Merge pull request #14090 from hmac/splat-flow-4

Ruby: More splat flow (alternative)
Harry Maclean
2023-09-27 10:22:57 +01:00
committed by GitHub
8 changed files with 1369 additions and 130 deletions


@@ -472,7 +472,6 @@ private module Cached {
exists(Parameter p | p.getPosition() = pos and p instanceof SplatParameter)
} or
TSynthSplatParameterPosition() or
TSynthArgSplatParameterPosition() or
TAnyParameterPosition() or
TAnyKeywordParameterPosition()
}
@@ -1302,9 +1301,6 @@ class ParameterPosition extends TParameterPosition {
predicate isSynthSplat() { this = TSynthSplatParameterPosition() }
// A fake position to indicate that this parameter node holds content from a synth arg splat node
predicate isSynthArgSplat() { this = TSynthArgSplatParameterPosition() }
predicate isSplat(int n) { this = TSplatParameterPosition(n) }
/**
@@ -1340,8 +1336,6 @@ class ParameterPosition extends TParameterPosition {
or
this.isSynthSplat() and result = "synthetic *"
or
this.isSynthArgSplat() and result = "synthetic * (from *args)"
or
exists(int pos | this.isSplat(pos) and result = "* (position " + pos + ")")
}
}
@@ -1441,9 +1435,8 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) {
or
ppos.isSplat(0) and apos.isSynthSplat()
or
ppos.isSynthSplat() and apos.isSplat(0)
or
apos.isSynthSplat() and ppos.isSynthArgSplat()
ppos.isSynthSplat() and
(apos.isSynthSplat() or apos.isSplat(0))
or
// Exact splat match
exists(int n | apos.isSplat(n) and ppos.isSplat(n))
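Review bot: The merged disjunct `ppos.isSynthSplat() and (apos.isSynthSplat() or apos.isSplat(0))` in `parameterMatch` has no comment, while the case directly below it is labelled `// Exact splat match`. With the `isSynthArgSplat` position removed, one parameter position now accepts two kinds of argument, and that should be stated where it happens. I would add `// The synthetic splat parameter receives either the synthetic splat argument or an explicit splat in first position` above it. It also appears that a synthetic splat argument now matches both `ppos.isSplat(0)` and `ppos.isSynthSplat()`; a short remark on whether both matches are intended would help. `parameterMatch` begins and ends outside this hunk.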


@@ -455,13 +455,9 @@ private module Cached {
exists(c.asCallable()) and // exclude library callables
isParameterNode(_, c, any(ParameterPosition p | p.isPositional(_)))
} or
TSynthSplatArgParameterNode(DataFlowCallable c) {
exists(c.asCallable()) and // exclude library callables
isParameterNode(_, c, any(ParameterPosition p | p.isSplat(_)))
} or
TSynthSplatParameterElementNode(DataFlowCallable c, int n) {
exists(c.asCallable()) and // exclude library callables
isParameterNode(_, c, any(ParameterPosition p | p.isSplat(_))) and
isParameterNode(_, c, any(ParameterPosition p | p.isSplat(any(int i | i > 0)))) and
n in [0 .. 10]
} or
TExprPostUpdateNode(CfgNodes::ExprCfgNode n) {
@@ -479,15 +475,19 @@ private module Cached {
or
c.getAnArgument() instanceof CfgNodes::ExprNodes::PairCfgNode
} or
TSynthSplatArgumentNode(CfgNodes::ExprNodes::CallCfgNode c) {
exists(Argument arg, ArgumentPosition pos | pos.isPositional(_) | arg.isArgumentOf(c, pos)) and
not exists(Argument arg, ArgumentPosition pos | pos.isSplat(_) | arg.isArgumentOf(c, pos))
TSynthSplatArgumentNode(CfgNodes::ExprNodes::CallCfgNode c) or
TSynthSplatArgumentElementNode(CfgNodes::ExprNodes::CallCfgNode c, int n) {
// we use -1 to represent data at an unknown index
n in [-1 .. 10] and
exists(Argument arg, ArgumentPosition pos |
pos.isSplat(any(int p | p > 0)) and arg.isArgumentOf(c, pos)
)
} or
TCaptureNode(VariableCapture::Flow::SynthesizedCaptureNode cn)
class TSourceParameterNode =
TNormalParameterNode or TBlockParameterNode or TSelfParameterNode or
TSynthHashSplatParameterNode or TSynthSplatParameterNode or TSynthSplatArgParameterNode;
TSynthHashSplatParameterNode or TSynthSplatParameterNode;
cached
Location getLocation(NodeImpl n) { result = n.getLocationImpl() }
@@ -695,8 +695,6 @@ predicate nodeIsHidden(Node n) {
or
n instanceof SynthSplatArgumentNode
or
n instanceof SynthSplatArgParameterNode
or
n instanceof SynthSplatParameterElementNode
or
n instanceof LambdaSelfReferenceNode
@@ -1026,19 +1024,23 @@ private module ParameterNodes {
* For example, in the following code:
*
* ```rb
* def foo(x, y); end
* def foo(x, y, z); end
*
* foo(*[a, b])
* foo(a, *[b, c])
* ```
*
* We want `a` to flow to `x` and `b` to flow to `y`. We do this by constructing
* We want `b` to flow to `y` and `c` to flow to `z`. We do this by constructing
* a `SynthSplatParameterNode` for the method `foo`, and matching the splat argument to this
* parameter node via `parameterMatch/2`. We then add read steps from this node to parameters
* `x` and `y`, for content at indices 0 and 1 respectively (see `readStep`).
* `y` and `z`, for content at indices 0 and 1 respectively (see `readStep`).
*
* We don't yet correctly handle cases where the splat argument is not the first argument, e.g. in
* This node stores the index of the splat argument it is matched to, which allows us to shift
* indices correctly when adding read steps. Without this, in the example above we would erroneously
* get a read step to `x` at index 0 and `y` at index 1 etc.
*
* We don't yet correctly handle cases where a positional argument follows the splat argument, e.g. in
* ```rb
* foo(a, *[b])
* foo(a, *[b], c)
* ```
*/
class SynthSplatParameterNode extends ParameterNodeImpl, TSynthSplatParameterNode {
@@ -1047,16 +1049,16 @@ private module ParameterNodes {
SynthSplatParameterNode() { this = TSynthSplatParameterNode(callable) }
/**
* Gets a parameter which will contain the value given by `c`, assuming
* that the method was called with a single splat argument.
* For example, if the synth splat parameter is for the following method
* Gets a parameter which will contain the value given by `c`.
* For example, if the synth splat parameter is for the following method and method call:
*
* ```rb
* def foo(x, y, a:, *rest)
* end
* def foo(x, y, a:, *rest); end
*
* foo(arg1, *args)
* ```
*
* Then `getAParameter(element 0) = x` and `getAParameter(element 1) = y`.
* then `getAParameter(element 0) = y`.
*/
ParameterNode getAParameter(ContentSet c) {
exists(int n |
@@ -1084,31 +1086,6 @@ private module ParameterNodes {
final override string toStringImpl() { result = "synthetic *args" }
}
/**
* A node that holds all positional arguments passed in a call to `c`.
* This is a mirror of the `SynthSplatArgumentNode` on the callable side.
* See `SynthSplatArgumentNode` for more information.
*/
class SynthSplatArgParameterNode extends ParameterNodeImpl, TSynthSplatArgParameterNode {
private DataFlowCallable callable;
SynthSplatArgParameterNode() { this = TSynthSplatArgParameterNode(callable) }
final override Parameter getParameter() { none() }
final override predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
c = callable and pos.isSynthArgSplat()
}
final override CfgScope getCfgScope() { result = callable.asCallable() }
final override DataFlowCallable getEnclosingCallable() { result = callable }
final override Location getLocationImpl() { result = callable.getLocation() }
final override string toStringImpl() { result = "synthetic *args" }
}
/**
* A node that holds the content of a specific positional argument.
* See `SynthSplatArgumentNode` for more information.
@@ -1127,12 +1104,7 @@ private module ParameterNodes {
int getStorePosition() { result = pos }
int getReadPosition() {
exists(int splatPos |
exists(this.getSplatParameterNode(splatPos)) and
result = pos + splatPos
)
}
int getReadPosition() { result = pos }
final override CfgScope getCfgScope() { result = callable.asCallable() }
@@ -1246,7 +1218,7 @@ module ArgumentNodes {
* part of the method signature, such that those cannot end up in the hash-splat
* parameter.
*/
class SynthHashSplatArgumentNode extends ArgumentNode, TSynthHashSplatArgumentNode {
class SynthHashSplatArgumentNode extends ArgumentNode, NodeImpl, TSynthHashSplatArgumentNode {
CfgNodes::ExprNodes::CallCfgNode c;
SynthHashSplatArgumentNode() { this = TSynthHashSplatArgumentNode(c) }
@@ -1259,12 +1231,6 @@ module ArgumentNodes {
call = c and
pos.isHashSplat()
}
}
private class SynthHashSplatArgumentNodeImpl extends NodeImpl, TSynthHashSplatArgumentNode {
CfgNodes::ExprNodes::CallCfgNode c;
SynthHashSplatArgumentNodeImpl() { this = TSynthHashSplatArgumentNode(c) }
override CfgScope getCfgScope() { result = c.getExpr().getCfgScope() }
@@ -1287,9 +1253,9 @@ module ArgumentNodes {
*
* 1. We want `3` to flow to `z[0]` and `4` to flow to `z[1]`. We model this by first storing all arguments
* in a synthetic argument node `SynthSplatArgumentNode` (see `storeStepCommon`).
* 2. We match this to an analogous parameter node `SynthSplatArgParameterNode` on the callee side
* 2. We match this to an analogous parameter node `SynthSplatParameterNode` on the callee side
* (see `parameterMatch`).
* 3. For each content element stored in the `SynthSplatArgParameterNode`, we add a read step to a separate
* 3. For each content element stored in the `SynthSplatParameterNode`, we add a read step to a separate
* `SynthSplatParameterElementNode`, which is parameterized by the element index (see `readStep`).
* 4. Finally, we add store steps from these `SynthSplatParameterElementNode`s to the real splat parameter node
* (see `storeStep`).
@@ -1317,6 +1283,33 @@ module ArgumentNodes {
override string toStringImpl() { result = "*" }
}
/**
* A data-flow node that holds data from values inside splat arguments.
* For example, in the following call
*
* ```rb
* foo(1, 2, *[3, 4])
* ```
*
* We add read steps such that `3` flows into `SynthSplatArgumentElementNode(2)` and `4` flows into `SynthSplatArgumentElementNode(3)`.
*/
class SynthSplatArgumentElementNode extends NodeImpl, TSynthSplatArgumentElementNode {
CfgNodes::ExprNodes::CallCfgNode c;
int n;
SynthSplatArgumentElementNode() { this = TSynthSplatArgumentElementNode(c, n) }
CfgNodes::ExprNodes::CallCfgNode getCall() { result = c }
int getPosition() { result = n }
override CfgScope getCfgScope() { result = c.getExpr().getCfgScope() }
override Location getLocationImpl() { result = c.getLocation() }
override string toStringImpl() { result = "*[" + n + "]" }
}
}
import ArgumentNodes
@@ -1556,6 +1549,33 @@ predicate storeStepCommon(Node node1, ContentSet c, Node node2) {
)
}
/**
* Holds if data can flow from a `SynthSplatArgumentElementNode` into a `SynthSplatArgumentNode` via a store step.
* For example in
*
* ```rb
* foo(1, 2, *[3, 4])
* ```
*
* We have flow from `3` into `SynthSplatArgumentElementNode(2)`. This step stores the value from this node into element `2` of the `SynthSplatArgumentNode`.
*
* This allows us to match values inside splat arguments to the correct parameter in the callable.
*/
predicate synthSplatArgumentElementStoreStep(
SynthSplatArgumentElementNode node1, ContentSet c, SynthSplatArgumentNode node2
) {
exists(CfgNodes::ExprNodes::CallCfgNode call, int n |
node2 = TSynthSplatArgumentNode(call) and
node1 = TSynthSplatArgumentElementNode(call, n) and
(
c = getPositionalContent(n)
or
n = -1 and
c.isSingleton(TUnknownElementContent())
)
)
}
/**
* Holds if data can flow from `node1` to `node2` via an assignment to
* content `c`.
@@ -1587,11 +1607,13 @@ predicate storeStep(Node node1, ContentSet c, Node node2) {
FlowSummaryImpl::Private::Steps::summaryStoreStep(node1.(FlowSummaryNode).getSummaryNode(), c,
node2.(FlowSummaryNode).getSummaryNode())
or
node1 =
any(SynthSplatParameterElementNode elemNode |
node2 = elemNode.getSplatParameterNode(_) and
c = getPositionalContent(elemNode.getStorePosition())
)
exists(SynthSplatParameterElementNode elemNode, int splatPos |
node1 = elemNode and
node2 = elemNode.getSplatParameterNode(splatPos) and
c = getPositionalContent(elemNode.getStorePosition() - splatPos)
)
or
synthSplatArgumentElementStoreStep(node1, c, node2)
or
storeStepCommon(node1, c, node2)
or
@@ -1608,6 +1630,34 @@ predicate readStepCommon(Node node1, ContentSet c, Node node2) {
node2 = node1.(SynthSplatParameterNode).getAParameter(c)
}
/**
* Holds if data can flow from a splat argument to a `SynthSplatArgumentElementNode` via a read step.
* For example in
* ```rb
* foo(x, y, *[1, 2])
* ```
*
* we read `1` into `SynthSplatArgumentElementNode(2)` and `2` into `SynthSplatArgumentElementNode(3)`.
*/
predicate synthSplatArgumentElementReadStep(
Node node1, ContentSet c, SynthSplatArgumentElementNode node2
) {
exists(int splatPos, CfgNodes::ExprNodes::CallCfgNode call |
node1.asExpr().(Argument).isArgumentOf(call, any(ArgumentPosition p | p.isSplat(splatPos))) and
splatPos > 0 and
node2.getCall() = call and
(
exists(int n |
node2.getPosition() = n + splatPos and
c = getPositionalContent(n)
)
or
node2.getPosition() = -1 and
c.isSingleton(TUnknownElementContent())
)
)
}
/**
* Holds if there is a read step of content `c` from `node1` to `node2`.
*/
@@ -1638,14 +1688,16 @@ predicate readStep(Node node1, ContentSet c, Node node2) {
FlowSummaryImpl::Private::Steps::summaryReadStep(node1.(FlowSummaryNode).getSummaryNode(), c,
node2.(FlowSummaryNode).getSummaryNode())
or
// Read from SynthSplatArgParameterNode into SynthSplatParameterElementNode
VariableCapture::readStep(node1, any(Content::CapturedVariableContent v | c.isSingleton(v)), node2)
or
// Read from SynthSplatParameterNode into SynthSplatParameterElementNode
node2 =
any(SynthSplatParameterElementNode e |
node1.(SynthSplatArgParameterNode).isParameterOf(e.getEnclosingCallable(), _) and
node1.(SynthSplatParameterNode).isParameterOf(e.getEnclosingCallable(), _) and
c = getPositionalContent(e.getReadPosition())
)
or
VariableCapture::readStep(node1, any(Content::CapturedVariableContent v | c.isSingleton(v)), node2)
synthSplatArgumentElementReadStep(node1, c, node2)
or
readStepCommon(node1, c, node2)
}
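Review bot: The element-index bound is a bare literal written twice, `n in [0 .. 10]` for `TSynthSplatParameterElementNode` and `n in [-1 .. 10]` for the new `TSynthSplatArgumentElementNode`, and nothing documents what happens beyond it. In `synthSplatArgumentElementReadStep` the node position is `n + splatPos`, so an element is only given a precise node while its shifted index stays within 10. Flow through later elements presumably degrades or is dropped, which for taint queries would be a silent false negative. I would name the bound once in a shared predicate and add a comment at both sites such as `// only indices up to the bound are modelled precisely; elements whose shifted index exceeds it are not tracked by position`. The existing comment `// we use -1 to represent data at an unknown index` is a good model for that.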


@@ -334,13 +334,16 @@ predicate readStoreStepIntoSourceNode(
Node nodeFrom, Node nodeTo, DataFlow::ContentSet loadContent, DataFlow::ContentSet storeContent
) {
exists(DataFlowPrivate::SynthSplatParameterElementNode mid |
nodeFrom
.(DataFlowPrivate::SynthSplatArgParameterNode)
.isParameterOf(mid.getEnclosingCallable(), _) and
nodeFrom.(DataFlowPrivate::SynthSplatParameterNode).isParameterOf(mid.getEnclosingCallable(), _) and
loadContent = DataFlowPrivate::getPositionalContent(mid.getReadPosition()) and
nodeTo = mid.getSplatParameterNode(_) and
storeContent = DataFlowPrivate::getPositionalContent(mid.getStorePosition())
)
or
exists(DataFlowPrivate::SynthSplatArgumentElementNode mid |
DataFlowPrivate::synthSplatArgumentElementReadStep(nodeFrom, loadContent, mid) and
DataFlowPrivate::synthSplatArgumentElementStoreStep(mid, storeContent, nodeTo)
)
}
/**
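Review bot: The first disjunct of `readStoreStepIntoSourceNode` still stores at `getPositionalContent(mid.getStorePosition())` and ignores the position in `mid.getSplatParameterNode(_)`. The same commit changes `storeStep` to use `elemNode.getStorePosition() - splatPos` and makes `getReadPosition()` return `pos` without adding the splat position. As written, type tracking appears to load and store at the same index, so for a callee whose splat parameter is not first the element would land at an unshifted index and type-tracking results could diverge from data flow. I would bind the position under `exists(int splatPos | ...)` with `nodeTo = mid.getSplatParameterNode(splatPos) and storeContent = DataFlowPrivate::getPositionalContent(mid.getStorePosition() - splatPos)`.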


@@ -1234,21 +1234,34 @@ arg
| local_dataflow.rb:9:10:9:10 | 1 | local_dataflow.rb:9:9:9:15 | call to [] | position 0 |
| local_dataflow.rb:9:12:9:12 | 2 | local_dataflow.rb:9:9:9:15 | call to [] | position 1 |
| local_dataflow.rb:9:14:9:14 | 3 | local_dataflow.rb:9:9:9:15 | call to [] | position 2 |
| local_dataflow.rb:10:5:13:3 | * | local_dataflow.rb:10:5:13:3 | call to each | synthetic * |
| local_dataflow.rb:10:5:13:3 | { ... } | local_dataflow.rb:10:5:13:3 | call to each | block |
| local_dataflow.rb:10:9:10:9 | * | local_dataflow.rb:10:9:10:9 | [false] ! ... | synthetic * |
| local_dataflow.rb:10:9:10:9 | * | local_dataflow.rb:10:9:10:9 | [true] ! ... | synthetic * |
| local_dataflow.rb:10:9:10:9 | * | local_dataflow.rb:10:9:10:9 | defined? ... | synthetic * |
| local_dataflow.rb:10:9:10:9 | defined? ... | local_dataflow.rb:10:9:10:9 | [false] ! ... | self |
| local_dataflow.rb:10:9:10:9 | defined? ... | local_dataflow.rb:10:9:10:9 | [true] ! ... | self |
| local_dataflow.rb:10:9:10:9 | x | local_dataflow.rb:10:9:10:9 | defined? ... | self |
| local_dataflow.rb:10:14:10:18 | array | local_dataflow.rb:10:5:13:3 | call to each | self |
| local_dataflow.rb:11:1:11:2 | * | local_dataflow.rb:11:1:11:2 | call to do | synthetic * |
| local_dataflow.rb:11:1:11:2 | self | local_dataflow.rb:11:1:11:2 | call to do | self |
| local_dataflow.rb:12:3:12:5 | * | local_dataflow.rb:12:3:12:5 | call to p | synthetic * |
| local_dataflow.rb:12:3:12:5 | self | local_dataflow.rb:12:3:12:5 | call to p | self |
| local_dataflow.rb:12:5:12:5 | x | local_dataflow.rb:12:3:12:5 | call to p | position 0 |
| local_dataflow.rb:15:1:17:3 | * | local_dataflow.rb:15:1:17:3 | call to each | synthetic * |
| local_dataflow.rb:15:1:17:3 | { ... } | local_dataflow.rb:15:1:17:3 | call to each | block |
| local_dataflow.rb:15:5:15:5 | * | local_dataflow.rb:15:5:15:5 | [false] ! ... | synthetic * |
| local_dataflow.rb:15:5:15:5 | * | local_dataflow.rb:15:5:15:5 | [true] ! ... | synthetic * |
| local_dataflow.rb:15:5:15:5 | * | local_dataflow.rb:15:5:15:5 | defined? ... | synthetic * |
| local_dataflow.rb:15:5:15:5 | defined? ... | local_dataflow.rb:15:5:15:5 | [false] ! ... | self |
| local_dataflow.rb:15:5:15:5 | defined? ... | local_dataflow.rb:15:5:15:5 | [true] ! ... | self |
| local_dataflow.rb:15:5:15:5 | x | local_dataflow.rb:15:5:15:5 | defined? ... | self |
| local_dataflow.rb:15:10:15:14 | array | local_dataflow.rb:15:1:17:3 | call to each | self |
| local_dataflow.rb:19:1:21:3 | * | local_dataflow.rb:19:1:21:3 | call to each | synthetic * |
| local_dataflow.rb:19:1:21:3 | { ... } | local_dataflow.rb:19:1:21:3 | call to each | block |
| local_dataflow.rb:19:5:19:5 | * | local_dataflow.rb:19:5:19:5 | [false] ! ... | synthetic * |
| local_dataflow.rb:19:5:19:5 | * | local_dataflow.rb:19:5:19:5 | [true] ! ... | synthetic * |
| local_dataflow.rb:19:5:19:5 | * | local_dataflow.rb:19:5:19:5 | defined? ... | synthetic * |
| local_dataflow.rb:19:5:19:5 | defined? ... | local_dataflow.rb:19:5:19:5 | [false] ! ... | self |
| local_dataflow.rb:19:5:19:5 | defined? ... | local_dataflow.rb:19:5:19:5 | [true] ! ... | self |
| local_dataflow.rb:19:5:19:5 | x | local_dataflow.rb:19:5:19:5 | defined? ... | self |
@@ -1262,6 +1275,7 @@ arg
| local_dataflow.rb:42:6:42:6 | x | local_dataflow.rb:42:6:42:11 | ... == ... | self |
| local_dataflow.rb:42:6:42:11 | * | local_dataflow.rb:42:6:42:11 | ... == ... | synthetic * |
| local_dataflow.rb:42:11:42:11 | 4 | local_dataflow.rb:42:6:42:11 | ... == ... | position 0 |
| local_dataflow.rb:49:1:53:3 | * | local_dataflow.rb:49:1:53:3 | call to m | synthetic * |
| local_dataflow.rb:49:1:53:3 | self | local_dataflow.rb:49:1:53:3 | call to m | self |
| local_dataflow.rb:49:3:53:3 | do ... end | local_dataflow.rb:49:1:53:3 | call to m | block |
| local_dataflow.rb:50:18:50:18 | x | local_dataflow.rb:50:18:50:22 | ... < ... | self |
@@ -1393,6 +1407,7 @@ arg
| local_dataflow.rb:112:8:112:16 | * | local_dataflow.rb:112:8:112:16 | call to source | synthetic * |
| local_dataflow.rb:112:8:112:16 | call to source | local_dataflow.rb:112:8:112:20 | call to dup | self |
| local_dataflow.rb:112:8:112:16 | self | local_dataflow.rb:112:8:112:16 | call to source | self |
| local_dataflow.rb:112:8:112:20 | * | local_dataflow.rb:112:8:112:20 | call to dup | synthetic * |
| local_dataflow.rb:112:8:112:20 | call to dup | local_dataflow.rb:112:3:112:21 | call to sink | position 0 |
| local_dataflow.rb:112:15:112:15 | 1 | local_dataflow.rb:112:8:112:16 | call to source | position 0 |
| local_dataflow.rb:113:3:113:25 | * | local_dataflow.rb:113:3:113:25 | call to sink | synthetic * |
@@ -1400,7 +1415,9 @@ arg
| local_dataflow.rb:113:8:113:16 | * | local_dataflow.rb:113:8:113:16 | call to source | synthetic * |
| local_dataflow.rb:113:8:113:16 | call to source | local_dataflow.rb:113:8:113:20 | call to dup | self |
| local_dataflow.rb:113:8:113:16 | self | local_dataflow.rb:113:8:113:16 | call to source | self |
| local_dataflow.rb:113:8:113:20 | * | local_dataflow.rb:113:8:113:20 | call to dup | synthetic * |
| local_dataflow.rb:113:8:113:20 | call to dup | local_dataflow.rb:113:8:113:24 | call to dup | self |
| local_dataflow.rb:113:8:113:24 | * | local_dataflow.rb:113:8:113:24 | call to dup | synthetic * |
| local_dataflow.rb:113:8:113:24 | call to dup | local_dataflow.rb:113:3:113:25 | call to sink | position 0 |
| local_dataflow.rb:113:15:113:15 | 1 | local_dataflow.rb:113:8:113:16 | call to source | position 0 |
| local_dataflow.rb:117:3:117:24 | * | local_dataflow.rb:117:3:117:24 | call to sink | synthetic * |
@@ -1408,12 +1425,14 @@ arg
| local_dataflow.rb:117:8:117:16 | * | local_dataflow.rb:117:8:117:16 | call to source | synthetic * |
| local_dataflow.rb:117:8:117:16 | call to source | local_dataflow.rb:117:8:117:23 | call to tap | self |
| local_dataflow.rb:117:8:117:16 | self | local_dataflow.rb:117:8:117:16 | call to source | self |
| local_dataflow.rb:117:8:117:23 | * | local_dataflow.rb:117:8:117:23 | call to tap | synthetic * |
| local_dataflow.rb:117:8:117:23 | call to tap | local_dataflow.rb:117:3:117:24 | call to sink | position 0 |
| local_dataflow.rb:117:15:117:15 | 1 | local_dataflow.rb:117:8:117:16 | call to source | position 0 |
| local_dataflow.rb:117:22:117:23 | { ... } | local_dataflow.rb:117:8:117:23 | call to tap | block |
| local_dataflow.rb:118:3:118:11 | * | local_dataflow.rb:118:3:118:11 | call to source | synthetic * |
| local_dataflow.rb:118:3:118:11 | call to source | local_dataflow.rb:118:3:118:31 | call to tap | self |
| local_dataflow.rb:118:3:118:11 | self | local_dataflow.rb:118:3:118:11 | call to source | self |
| local_dataflow.rb:118:3:118:31 | * | local_dataflow.rb:118:3:118:31 | call to tap | synthetic * |
| local_dataflow.rb:118:10:118:10 | 1 | local_dataflow.rb:118:3:118:11 | call to source | position 0 |
| local_dataflow.rb:118:17:118:31 | { ... } | local_dataflow.rb:118:3:118:31 | call to tap | block |
| local_dataflow.rb:118:23:118:29 | * | local_dataflow.rb:118:23:118:29 | call to sink | synthetic * |
@@ -1424,7 +1443,9 @@ arg
| local_dataflow.rb:119:8:119:16 | * | local_dataflow.rb:119:8:119:16 | call to source | synthetic * |
| local_dataflow.rb:119:8:119:16 | call to source | local_dataflow.rb:119:8:119:23 | call to tap | self |
| local_dataflow.rb:119:8:119:16 | self | local_dataflow.rb:119:8:119:16 | call to source | self |
| local_dataflow.rb:119:8:119:23 | * | local_dataflow.rb:119:8:119:23 | call to tap | synthetic * |
| local_dataflow.rb:119:8:119:23 | call to tap | local_dataflow.rb:119:8:119:30 | call to tap | self |
| local_dataflow.rb:119:8:119:30 | * | local_dataflow.rb:119:8:119:30 | call to tap | synthetic * |
| local_dataflow.rb:119:8:119:30 | call to tap | local_dataflow.rb:119:3:119:31 | call to sink | position 0 |
| local_dataflow.rb:119:15:119:15 | 1 | local_dataflow.rb:119:8:119:16 | call to source | position 0 |
| local_dataflow.rb:119:22:119:23 | { ... } | local_dataflow.rb:119:8:119:23 | call to tap | block |
@@ -1434,14 +1455,18 @@ arg
| local_dataflow.rb:123:8:123:16 | * | local_dataflow.rb:123:8:123:16 | call to source | synthetic * |
| local_dataflow.rb:123:8:123:16 | call to source | local_dataflow.rb:123:8:123:20 | call to dup | self |
| local_dataflow.rb:123:8:123:16 | self | local_dataflow.rb:123:8:123:16 | call to source | self |
| local_dataflow.rb:123:8:123:20 | * | local_dataflow.rb:123:8:123:20 | call to dup | synthetic * |
| local_dataflow.rb:123:8:123:20 | call to dup | local_dataflow.rb:123:8:123:45 | call to tap | self |
| local_dataflow.rb:123:8:123:45 | * | local_dataflow.rb:123:8:123:45 | call to tap | synthetic * |
| local_dataflow.rb:123:8:123:45 | call to tap | local_dataflow.rb:123:8:123:49 | call to dup | self |
| local_dataflow.rb:123:8:123:49 | * | local_dataflow.rb:123:8:123:49 | call to dup | synthetic * |
| local_dataflow.rb:123:8:123:49 | call to dup | local_dataflow.rb:123:3:123:50 | call to sink | position 0 |
| local_dataflow.rb:123:15:123:15 | 1 | local_dataflow.rb:123:8:123:16 | call to source | position 0 |
| local_dataflow.rb:123:26:123:45 | { ... } | local_dataflow.rb:123:8:123:45 | call to tap | block |
| local_dataflow.rb:123:32:123:43 | * | local_dataflow.rb:123:32:123:43 | call to puts | synthetic * |
| local_dataflow.rb:123:32:123:43 | self | local_dataflow.rb:123:32:123:43 | call to puts | self |
| local_dataflow.rb:123:37:123:43 | "hello" | local_dataflow.rb:123:32:123:43 | call to puts | position 0 |
| local_dataflow.rb:127:3:127:8 | * | local_dataflow.rb:127:3:127:8 | call to rand | synthetic * |
| local_dataflow.rb:127:3:127:8 | self | local_dataflow.rb:127:3:127:8 | call to rand | self |
| local_dataflow.rb:132:6:132:11 | * | local_dataflow.rb:132:6:132:11 | call to use | synthetic * |
| local_dataflow.rb:132:6:132:11 | self | local_dataflow.rb:132:6:132:11 | call to use | self |
@@ -1471,6 +1496,8 @@ arg
| local_dataflow.rb:137:10:137:26 | * | local_dataflow.rb:137:10:137:26 | [false] ... && ... | synthetic * |
| local_dataflow.rb:137:10:137:26 | * | local_dataflow.rb:137:10:137:26 | [true] ... && ... | synthetic * |
| local_dataflow.rb:137:14:137:14 | x | local_dataflow.rb:137:10:137:15 | call to use | position 0 |
| local_dataflow.rb:137:20:137:26 | * | local_dataflow.rb:137:20:137:26 | [false] ! ... | synthetic * |
| local_dataflow.rb:137:20:137:26 | * | local_dataflow.rb:137:20:137:26 | [true] ! ... | synthetic * |
| local_dataflow.rb:137:20:137:26 | [false] ! ... | local_dataflow.rb:137:10:137:26 | [false] ... && ... | position 0 |
| local_dataflow.rb:137:20:137:26 | [true] ! ... | local_dataflow.rb:137:10:137:26 | [true] ... && ... | position 0 |
| local_dataflow.rb:137:21:137:26 | * | local_dataflow.rb:137:21:137:26 | call to use | synthetic * |
@@ -1478,6 +1505,8 @@ arg
| local_dataflow.rb:137:21:137:26 | call to use | local_dataflow.rb:137:20:137:26 | [true] ! ... | self |
| local_dataflow.rb:137:21:137:26 | self | local_dataflow.rb:137:21:137:26 | call to use | self |
| local_dataflow.rb:137:25:137:25 | x | local_dataflow.rb:137:21:137:26 | call to use | position 0 |
| local_dataflow.rb:141:8:141:14 | * | local_dataflow.rb:141:8:141:14 | [false] ! ... | synthetic * |
| local_dataflow.rb:141:8:141:14 | * | local_dataflow.rb:141:8:141:14 | [true] ! ... | synthetic * |
| local_dataflow.rb:141:8:141:14 | [false] ! ... | local_dataflow.rb:141:8:141:37 | [false] ... \|\| ... | self |
| local_dataflow.rb:141:8:141:14 | [false] ! ... | local_dataflow.rb:141:8:141:37 | [true] ... \|\| ... | self |
| local_dataflow.rb:141:8:141:14 | [true] ! ... | local_dataflow.rb:141:8:141:37 | [true] ... \|\| ... | self |
@@ -1497,6 +1526,8 @@ arg
| local_dataflow.rb:141:20:141:36 | * | local_dataflow.rb:141:20:141:36 | [false] ... && ... | synthetic * |
| local_dataflow.rb:141:20:141:36 | * | local_dataflow.rb:141:20:141:36 | [true] ... && ... | synthetic * |
| local_dataflow.rb:141:24:141:24 | x | local_dataflow.rb:141:20:141:25 | call to use | position 0 |
| local_dataflow.rb:141:30:141:36 | * | local_dataflow.rb:141:30:141:36 | [false] ! ... | synthetic * |
| local_dataflow.rb:141:30:141:36 | * | local_dataflow.rb:141:30:141:36 | [true] ! ... | synthetic * |
| local_dataflow.rb:141:30:141:36 | [false] ! ... | local_dataflow.rb:141:20:141:36 | [false] ... && ... | position 0 |
| local_dataflow.rb:141:30:141:36 | [true] ! ... | local_dataflow.rb:141:20:141:36 | [true] ... && ... | position 0 |
| local_dataflow.rb:141:31:141:36 | * | local_dataflow.rb:141:31:141:36 | call to use | synthetic * |



@@ -40,7 +40,12 @@ edges
| params_flow.rb:41:13:41:21 | call to taint | params_flow.rb:16:18:16:19 | p2 |
| params_flow.rb:41:24:41:29 | ** ... [element :p1] | params_flow.rb:16:13:16:14 | p1 |
| params_flow.rb:41:26:41:29 | args [element :p1] | params_flow.rb:41:24:41:29 | ** ... [element :p1] |
| params_flow.rb:43:1:43:4 | args [element 0] | params_flow.rb:44:24:44:27 | args [element 0] |
| params_flow.rb:43:9:43:17 | call to taint | params_flow.rb:43:1:43:4 | args [element 0] |
| params_flow.rb:44:1:44:28 | *[1] | params_flow.rb:9:20:9:21 | p2 |
| params_flow.rb:44:12:44:20 | call to taint | params_flow.rb:9:16:9:17 | p1 |
| params_flow.rb:44:23:44:27 | * ... [element 0] | params_flow.rb:44:1:44:28 | *[1] |
| params_flow.rb:44:24:44:27 | args [element 0] | params_flow.rb:44:23:44:27 | * ... [element 0] |
| params_flow.rb:46:1:46:4 | args [element 0] | params_flow.rb:47:13:47:16 | args [element 0] |
| params_flow.rb:46:1:46:4 | args [element 1] | params_flow.rb:47:13:47:16 | args [element 1] |
| params_flow.rb:46:9:46:17 | call to taint | params_flow.rb:46:1:46:4 | args [element 0] |
@@ -57,13 +62,19 @@ edges
| params_flow.rb:55:20:55:28 | call to taint | params_flow.rb:49:17:49:24 | *posargs [element 0] |
| params_flow.rb:57:1:57:4 | args [element 0] | params_flow.rb:58:21:58:24 | args [element 0] |
| params_flow.rb:57:9:57:17 | call to taint | params_flow.rb:57:1:57:4 | args [element 0] |
| params_flow.rb:58:1:58:25 | *[1] | params_flow.rb:49:17:49:24 | *posargs [element 0] |
| params_flow.rb:58:9:58:17 | call to taint | params_flow.rb:49:13:49:14 | p1 |
| params_flow.rb:58:20:58:24 | * ... [element 0] | params_flow.rb:49:17:49:24 | *posargs [element 0] |
| params_flow.rb:58:20:58:24 | * ... [element 0] | params_flow.rb:58:1:58:25 | *[1] |
| params_flow.rb:58:21:58:24 | args [element 0] | params_flow.rb:58:20:58:24 | * ... [element 0] |
| params_flow.rb:60:1:60:4 | args [element 0] | params_flow.rb:61:10:61:13 | args [element 0] |
| params_flow.rb:60:1:60:4 | args [element 1] | params_flow.rb:61:10:61:13 | args [element 1] |
| params_flow.rb:60:9:60:17 | call to taint | params_flow.rb:60:1:60:4 | args [element 0] |
| params_flow.rb:60:20:60:28 | call to taint | params_flow.rb:60:1:60:4 | args [element 1] |
| params_flow.rb:61:9:61:13 | * ... [element 0] | params_flow.rb:49:13:49:14 | p1 |
| params_flow.rb:61:9:61:13 | * ... [element 1] | params_flow.rb:49:17:49:24 | *posargs [element 0] |
| params_flow.rb:61:10:61:13 | args [element 0] | params_flow.rb:61:9:61:13 | * ... [element 0] |
| params_flow.rb:61:10:61:13 | args [element 1] | params_flow.rb:61:9:61:13 | * ... [element 1] |
| params_flow.rb:63:1:63:4 | args | params_flow.rb:67:13:67:16 | args |
| params_flow.rb:63:8:63:16 | call to taint | params_flow.rb:63:1:63:4 | args |
| params_flow.rb:64:16:64:17 | *x [element 0] | params_flow.rb:65:10:65:10 | x [element 0] |
@@ -78,20 +89,67 @@ edges
| params_flow.rb:78:21:78:29 | call to taint | params_flow.rb:69:17:69:17 | y |
| params_flow.rb:78:43:78:51 | call to taint | params_flow.rb:69:24:69:24 | w |
| params_flow.rb:78:54:78:62 | call to taint | params_flow.rb:69:27:69:27 | r |
| params_flow.rb:80:1:80:4 | args [element 0] | params_flow.rb:81:22:81:25 | args [element 0] |
| params_flow.rb:80:1:80:4 | args [element 2] | params_flow.rb:81:22:81:25 | args [element 2] |
| params_flow.rb:80:1:80:4 | args [element 3] | params_flow.rb:81:22:81:25 | args [element 3] |
| params_flow.rb:80:9:80:17 | call to taint | params_flow.rb:80:1:80:4 | args [element 0] |
| params_flow.rb:80:31:80:39 | call to taint | params_flow.rb:80:1:80:4 | args [element 2] |
| params_flow.rb:80:42:80:50 | call to taint | params_flow.rb:80:1:80:4 | args [element 3] |
| params_flow.rb:81:1:81:37 | *[1] | params_flow.rb:69:17:69:17 | y |
| params_flow.rb:81:1:81:37 | *[3] | params_flow.rb:69:24:69:24 | w |
| params_flow.rb:81:1:81:37 | *[4] | params_flow.rb:69:27:69:27 | r |
| params_flow.rb:81:10:81:18 | call to taint | params_flow.rb:69:14:69:14 | x |
| params_flow.rb:81:21:81:25 | * ... [element 0] | params_flow.rb:81:1:81:37 | *[1] |
| params_flow.rb:81:21:81:25 | * ... [element 2] | params_flow.rb:81:1:81:37 | *[3] |
| params_flow.rb:81:21:81:25 | * ... [element 3] | params_flow.rb:81:1:81:37 | *[4] |
| params_flow.rb:81:22:81:25 | args [element 0] | params_flow.rb:81:21:81:25 | * ... [element 0] |
| params_flow.rb:81:22:81:25 | args [element 2] | params_flow.rb:81:21:81:25 | * ... [element 2] |
| params_flow.rb:81:22:81:25 | args [element 3] | params_flow.rb:81:21:81:25 | * ... [element 3] |
| params_flow.rb:83:14:83:14 | t | params_flow.rb:84:10:84:10 | t |
| params_flow.rb:83:17:83:17 | u | params_flow.rb:85:10:85:10 | u |
| params_flow.rb:83:20:83:20 | v | params_flow.rb:86:10:86:10 | v |
| params_flow.rb:83:23:83:23 | w | params_flow.rb:87:10:87:10 | w |
| params_flow.rb:83:26:83:26 | x | params_flow.rb:88:10:88:10 | x |
| params_flow.rb:83:29:83:29 | y | params_flow.rb:89:10:89:10 | y |
| params_flow.rb:93:1:93:4 | args [element 0] | params_flow.rb:94:33:94:36 | args [element 0] |
| params_flow.rb:93:1:93:4 | args [element 1] | params_flow.rb:94:33:94:36 | args [element 1] |
| params_flow.rb:93:1:93:4 | args [element 2] | params_flow.rb:94:33:94:36 | args [element 2] |
| params_flow.rb:93:1:93:4 | args [element 3] | params_flow.rb:94:33:94:36 | args [element 3] |
| params_flow.rb:93:9:93:17 | call to taint | params_flow.rb:93:1:93:4 | args [element 0] |
| params_flow.rb:93:20:93:28 | call to taint | params_flow.rb:93:1:93:4 | args [element 1] |
| params_flow.rb:93:31:93:39 | call to taint | params_flow.rb:93:1:93:4 | args [element 2] |
| params_flow.rb:93:42:93:50 | call to taint | params_flow.rb:93:1:93:4 | args [element 3] |
| params_flow.rb:94:1:94:48 | *[2] | params_flow.rb:83:20:83:20 | v |
| params_flow.rb:94:1:94:48 | *[3] | params_flow.rb:83:23:83:23 | w |
| params_flow.rb:94:1:94:48 | *[4] | params_flow.rb:83:26:83:26 | x |
| params_flow.rb:94:1:94:48 | *[5] | params_flow.rb:83:29:83:29 | y |
| params_flow.rb:94:10:94:18 | call to taint | params_flow.rb:83:14:83:14 | t |
| params_flow.rb:94:21:94:29 | call to taint | params_flow.rb:83:17:83:17 | u |
| params_flow.rb:94:32:94:36 | * ... [element 0] | params_flow.rb:94:1:94:48 | *[2] |
| params_flow.rb:94:32:94:36 | * ... [element 1] | params_flow.rb:94:1:94:48 | *[3] |
| params_flow.rb:94:32:94:36 | * ... [element 2] | params_flow.rb:94:1:94:48 | *[4] |
| params_flow.rb:94:32:94:36 | * ... [element 3] | params_flow.rb:94:1:94:48 | *[5] |
| params_flow.rb:94:33:94:36 | args [element 0] | params_flow.rb:94:32:94:36 | * ... [element 0] |
| params_flow.rb:94:33:94:36 | args [element 1] | params_flow.rb:94:32:94:36 | * ... [element 1] |
| params_flow.rb:94:33:94:36 | args [element 2] | params_flow.rb:94:32:94:36 | * ... [element 2] |
| params_flow.rb:94:33:94:36 | args [element 3] | params_flow.rb:94:32:94:36 | * ... [element 3] |
| params_flow.rb:94:39:94:47 | call to taint | params_flow.rb:83:23:83:23 | w |
| params_flow.rb:96:1:96:88 | *[3] | params_flow.rb:69:24:69:24 | w |
| params_flow.rb:96:1:96:88 | *[4] | params_flow.rb:69:27:69:27 | r |
| params_flow.rb:96:10:96:18 | call to taint | params_flow.rb:69:14:69:14 | x |
| params_flow.rb:96:21:96:29 | call to taint | params_flow.rb:69:17:69:17 | y |
| params_flow.rb:96:32:96:65 | * ... [element 1] | params_flow.rb:96:1:96:88 | *[3] |
| params_flow.rb:96:32:96:65 | * ... [element 2] | params_flow.rb:96:1:96:88 | *[4] |
| params_flow.rb:96:45:96:53 | call to taint | params_flow.rb:96:32:96:65 | * ... [element 1] |
| params_flow.rb:96:56:96:64 | call to taint | params_flow.rb:96:32:96:65 | * ... [element 2] |
| params_flow.rb:96:68:96:76 | call to taint | params_flow.rb:69:24:69:24 | w |
| params_flow.rb:96:79:96:87 | call to taint | params_flow.rb:69:27:69:27 | r |
| params_flow.rb:98:19:98:19 | a | params_flow.rb:99:10:99:10 | a |
| params_flow.rb:98:31:98:31 | b | params_flow.rb:102:10:102:10 | b |
| params_flow.rb:105:1:105:49 | *[2] | params_flow.rb:98:31:98:31 | b |
| params_flow.rb:105:15:105:23 | call to taint | params_flow.rb:98:19:98:19 | a |
| params_flow.rb:105:26:105:48 | * ... [element 1] | params_flow.rb:105:1:105:49 | *[2] |
| params_flow.rb:105:39:105:47 | call to taint | params_flow.rb:105:26:105:48 | * ... [element 1] |
| params_flow.rb:106:15:106:23 | call to taint | params_flow.rb:98:19:98:19 | a |
| params_flow.rb:106:37:106:45 | call to taint | params_flow.rb:98:31:98:31 | b |
| params_flow.rb:108:37:108:37 | a | params_flow.rb:109:10:109:10 | a |
@@ -167,7 +225,12 @@ nodes
| params_flow.rb:41:13:41:21 | call to taint | semmle.label | call to taint |
| params_flow.rb:41:24:41:29 | ** ... [element :p1] | semmle.label | ** ... [element :p1] |
| params_flow.rb:41:26:41:29 | args [element :p1] | semmle.label | args [element :p1] |
| params_flow.rb:43:1:43:4 | args [element 0] | semmle.label | args [element 0] |
| params_flow.rb:43:9:43:17 | call to taint | semmle.label | call to taint |
| params_flow.rb:44:1:44:28 | *[1] | semmle.label | *[1] |
| params_flow.rb:44:12:44:20 | call to taint | semmle.label | call to taint |
| params_flow.rb:44:23:44:27 | * ... [element 0] | semmle.label | * ... [element 0] |
| params_flow.rb:44:24:44:27 | args [element 0] | semmle.label | args [element 0] |
| params_flow.rb:46:1:46:4 | args [element 0] | semmle.label | args [element 0] |
| params_flow.rb:46:1:46:4 | args [element 1] | semmle.label | args [element 1] |
| params_flow.rb:46:9:46:17 | call to taint | semmle.label | call to taint |
@@ -186,13 +249,18 @@ nodes
| params_flow.rb:55:20:55:28 | call to taint | semmle.label | call to taint |
| params_flow.rb:57:1:57:4 | args [element 0] | semmle.label | args [element 0] |
| params_flow.rb:57:9:57:17 | call to taint | semmle.label | call to taint |
| params_flow.rb:58:1:58:25 | *[1] | semmle.label | *[1] |
| params_flow.rb:58:9:58:17 | call to taint | semmle.label | call to taint |
| params_flow.rb:58:20:58:24 | * ... [element 0] | semmle.label | * ... [element 0] |
| params_flow.rb:58:21:58:24 | args [element 0] | semmle.label | args [element 0] |
| params_flow.rb:60:1:60:4 | args [element 0] | semmle.label | args [element 0] |
| params_flow.rb:60:1:60:4 | args [element 1] | semmle.label | args [element 1] |
| params_flow.rb:60:9:60:17 | call to taint | semmle.label | call to taint |
| params_flow.rb:60:20:60:28 | call to taint | semmle.label | call to taint |
| params_flow.rb:61:9:61:13 | * ... [element 0] | semmle.label | * ... [element 0] |
| params_flow.rb:61:9:61:13 | * ... [element 1] | semmle.label | * ... [element 1] |
| params_flow.rb:61:10:61:13 | args [element 0] | semmle.label | args [element 0] |
| params_flow.rb:61:10:61:13 | args [element 1] | semmle.label | args [element 1] |
| params_flow.rb:63:1:63:4 | args | semmle.label | args |
| params_flow.rb:63:8:63:16 | call to taint | semmle.label | call to taint |
| params_flow.rb:64:16:64:17 | *x [element 0] | semmle.label | *x [element 0] |
@@ -212,25 +280,75 @@ nodes
| params_flow.rb:78:21:78:29 | call to taint | semmle.label | call to taint |
| params_flow.rb:78:43:78:51 | call to taint | semmle.label | call to taint |
| params_flow.rb:78:54:78:62 | call to taint | semmle.label | call to taint |
| params_flow.rb:80:1:80:4 | args [element 0] | semmle.label | args [element 0] |
| params_flow.rb:80:1:80:4 | args [element 2] | semmle.label | args [element 2] |
| params_flow.rb:80:1:80:4 | args [element 3] | semmle.label | args [element 3] |
| params_flow.rb:80:9:80:17 | call to taint | semmle.label | call to taint |
| params_flow.rb:80:31:80:39 | call to taint | semmle.label | call to taint |
| params_flow.rb:80:42:80:50 | call to taint | semmle.label | call to taint |
| params_flow.rb:81:1:81:37 | *[1] | semmle.label | *[1] |
| params_flow.rb:81:1:81:37 | *[3] | semmle.label | *[3] |
| params_flow.rb:81:1:81:37 | *[4] | semmle.label | *[4] |
| params_flow.rb:81:10:81:18 | call to taint | semmle.label | call to taint |
| params_flow.rb:81:21:81:25 | * ... [element 0] | semmle.label | * ... [element 0] |
| params_flow.rb:81:21:81:25 | * ... [element 2] | semmle.label | * ... [element 2] |
| params_flow.rb:81:21:81:25 | * ... [element 3] | semmle.label | * ... [element 3] |
| params_flow.rb:81:22:81:25 | args [element 0] | semmle.label | args [element 0] |
| params_flow.rb:81:22:81:25 | args [element 2] | semmle.label | args [element 2] |
| params_flow.rb:81:22:81:25 | args [element 3] | semmle.label | args [element 3] |
| params_flow.rb:83:14:83:14 | t | semmle.label | t |
| params_flow.rb:83:17:83:17 | u | semmle.label | u |
| params_flow.rb:83:20:83:20 | v | semmle.label | v |
| params_flow.rb:83:23:83:23 | w | semmle.label | w |
| params_flow.rb:83:26:83:26 | x | semmle.label | x |
| params_flow.rb:83:29:83:29 | y | semmle.label | y |
| params_flow.rb:84:10:84:10 | t | semmle.label | t |
| params_flow.rb:85:10:85:10 | u | semmle.label | u |
| params_flow.rb:86:10:86:10 | v | semmle.label | v |
| params_flow.rb:87:10:87:10 | w | semmle.label | w |
| params_flow.rb:88:10:88:10 | x | semmle.label | x |
| params_flow.rb:89:10:89:10 | y | semmle.label | y |
| params_flow.rb:93:1:93:4 | args [element 0] | semmle.label | args [element 0] |
| params_flow.rb:93:1:93:4 | args [element 1] | semmle.label | args [element 1] |
| params_flow.rb:93:1:93:4 | args [element 2] | semmle.label | args [element 2] |
| params_flow.rb:93:1:93:4 | args [element 3] | semmle.label | args [element 3] |
| params_flow.rb:93:9:93:17 | call to taint | semmle.label | call to taint |
| params_flow.rb:93:20:93:28 | call to taint | semmle.label | call to taint |
| params_flow.rb:93:31:93:39 | call to taint | semmle.label | call to taint |
| params_flow.rb:93:42:93:50 | call to taint | semmle.label | call to taint |
| params_flow.rb:94:1:94:48 | *[2] | semmle.label | *[2] |
| params_flow.rb:94:1:94:48 | *[3] | semmle.label | *[3] |
| params_flow.rb:94:1:94:48 | *[4] | semmle.label | *[4] |
| params_flow.rb:94:1:94:48 | *[5] | semmle.label | *[5] |
| params_flow.rb:94:10:94:18 | call to taint | semmle.label | call to taint |
| params_flow.rb:94:21:94:29 | call to taint | semmle.label | call to taint |
| params_flow.rb:94:32:94:36 | * ... [element 0] | semmle.label | * ... [element 0] |
| params_flow.rb:94:32:94:36 | * ... [element 1] | semmle.label | * ... [element 1] |
| params_flow.rb:94:32:94:36 | * ... [element 2] | semmle.label | * ... [element 2] |
| params_flow.rb:94:32:94:36 | * ... [element 3] | semmle.label | * ... [element 3] |
| params_flow.rb:94:33:94:36 | args [element 0] | semmle.label | args [element 0] |
| params_flow.rb:94:33:94:36 | args [element 1] | semmle.label | args [element 1] |
| params_flow.rb:94:33:94:36 | args [element 2] | semmle.label | args [element 2] |
| params_flow.rb:94:33:94:36 | args [element 3] | semmle.label | args [element 3] |
| params_flow.rb:94:39:94:47 | call to taint | semmle.label | call to taint |
| params_flow.rb:96:1:96:88 | *[3] | semmle.label | *[3] |
| params_flow.rb:96:1:96:88 | *[4] | semmle.label | *[4] |
| params_flow.rb:96:10:96:18 | call to taint | semmle.label | call to taint |
| params_flow.rb:96:21:96:29 | call to taint | semmle.label | call to taint |
| params_flow.rb:96:32:96:65 | * ... [element 1] | semmle.label | * ... [element 1] |
| params_flow.rb:96:32:96:65 | * ... [element 2] | semmle.label | * ... [element 2] |
| params_flow.rb:96:45:96:53 | call to taint | semmle.label | call to taint |
| params_flow.rb:96:56:96:64 | call to taint | semmle.label | call to taint |
| params_flow.rb:96:68:96:76 | call to taint | semmle.label | call to taint |
| params_flow.rb:96:79:96:87 | call to taint | semmle.label | call to taint |
| params_flow.rb:98:19:98:19 | a | semmle.label | a |
| params_flow.rb:98:31:98:31 | b | semmle.label | b |
| params_flow.rb:99:10:99:10 | a | semmle.label | a |
| params_flow.rb:102:10:102:10 | b | semmle.label | b |
| params_flow.rb:105:1:105:49 | *[2] | semmle.label | *[2] |
| params_flow.rb:105:15:105:23 | call to taint | semmle.label | call to taint |
| params_flow.rb:105:26:105:48 | * ... [element 1] | semmle.label | * ... [element 1] |
| params_flow.rb:105:39:105:47 | call to taint | semmle.label | call to taint |
| params_flow.rb:106:15:106:23 | call to taint | semmle.label | call to taint |
| params_flow.rb:106:37:106:45 | call to taint | semmle.label | call to taint |
| params_flow.rb:108:37:108:37 | a | semmle.label | a |
@@ -268,6 +386,7 @@ subpaths
| params_flow.rb:10:10:10:11 | p1 | params_flow.rb:46:9:46:17 | call to taint | params_flow.rb:10:10:10:11 | p1 | $@ | params_flow.rb:46:9:46:17 | call to taint | call to taint |
| params_flow.rb:10:10:10:11 | p1 | params_flow.rb:117:19:117:27 | call to taint | params_flow.rb:10:10:10:11 | p1 | $@ | params_flow.rb:117:19:117:27 | call to taint | call to taint |
| params_flow.rb:11:10:11:11 | p2 | params_flow.rb:14:22:14:29 | call to taint | params_flow.rb:11:10:11:11 | p2 | $@ | params_flow.rb:14:22:14:29 | call to taint | call to taint |
| params_flow.rb:11:10:11:11 | p2 | params_flow.rb:43:9:43:17 | call to taint | params_flow.rb:11:10:11:11 | p2 | $@ | params_flow.rb:43:9:43:17 | call to taint | call to taint |
| params_flow.rb:11:10:11:11 | p2 | params_flow.rb:46:20:46:28 | call to taint | params_flow.rb:11:10:11:11 | p2 | $@ | params_flow.rb:46:20:46:28 | call to taint | call to taint |
| params_flow.rb:11:10:11:11 | p2 | params_flow.rb:117:19:117:27 | call to taint | params_flow.rb:11:10:11:11 | p2 | $@ | params_flow.rb:117:19:117:27 | call to taint | call to taint |
| params_flow.rb:17:10:17:11 | p1 | params_flow.rb:21:13:21:20 | call to taint | params_flow.rb:17:10:17:11 | p1 | $@ | params_flow.rb:21:13:21:20 | call to taint | call to taint |
@@ -290,24 +409,35 @@ subpaths
| params_flow.rb:50:10:50:11 | p1 | params_flow.rb:60:9:60:17 | call to taint | params_flow.rb:50:10:50:11 | p1 | $@ | params_flow.rb:60:9:60:17 | call to taint | call to taint |
| params_flow.rb:51:10:51:21 | ( ... ) | params_flow.rb:55:20:55:28 | call to taint | params_flow.rb:51:10:51:21 | ( ... ) | $@ | params_flow.rb:55:20:55:28 | call to taint | call to taint |
| params_flow.rb:51:10:51:21 | ( ... ) | params_flow.rb:57:9:57:17 | call to taint | params_flow.rb:51:10:51:21 | ( ... ) | $@ | params_flow.rb:57:9:57:17 | call to taint | call to taint |
| params_flow.rb:51:10:51:21 | ( ... ) | params_flow.rb:60:20:60:28 | call to taint | params_flow.rb:51:10:51:21 | ( ... ) | $@ | params_flow.rb:60:20:60:28 | call to taint | call to taint |
| params_flow.rb:65:10:65:13 | ...[...] | params_flow.rb:63:8:63:16 | call to taint | params_flow.rb:65:10:65:13 | ...[...] | $@ | params_flow.rb:63:8:63:16 | call to taint | call to taint |
| params_flow.rb:70:10:70:10 | x | params_flow.rb:78:10:78:18 | call to taint | params_flow.rb:70:10:70:10 | x | $@ | params_flow.rb:78:10:78:18 | call to taint | call to taint |
| params_flow.rb:70:10:70:10 | x | params_flow.rb:81:10:81:18 | call to taint | params_flow.rb:70:10:70:10 | x | $@ | params_flow.rb:81:10:81:18 | call to taint | call to taint |
| params_flow.rb:70:10:70:10 | x | params_flow.rb:96:10:96:18 | call to taint | params_flow.rb:70:10:70:10 | x | $@ | params_flow.rb:96:10:96:18 | call to taint | call to taint |
| params_flow.rb:71:10:71:10 | y | params_flow.rb:78:21:78:29 | call to taint | params_flow.rb:71:10:71:10 | y | $@ | params_flow.rb:78:21:78:29 | call to taint | call to taint |
| params_flow.rb:71:10:71:10 | y | params_flow.rb:80:9:80:17 | call to taint | params_flow.rb:71:10:71:10 | y | $@ | params_flow.rb:80:9:80:17 | call to taint | call to taint |
| params_flow.rb:71:10:71:10 | y | params_flow.rb:96:21:96:29 | call to taint | params_flow.rb:71:10:71:10 | y | $@ | params_flow.rb:96:21:96:29 | call to taint | call to taint |
| params_flow.rb:74:10:74:10 | w | params_flow.rb:78:43:78:51 | call to taint | params_flow.rb:74:10:74:10 | w | $@ | params_flow.rb:78:43:78:51 | call to taint | call to taint |
| params_flow.rb:74:10:74:10 | w | params_flow.rb:80:31:80:39 | call to taint | params_flow.rb:74:10:74:10 | w | $@ | params_flow.rb:80:31:80:39 | call to taint | call to taint |
| params_flow.rb:74:10:74:10 | w | params_flow.rb:96:45:96:53 | call to taint | params_flow.rb:74:10:74:10 | w | $@ | params_flow.rb:96:45:96:53 | call to taint | call to taint |
| params_flow.rb:74:10:74:10 | w | params_flow.rb:96:68:96:76 | call to taint | params_flow.rb:74:10:74:10 | w | $@ | params_flow.rb:96:68:96:76 | call to taint | call to taint |
| params_flow.rb:75:10:75:10 | r | params_flow.rb:78:54:78:62 | call to taint | params_flow.rb:75:10:75:10 | r | $@ | params_flow.rb:78:54:78:62 | call to taint | call to taint |
| params_flow.rb:75:10:75:10 | r | params_flow.rb:80:42:80:50 | call to taint | params_flow.rb:75:10:75:10 | r | $@ | params_flow.rb:80:42:80:50 | call to taint | call to taint |
| params_flow.rb:75:10:75:10 | r | params_flow.rb:96:56:96:64 | call to taint | params_flow.rb:75:10:75:10 | r | $@ | params_flow.rb:96:56:96:64 | call to taint | call to taint |
| params_flow.rb:75:10:75:10 | r | params_flow.rb:96:79:96:87 | call to taint | params_flow.rb:75:10:75:10 | r | $@ | params_flow.rb:96:79:96:87 | call to taint | call to taint |
| params_flow.rb:84:10:84:10 | t | params_flow.rb:94:10:94:18 | call to taint | params_flow.rb:84:10:84:10 | t | $@ | params_flow.rb:94:10:94:18 | call to taint | call to taint |
| params_flow.rb:84:10:84:10 | t | params_flow.rb:130:9:130:17 | call to taint | params_flow.rb:84:10:84:10 | t | $@ | params_flow.rb:130:9:130:17 | call to taint | call to taint |
| params_flow.rb:85:10:85:10 | u | params_flow.rb:94:21:94:29 | call to taint | params_flow.rb:85:10:85:10 | u | $@ | params_flow.rb:94:21:94:29 | call to taint | call to taint |
| params_flow.rb:85:10:85:10 | u | params_flow.rb:130:20:130:28 | call to taint | params_flow.rb:85:10:85:10 | u | $@ | params_flow.rb:130:20:130:28 | call to taint | call to taint |
| params_flow.rb:85:10:85:10 | u | params_flow.rb:131:17:131:25 | call to taint | params_flow.rb:85:10:85:10 | u | $@ | params_flow.rb:131:17:131:25 | call to taint | call to taint |
| params_flow.rb:86:10:86:10 | v | params_flow.rb:93:9:93:17 | call to taint | params_flow.rb:86:10:86:10 | v | $@ | params_flow.rb:93:9:93:17 | call to taint | call to taint |
| params_flow.rb:87:10:87:10 | w | params_flow.rb:93:20:93:28 | call to taint | params_flow.rb:87:10:87:10 | w | $@ | params_flow.rb:93:20:93:28 | call to taint | call to taint |
| params_flow.rb:87:10:87:10 | w | params_flow.rb:94:39:94:47 | call to taint | params_flow.rb:87:10:87:10 | w | $@ | params_flow.rb:94:39:94:47 | call to taint | call to taint |
| params_flow.rb:88:10:88:10 | x | params_flow.rb:93:31:93:39 | call to taint | params_flow.rb:88:10:88:10 | x | $@ | params_flow.rb:93:31:93:39 | call to taint | call to taint |
| params_flow.rb:89:10:89:10 | y | params_flow.rb:93:42:93:50 | call to taint | params_flow.rb:89:10:89:10 | y | $@ | params_flow.rb:93:42:93:50 | call to taint | call to taint |
| params_flow.rb:99:10:99:10 | a | params_flow.rb:105:15:105:23 | call to taint | params_flow.rb:99:10:99:10 | a | $@ | params_flow.rb:105:15:105:23 | call to taint | call to taint |
| params_flow.rb:99:10:99:10 | a | params_flow.rb:106:15:106:23 | call to taint | params_flow.rb:99:10:99:10 | a | $@ | params_flow.rb:106:15:106:23 | call to taint | call to taint |
| params_flow.rb:102:10:102:10 | b | params_flow.rb:105:39:105:47 | call to taint | params_flow.rb:102:10:102:10 | b | $@ | params_flow.rb:105:39:105:47 | call to taint | call to taint |
| params_flow.rb:102:10:102:10 | b | params_flow.rb:106:37:106:45 | call to taint | params_flow.rb:102:10:102:10 | b | $@ | params_flow.rb:106:37:106:45 | call to taint | call to taint |
| params_flow.rb:109:10:109:10 | a | params_flow.rb:114:33:114:41 | call to taint | params_flow.rb:109:10:109:10 | a | $@ | params_flow.rb:114:33:114:41 | call to taint | call to taint |
| params_flow.rb:110:10:110:13 | ...[...] | params_flow.rb:114:44:114:52 | call to taint | params_flow.rb:110:10:110:13 | ...[...] | $@ | params_flow.rb:114:44:114:52 | call to taint | call to taint |


@@ -8,7 +8,7 @@ end
def positional(p1, p2)
sink p1 # $ hasValueFlow=1 $ hasValueFlow=16 $ hasValueFlow=18 $ hasValueFlow=61
sink p2 # $ hasValueFlow=2 $ hasValueFlow=19 $ hasValueFlow=61 $ MISSING: hasValueFlow=17
sink p2 # $ hasValueFlow=2 $ hasValueFlow=19 $ hasValueFlow=61 $ hasValueFlow=17
end
positional(taint(1), taint(2))
@@ -48,7 +48,7 @@ positional(*args)
def posargs(p1, *posargs)
sink p1 # $ hasValueFlow=20 $ hasValueFlow=23 $ hasValueFlow=24
sink (posargs[0]) # $ hasValueFlow=22 $ hasValueFlow=21 $ MISSING: hasValueFlow=25
sink (posargs[0]) # $ hasValueFlow=22 $ hasValueFlow=21 $ hasValueFlow=25
sink (posargs[1])
end
@@ -68,11 +68,11 @@ splatstuff(*args)
def splatmid(x, y, *z, w, r)
sink x # $ hasValueFlow=27 $ hasValueFlow=32 $ hasValueFlow=45
sink y # $ hasValueFlow=28 $ hasValueFlow=46 $ MISSING: hasValueFlow=33
sink y # $ hasValueFlow=28 $ hasValueFlow=46 $ hasValueFlow=33
sink z[0] # MISSING: $ hasValueFlow=47 $ hasValueFlow=29 $ hasValueFlow=34
sink z[1] # $ MISSING: hasValueFlow=48 $ hasValueFlow=35
sink w # $ hasValueFlow=30 $ hasValueFlow=50 $ MISSING: hasValueFlow=36
sink r # $ hasValueFlow=31 $ hasValueFlow=51 $ MISSING: hasValueFlow=37
sink w # $ hasValueFlow=30 $ hasValueFlow=50 $ MISSING: hasValueFlow=36 $ SPURIOUS: hasValueFlow=35 $ hasValueFlow=48
sink r # $ hasValueFlow=31 $ hasValueFlow=51 $ MISSING: hasValueFlow=37 $ SPURIOUS: hasValueFlow=36 $ hasValueFlow=49
end
splatmid(taint(27), taint(28), taint(29), taint(30), taint(31))
@@ -83,10 +83,10 @@ splatmid(taint(32), *args, taint(37))
def pos_many(t, u, v, w, x, y, z)
sink t # $ hasValueFlow=38 $ hasValueFlow=66
sink u # $ hasValueFlow=39 $ hasValueFlow=67 $ SPURIOUS: hasValueFlow=68
sink v # $ MISSING: hasValueFlow=40
sink w # $ MISSING: hasValueFlow=41 $ SPURIOUS: hasValueFlow=44
sink x # $ MISSING: hasValueFlow=42
sink y # $ MISSING: hasValueFlow=43
sink v # $ hasValueFlow=40
sink w # $ hasValueFlow=41 $ SPURIOUS: hasValueFlow=44
sink x # $ hasValueFlow=42
sink y # $ hasValueFlow=43
sink z # $ MISSING: hasValueFlow=44
end
@@ -98,8 +98,8 @@ splatmid(taint(45), taint(46), *[taint(47), taint(48), taint(49)], taint(50), ta
def splatmidsmall(a, *splats, b)
sink a # $ hasValueFlow=52 $ hasValueFlow=55
sink splats[0] # $ MISSING: hasValueFlow=53
sink splats[1] # $ MISSING: hasValueFlow=54
sink b # $ hasValueFlow=57
sink splats[1]
sink b # $ hasValueFlow=57 $ hasValueFlow=54
end
splatmidsmall(taint(52), *[taint(53), taint(54)])
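Review bot: The new expectations on `sink w` and `sink r` in `splatmid` accept false-positive flows (`SPURIOUS: hasValueFlow=35` and `SPURIOUS: hasValueFlow=36`) while the real flows 36 and 37 stay `MISSING` on the same lines. The accompanying expected edges send `*[3]` to `w` and `*[4]` to `r`, which suggests that elements of the synthetic splat are matched by index counted from the front even though `w` and `r` follow the `*z` parameter. For a taint analysis that is both a dropped flow and a misattributed one at the same sink. It is also hard to tell whether `hasValueFlow=48` and `hasValueFlow=49`, which follow the `SPURIOUS:` marker, are meant as spurious; the call `splatmid(taint(45), taint(46), *[taint(47), taint(48), taint(49)], taint(50), taint(51))` would bind them to `z`. I would document this above the two lines, for example `# Known imprecision: arguments after a mid-list splat parameter are matched by front index (tracked in <ISSUE-ID placeholder>)`, so the accepted false positives are not mistaken for intended behaviour.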


@@ -39,11 +39,13 @@ track
| type_tracker.rb:13:11:13:23 | call to new | type tracker without call steps | type_tracker.rb:13:11:13:23 | call to new |
| type_tracker.rb:14:5:14:7 | [post] var | type tracker with call steps | type_tracker.rb:7:5:9:7 | self in field |
| type_tracker.rb:14:5:14:7 | [post] var | type tracker without call steps | type_tracker.rb:14:5:14:7 | [post] var |
| type_tracker.rb:14:5:14:13 | * | type tracker with call steps | type_tracker.rb:2:5:5:7 | synthetic *args |
| type_tracker.rb:14:5:14:13 | * | type tracker without call steps | type_tracker.rb:14:5:14:13 | * |
| type_tracker.rb:14:5:14:13 | call to field= | type tracker without call steps | type_tracker.rb:14:5:14:13 | call to field= |
| type_tracker.rb:14:17:14:23 | "hello" | type tracker with call steps | type_tracker.rb:2:16:2:18 | val |
| type_tracker.rb:14:17:14:23 | "hello" | type tracker with call steps | type_tracker.rb:8:9:8:14 | @field |
| type_tracker.rb:14:17:14:23 | "hello" | type tracker with call steps with content attribute field | type_tracker.rb:7:5:9:7 | self in field |
| type_tracker.rb:14:17:14:23 | "hello" | type tracker with call steps with content element 0 | type_tracker.rb:2:5:5:7 | synthetic *args |
| type_tracker.rb:14:17:14:23 | "hello" | type tracker without call steps | type_tracker.rb:14:5:14:13 | call to field= |
| type_tracker.rb:14:17:14:23 | "hello" | type tracker without call steps | type_tracker.rb:14:17:14:23 | "hello" |
| type_tracker.rb:14:17:14:23 | "hello" | type tracker without call steps | type_tracker.rb:15:10:15:18 | call to field |
@@ -70,14 +72,17 @@ track
| type_tracker.rb:20:5:20:11 | * | type tracker without call steps | type_tracker.rb:20:5:20:11 | * |
| type_tracker.rb:20:5:20:11 | call to puts | type tracker without call steps | type_tracker.rb:20:5:20:11 | call to puts |
| type_tracker.rb:20:5:20:11 | call to puts | type tracker without call steps | type_tracker.rb:23:1:23:16 | call to positional |
| type_tracker.rb:23:1:23:16 | * | type tracker with call steps | type_tracker.rb:18:1:21:3 | synthetic *args |
| type_tracker.rb:23:1:23:16 | * | type tracker without call steps | type_tracker.rb:23:1:23:16 | * |
| type_tracker.rb:23:1:23:16 | call to positional | type tracker without call steps | type_tracker.rb:23:1:23:16 | call to positional |
| type_tracker.rb:23:12:23:12 | 1 | type tracker with call steps | type_tracker.rb:18:16:18:17 | p1 |
| type_tracker.rb:23:12:23:12 | 1 | type tracker with call steps with content element 0 | type_tracker.rb:18:1:21:3 | synthetic *args |
| type_tracker.rb:23:12:23:12 | 1 | type tracker with call steps with content element 0 | type_tracker.rb:19:5:19:11 | * |
| type_tracker.rb:23:12:23:12 | 1 | type tracker without call steps | type_tracker.rb:23:12:23:12 | 1 |
| type_tracker.rb:23:12:23:12 | 1 | type tracker without call steps with content element 0 | type_tracker.rb:23:1:23:16 | * |
| type_tracker.rb:23:15:23:15 | 2 | type tracker with call steps | type_tracker.rb:18:20:18:21 | p2 |
| type_tracker.rb:23:15:23:15 | 2 | type tracker with call steps with content element 0 | type_tracker.rb:20:5:20:11 | * |
| type_tracker.rb:23:15:23:15 | 2 | type tracker with call steps with content element 1 | type_tracker.rb:18:1:21:3 | synthetic *args |
| type_tracker.rb:23:15:23:15 | 2 | type tracker without call steps | type_tracker.rb:23:15:23:15 | 2 |
| type_tracker.rb:23:15:23:15 | 2 | type tracker without call steps with content element 1 | type_tracker.rb:23:1:23:16 | * |
| type_tracker.rb:25:1:28:3 | &block | type tracker without call steps | type_tracker.rb:25:1:28:3 | &block |
@@ -391,6 +396,7 @@ trackEnd
| type_tracker.rb:14:5:14:7 | [post] var | type_tracker.rb:8:9:8:14 | self |
| type_tracker.rb:14:5:14:7 | [post] var | type_tracker.rb:14:5:14:7 | [post] var |
| type_tracker.rb:14:5:14:7 | [post] var | type_tracker.rb:15:10:15:12 | var |
| type_tracker.rb:14:5:14:13 | * | type_tracker.rb:2:5:5:7 | synthetic *args |
| type_tracker.rb:14:5:14:13 | * | type_tracker.rb:14:5:14:13 | * |
| type_tracker.rb:14:5:14:13 | call to field= | type_tracker.rb:14:5:14:13 | call to field= |
| type_tracker.rb:14:17:14:23 | "hello" | type_tracker.rb:2:16:2:18 | val |
@@ -429,6 +435,7 @@ trackEnd
| type_tracker.rb:20:5:20:11 | * | type_tracker.rb:20:5:20:11 | * |
| type_tracker.rb:20:5:20:11 | call to puts | type_tracker.rb:20:5:20:11 | call to puts |
| type_tracker.rb:20:5:20:11 | call to puts | type_tracker.rb:23:1:23:16 | call to positional |
| type_tracker.rb:23:1:23:16 | * | type_tracker.rb:18:1:21:3 | synthetic *args |
| type_tracker.rb:23:1:23:16 | * | type_tracker.rb:23:1:23:16 | * |
| type_tracker.rb:23:1:23:16 | call to positional | type_tracker.rb:23:1:23:16 | call to positional |
| type_tracker.rb:23:12:23:12 | 1 | type_tracker.rb:18:16:18:17 | p1 |