From c975ae5231c92bc5a22b953835aefb4dccbc48a1 Mon Sep 17 00:00:00 2001 From: Tom Hvitved Date: Tue, 16 Dec 2025 13:49:04 +0100 Subject: [PATCH] Ruby: Adapt to changes in `FlowSummaryImpl` --- ruby/ql/docs/flow_summaries.md | 2 +- .../lib/codeql/ruby/dataflow/FlowSummary.qll | 114 +++++----- .../dataflow/internal/DataFlowDispatch.qll | 4 +- .../dataflow/internal/FlowSummaryImpl.qll | 2 + .../ruby/frameworks/ActionController.qll | 10 +- .../codeql/ruby/frameworks/ActiveSupport.qll | 38 ++-- ruby/ql/lib/codeql/ruby/frameworks/Arel.qll | 4 +- ruby/ql/lib/codeql/ruby/frameworks/Core.qll | 4 +- ruby/ql/lib/codeql/ruby/frameworks/Erb.qll | 2 +- ruby/ql/lib/codeql/ruby/frameworks/Files.qll | 4 +- ruby/ql/lib/codeql/ruby/frameworks/Ldap.qll | 4 +- ruby/ql/lib/codeql/ruby/frameworks/Mysql2.qll | 4 +- ruby/ql/lib/codeql/ruby/frameworks/Pg.qll | 2 +- ruby/ql/lib/codeql/ruby/frameworks/Rails.qll | 6 +- ruby/ql/lib/codeql/ruby/frameworks/Sequel.qll | 2 +- .../ql/lib/codeql/ruby/frameworks/Sinatra.qll | 4 +- .../ql/lib/codeql/ruby/frameworks/Sqlite3.qll | 2 +- .../codeql/ruby/frameworks/Translation.qll | 2 +- .../lib/codeql/ruby/frameworks/core/Array.qll | 200 +++++++++--------- .../codeql/ruby/frameworks/core/Base64.qll | 2 +- .../lib/codeql/ruby/frameworks/core/Hash.qll | 48 ++--- .../codeql/ruby/frameworks/core/Kernel.qll | 4 +- .../codeql/ruby/frameworks/core/Object.qll | 2 +- .../codeql/ruby/frameworks/core/String.qll | 64 +++--- .../ruby/frameworks/data/ModelsAsData.qll | 10 +- .../ruby/frameworks/rack/internal/Utils.qll | 2 +- .../internal/TypeTrackingImpl.qll | 2 +- .../dataflow/flow-summaries/semantics.ql | 2 +- .../dataflow/regressions/Regressions.ql | 2 +- .../dataflow/summaries/Summaries.ql | 6 +- 30 files changed, 282 insertions(+), 272 deletions(-) diff --git a/ruby/ql/docs/flow_summaries.md b/ruby/ql/docs/flow_summaries.md index 5f39e158588..bb5fe5d7178 100644 --- a/ruby/ql/docs/flow_summaries.md +++ b/ruby/ql/docs/flow_summaries.md 
@@ -19,7 +19,7 @@ to be tainted in the call to `system`. have no source code, so we include a flow summary for it: ```ql -private class ChompSummary extends SimpleSummarizedCallable { +private class ChompSummary extends SummarizedCallable::RangeSimple { ChompSummary() { this = "chomp" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { diff --git a/ruby/ql/lib/codeql/ruby/dataflow/FlowSummary.qll b/ruby/ql/lib/codeql/ruby/dataflow/FlowSummary.qll index 73e4ca8dfec..3ec9a9d87dc 100644 --- a/ruby/ql/lib/codeql/ruby/dataflow/FlowSummary.qll +++ b/ruby/ql/lib/codeql/ruby/dataflow/FlowSummary.qll 
@@ -15,65 +15,64 @@ private module Summaries { private import codeql.ruby.frameworks.data.ModelsAsData } -deprecated class SummaryComponent = Impl::Private::SummaryComponent; +class Provenance = Impl::Public::Provenance; -deprecated module SummaryComponent = Impl::Private::SummaryComponent; +/** Provides the `Range` class used to define the extent of `SummarizedCallable`. */ +module SummarizedCallable { + /** A callable with a flow summary, identified by a unique string. */ + abstract class Range extends LibraryCallable, Impl::Public::SummarizedCallable { + bindingset[this] + Range() { any() } -deprecated class SummaryComponentStack = Impl::Private::SummaryComponentStack; + override predicate propagatesFlow( + string input, string output, boolean preservesValue, Provenance p, boolean isExact, + string model + ) { + this.propagatesFlow(input, output, preservesValue) and + p = "manual" and + isExact = true and + model = "" + } -deprecated module SummaryComponentStack = Impl::Private::SummaryComponentStack; + /** + * Holds if data may flow from `input` to `output` through this callable. + * + * `preservesValue` indicates whether this is a value-preserving step or a taint-step. + */ + predicate propagatesFlow(string input, string output, boolean preservesValue) { none() } + + /** + * Gets the synthesized parameter that results from an input specification + * that starts with `Argument[s]` for this library callable. + */ + DataFlow::ParameterNode getParameter(string s) { + exists(ParameterPosition pos | + DataFlowImplCommon::parameterNode(result, TLibraryCallable(this), pos) and + s = Impl::Input::encodeParameterPosition(pos) + ) + } + } + + /** + * A callable with a flow summary, identified by a unique string, where all + * calls to a method with the same name are considered relevant. 
+ */ + abstract class RangeSimple extends Range { + MethodCall mc; + + bindingset[this] + RangeSimple() { mc.getMethodName() = this } + + final override MethodCall getACallSimple() { result = mc } + } +} + +final private class SummarizedCallableFinal = SummarizedCallable::Range; /** A callable with a flow summary, identified by a unique string. */ -abstract class SummarizedCallable extends LibraryCallable, Impl::Public::SummarizedCallable { - bindingset[this] - SummarizedCallable() { any() } - - /** - * DEPRECATED: Use `propagatesFlow` instead. - */ - deprecated predicate propagatesFlowExt(string input, string output, boolean preservesValue) { - this.propagatesFlow(input, output, preservesValue, _) - } - - override predicate propagatesFlow( - string input, string output, boolean preservesValue, string model - ) { - this.propagatesFlow(input, output, preservesValue) and model = "" - } - - /** - * Holds if data may flow from `input` to `output` through this callable. - * - * `preservesValue` indicates whether this is a value-preserving step or a taint-step. - */ - predicate propagatesFlow(string input, string output, boolean preservesValue) { none() } - - /** - * Gets the synthesized parameter that results from an input specification - * that starts with `Argument[s]` for this library callable. - */ - DataFlow::ParameterNode getParameter(string s) { - exists(ParameterPosition pos | - DataFlowImplCommon::parameterNode(result, TLibraryCallable(this), pos) and - s = Impl::Input::encodeParameterPosition(pos) - ) - } -} - -/** - * A callable with a flow summary, identified by a unique string, where all - * calls to a method with the same name are considered relevant. 
- */ -abstract class SimpleSummarizedCallable extends SummarizedCallable { - MethodCall mc; - - bindingset[this] - SimpleSummarizedCallable() { mc.getMethodName() = this } - - final override MethodCall getACallSimple() { result = mc } -} - -deprecated class RequiredSummaryComponentStack = Impl::Private::RequiredSummaryComponentStack; +final class SummarizedCallable extends SummarizedCallableFinal, + Impl::Public::RelevantSummarizedCallable +{ } /** * Provides a set of special flow summaries to ensure that callbacks passed into @@ -103,7 +102,7 @@ private module LibraryCallbackSummaries { ) } - private class LibraryLambdaMethod extends SummarizedCallable { + private class LibraryLambdaMethod extends SummarizedCallable::Range { LibraryLambdaMethod() { this = "" } final override MethodCall getACall() { @@ -114,7 +113,8 @@ private module LibraryCallbackSummaries { } override predicate propagatesFlow( - string input, string output, boolean preservesValue, string model + string input, string output, boolean preservesValue, Provenance p, boolean isExact, + string model ) { ( input = "Argument[block]" and @@ -127,6 +127,8 @@ private module LibraryCallbackSummaries { ) ) and preservesValue = true and + p = "hq-generated" and + isExact = true and model = "heuristic-callback" } } diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll index 62253587e7a..70c761e411c 100644 --- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll +++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll 
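Review bot: `SimpleSummarizedCallable` is removed and `SummarizedCallable` becomes a `final` class in the `@@ -15,65 +15,64` hunk, so any query pack outside this repository that still writes `extends SummarizedCallable` or `extends SimpleSummarizedCallable` stops compiling, and the diffstat lists no change note for the break. If the break is intended, a one-release shim such as `deprecated class SimpleSummarizedCallable = SummarizedCallable::RangeSimple;` next to the new module would give downstream models a migration path, in the same way the deprecated `SummaryComponent` aliases this hunk deletes once did. The QLDoc of the new `Range` class also does not say what its six-argument `propagatesFlow` override fixes for subclasses; I would extend it with a sentence along the lines of "Subclasses normally override the three-argument `propagatesFlow`; summaries given that way are reported with provenance `manual`, `isExact = true` and an empty `model`, and a subclass needing other values overrides the six-argument variant instead." The final `SummarizedCallable` keeps only the old one-line comment, which no longer mentions that it now also implements `RelevantSummarizedCallable`.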
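Review bot: In the `@@ -127,6 +127,8` hunk `LibraryLambdaMethod` now reports its callback summary with `p = "hq-generated"` while every summary defined through `Range` is `manual`, and nothing in the hunk says why; if the shared `FlowSummaryImpl` prefers manual summaries over generated ones for the same callable, this value decides whether the heuristic callback step survives next to a hand-written model, which looks deliberate but deserves a comment. A line such as `// generated provenance so that a manual summary for the same call takes precedence over this heuristic` above the assignment would capture the intent, assuming that is the reason. The `@@ -114,7 +113,8` hunk only widens the override's signature to `Provenance p, boolean isExact`, and `isExact = true` is likewise left unexplained for a summary whose `this` is the empty string. The middle of this `propagatesFlow` body lies between the two hunks and is not shown.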
@@ -240,7 +240,9 @@ class NormalCall extends DataFlowCall, TNormalCall { module ViewComponentRenderModeling { private import codeql.ruby.frameworks.ViewComponent - private class RenderMethod extends SummarizedCallable, LibraryCallableToIncludeInTypeTracking { + private class RenderMethod extends SummarizedCallable::Range, + LibraryCallableToIncludeInTypeTracking + { RenderMethod() { this = "render view component" } override MethodCall getACallSimple() { result.getMethodName() = "render" } diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll index f8e3894a833..d7326d9594b 100644 --- a/ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll +++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll @@ -18,6 +18,8 @@ module Input implements InputSig { class SinkBase = Void; + predicate callableFromSource(SummarizedCallableBase c) { none() } + ArgumentPosition callbackSelfParameterPosition() { result.isLambdaSelf() } ReturnKind getStandardReturnValueKind() { result instanceof NormalReturnKind } diff --git a/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll b/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll index 5a1cf3f5318..a1d56e5fe15 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll @@ -545,7 +545,7 @@ private module ParamsSummaries { * A flow summary for methods on `ActionController::Parameters` which * propagate taint from receiver to return value. */ - private class MethodsReturningParamsInstanceSummary extends SummarizedCallable { + private class MethodsReturningParamsInstanceSummary extends SummarizedCallable::Range { MethodsReturningParamsInstanceSummary() { this = "ActionController::Parameters#" } override MethodCall getACall() { 
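Review bot: The new `predicate callableFromSource(SummarizedCallableBase c) { none() }` in `FlowSummaryImpl.qll` carries no QLDoc, and a bare `none()` body reads like a stub rather than a decision. Presumably it never holds because Ruby attaches flow summaries only to `LibraryCallable`s and never to callables defined in the analyzed source; if so, a comment such as `/** Holds if the summarized callable is defined in source code. Ruby only summarizes library callables, so this never holds. */` would keep the next reader from treating it as unfinished — worth confirming against the `InputSig` documentation for this predicate.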
@@ -566,7 +566,7 @@ private module ParamsSummaries { * `#with_defaults` * Returns a new ActionController::Parameters with all keys from current hash merged into other_hash. */ - private class MergeSummary extends SummarizedCallable { + private class MergeSummary extends SummarizedCallable::Range { MergeSummary() { this = "ActionController::Parameters#merge" } override MethodCall getACall() { @@ -590,7 +590,7 @@ private module ParamsSummaries { * `#reverse_update` * Returns a new ActionController::Parameters with all keys from current hash merged into other_hash. */ - private class MergeBangSummary extends SummarizedCallable { + private class MergeBangSummary extends SummarizedCallable::Range { MergeBangSummary() { this = "ActionController::Parameters#merge!" } override MethodCall getACall() { @@ -609,7 +609,7 @@ private module ParamsSummaries { /** Flow summaries for `ActiveDispatch::Http::UploadedFile`, which can be an field of `ActionController::Parameters`. */ module UploadedFileSummaries { /** Flow summary for various string attributes of `UploadedFile`, including `original_filename`, `content_type`, and `headers`. */ - private class UploadedFileStringAttributeSummary extends SummarizedCallable { + private class UploadedFileStringAttributeSummary extends SummarizedCallable::Range { UploadedFileStringAttributeSummary() { this = "ActionDispatch::Http::UploadedFile#[original_filename,content_type,headers]" } @@ -632,7 +632,7 @@ private module ParamsSummaries { * Flow summary for `ActiveDispatch::Http::UploadedFile#read`, * which propagates taint from the receiver to the return value or to the second (out string) argument */ - private class UploadedFileReadSummary extends SummarizedCallable { + private class UploadedFileReadSummary extends SummarizedCallable::Range { UploadedFileReadSummary() { this = "ActionDispatch::Http::UploadedFile#read" } override MethodCall getACall() { 
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/ActiveSupport.qll b/ruby/ql/lib/codeql/ruby/frameworks/ActiveSupport.qll index 349a17bbeac..ccfbdf67f11 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/ActiveSupport.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/ActiveSupport.qll @@ -45,7 +45,7 @@ module ActiveSupport { /** * Flow summary for methods which transform the receiver in some way, possibly preserving taint. */ - private class StringTransformSummary extends SummarizedCallable { + private class StringTransformSummary extends SummarizedCallable::Range { // We're modeling a lot of different methods, so we make up a name for this summary. StringTransformSummary() { this = "ActiveSupportStringTransform" } @@ -72,7 +72,7 @@ module ActiveSupport { */ module Object { /** Flow summary for methods which can return the receiver. */ - private class IdentitySummary extends SimpleSummarizedCallable { + private class IdentitySummary extends SummarizedCallable::RangeSimple { IdentitySummary() { this = ["presence", "deep_dup"] } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -106,7 +106,7 @@ module ActiveSupport { } /** Flow summary for `Object#to_json`, which serializes the receiver as a JSON string. */ - private class ToJsonSummary extends SimpleSummarizedCallable { + private class ToJsonSummary extends SummarizedCallable::RangeSimple { ToJsonSummary() { this = "to_json" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -124,7 +124,7 @@ module ActiveSupport { /** * Flow summary for `reverse_merge`, and its alias `with_defaults`. */ - private class ReverseMergeSummary extends SimpleSummarizedCallable { + private class ReverseMergeSummary extends SummarizedCallable::RangeSimple { ReverseMergeSummary() { this = ["reverse_merge", "with_defaults"] } override predicate propagatesFlow(string input, string output, boolean preservesValue) { 
@@ -137,7 +137,7 @@ module ActiveSupport { /** * Flow summary for `reverse_merge!`, and its aliases `with_defaults!` and `reverse_update`. */ - private class ReverseMergeBangSummary extends SimpleSummarizedCallable { + private class ReverseMergeBangSummary extends SummarizedCallable::RangeSimple { ReverseMergeBangSummary() { this = ["reverse_merge!", "with_defaults!", "reverse_update"] } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -147,7 +147,7 @@ module ActiveSupport { } } - private class TransformSummary extends SimpleSummarizedCallable { + private class TransformSummary extends SummarizedCallable::RangeSimple { TransformSummary() { this = [ @@ -188,7 +188,7 @@ module ActiveSupport { * mentioned in the arguments to an element in `self`, including elements * at unknown keys. */ - private class ExtractSummary extends SummarizedCallable { + private class ExtractSummary extends SummarizedCallable::Range { MethodCall mc; ExtractSummary() { @@ -232,7 +232,7 @@ module ActiveSupport { ArrayIndex() { this = any(DataFlow::Content::KnownElementContent c).getIndex().getInt() } } - private class CompactBlankSummary extends SimpleSummarizedCallable { + private class CompactBlankSummary extends SummarizedCallable::RangeSimple { CompactBlankSummary() { this = "compact_blank" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -242,7 +242,7 @@ module ActiveSupport { } } - private class ExcludingSummary extends SimpleSummarizedCallable { + private class ExcludingSummary extends SummarizedCallable::RangeSimple { ExcludingSummary() { this = ["excluding", "without"] } override predicate propagatesFlow(string input, string output, boolean preservesValue) { 
@@ -252,7 +252,7 @@ module ActiveSupport { } } - private class InOrderOfSummary extends SimpleSummarizedCallable { + private class InOrderOfSummary extends SummarizedCallable::RangeSimple { InOrderOfSummary() { this = "in_order_of" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -265,7 +265,7 @@ module ActiveSupport { /** * Like `Array#push` but doesn't update the receiver. */ - private class IncludingSummary extends SimpleSummarizedCallable { + private class IncludingSummary extends SummarizedCallable::RangeSimple { IncludingSummary() { this = "including" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -287,7 +287,7 @@ module ActiveSupport { } } - private class IndexBySummary extends SimpleSummarizedCallable { + private class IndexBySummary extends SummarizedCallable::RangeSimple { IndexBySummary() { this = "index_by" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -297,7 +297,7 @@ module ActiveSupport { } } - private class IndexWithSummary extends SimpleSummarizedCallable { + private class IndexWithSummary extends SummarizedCallable::RangeSimple { IndexWithSummary() { this = "index_with" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -316,7 +316,7 @@ module ActiveSupport { result = DataFlow::Content::getKnownElementIndex(mc.getArgument(i)).serialize() } - private class PickSingleSummary extends SummarizedCallable { + private class PickSingleSummary extends SummarizedCallable::Range { private MethodCall mc; private string key; @@ -336,7 +336,7 @@ module ActiveSupport { } } - private class PickMultipleSummary extends SummarizedCallable { + private class PickMultipleSummary extends SummarizedCallable::Range { private MethodCall mc; PickMultipleSummary() { 
@@ -370,7 +370,7 @@ module ActiveSupport { } } - private class PluckSingleSummary extends SummarizedCallable { + private class PluckSingleSummary extends SummarizedCallable::Range { private MethodCall mc; private string key; @@ -390,7 +390,7 @@ module ActiveSupport { } } - private class PluckMultipleSummary extends SummarizedCallable { + private class PluckMultipleSummary extends SummarizedCallable::Range { private MethodCall mc; PluckMultipleSummary() { @@ -424,7 +424,7 @@ module ActiveSupport { } } - private class SoleSummary extends SimpleSummarizedCallable { + private class SoleSummary extends SummarizedCallable::RangeSimple { SoleSummary() { this = "sole" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -458,7 +458,7 @@ module ActiveSupport { * `ActiveSupport::ERB::Util` */ module Util { - private class JsonEscapeSummary extends SimpleSummarizedCallable { + private class JsonEscapeSummary extends SummarizedCallable::RangeSimple { JsonEscapeSummary() { this = "json_escape" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { diff --git a/ruby/ql/lib/codeql/ruby/frameworks/Arel.qll b/ruby/ql/lib/codeql/ruby/frameworks/Arel.qll index d4336cd35c5..ae0b37cf78f 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/Arel.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/Arel.qll @@ -18,7 +18,7 @@ module Arel { * Flow summary for `Arel.sql`. This method wraps a SQL string, marking it as * safe. */ - private class SqlSummary extends SummarizedCallable { + private class SqlSummary extends SummarizedCallable::Range { SqlSummary() { this = "Arel.sql" } override MethodCall getACall() { 
@@ -44,7 +44,7 @@ module Arel { * Flow summary for `Arel::Nodes::SqlLiteral.new`. This method wraps a SQL string, marking it as * safe. */ - private class SqlLiteralNewSummary extends SummarizedCallable { + private class SqlLiteralNewSummary extends SummarizedCallable::Range { SqlLiteralNewSummary() { this = "Arel::Nodes::SqlLiteral.new" } override MethodCall getACall() { diff --git a/ruby/ql/lib/codeql/ruby/frameworks/Core.qll b/ruby/ql/lib/codeql/ruby/frameworks/Core.qll index e409e042e6b..c14abdbb2c3 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/Core.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/Core.qll @@ -57,7 +57,7 @@ class SubshellHeredocExecution extends SystemCommandExecution::Range { override predicate isShellInterpreted(DataFlow::Node arg) { arg = this.getAnArgument() } } -private class SplatSummary extends SummarizedCallable { +private class SplatSummary extends SummarizedCallable::Range { SplatSummary() { this = "*(splat)" } override SplatExpr getACallSimple() { any() } @@ -76,7 +76,7 @@ private class SplatSummary extends SummarizedCallable { } } -private class HashSplatSummary extends SummarizedCallable { +private class HashSplatSummary extends SummarizedCallable::Range { HashSplatSummary() { this = "**(hash-splat)" } override HashSplatExpr getACallSimple() { any() } diff --git a/ruby/ql/lib/codeql/ruby/frameworks/Erb.qll b/ruby/ql/lib/codeql/ruby/frameworks/Erb.qll index d29eda88e40..954f21726c4 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/Erb.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/Erb.qll @@ -13,7 +13,7 @@ module Erb { /** * Flow summary for `ERB.new`. This method wraps a template string, compiling it. */ - private class TemplateSummary extends SummarizedCallable { + private class TemplateSummary extends SummarizedCallable::Range { TemplateSummary() { this = "ERB.new" } override MethodCall getACall() { result = any(ErbTemplateNewCall c).asExpr().getExpr() } 
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/Files.qll b/ruby/ql/lib/codeql/ruby/frameworks/Files.qll index b908e3da8f9..1639dac7b60 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/Files.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/Files.qll @@ -103,7 +103,7 @@ module File { * A flow summary for several methods on the `File` class that propagate taint * from their first argument to the return value. */ - class FilePathConversionSummary extends SummarizedCallable { + class FilePathConversionSummary extends SummarizedCallable::Range { string methodName; FilePathConversionSummary() { @@ -126,7 +126,7 @@ module File { * A flow summary for `File.join`, which propagates taint from every argument to * its return value. */ - class FileJoinSummary extends SummarizedCallable { + class FileJoinSummary extends SummarizedCallable::Range { FileJoinSummary() { this = "File.join" } override MethodCall getACall() { diff --git a/ruby/ql/lib/codeql/ruby/frameworks/Ldap.qll b/ruby/ql/lib/codeql/ruby/frameworks/Ldap.qll index f3f12bbd55b..e3f9cd727f7 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/Ldap.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/Ldap.qll @@ -14,7 +14,7 @@ module NetLdap { /** * Flow summary for `Net::LDAP.new`. This method establishes a connection to a LDAP server. */ - private class LdapConnSummary extends SummarizedCallable { + private class LdapConnSummary extends SummarizedCallable::Range { LdapConnSummary() { this = "Net::LDAP.new" } override MethodCall getACall() { result = any(NetLdapConnection l).asExpr().getExpr() } @@ -27,7 +27,7 @@ module NetLdap { /** * Flow summary for `Net::LDAP.Filter`. */ - private class LdapFilterSummary extends SummarizedCallable { + private class LdapFilterSummary extends SummarizedCallable::Range { LdapFilterSummary() { this = "Net::LDAP::Filter" } override MethodCall getACall() { result = any(NetLdapFilter l).asExpr().getExpr() } 
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/Mysql2.qll b/ruby/ql/lib/codeql/ruby/frameworks/Mysql2.qll index efd295c44e7..baca5bba95f 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/Mysql2.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/Mysql2.qll @@ -13,7 +13,7 @@ module Mysql2 { /** * Flow summary for `Mysql2::Client.new()`. */ - private class SqlSummary extends SummarizedCallable { + private class SqlSummary extends SummarizedCallable::Range { SqlSummary() { this = "Mysql2::Client.new()" } override MethodCall getACall() { result = any(Mysql2Connection c).asExpr().getExpr() } @@ -61,7 +61,7 @@ module Mysql2 { /** * Flow summary for `Mysql2::Client.escape()`. */ - private class EscapeSummary extends SummarizedCallable { + private class EscapeSummary extends SummarizedCallable::Range { EscapeSummary() { this = "Mysql2::Client.escape()" } override MethodCall getACall() { result = any(Mysql2EscapeSanitization c).asExpr().getExpr() } diff --git a/ruby/ql/lib/codeql/ruby/frameworks/Pg.qll b/ruby/ql/lib/codeql/ruby/frameworks/Pg.qll index 2c3007cd20b..0c56b6eeb43 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/Pg.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/Pg.qll @@ -13,7 +13,7 @@ module Pg { /** * Flow summary for `PG.new()`. This method initializes a database connection. */ - private class SqlSummary extends SummarizedCallable { + private class SqlSummary extends SummarizedCallable::Range { SqlSummary() { this = "PG.new()" } override MethodCall getACall() { result = any(PgConnection c).asExpr().getExpr() } diff --git a/ruby/ql/lib/codeql/ruby/frameworks/Rails.qll b/ruby/ql/lib/codeql/ruby/frameworks/Rails.qll index 8b657c17ec7..4a9f7fa9c87 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/Rails.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/Rails.qll 
@@ -330,7 +330,7 @@ private class LocalAssignsHashSyntheticGlobal extends string { } /** A summary for `render` calls linked to some specific ERB file. */ -private class RenderLocalsSummary extends SummarizedCallable { +private class RenderLocalsSummary extends SummarizedCallable::Range { private LocalAssignsHashSyntheticGlobal glob; RenderLocalsSummary() { this = "rails_render_locals()" + glob.getId() } @@ -345,7 +345,7 @@ private class RenderLocalsSummary extends SummarizedCallable { } /** A summary for calls to `local_assigns` in a view to access a `render` call `locals` hash. */ -private class AccessLocalsSummary extends SummarizedCallable { +private class AccessLocalsSummary extends SummarizedCallable::Range { private LocalAssignsHashSyntheticGlobal glob; AccessLocalsSummary() { this = "rails_local_assigns()" + glob.getId() } @@ -366,7 +366,7 @@ private string getAMethodNameFromErbFile(ErbFile f) { result = any(MethodCall c | c.getLocation().getFile() = f).getMethodName() } -private class AccessLocalsKeySummary extends SummarizedCallable { +private class AccessLocalsKeySummary extends SummarizedCallable::Range { private LocalAssignsHashSyntheticGlobal glob; private string methodName; diff --git a/ruby/ql/lib/codeql/ruby/frameworks/Sequel.qll b/ruby/ql/lib/codeql/ruby/frameworks/Sequel.qll index 65d091e8229..9a39e80128e 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/Sequel.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/Sequel.qll @@ -14,7 +14,7 @@ private import codeql.ruby.Concepts */ module Sequel { /** Flow Summary for `Sequel`. */ - private class SqlSummary extends SummarizedCallable { + private class SqlSummary extends SummarizedCallable::Range { SqlSummary() { this = "Sequel.connect" } override MethodCall getACall() { result = any(SequelConnection c).asExpr().getExpr() } diff --git a/ruby/ql/lib/codeql/ruby/frameworks/Sinatra.qll b/ruby/ql/lib/codeql/ruby/frameworks/Sinatra.qll index 5b6bb33edf3..eabee2ea513 100644 
--- a/ruby/ql/lib/codeql/ruby/frameworks/Sinatra.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/Sinatra.qll @@ -167,7 +167,7 @@ module Sinatra { * from the `locals` keyword argument to variables in the ERB template. The * second half is modeled by `ErbLocalsAccessSummary`. */ - private class ErbLocalsSummary extends SummarizedCallable { + private class ErbLocalsSummary extends SummarizedCallable::Range { ErbLocalsSummary() { this = "Sinatra::Base#erb" } override MethodCall getACall() { result = any(ErbCall c).asExpr().getExpr() } @@ -191,7 +191,7 @@ module Sinatra { * keyword argument to variables in the ERB template. * The first half is modeled by `ErbLocalsSummary`. */ - private class ErbLocalsAccessSummary extends SummarizedCallable { + private class ErbLocalsAccessSummary extends SummarizedCallable::Range { private ErbLocalsHashSyntheticGlobal global; private string local; diff --git a/ruby/ql/lib/codeql/ruby/frameworks/Sqlite3.qll b/ruby/ql/lib/codeql/ruby/frameworks/Sqlite3.qll index abb7eec297d..f3e7626f733 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/Sqlite3.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/Sqlite3.qll @@ -89,7 +89,7 @@ module Sqlite3 { /** * Flow summary for `SQLite3::Database.quote()`. */ - private class QuoteSummary extends SummarizedCallable { + private class QuoteSummary extends SummarizedCallable::Range { QuoteSummary() { this = "SQLite3::Database.quote()" } override MethodCall getACall() { result = any(SQLite3QuoteSanitization c).asExpr().getExpr() } diff --git a/ruby/ql/lib/codeql/ruby/frameworks/Translation.qll b/ruby/ql/lib/codeql/ruby/frameworks/Translation.qll index cf3f0aa77c4..62e67188d07 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/Translation.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/Translation.qll 
@@ -35,7 +35,7 @@ private MethodCall getControllerHelperTranslateCall() { } /** Flow summary for translation methods. */ -private class TranslateSummary extends SummarizedCallable { +private class TranslateSummary extends SummarizedCallable::Range { TranslateSummary() { this = "I18n.translate" } override MethodCall getACall() { diff --git a/ruby/ql/lib/codeql/ruby/frameworks/core/Array.qll b/ruby/ql/lib/codeql/ruby/frameworks/core/Array.qll index 2da521e54a1..ec21ffc7475 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/core/Array.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/core/Array.qll @@ -41,7 +41,7 @@ module Array { not e instanceof RangeLiteral } - private class ArrayLiteralSummary extends SummarizedCallable { + private class ArrayLiteralSummary extends SummarizedCallable::Range { ArrayLiteralSummary() { this = "Array.[]" } override MethodCall getACallSimple() { result = getAStaticArrayCall("[]") } @@ -55,7 +55,7 @@ module Array { } } - private class NewSummary extends SummarizedCallable { + private class NewSummary extends SummarizedCallable::Range { NewSummary() { this = "Array.new" } override MethodCall getACallSimple() { result = getAStaticArrayCall("new") } @@ -75,7 +75,7 @@ module Array { } } - private class TryConvertSummary extends SummarizedCallable { + private class TryConvertSummary extends SummarizedCallable::Range { TryConvertSummary() { this = "Array.try_convert" } override MethodCall getACallSimple() { result = getAStaticArrayCall("try_convert") } @@ -87,7 +87,7 @@ module Array { } } - private class SetIntersectionSummary extends SummarizedCallable { + private class SetIntersectionSummary extends SummarizedCallable::Range { SetIntersectionSummary() { this = "&" } override BitwiseAndExpr getACallSimple() { any() } 
@@ -99,7 +99,7 @@ module Array { } } - private class SetUnionSummary extends SummarizedCallable { + private class SetUnionSummary extends SummarizedCallable::Range { SetUnionSummary() { this = "|" } override BitwiseOrExpr getACallSimple() { any() } @@ -111,7 +111,7 @@ module Array { } } - private class RepetitionSummary extends SummarizedCallable { + private class RepetitionSummary extends SummarizedCallable::Range { RepetitionSummary() { this = "*" } override MulExpr getACallSimple() { any() } @@ -123,7 +123,7 @@ module Array { } } - private class ConcatenationSummary extends SummarizedCallable { + private class ConcatenationSummary extends SummarizedCallable::Range { ConcatenationSummary() { this = "+" } override AddExpr getACallSimple() { any() } @@ -140,7 +140,7 @@ module Array { } } - abstract private class DifferenceSummaryShared extends SummarizedCallable { + abstract private class DifferenceSummaryShared extends SummarizedCallable::Range { bindingset[this] DifferenceSummaryShared() { any() } @@ -158,7 +158,7 @@ module Array { } /** Flow summary for `Array#<<`. For `Array#append`, see `PushSummary`. */ - private class AppendOperatorSummary extends SummarizedCallable { + private class AppendOperatorSummary extends SummarizedCallable::Range { AppendOperatorSummary() { this = "<<" } override LShiftExpr getACallSimple() { any() } @@ -180,7 +180,7 @@ module Array { } /** A call to `[]`, or its alias, `slice`. */ - abstract private class ElementReferenceReadSummary extends SummarizedCallable { + abstract private class ElementReferenceReadSummary extends SummarizedCallable::Range { MethodCall mc; ElementReferenceReadMethodName methodName; // adding this as a field helps give a better join order @@ -306,7 +306,7 @@ module Array { } /** A call to `[]=`. */ - abstract private class ElementReferenceStoreSummary extends SummarizedCallable { + abstract private class ElementReferenceStoreSummary extends SummarizedCallable::Range { MethodCall mc; bindingset[this] 
@@ -381,7 +381,7 @@ module Array { } } - private class AssocSummary extends SimpleSummarizedCallable { + private class AssocSummary extends SummarizedCallable::RangeSimple { AssocSummary() { this = ["assoc", "rassoc"] } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -391,7 +391,7 @@ module Array { } } - abstract private class AtSummary extends SummarizedCallable { + abstract private class AtSummary extends SummarizedCallable::Range { MethodCall mc; bindingset[this] @@ -430,7 +430,7 @@ module Array { } } - private class BSearchSummary extends SimpleSummarizedCallable { + private class BSearchSummary extends SummarizedCallable::RangeSimple { BSearchSummary() { this = "bsearch" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -440,7 +440,7 @@ module Array { } } - private class BSearchIndexSummary extends SimpleSummarizedCallable { + private class BSearchIndexSummary extends SummarizedCallable::RangeSimple { BSearchIndexSummary() { this = "bsearch_index" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -450,7 +450,7 @@ module Array { } } - private class ClearSummary extends SimpleSummarizedCallable { + private class ClearSummary extends SummarizedCallable::RangeSimple { ClearSummary() { this = "clear" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -460,7 +460,7 @@ module Array { } } - private class CollectBangSummary extends SimpleSummarizedCallable { + private class CollectBangSummary extends SummarizedCallable::RangeSimple { // `map!` is an alias of `collect!`. CollectBangSummary() { this = ["collect!", "map!"] } 
@@ -475,7 +475,7 @@ module Array { } } - private class CombinationSummary extends SimpleSummarizedCallable { + private class CombinationSummary extends SummarizedCallable::RangeSimple { CombinationSummary() { this = "combination" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -489,7 +489,7 @@ module Array { } } - private class CompactBangSummary extends SimpleSummarizedCallable { + private class CompactBangSummary extends SummarizedCallable::RangeSimple { CompactBangSummary() { this = "compact!" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -499,7 +499,7 @@ module Array { } } - private class ConcatSummary extends SimpleSummarizedCallable { + private class ConcatSummary extends SummarizedCallable::RangeSimple { ConcatSummary() { this = "concat" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -509,7 +509,7 @@ module Array { } } - private class DeconstructSummary extends SimpleSummarizedCallable { + private class DeconstructSummary extends SummarizedCallable::RangeSimple { DeconstructSummary() { this = "deconstruct" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -522,7 +522,7 @@ module Array { } } - abstract private class DeleteSummary extends SummarizedCallable { + abstract private class DeleteSummary extends SummarizedCallable::Range { MethodCall mc; bindingset[this] @@ -604,7 +604,7 @@ module Array { } } - abstract private class DeleteAtSummary extends SummarizedCallable { + abstract private class DeleteAtSummary extends SummarizedCallable::Range { MethodCall mc; bindingset[this] @@ -667,7 +667,7 @@ module Array { } } - private class DeleteIfSummary extends SummarizedCallable { + private class DeleteIfSummary extends SummarizedCallable::Range { MethodCall mc; int lastBlockParam; 
@@ -691,7 +691,7 @@ module Array { } } - private class DifferenceSummary extends DifferenceSummaryShared, SimpleSummarizedCallable { + private class DifferenceSummary extends DifferenceSummaryShared, SummarizedCallable::RangeSimple { DifferenceSummary() { this = "difference" } } @@ -728,7 +728,7 @@ module Array { ) } - private class DigSummary extends SummarizedCallable { + private class DigSummary extends SummarizedCallable::Range { private RelevantDigMethodCall dig; DigSummary() { @@ -750,7 +750,7 @@ module Array { } } - private class EachSummary extends SummarizedCallable { + private class EachSummary extends SummarizedCallable::Range { MethodCall mc; int lastBlockParam; @@ -776,7 +776,7 @@ module Array { } } - private class EachIndexSummary extends SimpleSummarizedCallable { + private class EachIndexSummary extends SummarizedCallable::RangeSimple { EachIndexSummary() { this = ["each_index", "each_key"] } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -786,7 +786,7 @@ module Array { } } - abstract private class FetchSummary extends SummarizedCallable { + abstract private class FetchSummary extends SummarizedCallable::Range { MethodCall mc; bindingset[this] @@ -839,7 +839,7 @@ module Array { } } - abstract private class FillSummary extends SummarizedCallable { + abstract private class FillSummary extends SummarizedCallable::Range { MethodCall mc; bindingset[this] @@ -882,7 +882,7 @@ module Array { * Note that we model flow from elements up to 3 levels of nesting * (`[[[1],[2]]]`), but not beyond that. */ - private class FlattenSummary extends SimpleSummarizedCallable { + private class FlattenSummary extends SummarizedCallable::RangeSimple { FlattenSummary() { this = "flatten" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { 
@@ -898,7 +898,7 @@ module Array { } } - private class FlattenBangSummary extends SimpleSummarizedCallable { + private class FlattenBangSummary extends SummarizedCallable::RangeSimple { FlattenBangSummary() { this = "flatten!" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -917,7 +917,7 @@ module Array { } } - private class IndexSummary extends SimpleSummarizedCallable { + private class IndexSummary extends SummarizedCallable::RangeSimple { IndexSummary() { this = ["index", "rindex"] } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -927,7 +927,7 @@ module Array { } } - abstract private class InsertSummary extends SummarizedCallable { + abstract private class InsertSummary extends SummarizedCallable::Range { MethodCall mc; bindingset[this] @@ -995,7 +995,7 @@ module Array { } } - private class IntersectionSummary extends SummarizedCallable { + private class IntersectionSummary extends SummarizedCallable::Range { MethodCall mc; IntersectionSummary() { this = "intersection" and mc.getMethodName() = this } @@ -1015,7 +1015,7 @@ module Array { override MethodCall getACallSimple() { result = mc } } - private class KeepIfSummary extends SummarizedCallable { + private class KeepIfSummary extends SummarizedCallable::Range { MethodCall mc; int lastBlockParam; @@ -1042,7 +1042,7 @@ module Array { } } - abstract private class LastSummary extends SummarizedCallable { + abstract private class LastSummary extends SummarizedCallable::Range { MethodCall mc; bindingset[this] @@ -1071,7 +1071,7 @@ module Array { } } - private class PackSummary extends SimpleSummarizedCallable { + private class PackSummary extends SummarizedCallable::RangeSimple { PackSummary() { this = "pack" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { 
@@ -1081,7 +1081,7 @@ module Array { } } - private class PermutationSummary extends SimpleSummarizedCallable { + private class PermutationSummary extends SummarizedCallable::RangeSimple { PermutationSummary() { this = ["permutation", "repeated_combination", "repeated_permutation"] } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -1096,7 +1096,7 @@ module Array { } } - abstract private class PopSummary extends SummarizedCallable { + abstract private class PopSummary extends SummarizedCallable::Range { MethodCall mc; bindingset[this] @@ -1131,7 +1131,7 @@ module Array { } } - private class PrependSummary extends SummarizedCallable { + private class PrependSummary extends SummarizedCallable::Range { private MethodCall mc; // `unshift` is an alias for `prepend` @@ -1169,7 +1169,7 @@ module Array { } } - private class ProductSummary extends SimpleSummarizedCallable { + private class ProductSummary extends SummarizedCallable::RangeSimple { ProductSummary() { this = "product" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -1185,7 +1185,7 @@ module Array { } } - private class JoinSummary extends SimpleSummarizedCallable { + private class JoinSummary extends SummarizedCallable::RangeSimple { JoinSummary() { this = ["join"] } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -1195,7 +1195,7 @@ module Array { } } - private class PushSummary extends SimpleSummarizedCallable { + private class PushSummary extends SummarizedCallable::RangeSimple { // `append` is an alias for `push` PushSummary() { this = ["push", "append"] } @@ -1213,7 +1213,7 @@ module Array { } } - private class RejectBangSummary extends SummarizedCallable { + private class RejectBangSummary extends SummarizedCallable::Range { MethodCall mc; int lastBlockParam; 
@@ -1237,7 +1237,7 @@ module Array { } } - private class ReplaceSummary extends SimpleSummarizedCallable { + private class ReplaceSummary extends SummarizedCallable::RangeSimple { ReplaceSummary() { this = "replace" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -1251,7 +1251,7 @@ module Array { } } - private class ReverseSummary extends SimpleSummarizedCallable { + private class ReverseSummary extends SummarizedCallable::RangeSimple { ReverseSummary() { this = "reverse" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -1261,7 +1261,7 @@ module Array { } } - private class ReverseBangSummary extends SimpleSummarizedCallable { + private class ReverseBangSummary extends SummarizedCallable::RangeSimple { ReverseBangSummary() { this = "reverse!" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -1271,7 +1271,7 @@ module Array { } } - abstract private class RotateSummary extends SummarizedCallable { + abstract private class RotateSummary extends SummarizedCallable::Range { MethodCall mc; bindingset[this] @@ -1322,7 +1322,7 @@ module Array { } } - abstract private class RotateBangSummary extends SummarizedCallable { + abstract private class RotateBangSummary extends SummarizedCallable::Range { MethodCall mc; bindingset[this] @@ -1382,7 +1382,7 @@ module Array { } } - private class SelectBangSummary extends SummarizedCallable { + private class SelectBangSummary extends SummarizedCallable::Range { MethodCall mc; int lastBlockParam; @@ -1414,7 +1414,7 @@ module Array { } } - abstract private class ShiftSummary extends SummarizedCallable { + abstract private class ShiftSummary extends SummarizedCallable::Range { MethodCall mc; bindingset[this] 
@@ -1502,7 +1502,7 @@ module Array { } } - private class ShuffleSummary extends SimpleSummarizedCallable { + private class ShuffleSummary extends SummarizedCallable::RangeSimple { ShuffleSummary() { this = "shuffle" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -1512,7 +1512,7 @@ module Array { } } - private class ShuffleBangSummary extends SimpleSummarizedCallable { + private class ShuffleBangSummary extends SummarizedCallable::RangeSimple { ShuffleBangSummary() { this = "shuffle!" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -1522,7 +1522,7 @@ module Array { } } - abstract private class SliceBangSummary extends SummarizedCallable { + abstract private class SliceBangSummary extends SummarizedCallable::Range { MethodCall mc; bindingset[this] @@ -1684,7 +1684,7 @@ module Array { } } - private class SortBangSummary extends SimpleSummarizedCallable { + private class SortBangSummary extends SummarizedCallable::RangeSimple { SortBangSummary() { this = "sort!" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -1702,7 +1702,7 @@ module Array { } } - private class SortByBangSummary extends SimpleSummarizedCallable { + private class SortByBangSummary extends SummarizedCallable::RangeSimple { SortByBangSummary() { this = "sort_by!" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -1717,7 +1717,7 @@ module Array { } } - private class TransposeSummary extends SimpleSummarizedCallable { + private class TransposeSummary extends SummarizedCallable::RangeSimple { TransposeSummary() { this = "transpose" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { 
@@ -1742,7 +1742,7 @@ module Array { } } - private class UniqBangSummary extends SimpleSummarizedCallable { + private class UniqBangSummary extends SummarizedCallable::RangeSimple { UniqBangSummary() { this = "uniq!" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -1757,7 +1757,7 @@ module Array { } } - private class UnionSummary extends SimpleSummarizedCallable { + private class UnionSummary extends SummarizedCallable::RangeSimple { UnionSummary() { this = "union" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -1773,7 +1773,7 @@ module Array { } } - abstract private class ValuesAtSummary extends SummarizedCallable { + abstract private class ValuesAtSummary extends SummarizedCallable::Range { MethodCall mc; bindingset[this] @@ -1829,7 +1829,7 @@ module Array { * https://docs.ruby-lang.org/en/3.1/Enumerable.html */ module Enumerable { - private class ChunkSummary extends SimpleSummarizedCallable { + private class ChunkSummary extends SummarizedCallable::RangeSimple { ChunkSummary() { this = "chunk" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -1839,7 +1839,7 @@ module Enumerable { } } - private class ChunkWhileSummary extends SimpleSummarizedCallable { + private class ChunkWhileSummary extends SummarizedCallable::RangeSimple { ChunkWhileSummary() { this = "chunk_while" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -1849,7 +1849,7 @@ module Enumerable { } } - private class CollectSummary extends SimpleSummarizedCallable { + private class CollectSummary extends SummarizedCallable::RangeSimple { // `map` is an alias of `collect`. CollectSummary() { this = ["collect", "map"] } 
@@ -1865,7 +1865,7 @@ module Enumerable { } } - private class CollectConcatSummary extends SimpleSummarizedCallable { + private class CollectConcatSummary extends SummarizedCallable::RangeSimple { // `flat_map` is an alias of `collect_concat`. CollectConcatSummary() { this = ["collect_concat", "flat_map"] } @@ -1880,7 +1880,7 @@ module Enumerable { } } - private class CompactSummary extends SimpleSummarizedCallable { + private class CompactSummary extends SummarizedCallable::RangeSimple { CompactSummary() { this = "compact" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -1897,7 +1897,7 @@ module Enumerable { } } - private class CountSummary extends SimpleSummarizedCallable { + private class CountSummary extends SummarizedCallable::RangeSimple { CountSummary() { this = "count" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -1907,7 +1907,7 @@ module Enumerable { } } - private class CycleSummary extends SimpleSummarizedCallable { + private class CycleSummary extends SummarizedCallable::RangeSimple { CycleSummary() { this = "cycle" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -1917,7 +1917,7 @@ module Enumerable { } } - private class DetectSummary extends SimpleSummarizedCallable { + private class DetectSummary extends SummarizedCallable::RangeSimple { // `find` is an alias of `detect`. DetectSummary() { this = ["detect", "find"] } @@ -1933,7 +1933,7 @@ module Enumerable { } } - abstract private class DropSummary extends SummarizedCallable { + abstract private class DropSummary extends SummarizedCallable::Range { MethodCall mc; bindingset[this] 
@@ -1978,7 +1978,7 @@ module Enumerable { } } - private class DropWhileSummary extends SimpleSummarizedCallable { + private class DropWhileSummary extends SummarizedCallable::RangeSimple { DropWhileSummary() { this = "drop_while" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -1988,7 +1988,7 @@ module Enumerable { } } - private class EachConsSummary extends SimpleSummarizedCallable { + private class EachConsSummary extends SummarizedCallable::RangeSimple { EachConsSummary() { this = "each_cons" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -1998,7 +1998,7 @@ module Enumerable { } } - private class EachEntrySummary extends SimpleSummarizedCallable { + private class EachEntrySummary extends SummarizedCallable::RangeSimple { EachEntrySummary() { this = "each_entry" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -2013,7 +2013,7 @@ module Enumerable { } } - private class EachSliceSummary extends SimpleSummarizedCallable { + private class EachSliceSummary extends SummarizedCallable::RangeSimple { EachSliceSummary() { this = "each_slice" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -2028,7 +2028,7 @@ module Enumerable { } } - private class EachWithIndexSummary extends SimpleSummarizedCallable { + private class EachWithIndexSummary extends SummarizedCallable::RangeSimple { EachWithIndexSummary() { this = "each_with_index" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -2043,7 +2043,7 @@ module Enumerable { } } - private class EachWithObjectSummary extends SimpleSummarizedCallable { + private class EachWithObjectSummary extends SummarizedCallable::RangeSimple { EachWithObjectSummary() { this = "each_with_object" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { 
@@ -2058,7 +2058,7 @@ module Enumerable { } } - private class FilterMapSummary extends SimpleSummarizedCallable { + private class FilterMapSummary extends SummarizedCallable::RangeSimple { FilterMapSummary() { this = "filter_map" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -2072,7 +2072,7 @@ module Enumerable { } } - private class FindIndexSummary extends SimpleSummarizedCallable { + private class FindIndexSummary extends SummarizedCallable::RangeSimple { FindIndexSummary() { this = "find_index" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -2082,7 +2082,7 @@ module Enumerable { } } - abstract private class FirstSummary extends SummarizedCallable { + abstract private class FirstSummary extends SummarizedCallable::Range { MethodCall mc; bindingset[this] @@ -2141,7 +2141,7 @@ module Enumerable { GrepMethodName() { this = ["grep", "grep_v"] } } - abstract private class GrepSummary extends SummarizedCallable { + abstract private class GrepSummary extends SummarizedCallable::Range { MethodCall mc; GrepMethodName methodName; // adding this as a field helps give a better join order @@ -2176,7 +2176,7 @@ module Enumerable { } } - private class GroupBySummary extends SimpleSummarizedCallable { + private class GroupBySummary extends SummarizedCallable::RangeSimple { GroupBySummary() { this = "group_by" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -2192,7 +2192,7 @@ module Enumerable { InjectMethodName() { this = ["inject", "reduce"] } } - abstract private class InjectSummary extends SummarizedCallable { + abstract private class InjectSummary extends SummarizedCallable::Range { MethodCall mc; InjectMethodName methodName; // adding this as a field helps give a better join order 
@@ -2245,7 +2245,7 @@ module Enumerable { MinOrMaxByMethodName() { this = ["min_by", "max_by"] } } - abstract private class MinOrMaxBySummary extends SummarizedCallable { + abstract private class MinOrMaxBySummary extends SummarizedCallable::Range { MethodCall mc; MinOrMaxByMethodName methodName; // adding this as a field helps give a better join order @@ -2285,7 +2285,7 @@ module Enumerable { MinOrMaxMethodName() { this = ["min", "max"] } } - abstract private class MinOrMaxSummary extends SummarizedCallable { + abstract private class MinOrMaxSummary extends SummarizedCallable::Range { MethodCall mc; MinOrMaxMethodName methodName; // adding this as a field helps give a better join order @@ -2352,7 +2352,7 @@ module Enumerable { } } - abstract private class MinmaxSummary extends SummarizedCallable { + abstract private class MinmaxSummary extends SummarizedCallable::Range { MethodCall mc; bindingset[this] @@ -2388,7 +2388,7 @@ module Enumerable { } } - private class MinmaxBySummary extends SimpleSummarizedCallable { + private class MinmaxBySummary extends SummarizedCallable::RangeSimple { MinmaxBySummary() { this = "minmax_by" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -2398,7 +2398,7 @@ module Enumerable { } } - private class PartitionSummary extends SimpleSummarizedCallable { + private class PartitionSummary extends SummarizedCallable::RangeSimple { PartitionSummary() { this = "partition" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -2408,7 +2408,7 @@ module Enumerable { } } - private class QuerySummary extends SummarizedCallable { + private class QuerySummary extends SummarizedCallable::Range { MethodCall mc; int lastBlockParam; @@ -2428,7 +2428,7 @@ module Enumerable { } } - private class RejectSummary extends SummarizedCallable { + private class RejectSummary extends SummarizedCallable::Range { MethodCall mc; int lastBlockParam; 
@@ -2452,7 +2452,7 @@ module Enumerable { } } - private class SelectSummary extends SummarizedCallable { + private class SelectSummary extends SummarizedCallable::Range { MethodCall mc; int lastBlockParam; @@ -2481,7 +2481,7 @@ module Enumerable { } } - private class SliceBeforeAfterSummary extends SimpleSummarizedCallable { + private class SliceBeforeAfterSummary extends SummarizedCallable::RangeSimple { SliceBeforeAfterSummary() { this = ["slice_before", "slice_after"] } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -2491,7 +2491,7 @@ module Enumerable { } } - private class SliceWhenSummary extends SimpleSummarizedCallable { + private class SliceWhenSummary extends SummarizedCallable::RangeSimple { SliceWhenSummary() { this = "slice_when" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -2501,7 +2501,7 @@ module Enumerable { } } - private class SortSummary extends SimpleSummarizedCallable { + private class SortSummary extends SummarizedCallable::RangeSimple { SortSummary() { this = "sort" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -2512,7 +2512,7 @@ module Enumerable { } } - private class SortBySummary extends SimpleSummarizedCallable { + private class SortBySummary extends SummarizedCallable::RangeSimple { SortBySummary() { this = "sort_by" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -2522,7 +2522,7 @@ module Enumerable { } } - private class SumSummary extends SimpleSummarizedCallable { + private class SumSummary extends SummarizedCallable::RangeSimple { SumSummary() { this = "sum" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { 
@@ -2532,7 +2532,7 @@ module Enumerable { } } - abstract private class TakeSummary extends SummarizedCallable { + abstract private class TakeSummary extends SummarizedCallable::Range { MethodCall mc; bindingset[this] @@ -2579,7 +2579,7 @@ module Enumerable { } } - private class TakeWhileSummary extends SimpleSummarizedCallable { + private class TakeWhileSummary extends SummarizedCallable::RangeSimple { TakeWhileSummary() { this = "take_while" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -2596,7 +2596,7 @@ module Enumerable { } } - private class ToASummary extends SimpleSummarizedCallable { + private class ToASummary extends SummarizedCallable::RangeSimple { // `entries` is an alias of `to_a`. // `to_ary` works a bit like `to_a` (close enough for our purposes). ToASummary() { this = ["to_a", "entries", "to_ary"] } @@ -2608,7 +2608,7 @@ module Enumerable { } } - private class UniqSummary extends SimpleSummarizedCallable { + private class UniqSummary extends SummarizedCallable::RangeSimple { UniqSummary() { this = "uniq" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -2618,7 +2618,7 @@ module Enumerable { } } - abstract private class ZipSummary extends SummarizedCallable { + abstract private class ZipSummary extends SummarizedCallable::Range { MethodCall mc; bindingset[this] diff --git a/ruby/ql/lib/codeql/ruby/frameworks/core/Base64.qll b/ruby/ql/lib/codeql/ruby/frameworks/core/Base64.qll index fbf7470847e..b9abf7cba4c 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/core/Base64.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/core/Base64.qll @@ -6,7 +6,7 @@ private import ruby private import codeql.ruby.dataflow.FlowSummary private import codeql.ruby.ApiGraphs -private class Base64Decode extends SummarizedCallable { +private class Base64Decode extends SummarizedCallable::Range { Base64Decode() { this = "Base64.decode64()" } override MethodCall getACall() { 
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/core/Hash.qll b/ruby/ql/lib/codeql/ruby/frameworks/core/Hash.qll index 38a9a70f0d3..36d7bd2cc75 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/core/Hash.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/core/Hash.qll @@ -26,7 +26,7 @@ module Hash { resolveConstantReadAccess(result.getReceiver()) = TResolved("Hash") } - private class HashLiteralSummary extends SummarizedCallable { + private class HashLiteralSummary extends SummarizedCallable::Range { HashLiteralSummary() { this = "Hash.[]" } final override MethodCall getACallSimple() { result = getAStaticHashCall("[]") } @@ -54,7 +54,7 @@ module Hash { * Hash[ [ [:foo, 0], [:bar, 1] ] ] # => {:foo=>0, :bar=>1} * ``` */ - private class HashNewSummary extends SummarizedCallable { + private class HashNewSummary extends SummarizedCallable::Range { HashNewSummary() { this = "Hash[]" } final override MethodCall getACallSimple() { @@ -83,7 +83,7 @@ module Hash { * Hash[:foo, 0, :bar, 1] # => {:foo=>0, :bar=>1} * ``` */ - private class HashNewSuccessivePairsSummary extends SummarizedCallable { + private class HashNewSuccessivePairsSummary extends SummarizedCallable::Range { private int i; private ConstantValue key; @@ -110,7 +110,7 @@ module Hash { } } - private class TryConvertSummary extends SummarizedCallable { + private class TryConvertSummary extends SummarizedCallable::Range { TryConvertSummary() { this = "Hash.try_convert" } override MethodCall getACallSimple() { result = getAStaticHashCall("try_convert") } @@ -122,7 +122,7 @@ module Hash { } } - abstract private class StoreSummary extends SummarizedCallable { + abstract private class StoreSummary extends SummarizedCallable::Range { MethodCall mc; bindingset[this] @@ -173,7 +173,7 @@ module Hash { } } - abstract private class AssocSummary extends SummarizedCallable { + abstract private class AssocSummary extends SummarizedCallable::Range { MethodCall mc; bindingset[this] 
@@ -199,7 +199,7 @@ module Hash { } } - private class AssocUnknownSummary extends SummarizedCallable { + private class AssocUnknownSummary extends SummarizedCallable::Range { AssocUnknownSummary() { this = "assoc-unknown-arg" } override MethodCall getACallSimple() { @@ -215,7 +215,7 @@ module Hash { } } - private class EachPairSummary extends SimpleSummarizedCallable { + private class EachPairSummary extends SummarizedCallable::RangeSimple { EachPairSummary() { this = "each_pair" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -230,7 +230,7 @@ module Hash { } } - private class EachValueSummary extends SimpleSummarizedCallable { + private class EachValueSummary extends SummarizedCallable::RangeSimple { EachValueSummary() { this = "each_value" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -250,7 +250,7 @@ module Hash { result = DataFlow::Content::getKnownElementIndex(mc.getArgument(i)).serialize() } - private class ExceptSummary extends SummarizedCallable { + private class ExceptSummary extends SummarizedCallable::Range { MethodCall mc; ExceptSummary() { @@ -282,7 +282,7 @@ module Hash { } } -abstract private class FetchValuesSummary extends SummarizedCallable { +abstract private class FetchValuesSummary extends SummarizedCallable::Range { MethodCall mc; bindingset[this] @@ -338,7 +338,7 @@ private class FetchValuesUnknownSummary extends FetchValuesSummary { } } -private class MergeSummary extends SimpleSummarizedCallable { +private class MergeSummary extends SummarizedCallable::RangeSimple { MergeSummary() { // deep_merge is an ActiveSupport extension // https://api.rubyonrails.org/classes/Hash.html#method-i-deep_merge 
@@ -357,7 +357,7 @@ private class MergeSummary extends SimpleSummarizedCallable { } } -private class MergeBangSummary extends SimpleSummarizedCallable { +private class MergeBangSummary extends SummarizedCallable::RangeSimple { MergeBangSummary() { // deep_merge! is an ActiveSupport extension // https://api.rubyonrails.org/classes/Hash.html#method-i-deep_merge-21 @@ -376,7 +376,7 @@ private class MergeBangSummary extends SimpleSummarizedCallable { } } -private class RassocSummary extends SimpleSummarizedCallable { +private class RassocSummary extends SummarizedCallable::RangeSimple { RassocSummary() { this = "rassoc" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -386,7 +386,7 @@ private class RassocSummary extends SimpleSummarizedCallable { } } -abstract private class SliceSummary extends SummarizedCallable { +abstract private class SliceSummary extends SummarizedCallable::Range { MethodCall mc; bindingset[this] @@ -424,7 +424,7 @@ private class SliceUnknownSummary extends SliceSummary { } } -private class ToASummary extends SimpleSummarizedCallable { +private class ToASummary extends SummarizedCallable::RangeSimple { ToASummary() { this = "to_a" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -434,7 +434,7 @@ private class ToASummary extends SimpleSummarizedCallable { } } -private class ToHWithoutBlockSummary extends SimpleSummarizedCallable { +private class ToHWithoutBlockSummary extends SummarizedCallable::RangeSimple { ToHWithoutBlockSummary() { this = ["to_h", "to_hash"] and not exists(mc.getBlock()) } override predicate propagatesFlow(string input, string output, boolean preservesValue) { 
@@ -444,7 +444,7 @@ private class ToHWithoutBlockSummary extends SimpleSummarizedCallable { } } -private class ToHWithBlockSummary extends SimpleSummarizedCallable { +private class ToHWithBlockSummary extends SummarizedCallable::RangeSimple { ToHWithBlockSummary() { this = "to_h" and exists(mc.getBlock()) } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -459,7 +459,7 @@ private class ToHWithBlockSummary extends SimpleSummarizedCallable { } } -private class TransformKeysSummary extends SimpleSummarizedCallable { +private class TransformKeysSummary extends SummarizedCallable::RangeSimple { TransformKeysSummary() { this = "transform_keys" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -469,7 +469,7 @@ private class TransformKeysSummary extends SimpleSummarizedCallable { } } -private class TransformKeysBangSummary extends SimpleSummarizedCallable { +private class TransformKeysBangSummary extends SummarizedCallable::RangeSimple { TransformKeysBangSummary() { this = "transform_keys!" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -481,7 +481,7 @@ private class TransformKeysBangSummary extends SimpleSummarizedCallable { } } -private class TransformValuesSummary extends SimpleSummarizedCallable { +private class TransformValuesSummary extends SummarizedCallable::RangeSimple { TransformValuesSummary() { this = "transform_values" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -496,7 +496,7 @@ private class TransformValuesSummary extends SimpleSummarizedCallable { } } -private class TransformValuesBangSummary extends SimpleSummarizedCallable { +private class TransformValuesBangSummary extends SummarizedCallable::RangeSimple { TransformValuesBangSummary() { this = "transform_values!" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { 
@@ -514,7 +514,7 @@ private class TransformValuesBangSummary extends SimpleSummarizedCallable { } } -private class ValuesSummary extends SimpleSummarizedCallable { +private class ValuesSummary extends SummarizedCallable::RangeSimple { ValuesSummary() { this = "values" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -526,7 +526,7 @@ private class ValuesSummary extends SimpleSummarizedCallable { // We don't (yet) track data flow through hash keys, but this is still useful in cases where a // whole hash(like) object is tainted, such as `ActionController#params`. -private class KeysSummary extends SimpleSummarizedCallable { +private class KeysSummary extends SummarizedCallable::RangeSimple { KeysSummary() { this = "keys" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { diff --git a/ruby/ql/lib/codeql/ruby/frameworks/core/Kernel.qll b/ruby/ql/lib/codeql/ruby/frameworks/core/Kernel.qll index 0342932a614..d5857efad8a 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/core/Kernel.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/core/Kernel.qll @@ -195,7 +195,7 @@ module Kernel { override predicate runsArbitraryCode() { none() } } - private class TapSummary extends SimpleSummarizedCallable { + private class TapSummary extends SummarizedCallable::RangeSimple { TapSummary() { this = "tap" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -226,7 +226,7 @@ module Kernel { * A call to `Array()`, that converts it's singular argument to an array. * This summary is based on https://ruby-doc.org/3.2.1/Kernel.html#method-i-Array */ - private class KernelArraySummary extends SummarizedCallable { + private class KernelArraySummary extends SummarizedCallable::Range { KernelArraySummary() { this = "Array()" } override MethodCall getACallSimple() { 
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/core/Object.qll b/ruby/ql/lib/codeql/ruby/frameworks/core/Object.qll index 5fbb1b6eff7..85afa6fc93f 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/core/Object.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/core/Object.qll @@ -33,7 +33,7 @@ module Object { ] } - private class DupSummary extends SimpleSummarizedCallable { + private class DupSummary extends SummarizedCallable::RangeSimple { DupSummary() { this = "dup" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { diff --git a/ruby/ql/lib/codeql/ruby/frameworks/core/String.qll b/ruby/ql/lib/codeql/ruby/frameworks/core/String.qll index 23a902c0019..ae77492e0c0 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/core/String.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/core/String.qll @@ -110,16 +110,16 @@ module String { } /** A `String` callable with a flow summary. */ - abstract class SummarizedCallable extends FlowSummary::SummarizedCallable { + abstract class SummarizedCallable extends FlowSummary::SummarizedCallable::Range { bindingset[this] SummarizedCallable() { any() } } - abstract private class SimpleSummarizedCallable extends SummarizedCallable, - FlowSummary::SimpleSummarizedCallable + abstract private class SummarizedCallableSimple extends SummarizedCallable, + FlowSummary::SummarizedCallable::RangeSimple { bindingset[this] - SimpleSummarizedCallable() { any() } + SummarizedCallableSimple() { any() } } private class NewSummary extends SummarizedCallable { @@ -154,7 +154,7 @@ module String { /** * A flow summary for the `String#%` method. */ - private class FormatSummary extends SimpleSummarizedCallable { + private class FormatSummary extends SummarizedCallableSimple { FormatSummary() { this = "%" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { 
@@ -168,7 +168,7 @@ module String { /** * A flow summary for the `String#b` method. */ - private class BSummary extends SimpleSummarizedCallable { + private class BSummary extends SummarizedCallableSimple { BSummary() { this = "b" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -179,7 +179,7 @@ module String { /** * A flow summary for the `String#byteslice` method. */ - private class BytesliceSummary extends SimpleSummarizedCallable { + private class BytesliceSummary extends SummarizedCallableSimple { BytesliceSummary() { this = "byteslice" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -190,7 +190,7 @@ module String { /** * A flow summary for `String#capitalize(!)`. */ - private class CapitalizeSummary extends SimpleSummarizedCallable { + private class CapitalizeSummary extends SummarizedCallableSimple { CapitalizeSummary() { this = ["capitalize", "capitalize!"] } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -203,7 +203,7 @@ module String { /** * A flow summary for `String#center`, `String#ljust` and `String#rjust`. */ - private class CenterSummary extends SimpleSummarizedCallable { + private class CenterSummary extends SummarizedCallableSimple { CenterSummary() { this = ["center", "ljust", "rjust"] } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -218,7 +218,7 @@ module String { /** * A flow summary for the `String#chomp`, `String#chomp!`, `String#chop` and `String#chop!` methods. */ - private class ChompSummary extends SimpleSummarizedCallable { + private class ChompSummary extends SummarizedCallableSimple { ChompSummary() { this = ["chomp", "chomp!", "chop", "chop!"] } override predicate propagatesFlow(string input, string output, boolean preservesValue) { 
@@ -236,7 +236,7 @@ module String { * We can't currently write this summary because there is no `DataFlow::Content` node to refer to (unlike with `Array#clear`). * We need a `DataFlow::Content` node in order to override `clearsContent`. */ - private class ClearSummary extends SimpleSummarizedCallable { + private class ClearSummary extends SummarizedCallableSimple { ClearSummary() { none() } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -247,7 +247,7 @@ module String { /** * A flow summary for `String#concat` and `String#prepend`. */ - private class ConcatSummary extends SimpleSummarizedCallable { + private class ConcatSummary extends SummarizedCallableSimple { ConcatSummary() { // `concat` and `prepend` omitted because they clash with the summaries for // `Array#concat` and `Array#prepend`. @@ -265,7 +265,7 @@ module String { /** * A flow summary for `String#delete(!)`, `String#delete_prefix(!)` and `String#delete_suffix(!)`. */ - private class DeleteSummary extends SimpleSummarizedCallable { + private class DeleteSummary extends SummarizedCallableSimple { DeleteSummary() { this = ["delete", "delete_prefix", "delete_suffix"] + ["", "!"] } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -276,7 +276,7 @@ module String { /** * A flow summary for `String#downcase(!)`, `String#upcase` and `String#swapcase(!)`. */ - private class DowncaseSummary extends SimpleSummarizedCallable { + private class DowncaseSummary extends SummarizedCallableSimple { DowncaseSummary() { this = ["downcase", "upcase", "swapcase"] + ["", "!"] } override predicate propagatesFlow(string input, string output, boolean preservesValue) { 
@@ -287,7 +287,7 @@ module String { /** * A flow summary for `String#dump` and `String#undump`. */ - private class DumpSummary extends SimpleSummarizedCallable { + private class DumpSummary extends SummarizedCallableSimple { DumpSummary() { this = ["dump", "undump"] } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -337,7 +337,7 @@ module String { /** * A flow summary for `String#encode(!)` and `String#unicode_normalize(!)`. */ - private class EncodeSummary extends SimpleSummarizedCallable { + private class EncodeSummary extends SummarizedCallableSimple { EncodeSummary() { this = ["encode", "unicode_normalize"] + ["", "!"] } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -348,7 +348,7 @@ module String { /** * A flow summary for `String#force_encoding`. */ - private class ForceEncodingSummary extends SimpleSummarizedCallable { + private class ForceEncodingSummary extends SummarizedCallableSimple { ForceEncodingSummary() { this = "force_encoding" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -359,7 +359,7 @@ module String { /** * A flow summary for `String#freeze`. */ - private class FreezeSummary extends SimpleSummarizedCallable { + private class FreezeSummary extends SummarizedCallableSimple { FreezeSummary() { this = "freeze" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -370,7 +370,7 @@ module String { /** * A flow summary for `String#gsub(!)` and `String#sub(!)`. */ - private class GsubSummary extends SimpleSummarizedCallable { + private class GsubSummary extends SummarizedCallableSimple { GsubSummary() { this = ["sub", "gsub"] + ["", "!"] } // str.gsub(pattern, replacement) -> new_str 
@@ -389,7 +389,7 @@ module String { /** * A flow summary for `String#insert`. */ - private class InsertSummary extends SimpleSummarizedCallable { + private class InsertSummary extends SummarizedCallableSimple { InsertSummary() { this = "insert" and // Disabled because it clashes with the summary for Array#insert. @@ -406,7 +406,7 @@ module String { /** * A flow summary for `String#inspect`. */ - private class InspectSummary extends SimpleSummarizedCallable { + private class InspectSummary extends SummarizedCallableSimple { InspectSummary() { this = "inspect" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -417,7 +417,7 @@ module String { /** * A flow summary for `String#strip(!)`, `String#lstrip(!)` and `String#rstrip(!)`. */ - private class StripSummary extends SimpleSummarizedCallable { + private class StripSummary extends SummarizedCallableSimple { StripSummary() { this = ["strip", "lstrip", "rstrip"] + ["", "!"] } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -428,7 +428,7 @@ module String { /** * A flow summary for `String#next(!)` and `String#succ(!)`. */ - private class NextSummary extends SimpleSummarizedCallable { + private class NextSummary extends SummarizedCallableSimple { NextSummary() { this = ["next", "succ"] + ["", "!"] } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -439,7 +439,7 @@ module String { /** * A flow summary for `String#partition` and `String#rpartition`. */ - private class PartitionSummary extends SimpleSummarizedCallable { + private class PartitionSummary extends SummarizedCallableSimple { PartitionSummary() { this = ["partition", "rpartition"] } override predicate propagatesFlow(string input, string output, boolean preservesValue) { 
@@ -452,7 +452,7 @@ module String { /** * A flow summary for `String#replace`. */ - private class ReplaceSummary extends SimpleSummarizedCallable { + private class ReplaceSummary extends SummarizedCallableSimple { ReplaceSummary() { this = "replace" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -466,7 +466,7 @@ module String { /** * A flow summary for `String#reverse(!)`. */ - private class ReverseSummary extends SimpleSummarizedCallable { + private class ReverseSummary extends SummarizedCallableSimple { ReverseSummary() { this = ["reverse", "reverse!"] } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -560,7 +560,7 @@ module String { /** * A flow summary for `String#shellescape`. */ - private class ShellescapeSummary extends SimpleSummarizedCallable { + private class ShellescapeSummary extends SummarizedCallableSimple { ShellescapeSummary() { this = "shellescape" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -571,7 +571,7 @@ module String { /** * A flow summary for `String#shellsplit`. */ - private class ShellSplitSummary extends SimpleSummarizedCallable { + private class ShellSplitSummary extends SummarizedCallableSimple { ShellSplitSummary() { this = "shellsplit" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -584,7 +584,7 @@ module String { /** * A flow summary for `String#slice(!)`, `String#split` and `String#[]`. */ - private class SliceSummary extends SimpleSummarizedCallable { + private class SliceSummary extends SummarizedCallableSimple { SliceSummary() { this = ["slice", "slice!", "split", "[]"] } override predicate propagatesFlow(string input, string output, boolean preservesValue) { 
@@ -595,7 +595,7 @@ module String { /** * A flow summary for `String#squeeze(!)`. */ - private class SqueezeSummary extends SimpleSummarizedCallable { + private class SqueezeSummary extends SummarizedCallableSimple { SqueezeSummary() { this = ["squeeze", "squeeze!"] } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -606,7 +606,7 @@ module String { /** * A flow summary for `String#to_s` and `String.to_str`. */ - private class ToStrSummary extends SimpleSummarizedCallable { + private class ToStrSummary extends SummarizedCallableSimple { ToStrSummary() { this = ["to_str", "to_s"] } override predicate propagatesFlow(string input, string output, boolean preservesValue) { @@ -617,7 +617,7 @@ module String { /** * A flow summary for `String#tr`. */ - private class TrSummary extends SimpleSummarizedCallable { + private class TrSummary extends SummarizedCallableSimple { TrSummary() { this = ["tr", "tr_s"] + ["", "!"] } override predicate propagatesFlow(string input, string output, boolean preservesValue) { diff --git a/ruby/ql/lib/codeql/ruby/frameworks/data/ModelsAsData.qll b/ruby/ql/lib/codeql/ruby/frameworks/data/ModelsAsData.qll index 4d57191dc1e..09580b98a28 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/data/ModelsAsData.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/data/ModelsAsData.qll @@ -32,7 +32,7 @@ private class RemoteFlowSourceFromCsv extends RemoteFlowSource::Range { override string getSourceType() { result = "Remote flow (from model)" } } -private class SummarizedCallableFromModel extends SummarizedCallable { +private class SummarizedCallableFromModel extends SummarizedCallable::Range { string type; string path; 
@@ -49,9 +49,13 @@ private class SummarizedCallableFromModel extends SummarizedCallable { } override predicate propagatesFlow( - string input, string output, boolean preservesValue, string model + string input, string output, boolean preservesValue, Provenance p, boolean isExact, string model ) { - exists(string kind | ModelOutput::relevantSummaryModel(type, path, input, output, kind, model) | + exists(string kind | + ModelOutput::relevantSummaryModel(type, path, input, output, kind, model) and + p = "manual" and + isExact = true + | kind = "value" and preservesValue = true or diff --git a/ruby/ql/lib/codeql/ruby/frameworks/rack/internal/Utils.qll b/ruby/ql/lib/codeql/ruby/frameworks/rack/internal/Utils.qll index c41c97b006f..f82fa46a4b2 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/rack/internal/Utils.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/rack/internal/Utils.qll @@ -10,7 +10,7 @@ private import codeql.ruby.dataflow.FlowSummary */ module Utils { /** Flow summary for `Rack::Utils.parse_query`, which parses a query string. */ - private class ParseQuerySummary extends SummarizedCallable { + private class ParseQuerySummary extends SummarizedCallable::Range { ParseQuerySummary() { this = "Rack::Utils.parse_query" } override MethodCall getACall() { diff --git a/ruby/ql/lib/codeql/ruby/typetracking/internal/TypeTrackingImpl.qll b/ruby/ql/lib/codeql/ruby/typetracking/internal/TypeTrackingImpl.qll index cd556a67f4f..468a8971d94 100644 --- a/ruby/ql/lib/codeql/ruby/typetracking/internal/TypeTrackingImpl.qll +++ b/ruby/ql/lib/codeql/ruby/typetracking/internal/TypeTrackingImpl.qll @@ -223,7 +223,7 @@ private module SummaryTypeTrackerInput implements SummaryTypeTracker::Input { predicate propagatesFlow( SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue ) { - super.propagatesFlow(input, output, preservesValue, _) + super.propagatesFlow(input, output, preservesValue, _, _, _) } } 
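Review bot: The new conjuncts `p = "manual" and isExact = true` in `propagatesFlow` assert the same provenance and exactness for every row that `ModelOutput::relevantSummaryModel` yields, and nothing in the hunk records why. As far as this hunk shows, `relevantSummaryModel(type, path, input, output, kind, model)` carries no provenance column, so "manual" is presumably the only value available; but if any of these rows are machine-generated, they become indistinguishable from hand-written summaries wherever `FlowSummaryImpl` uses provenance as a trust signal, so it is worth confirming no generated Ruby summary models exist, or threading a provenance column through `relevantSummaryModel` before they do. `isExact = true` is likewise a blanket claim; if `isExact` is meant to separate summaries that match the callable exactly from ones matched through a type hierarchy, hard-coding it for all model rows over-claims. At minimum the assumption should be stated above these two lines, e.g. `// Ruby model rows carry no provenance column: report every MaD summary as "manual" and exact.` The `exists` body and the enclosing class continue past the end of the hunk.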
diff --git a/ruby/ql/test/library-tests/dataflow/flow-summaries/semantics.ql b/ruby/ql/test/library-tests/dataflow/flow-summaries/semantics.ql index 07a804beba5..45a278bf212 100644 --- a/ruby/ql/test/library-tests/dataflow/flow-summaries/semantics.ql +++ b/ruby/ql/test/library-tests/dataflow/flow-summaries/semantics.ql @@ -12,7 +12,7 @@ private import codeql.ruby.dataflow.FlowSummary /** * A convenience class for defining value (c.f. taint) flow summaries. */ -abstract private class Summary extends SimpleSummarizedCallable { +abstract private class Summary extends SummarizedCallable::RangeSimple { bindingset[this] Summary() { any() } diff --git a/ruby/ql/test/library-tests/dataflow/regressions/Regressions.ql b/ruby/ql/test/library-tests/dataflow/regressions/Regressions.ql index 2d6c879aa39..3a989e1a139 100644 --- a/ruby/ql/test/library-tests/dataflow/regressions/Regressions.ql +++ b/ruby/ql/test/library-tests/dataflow/regressions/Regressions.ql @@ -1,6 +1,6 @@ private import codeql.ruby.dataflow.FlowSummary -private class ReverseSummary extends SimpleSummarizedCallable { +private class ReverseSummary extends SummarizedCallable::RangeSimple { ReverseSummary() { this = "reverse" } override predicate propagatesFlow(string input, string output, boolean preservesValue) { diff --git a/ruby/ql/test/library-tests/dataflow/summaries/Summaries.ql b/ruby/ql/test/library-tests/dataflow/summaries/Summaries.ql index 7b370496f0a..eebb30faf1c 100644 --- a/ruby/ql/test/library-tests/dataflow/summaries/Summaries.ql +++ b/ruby/ql/test/library-tests/dataflow/summaries/Summaries.ql 
@@ -18,7 +18,7 @@ query predicate invalidSpecComponent(SummarizedCallable sc, string s, string c) query predicate warning = ModelOutput::getAWarning/0; -private class SummarizedCallableIdentity extends SummarizedCallable { +private class SummarizedCallableIdentity extends SummarizedCallable::Range { SummarizedCallableIdentity() { this = "identity" } override MethodCall getACall() { result.getMethodName() = this } @@ -30,7 +30,7 @@ private class SummarizedCallableIdentity extends SummarizedCallable { } } -private class SummarizedCallableApplyBlock extends SummarizedCallable { +private class SummarizedCallableApplyBlock extends SummarizedCallable::Range { SummarizedCallableApplyBlock() { this = "apply_block" } override MethodCall getACall() { result.getMethodName() = this } @@ -46,7 +46,7 @@ private class SummarizedCallableApplyBlock extends SummarizedCallable { } } -private class SummarizedCallableApplyLambda extends SummarizedCallable { +private class SummarizedCallableApplyLambda extends SummarizedCallable::Range { SummarizedCallableApplyLambda() { this = "apply_lambda" } override MethodCall getACall() { result.getMethodName() = this }