Merge pull request #10685 from asgerf/rb/splat-and-local-field-step

Ruby: summarize unary splat operators and add local field step

Author: asgerf

ruby/ql/lib/codeql/ruby/ApiGraphs.qll

@@ -522,7 +522,8 @@ module API {
       or
       exists(TypeTrackerSpecific::TypeTrackerContent c |
         TypeTrackerSpecific::basicLoadStep(node, ref, c) and
-        lbl = Label::content(c.getAStoreContent())
+        lbl = Label::content(c.getAStoreContent()) and
+        not c.isSingleton(any(DataFlow::Content::AttributeNameContent k))
       )
       // note: method calls are not handled here as there is no DataFlow::Node for the intermediate MkMethodAccessNode API node
     }
@@ -638,7 +639,10 @@ module API {
       isUse(src) and
       t.start()
       or
-      exists(TypeTracker t2 | result = trackUseNode(src, t2).track(t2, t))
+      exists(TypeTracker t2 |
+        result = trackUseNode(src, t2).track(t2, t) and
+        not result instanceof DataFlowPrivate::SelfParameterNode
+      )
     }
 
     /**
@@ -657,7 +661,11 @@ module API {
       isDef(rhs) and
       result = rhs.getALocalSource()
       or
-      exists(TypeBackTracker t2 | result = trackDefNode(rhs, t2).backtrack(t2, t))
+      exists(TypeBackTracker t2, DataFlow::LocalSourceNode mid |
+        mid = trackDefNode(rhs, t2) and
+        not mid instanceof DataFlowPrivate::SelfParameterNode and
+        result = mid.backtrack(t2, t)
+      )
     }
 
     /** Gets a data flow node reaching the RHS of the given def node. */

ruby/ql/lib/codeql/ruby/frameworks/Core.qll

@@ -58,7 +58,7 @@ class SubshellHeredocExecution extends SystemCommandExecution::Range {
 private class SplatSummary extends SummarizedCallable {
   SplatSummary() { this = "*(splat)" }
 
-  override SplatExpr getACall() { any() }
+  override SplatExpr getACallSimple() { any() }
 
   override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
     (

ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll

@@ -102,7 +102,67 @@ private predicate summarizedLocalStep(Node nodeFrom, Node nodeTo) {
 }
 
 /** Holds if there is a level step from `nodeFrom` to `nodeTo`. */
-predicate levelStep(Node nodeFrom, Node nodeTo) { summarizedLocalStep(nodeFrom, nodeTo) }
+predicate levelStep(Node nodeFrom, Node nodeTo) {
+  summarizedLocalStep(nodeFrom, nodeTo)
+  or
+  localFieldStep(nodeFrom, nodeTo)
+}
+
+/**
+ * Gets a method of `mod`, with `instance` indicating if this is an instance method.
+ *
+ * Does not take inheritance or the various forms of inclusion into account.
+ */
+pragma[nomagic]
+private MethodBase getAMethod(ModuleBase mod, boolean instance) {
+  not mod instanceof SingletonClass and
+  result = mod.getAMethod() and
+  if result instanceof SingletonMethod then instance = false else instance = true
+  or
+  exists(SingletonClass cls |
+    cls.getValue().(SelfVariableAccess).getCfgScope() = mod and
+    result = cls.getAMethod().(Method) and
+    instance = false
+  )
+}
+
+/**
+ * Gets a value flowing into `field` in `mod`, with `instance` indicating if it's
+ * a field on an instance of `mod` (as opposed to the module object itself).
+ */
+pragma[nomagic]
+private Node fieldPredecessor(ModuleBase mod, boolean instance, string field) {
+  exists(InstanceVariableWriteAccess access, AssignExpr assign |
+    access.getReceiver().getCfgScope() = getAMethod(mod, instance) and
+    field = access.getVariable().getName() and
+    assign.getLeftOperand() = access and
+    result.asExpr().getExpr() = assign.getRightOperand()
+  )
+}
+
+/**
+ * Gets a reference to `field` in `mod`, with `instance` indicating if it's
+ * a field on an instance of `mod` (as opposed to the module object itself).
+ */
+pragma[nomagic]
+private Node fieldSuccessor(ModuleBase mod, boolean instance, string field) {
+  exists(InstanceVariableReadAccess access |
+    access.getReceiver().getCfgScope() = getAMethod(mod, instance) and
+    result.asExpr().getExpr() = access and
+    field = access.getVariable().getName()
+  )
+}
+
+/**
+ * Holds if `pred -> succ` should be used a level step, from a field assignment to
+ * a read within the same class.
+ */
+private predicate localFieldStep(Node pred, Node succ) {
+  exists(ModuleBase mod, boolean instance, string field |
+    pred = fieldPredecessor(mod, instance, field) and
+    succ = fieldSuccessor(mod, instance, field)
+  )
+}
 
