedMethodsSub | new | calls.rb:117:5:117:16 | new |
+| calls.rb:534:1:539:3 | ProtectedMethodsSub | optional_arg | calls.rb:76:1:79:3 | optional_arg |
+| calls.rb:534:1:539:3 | ProtectedMethodsSub | pattern_dispatch | calls.rb:343:1:359:3 | pattern_dispatch |
+| calls.rb:534:1:539:3 | ProtectedMethodsSub | private_on_main | calls.rb:185:1:186:3 | private_on_main |
+| calls.rb:534:1:539:3 | ProtectedMethodsSub | puts | calls.rb:102:5:102:30 | puts |
+| calls.rb:534:1:539:3 | ProtectedMethodsSub | to_s | calls.rb:172:5:173:7 | to_s |
 | file://:0:0:0:0 | Class | include | calls.rb:108:5:110:7 | include |
 | file://:0:0:0:0 | Class | module_eval | calls.rb:107:5:107:24 | module_eval |
 | file://:0:0:0:0 | Class | new | calls.rb:117:5:117:16 | new |
@@ -809,29 +809,29 @@ enclosingMethod
 | calls.rb:482:9:482:46 | self | calls.rb:481:5:483:7 | singleton |
 | calls.rb:482:14:482:46 | "ExtendSingletonMethod#singleton" | calls.rb:481:5:483:7 | singleton |
 | calls.rb:482:15:482:45 | ExtendSingletonMethod#singleton | calls.rb:481:5:483:7 | singleton |
-| calls.rb:492:9:492:42 | call to puts | calls.rb:491:15:493:7 | foo |
-| calls.rb:492:9:492:42 | self | calls.rb:491:15:493:7 | foo |
-| calls.rb:492:14:492:42 | "ProtectedMethodInModule#foo" | calls.rb:491:15:493:7 | foo |
-| calls.rb:492:15:492:41 | ProtectedMethodInModule#foo | calls.rb:491:15:493:7 | foo |
-| calls.rb:500:9:500:35 | call to puts | calls.rb:499:15:501:7 | bar |
-| calls.rb:500:9:500:35 | self | calls.rb:499:15:501:7 | bar |
-| calls.rb:500:14:500:35 | "ProtectedMethods#bar" | calls.rb:499:15:501:7 | bar |
-| calls.rb:500:15:500:34 | ProtectedMethods#bar | calls.rb:499:15:501:7 | bar |
-| calls.rb:504:9:504:11 | call to foo | calls.rb:503:5:508:7 | baz |
-| calls.rb:504:9:504:11 | self | calls.rb:503:5:508:7 | baz |
-| calls.rb:505:9:505:11 | call to bar | calls.rb:503:5:508:7 | baz |
-| calls.rb:505:9:505:11 | self | calls.rb:503:5:508:7 | baz |
-| calls.rb:506:9:506:24 | ProtectedMethods | calls.rb:503:5:508:7 | baz |
-| calls.rb:506:9:506:28 | call to new | calls.rb:503:5:508:7 | baz |
-| calls.rb:506:9:506:32 | call to foo | calls.rb:503:5:508:7 | baz |
-| calls.rb:507:9:507:24 | ProtectedMethods | calls.rb:503:5:508:7 | baz |
-| calls.rb:507:9:507:28 | call to new | calls.rb:503:5:508:7 | baz |
-| calls.rb:507:9:507:32 | call to bar | calls.rb:503:5:508:7 | baz |
-| calls.rb:517:9:517:11 | call to foo | calls.rb:516:5:519:7 | baz |
-| calls.rb:517:9:517:11 | self | calls.rb:516:5:519:7 | baz |
-| calls.rb:518:9:518:27 | ProtectedMethodsSub | calls.rb:516:5:519:7 | baz |
-| calls.rb:518:9:518:31 | call to new | calls.rb:516:5:519:7 | baz |
-| calls.rb:518:9:518:35 | call to foo | calls.rb:516:5:519:7 | baz |
+| calls.rb:511:9:511:42 | call to puts | calls.rb:510:15:512:7 | foo |
+| calls.rb:511:9:511:42 | self | calls.rb:510:15:512:7 | foo |
+| calls.rb:511:14:511:42 | "ProtectedMethodInModule#foo" | calls.rb:510:15:512:7 | foo |
+| calls.rb:511:15:511:41 | ProtectedMethodInModule#foo | calls.rb:510:15:512:7 | foo |
+| calls.rb:519:9:519:35 | call to puts | calls.rb:518:15:520:7 | bar |
+| calls.rb:519:9:519:35 | self | calls.rb:518:15:520:7 | bar |
+| calls.rb:519:14:519:35 | "ProtectedMethods#bar" | calls.rb:518:15:520:7 | bar |
+| calls.rb:519:15:519:34 | ProtectedMethods#bar | calls.rb:518:15:520:7 | bar |
+| calls.rb:523:9:523:11 | call to foo | calls.rb:522:5:527:7 | baz |
+| calls.rb:523:9:523:11 | self | calls.rb:522:5:527:7 | baz |
+| calls.rb:524:9:524:11 | call to bar | calls.rb:522:5:527:7 | baz |
+| calls.rb:524:9:524:11 | self | calls.rb:522:5:527:7 | baz |
+| calls.rb:525:9:525:24 | ProtectedMethods | calls.rb:522:5:527:7 | baz |
+| calls.rb:525:9:525:28 | call to new | calls.rb:522:5:527:7 | baz |
+| calls.rb:525:9:525:32 | call to foo | calls.rb:522:5:527:7 | baz |
+| calls.rb:526:9:526:24 | ProtectedMethods | calls.rb:522:5:527:7 | baz |
+| calls.rb:526:9:526:28 | call to new | calls.rb:522:5:527:7 | baz |
+| calls.rb:526:9:526:32 | call to bar | calls.rb:522:5:527:7 | baz |
+| calls.rb:536:9:536:11 | call to foo | calls.rb:535:5:538:7 | baz |
+| calls.rb:536:9:536:11 | self | calls.rb:535:5:538:7 | baz |
+| calls.rb:537:9:537:27 | ProtectedMethodsSub | calls.rb:535:5:538:7 | baz |
+| calls.rb:537:9:537:31 | call to new | calls.rb:535:5:538:7 | baz |
+| calls.rb:537:9:537:35 | call to foo | calls.rb:535:5:538:7 | baz |
 | hello.rb:3:9:3:22 | return | hello.rb:2:5:4:7 | hello |
 | hello.rb:3:16:3:22 | "hello" | hello.rb:2:5:4:7 | hello |
 | hello.rb:3:17:3:21 | hello | hello.rb:2:5:4:7 | hello |
--- a/ruby/ql/test/library-tests/modules/modules.expected
+++ b/ruby/ql/test/library-tests/modules/modules.expected
--- a/ruby/ql/test/library-tests/modules/superclasses.expected
+++ b/ruby/ql/test/library-tests/modules/superclasses.expected
@@ -93,12 +93,16 @@ calls.rb:

