Ruby: Make most of ActionDispatch private
Any classes/predicates not used externally or in tests are now private. Also fix some typos.
@@ -64,7 +64,7 @@ module ActionDispatch {
* the route defined by the call to `get` has the full path `/admin/dashboard`.
* We track these contributions via `getPathComponent` and `getControllerComponent`.
*/
abstract class RouteBlock extends TRouteBlock {
abstract private class RouteBlock extends TRouteBlock {
/**
* Gets the name of a primary CodeQL class to which this route block belongs.
*/
@@ -228,7 +228,7 @@ module ActionDispatch {
* ```
* https://api.rubyonrails.org/classes/ActionDispatch/Routing/Mapper/Resources.html#method-i-resources
*/
class ResourcesRouteBlock extends NestedRouteBlock, TResourcesRouteBlock {
private class ResourcesRouteBlock extends NestedRouteBlock, TResourcesRouteBlock {
private MethodCall call;
private Block block;
|
@@ -267,7 +267,7 @@ module ActionDispatch {
* We ignore the condition and analyze both branches to obtain as
* much routing information as possible.
*/
class ConditionalRouteBlock extends NestedRouteBlock, TConditionalRouteBlock {
private class ConditionalRouteBlock extends NestedRouteBlock, TConditionalRouteBlock {
private ConditionalExpr e;
|
ConditionalRouteBlock() { this = TConditionalRouteBlock(parent, e) }
@@ -294,7 +294,7 @@ module ActionDispatch {
* ```
* https://api.rubyonrails.org/classes/ActionDispatch/Routing/Mapper/Scoping.html#method-i-namespace
*/
class NamespaceRouteBlock extends NestedRouteBlock, TNamespaceRouteBlock {
private class NamespaceRouteBlock extends NestedRouteBlock, TNamespaceRouteBlock {
private MethodCall call;
private Block block;
|
@@ -494,7 +494,7 @@ module ActionDispatch {
* put "/photos/:id", to: "photos#update"
* ```
*/
class ExplicitRoute extends Route, TExplicitRoute {
private class ExplicitRoute extends Route, TExplicitRoute {
RouteBlock parentBlock;
|
ExplicitRoute() { this = TExplicitRoute(parentBlock, method) }
@@ -593,7 +593,7 @@ module ActionDispatch {
* get "/photos/:photo_id/foo", to: "photos#foo"
* ```
*/
class ResourcesRoute extends Route, TResourcesRoute {
private class ResourcesRoute extends Route, TResourcesRoute {
RouteBlock parent;
string resource;
string action;
@@ -628,7 +628,7 @@ module ActionDispatch {
* resource :account
* ```
*/
class SingularResourceRoute extends Route, TResourceRoute {
private class SingularResourceRoute extends Route, TResourceRoute {
RouteBlock parent;
string resource;
string action;
@@ -666,7 +666,7 @@ module ActionDispatch {
* match 'photos/:id', controller: 'photos', action: 'show', via: :get
* ```
*/
class MatchRoute extends Route, TMatchRoute {
private class MatchRoute extends Route, TMatchRoute {
private RouteBlock parent;
|
MatchRoute() { this = TMatchRoute(parent, method) }
@@ -704,7 +704,7 @@ module ActionDispatch {
* - `except:` removes the given actions from the set.
*/
bindingset[action]
predicate applyActionFilters(MethodCall m, string action) {
private predicate applyActionFilters(MethodCall m, string action) {
// Respect the `only` keyword argument, which restricts the set of actions.
(
not exists(m.getKeywordArgument("only"))
@@ -727,7 +727,9 @@ module ActionDispatch {
* Holds if the (resource, method, path, action) combination would be generated by a call to `resources :<resource>`.
*/
bindingset[resource]
predicate isDefaultResourceRoute(string resource, string method, string path, string action) {
private predicate isDefaultResourceRoute(
string resource, string method, string path, string action
) {
action = "create" and
(method = "post" and path = "/" + resource)
or
@@ -754,7 +756,7 @@ module ActionDispatch {
* Holds if the (resource, method, path, action) combination would be generated by a call to `resource :<resource>`.
*/
bindingset[resource]
predicate isDefaultSingularResourceRoute(
private predicate isDefaultSingularResourceRoute(
string resource, string method, string path, string action
) {
action = "create" and
@@ -780,9 +782,10 @@ module ActionDispatch {
* Extract the controller from a Rails routing string
* ```
* extractController("posts#show") = "posts"
* ```
*/
bindingset[input]
string extractController(string input) { result = input.regexpCapture("([^#]+)#.+", 1) }
private string extractController(string input) { result = input.regexpCapture("([^#]+)#.+", 1) }
|
/**
* Extract the action from a Rails routing string
@@ -790,7 +793,7 @@ module ActionDispatch {
* extractController("posts#show") = "show"
*/
bindingset[input]
string extractAction(string input) { result = input.regexpCapture("[^#]+#(.+)", 1) }
private string extractAction(string input) { result = input.regexpCapture("[^#]+#(.+)", 1) }
|
/**
* A basic pluralizer for English strings.
@@ -799,7 +802,7 @@ module ActionDispatch {
* TODO: remove?
*/
bindingset[input]
string pluralize(string input) {
private string pluralize(string input) {
exists(string prefix | prefix = input.regexpCapture("(.*)y", 1) | result = prefix + "ies")
or
not input.regexpMatch(".*y") and
@@ -813,7 +816,7 @@ module ActionDispatch {
* not_plural => not_plural
*/
bindingset[input]
string singularize(string input) {
private string singularize(string input) {
exists(string prefix | prefix = input.regexpCapture("(.*)ies", 1) | result = prefix + "y")
or
not input.regexpMatch(".*ies") and
@@ -890,13 +893,15 @@ module ActionDispatch {
* Convert the first character of the string to lowercase.
*/
bindingset[input]
string decapitalize(string input) { result = input.charAt(0).toLowerCase() + input.suffix(1) }
private string decapitalize(string input) {
result = input.charAt(0).toLowerCase() + input.suffix(1)
}
|
/**
* Strip leading and trailing forward slashes from the string.
*/
bindingset[input]
string stripSlashes(string input) {
private string stripSlashes(string input) {
result = input.regexpReplaceAll("^/+(.+)$", "$1").regexpReplaceAll("^(.*[^/])/+$", "$1")
}
}
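Review bot: The doc comment on `extractAction` in the `@@ -790,7 +793,7 @@` hunk still reads `* extractController("posts#show") = "show"`, which names the wrong predicate in its own example; since this commit is also fixing typos, change that line to `* extractAction("posts#show") = "show"`. In the neighbouring `@@ -799,7 +802,7 @@` hunk, `pluralize` becomes private but keeps its `* TODO: remove?` comment; now that any callers must live inside this module, the TODO can presumably be settled in the same change rather than carried forward. The enclosing `module ActionDispatch` starts outside every hunk shown here.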
|
@@ -62,7 +62,7 @@ module UrlRedirect {
// redirection as browsers will not initiate them from clicking a link.
method = this.asExpr().getExpr().getEnclosingMethod() and
(
// If there's a Rails GET route to this handler, we can be certain that it is a candiate.
// If there's a Rails GET route to this handler, we can be certain that it is a candidate.
method.(ActionControllerActionMethod).getARoute().getHTTPMethod() = "get"
or
// Otherwise, we have to rely on a heuristic to filter out invulnerable handlers.
|