 pragma[noinline]
 private predicate argumentPositionMatch(
@@ -325,9 +385,18 @@ private predicate hasStoreSummary(
   SummarizedCallable callable, DataFlow::ContentSet contents, SummaryComponentStack input,
   SummaryComponentStack output
 ) {
-  callable.propagatesFlow(input, push(SummaryComponent::content(contents), output), true) and
   not isNonLocal(input.head()) and
-  not isNonLocal(output.head())
+  not isNonLocal(output.head()) and
+  (
+    callable.propagatesFlow(input, push(SummaryComponent::content(contents), output), true)
+    or
+    // Allow the input to start with an arbitrary WithoutContent[X].
+    // Since type-tracking only tracks one content deep, and we're about to store into another content,
+    // we're already preventing the input from being in a content.
+    callable
+        .propagatesFlow(push(SummaryComponent::withoutContent(_), input),
+          push(SummaryComponent::content(contents), output), true)
+  )
 }
 
 pragma[nomagic]
@@ -460,6 +529,9 @@ private predicate dependsOnSummaryComponentStack(
     callable.propagatesFlow(stack, _, true)
     or
     callable.propagatesFlow(_, stack, true)
+    or
+    // include store summaries as they may skip an initial step at the input
+    hasStoreSummary(callable, _, stack, _)
   )
   or
   dependsOnSummaryComponentStackCons(callable, _, stack)

ruby/ql/test/library-tests/dataflow/array-flow/type-tracking-array-flow.expected

@@ -1,6 +1,3 @@
-| array_flow.rb:3:16:3:35 | # $ hasValueFlow=0.1 | Missing result:hasValueFlow=0.1 |
-| array_flow.rb:5:16:5:35 | # $ hasValueFlow=0.1 | Missing result:hasValueFlow=0.1 |
-| array_flow.rb:83:13:83:30 | # $ hasValueFlow=9 | Missing result:hasValueFlow=9 |
 | array_flow.rb:107:10:107:13 | ...[...] | Unexpected result: hasValueFlow=11.2 |
 | array_flow.rb:179:28:179:46 | # $ hasValueFlow=19 | Missing result:hasValueFlow=19 |
 | array_flow.rb:180:28:180:46 | # $ hasValueFlow=19 | Missing result:hasValueFlow=19 |