 #  480| ExtendSingletonMethod

-#  490| ProtectedMethodInModule
+#  490| ExtendSingletonMethod2

-#  496| ProtectedMethods
+#  496| ExtendSingletonMethod3
+
+#  509| ProtectedMethodInModule
+
+#  515| ProtectedMethods
 #-----|  -> Object

-#  515| ProtectedMethodsSub
+#  534| ProtectedMethodsSub
 #-----|  -> ProtectedMethods

 hello.rb:
--- a/ruby/ql/test/query-tests/security/cwe-020/MissingRegExpAnchor/MissingRegExpAnchor.expected
+++ b/ruby/ql/test/query-tests/security/cwe-020/MissingRegExpAnchor/MissingRegExpAnchor.expected
@@ -16,3 +16,5 @@
 | missing_regexp_anchor.rb:50:1:50:30 | /^good\\\\\\\\.com\|better\\\\\\\\.com/ | Misleading operator precedence. The subexpression '^good\\\\\\\\.com' is anchored at the beginning, but the other parts of this regular expression are not |
 | missing_regexp_anchor.rb:52:1:52:15 | /^foo\|bar\|baz$/ | Misleading operator precedence. The subexpression '^foo' is anchored at the beginning, but the other parts of this regular expression are not |
 | missing_regexp_anchor.rb:52:1:52:15 | /^foo\|bar\|baz$/ | Misleading operator precedence. The subexpression 'baz$' is anchored at the end, but the other parts of this regular expression are not |
+| missing_regexp_anchor.rb:60:20:60:39 | "http://example.com" | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |
+| missing_regexp_anchor.rb:61:19:61:38 | "http://example.com" | When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. |
--- a/ruby/ql/test/query-tests/security/cwe-020/MissingRegExpAnchor/missing_regexp_anchor.rb
+++ b/ruby/ql/test/query-tests/security/cwe-020/MissingRegExpAnchor/missing_regexp_anchor.rb
@@ -50,4 +50,12 @@ foo.sub!(/www\.example\.com/, "bar") # GOOD
 /^good\\\\.com|better\\\\.com/ # BAD

