From db056aae1bcda7f911a3f4a8edd38c981fffeb94 Mon Sep 17 00:00:00 2001
From: erik-krogh
Date: Thu, 6 Oct 2022 10:14:28 +0200
Subject: [PATCH] add some more meta queries for Ruby evaluations

---
 ruby/ql/src/queries/meta/TaintSteps.ql | 17 +++++++++++
 ruby/ql/src/queries/meta/TaintedNodes.ql | 28 +++++++++++++++++++
 .../queries/meta/internal/TaintMetrics.qll | 7 +++++
 3 files changed, 52 insertions(+)
 create mode 100644 ruby/ql/src/queries/meta/TaintSteps.ql
 create mode 100644 ruby/ql/src/queries/meta/TaintedNodes.ql

diff --git a/ruby/ql/src/queries/meta/TaintSteps.ql b/ruby/ql/src/queries/meta/TaintSteps.ql
new file mode 100644
index 00000000000..c93322500c3
--- /dev/null
+++ b/ruby/ql/src/queries/meta/TaintSteps.ql
@@ -0,0 +1,17 @@
+/**
+ * @name Taint steps
+ * @description The number of default taint steps.
+ * @kind metric
+ * @metricType project
+ * @metricAggregate sum
+ * @tags meta
+ * @id rb/meta/taint-steps
+ */
+
+import ruby
+import internal.TaintMetrics
+import codeql.ruby.dataflow.internal.TaintTrackingPublic
+
+predicate relevantStep(DataFlow::Node pred, DataFlow::Node succ) { localTaintStep(pred, succ) }
+
+select projectRoot(), count(DataFlow::Node pred, DataFlow::Node succ | relevantStep(pred, succ))
diff --git a/ruby/ql/src/queries/meta/TaintedNodes.ql b/ruby/ql/src/queries/meta/TaintedNodes.ql
new file mode 100644
index 00000000000..18997cfaaee
--- /dev/null
+++ b/ruby/ql/src/queries/meta/TaintedNodes.ql
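Review bot: `relevantStep` carries no QLDoc even though it is the predicate that defines what a "default taint step" means for this metric; add `/** Holds if `pred` reaches `succ` in one default local taint step, as given by `localTaintStep`. */` above it. Reaching `localTaintStep` requires importing `codeql.ruby.dataflow.internal.TaintTrackingPublic`, and the `internal` segment suggests this is not a stable public API, so a one-line comment on the import saying why the internal path is needed would help whoever has to repair it when that module moves. Since only local steps are counted, the `@description` "The number of default taint steps" slightly over-promises; `@description The number of default local taint steps.` matches what the `select` actually counts.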
@@ -0,0 +1,28 @@
+/**
+ * @name Tainted nodes
+ * @description Nodes reachable from a remote flow source via default taint-tracking steps.
+ * @kind problem
+ * @problem.severity recommendation
+ * @id rb/meta/tainted-nodes
+ * @tags meta
+ * @precision very-low
+ */
+
+import internal.TaintMetrics
+import codeql.ruby.DataFlow
+import codeql.ruby.TaintTracking
+
+class BasicTaintConfiguration extends TaintTracking::Configuration {
+  BasicTaintConfiguration() { this = "BasicTaintConfiguration" }
+
+  override predicate isSource(DataFlow::Node node) { node = relevantTaintSource(_) }
+
+  override predicate isSink(DataFlow::Node node) {
+    // To reduce noise from synthetic nodes, only count nodes that have an associated expression.
+    exists(node.asExpr().getExpr())
+  }
+}
+
+from DataFlow::Node node
+where any(BasicTaintConfiguration cfg).hasFlow(_, node)
+select node, "Tainted node"
diff --git a/ruby/ql/src/queries/meta/internal/TaintMetrics.qll b/ruby/ql/src/queries/meta/internal/TaintMetrics.qll
index 19e25f3a94b..19d26103cb9 100644
--- a/ruby/ql/src/queries/meta/internal/TaintMetrics.qll
+++ b/ruby/ql/src/queries/meta/internal/TaintMetrics.qll
@@ -36,3 +36,10 @@ DataFlow::Node relevantTaintSink(string kind) {
     kind = "UrlRedirect" and result instanceof UrlRedirect::Sink
   )
 }
+
+/**
+ * Gets the root folder of the snapshot.
+ *
+ * This is selected as the location for project-wide metrics.
+ */
+Folder projectRoot() { result.getRelativePath() = "" }
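Review bot: The `@description` promises nodes reachable from a remote flow source, but `isSource` accepts `relevantTaintSource(_)` for every kind, so whether that claim holds depends entirely on what `TaintMetrics.qll` (outside this hunk) puts into that predicate; either pass the intended kind explicitly instead of `_`, or reword to `@description Nodes reachable from a relevant taint source via default taint-tracking steps.` so the text cannot drift from the code. The configuration defines no barriers or sanitizers, so the result measures raw reachability and will over-count relative to any production query; that is fine for a metric but belongs in a QLDoc on `BasicTaintConfiguration`, e.g. `/** Taint from every relevant source to every node with an associated expression. No sanitizers are applied, so this over-approximates real query results and exists only to measure taint spread. */`. Because `isSink` admits every expression node, `hasFlow(_, node)` is computed for the whole program, and `@tags meta` together with `@precision very-low` is what keeps this `@kind problem` query out of default suites, so a short comment noting that both must stay would protect against a later cleanup.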
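Review bot: `projectRoot()` has no result when no `Folder` has an empty relative path, and may have more than one if a database carries several source roots; a metric query that does `select projectRoot(), count(...)` then silently emits zero rows (or duplicated rows) instead of a count of 0, so the QLDoc should state the cardinality it assumes, e.g. add ` * Assumed to have exactly one result; metric queries that select it produce no row otherwise.` to the comment block. Whether multi-root or re-rooted databases actually occur for Ruby I cannot tell from this hunk, so this is a documentation point rather than a correctness claim. The enclosing `relevantTaintSink` predicate starts before the hunk's first context line.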