ruby/ql/test/library-tests/dataflow/type-tracker/TypeTracker.expected

@@ -16,11 +16,16 @@ track
 | type_tracker.rb:2:5:5:7 | self in field= | type tracker with call steps | type_tracker.rb:7:5:9:7 | self in field |
 | type_tracker.rb:2:5:5:7 | self in field= | type tracker without call steps | type_tracker.rb:2:5:5:7 | self in field= |
 | type_tracker.rb:2:16:2:18 | val | type tracker with call steps | type_tracker.rb:2:16:2:18 | val |
+| type_tracker.rb:2:16:2:18 | val | type tracker with call steps | type_tracker.rb:8:9:8:14 | @field |
 | type_tracker.rb:2:16:2:18 | val | type tracker without call steps | type_tracker.rb:2:5:5:7 | return return in field= |
 | type_tracker.rb:2:16:2:18 | val | type tracker without call steps | type_tracker.rb:2:16:2:18 | val |
 | type_tracker.rb:2:16:2:18 | val | type tracker without call steps | type_tracker.rb:2:16:2:18 | val |
 | type_tracker.rb:2:16:2:18 | val | type tracker without call steps | type_tracker.rb:2:16:2:18 | val |
+| type_tracker.rb:2:16:2:18 | val | type tracker without call steps | type_tracker.rb:3:14:3:23 | call to field |
+| type_tracker.rb:2:16:2:18 | val | type tracker without call steps | type_tracker.rb:7:5:9:7 | return return in field |
+| type_tracker.rb:2:16:2:18 | val | type tracker without call steps | type_tracker.rb:8:9:8:14 | @field |
 | type_tracker.rb:2:16:2:18 | val | type tracker without call steps | type_tracker.rb:14:5:14:13 | call to field= |
+| type_tracker.rb:2:16:2:18 | val | type tracker without call steps | type_tracker.rb:15:10:15:18 | call to field |
 | type_tracker.rb:3:9:3:23 | call to puts | type tracker without call steps | type_tracker.rb:3:9:3:23 | call to puts |
 | type_tracker.rb:3:14:3:23 | call to field | type tracker without call steps | type_tracker.rb:3:14:3:23 | call to field |
 | type_tracker.rb:4:9:4:14 | @field | type tracker without call steps | type_tracker.rb:4:9:4:14 | @field |
@@ -55,6 +60,7 @@ track
 | type_tracker.rb:14:5:14:13 | call to field= | type tracker without call steps | type_tracker.rb:14:5:14:13 | call to field= |
 | type_tracker.rb:14:17:14:23 | "hello" | type tracker with call steps | type_tracker.rb:2:16:2:18 | val |
 | type_tracker.rb:14:17:14:23 | "hello" | type tracker with call steps | type_tracker.rb:2:16:2:18 | val |
+| type_tracker.rb:14:17:14:23 | "hello" | type tracker with call steps | type_tracker.rb:8:9:8:14 | @field |
 | type_tracker.rb:14:17:14:23 | "hello" | type tracker with call steps with content attribute field | type_tracker.rb:7:5:9:7 | self (field) |
 | type_tracker.rb:14:17:14:23 | "hello" | type tracker with call steps with content attribute field | type_tracker.rb:7:5:9:7 | self in field |
 | type_tracker.rb:14:17:14:23 | "hello" | type tracker without call steps | type_tracker.rb:14:5:14:13 | call to field= |
@@ -368,11 +374,16 @@ trackEnd
 | type_tracker.rb:2:16:2:18 | val | type_tracker.rb:2:16:2:18 | val |
 | type_tracker.rb:2:16:2:18 | val | type_tracker.rb:2:16:2:18 | val |
 | type_tracker.rb:2:16:2:18 | val | type_tracker.rb:2:16:2:18 | val |
+| type_tracker.rb:2:16:2:18 | val | type_tracker.rb:3:14:3:23 | call to field |
 | type_tracker.rb:2:16:2:18 | val | type_tracker.rb:4:9:4:20 | ... = ... |
 | type_tracker.rb:2:16:2:18 | val | type_tracker.rb:4:9:4:20 | ... = ... |
 | type_tracker.rb:2:16:2:18 | val | type_tracker.rb:4:18:4:20 | val |
 | type_tracker.rb:2:16:2:18 | val | type_tracker.rb:4:18:4:20 | val |
+| type_tracker.rb:2:16:2:18 | val | type_tracker.rb:7:5:9:7 | return return in field |
+| type_tracker.rb:2:16:2:18 | val | type_tracker.rb:8:9:8:14 | @field |
+| type_tracker.rb:2:16:2:18 | val | type_tracker.rb:8:9:8:14 | @field |
 | type_tracker.rb:2:16:2:18 | val | type_tracker.rb:14:5:14:13 | call to field= |
+| type_tracker.rb:2:16:2:18 | val | type_tracker.rb:15:10:15:18 | call to field |
 | type_tracker.rb:3:9:3:23 | call to puts | type_tracker.rb:3:9:3:23 | call to puts |
 | type_tracker.rb:3:14:3:23 | call to field | type_tracker.rb:3:14:3:23 | call to field |
 | type_tracker.rb:4:9:4:14 | @field | type_tracker.rb:4:9:4:14 | @field |
@@ -424,6 +435,7 @@ trackEnd
 | type_tracker.rb:14:17:14:23 | "hello" | type_tracker.rb:2:16:2:18 | val |
 | type_tracker.rb:14:17:14:23 | "hello" | type_tracker.rb:4:9:4:20 | ... = ... |
 | type_tracker.rb:14:17:14:23 | "hello" | type_tracker.rb:4:18:4:20 | val |
+| type_tracker.rb:14:17:14:23 | "hello" | type_tracker.rb:8:9:8:14 | @field |
 | type_tracker.rb:14:17:14:23 | "hello" | type_tracker.rb:14:5:14:13 | __synth__0 |
 | type_tracker.rb:14:17:14:23 | "hello" | type_tracker.rb:14:5:14:13 | call to field= |
 | type_tracker.rb:14:17:14:23 | "hello" | type_tracker.rb:14:5:14:23 | ... |