 /^foo|bar|baz$/ # BAD
-/^foo|%/ # OK
+/^foo|%/ # OK
+
+REGEXP = /foo/
+REGEXP.match? "http://example.com" # GOOD: the url is the text not the regexp
+REGEXP.match "http://example.com" # GOOD: the url is the text not the regexp
+"http://example.com".match? REGEXP  # GOOD: the url is the text not the regexp
+"http://example.com".match REGEXP  # GOOD: the url is the text not the regexp
+"some text".match? "http://example.com" # BAD
+"some text".match "http://example.com" # BAD
--- a/ruby/ql/test/query-tests/security/cwe-079/StoredXSS.expected
+++ b/ruby/ql/test/query-tests/security/cwe-079/StoredXSS.expected
@@ -2,7 +2,7 @@ edges
 | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read :  | app/controllers/foo/stores_controller.rb:9:22:9:23 | dt :  |
 | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read :  | app/controllers/foo/stores_controller.rb:13:55:13:56 | dt :  |
 | app/controllers/foo/stores_controller.rb:9:22:9:23 | dt :  | app/views/foo/stores/show.html.erb:38:3:38:16 | @instance_text |
-| app/controllers/foo/stores_controller.rb:12:28:12:48 | call to raw_name :  | app/views/foo/stores/show.html.erb:84:5:84:24 | @other_user_raw_name |
+| app/controllers/foo/stores_controller.rb:12:28:12:48 | call to raw_name :  | app/views/foo/stores/show.html.erb:83:5:83:24 | @other_user_raw_name |
 | app/controllers/foo/stores_controller.rb:13:55:13:56 | dt :  | app/views/foo/stores/show.html.erb:2:9:2:20 | call to display_text |
 | app/controllers/foo/stores_controller.rb:13:55:13:56 | dt :  | app/views/foo/stores/show.html.erb:5:9:5:36 | ...[...] |
 | app/controllers/foo/stores_controller.rb:13:55:13:56 | dt :  | app/views/foo/stores/show.html.erb:9:9:9:26 | ...[...] |
@@ -29,7 +29,8 @@ nodes
 | app/views/foo/stores/show.html.erb:50:5:50:18 | call to raw_name | semmle.label | call to raw_name |
 | app/views/foo/stores/show.html.erb:64:3:64:18 | call to handle | semmle.label | call to handle |
 | app/views/foo/stores/show.html.erb:70:3:70:20 | call to raw_name | semmle.label | call to raw_name |
-| app/views/foo/stores/show.html.erb:84:5:84:24 | @other_user_raw_name | semmle.label | @other_user_raw_name |
+| app/views/foo/stores/show.html.erb:80:5:80:22 | call to display_name | semmle.label | call to display_name |
+| app/views/foo/stores/show.html.erb:83:5:83:24 | @other_user_raw_name | semmle.label | @other_user_raw_name |
 subpaths
 #select
 | app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read :  | app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text | Stored cross-site scripting vulnerability due to $@. | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read | stored value |
@@ -43,4 +44,5 @@ subpaths
 | app/views/foo/stores/show.html.erb:50:5:50:18 | call to raw_name | app/views/foo/stores/show.html.erb:50:5:50:18 | call to raw_name | app/views/foo/stores/show.html.erb:50:5:50:18 | call to raw_name | Stored cross-site scripting vulnerability due to $@. | app/views/foo/stores/show.html.erb:50:5:50:18 | call to raw_name | stored value |
 | app/views/foo/stores/show.html.erb:64:3:64:18 | call to handle | app/views/foo/stores/show.html.erb:64:3:64:18 | call to handle | app/views/foo/stores/show.html.erb:64:3:64:18 | call to handle | Stored cross-site scripting vulnerability due to $@. | app/views/foo/stores/show.html.erb:64:3:64:18 | call to handle | stored value |
 | app/views/foo/stores/show.html.erb:70:3:70:20 | call to raw_name | app/views/foo/stores/show.html.erb:70:3:70:20 | call to raw_name | app/views/foo/stores/show.html.erb:70:3:70:20 | call to raw_name | Stored cross-site scripting vulnerability due to $@. | app/views/foo/stores/show.html.erb:70:3:70:20 | call to raw_name | stored value |
-| app/views/foo/stores/show.html.erb:84:5:84:24 | @other_user_raw_name | app/controllers/foo/stores_controller.rb:12:28:12:48 | call to raw_name :  | app/views/foo/stores/show.html.erb:84:5:84:24 | @other_user_raw_name | Stored cross-site scripting vulnerability due to $@. | app/controllers/foo/stores_controller.rb:12:28:12:48 | call to raw_name | stored value |
+| app/views/foo/stores/show.html.erb:80:5:80:22 | call to display_name | app/views/foo/stores/show.html.erb:80:5:80:22 | call to display_name | app/views/foo/stores/show.html.erb:80:5:80:22 | call to display_name | Stored cross-site scripting vulnerability due to $@. | app/views/foo/stores/show.html.erb:80:5:80:22 | call to display_name | stored value |
+| app/views/foo/stores/show.html.erb:83:5:83:24 | @other_user_raw_name | app/controllers/foo/stores_controller.rb:12:28:12:48 | call to raw_name :  | app/views/foo/stores/show.html.erb:83:5:83:24 | @other_user_raw_name | Stored cross-site scripting vulnerability due to $@. | app/controllers/foo/stores_controller.rb:12:28:12:48 | call to raw_name | stored value |
--- a/ruby/ql/test/query-tests/security/cwe-079/app/views/foo/stores/show.html.erb
+++ b/ruby/ql/test/query-tests/security/cwe-079/app/views/foo/stores/show.html.erb
@@ -77,7 +77,6 @@
 %>

 <%# BAD: Indirect to a database value without escaping %>
-<%# TODO: we do not detect that `display_name` can return a DB field %>
 <%= @user.display_name.html_safe %>

 <%# BAD: Indirect to a database value without escaping %>