Merge pull request #7048 from hvitved/ruby/remove-node-predicates

Ruby: Remove `Node::getEnclosingCallable` and `ParameterNode::isParameterOf`
This commit is contained in:
Tom Hvitved
2021-11-03 17:46:16 +01:00
committed by GitHub
4 changed files with 12 additions and 16 deletions

View File

@@ -450,7 +450,7 @@ DataFlowCallable viableImplInCallContext(DataFlowCall call, DataFlowCall ctx) {
*/
predicate exprNodeReturnedFrom(DataFlow::ExprNode e, Callable c) {
exists(ReturningNode r |
r.getEnclosingCallable().asCallable() = c and
nodeGetEnclosingCallable(r).asCallable() = c and
(
r.(ExplicitReturnNode).getReturningNode().getReturnedValueNode() = e.asExpr() or
r.(ExprReturnNode) = e

View File

@@ -7,12 +7,16 @@ private import SsaImpl as SsaImpl
private import FlowSummaryImpl as FlowSummaryImpl
/** Gets the callable in which this node occurs. */
DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.getEnclosingCallable() }
DataFlowCallable nodeGetEnclosingCallable(NodeImpl n) { result = n.getEnclosingCallable() }
/** Holds if `p` is a `ParameterNode` of `c` with position `pos`. */
predicate isParameterNode(ParameterNode p, DataFlowCallable c, int pos) { p.isParameterOf(c, pos) }
predicate isParameterNode(ParameterNodeImpl p, DataFlowCallable c, int pos) {
p.isParameterOf(c, pos)
}
abstract class NodeImpl extends Node {
DataFlowCallable getEnclosingCallable() { result = TCfgScope(this.getCfgScope()) }
/** Do not call: use `getEnclosingCallable()` instead. */
abstract CfgScope getCfgScope();
@@ -312,7 +316,7 @@ private module ParameterNodes {
abstract class ParameterNodeImpl extends ParameterNode, NodeImpl {
abstract predicate isSourceParameterOf(Callable c, int i);
override predicate isParameterOf(DataFlowCallable c, int i) {
predicate isParameterOf(DataFlowCallable c, int i) {
this.isSourceParameterOf(c.asCallable(), i)
}
}
@@ -802,7 +806,7 @@ predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
)
or
receiver = call.(SummaryCall).getReceiver() and
if receiver.(ParameterNode).isParameterOf(_, -2)
if receiver.(ParameterNodeImpl).isParameterOf(_, -2)
then kind = TYieldCallKind()
else kind = TLambdaCallKind()
}

View File

@@ -25,8 +25,6 @@ class Node extends TNode {
// TODO: cache
final Location getLocation() { result = this.(NodeImpl).getLocationImpl() }
DataFlowCallable getEnclosingCallable() { result = TCfgScope(this.(NodeImpl).getCfgScope()) }
/**
* Holds if this element is at the specified location.
* The location spans column `startcolumn` of line `startline` to
@@ -85,12 +83,6 @@ class ExprNode extends Node, TExprNode {
class ParameterNode extends Node, TParameterNode {
/** Gets the parameter corresponding to this node, if any. */
Parameter getParameter() { none() }
/**
* Holds if this node is the parameter of callable `c` at the specified
* (zero-based) position.
*/
predicate isParameterOf(DataFlowCallable c, int i) { none() }
}
/**

View File

@@ -57,9 +57,9 @@ module UrlRedirect {
this = e.getRedirectLocation() and
// As a rough heuristic, assume that methods with these names are handlers for POST/PUT/PATCH/DELETE requests,
// which are not as vulnerable to URL redirection because browsers will not initiate them from clicking a link.
not this.getEnclosingCallable()
.asCallable()
.(Method)
not this.asExpr()
.getExpr()
.getEnclosingMethod()
.getName()
.regexpMatch(".*(create|update|destroy).*")
)