Ruby: use new features in ActionMailer

2026-04-26 17:25:19 +02:00 · 2023-06-19 12:05:57 +02:00
parent 1ae41484da
commit fbfa31937f
1 changed files with 17 additions and 25 deletions
--- a/ruby/ql/lib/codeql/ruby/frameworks/ActionMailer.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/ActionMailer.qll
@@ -4,12 +4,26 @@

 private import codeql.ruby.AST
 private import codeql.ruby.ApiGraphs
+private import codeql.ruby.DataFlow
 private import codeql.ruby.frameworks.internal.Rails

 /**
 * Provides modeling for the `ActionMailer` library.
 */
 module ActionMailer {
+  private DataFlow::ClassNode actionMailerClass() {
+    result =
+      [
+        DataFlow::getConstant("ActionMailer").getConstant("Base"),
+        // In Rails applications `ApplicationMailer` typically extends
+        // `ActionMailer::Base`, but we treat it separately in case the
+        // `ApplicationMailer` definition is not in the database.
+        DataFlow::getConstant("ApplicationMailer")
+      ].getADescendentModule()
+  }
+
+  private API::Node actionMailerInstance() { result = actionMailerClass().trackInstance() }
+
  /**
   * A `ClassDeclaration` for a class that extends `ActionMailer::Base`.
   * For example,
@@ -21,33 +35,11 @@ module ActionMailer {
   * ```
   */
  class MailerClass extends ClassDeclaration {
-    MailerClass() {
-      this.getSuperclassExpr() =
-        [
-          API::getTopLevelMember("ActionMailer").getMember("Base"),
-          // In Rails applications `ApplicationMailer` typically extends
-          // `ActionMailer::Base`, but we treat it separately in case the
-          // `ApplicationMailer` definition is not in the database.
-          API::getTopLevelMember("ApplicationMailer")
-        ].getASubclass().getAValueReachableFromSource().asExpr().getExpr()
-    }
-  }
-
-  /** A method call with a `self` receiver from within a mailer class */
-  private class ContextCall extends MethodCall {
-    private MailerClass mailerClass;
-
-    ContextCall() {
-      this.getReceiver() instanceof SelfVariableAccess and
-      this.getEnclosingModule() = mailerClass
-    }
-
-    /** Gets the mailer class containing this method. */
-    MailerClass getMailerClass() { result = mailerClass }
+    MailerClass() { this = actionMailerClass().getADeclaration() }
  }

  /** A call to `params` from within a mailer. */
-  class ParamsCall extends ContextCall, ParamsCallImpl {
-    ParamsCall() { this.getMethodName() = "params" }
+  class ParamsCall extends ParamsCallImpl {
+    ParamsCall() { this = actionMailerInstance().getAMethodCall("params").asExpr().getExpr() }
  }
 }