Ruby: support CSV rows of form ;any;Method[foo]

2026-04-30 19:26:02 +02:00 · 2022-03-01 10:45:23 +01:00
parent 05ea33033b
commit df379809df
4 changed files with 56 additions and 0 deletions
--- a/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModelsSpecific.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModelsSpecific.qll
@@ -53,6 +53,43 @@ API::Node getExtraNodeFromPath(string package, string type, AccessPath path, int
  type = "" and
  n = 0 and
  result = API::root()
+  or
+  // A row of form `;any;Method[foo]` should match any method named `foo`.
+  package = any(string s) and
+  type = "any" and
+  n = 1 and
+  exists(EntryPointFromAnyType entry |
+    methodMatchedByName(path, entry.getName()) and
+    result = entry.getNode()
+  )
+}
+
+/**
+ * Holds if `path` occurs in a CSV row with type `any`, meaning it can start
+ * matching anywhere, and the path begins with `Method[methodName]`.
+ */
+private predicate methodMatchedByName(AccessPath path, string methodName) {
+  isRelevantFullPath(_, "any", path) and
+  exists(AccessPathToken token |
+    token = path.getToken(0) and
+    token.getName() = "Method" and
+    methodName = token.getAnArgument()
+  )
+}
+
+/**
+ * An API graph entry point corresponding to a method name such as `foo` in `;any;Method[foo]`.
+ *
+ * This ensures that the API graph rooted in that method call is materialized.
+ */
+private class EntryPointFromAnyType extends API::EntryPoint {
+  string name;
+
+  EntryPointFromAnyType() { this = "AnyMethod[" + name + "]" and methodMatchedByName(_, name) }
+
+  override DataFlow::CallNode getACall() { result.getMethodName() = name }
+
+  string getName() { result = name }
 }

 /**
--- a/ruby/ql/test/library-tests/dataflow/summaries/Summaries.expected
+++ b/ruby/ql/test/library-tests/dataflow/summaries/Summaries.expected
@@ -25,6 +25,10 @@ edges
 | summaries.rb:26:31:26:37 | tainted :  | summaries.rb:26:12:26:38 | call to secondArg :  |
 | summaries.rb:30:24:30:30 | tainted :  | summaries.rb:30:6:30:42 | call to onlyWithBlock |
 | summaries.rb:31:27:31:33 | tainted :  | summaries.rb:31:6:31:34 | call to onlyWithoutBlock |
+| summaries.rb:40:7:40:13 | "taint" :  | summaries.rb:41:24:41:24 | t :  |
+| summaries.rb:40:7:40:13 | "taint" :  | summaries.rb:42:24:42:24 | t :  |
+| summaries.rb:41:24:41:24 | t :  | summaries.rb:41:8:41:25 | call to matchedByName |
+| summaries.rb:42:24:42:24 | t :  | summaries.rb:42:8:42:25 | call to matchedByName |
 nodes
 | summaries.rb:1:11:1:26 | call to identity :  | semmle.label | call to identity :  |
 | summaries.rb:1:20:1:26 | "taint" :  | semmle.label | "taint" :  |
@@ -53,6 +57,11 @@ nodes
 | summaries.rb:35:16:35:22 | tainted | semmle.label | tainted |
 | summaries.rb:36:21:36:27 | tainted | semmle.label | tainted |
 | summaries.rb:37:36:37:42 | tainted | semmle.label | tainted |
+| summaries.rb:40:7:40:13 | "taint" :  | semmle.label | "taint" :  |
+| summaries.rb:41:8:41:25 | call to matchedByName | semmle.label | call to matchedByName |
+| summaries.rb:41:24:41:24 | t :  | semmle.label | t :  |
+| summaries.rb:42:8:42:25 | call to matchedByName | semmle.label | call to matchedByName |
+| summaries.rb:42:24:42:24 | t :  | semmle.label | t :  |
 subpaths
 invalidSpecComponent
 invalidOutputSpecComponent
@@ -70,3 +79,5 @@ invalidOutputSpecComponent
 | summaries.rb:35:16:35:22 | tainted | summaries.rb:1:20:1:26 | "taint" :  | summaries.rb:35:16:35:22 | tainted | $@ | summaries.rb:1:20:1:26 | "taint" :  | "taint" :  |
 | summaries.rb:36:21:36:27 | tainted | summaries.rb:1:20:1:26 | "taint" :  | summaries.rb:36:21:36:27 | tainted | $@ | summaries.rb:1:20:1:26 | "taint" :  | "taint" :  |
 | summaries.rb:37:36:37:42 | tainted | summaries.rb:1:20:1:26 | "taint" :  | summaries.rb:37:36:37:42 | tainted | $@ | summaries.rb:1:20:1:26 | "taint" :  | "taint" :  |
+| summaries.rb:41:8:41:25 | call to matchedByName | summaries.rb:40:7:40:13 | "taint" :  | summaries.rb:41:8:41:25 | call to matchedByName | $@ | summaries.rb:40:7:40:13 | "taint" :  | "taint" :  |
+| summaries.rb:42:8:42:25 | call to matchedByName | summaries.rb:40:7:40:13 | "taint" :  | summaries.rb:42:8:42:25 | call to matchedByName | $@ | summaries.rb:40:7:40:13 | "taint" :  | "taint" :  |
--- a/ruby/ql/test/library-tests/dataflow/summaries/Summaries.ql
+++ b/ruby/ql/test/library-tests/dataflow/summaries/Summaries.ql
@@ -73,6 +73,7 @@ private class StepsFromModel extends ModelInput::SummaryModelCsv {
        ";;Member[Foo].Method[secondArg];Argument[1];ReturnValue;taint",
        ";;Member[Foo].Method[onlyWithoutBlock].WithoutBlock;Argument[0];ReturnValue;taint",
        ";;Member[Foo].Method[onlyWithBlock].WithBlock;Argument[0];ReturnValue;taint",
+        ";any;Method[matchedByName];Argument[0];ReturnValue;taint"
      ]
  }
 }
--- a/ruby/ql/test/library-tests/dataflow/summaries/summaries.rb
+++ b/ruby/ql/test/library-tests/dataflow/summaries/summaries.rb
@@ -35,3 +35,10 @@ Foo.new.method(tainted)
 Bar.new.method(tainted)
 Bar.new.next.method(tainted)
 Bar.new.next.next.next.next.method(tainted)
+
+def userDefinedFunction(x, y)
+  t = "taint"
+  sink(x.matchedByName(t))
+  sink(y.matchedByName(t))
+  sink(x.unmatchedName(t))
+end