Merge pull request #10700 from hmac/activesupport

Ruby: Model some ActiveSupport methods

Author: hmac

ruby/ql/lib/change-notes/2022-10-18-activesupport-flow.md

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* Taint flow is now tracked through extension methods on `Hash`, `String` and
+  `Object` provided by `ActiveSupport`.

ruby/ql/lib/codeql/ruby/frameworks/ActiveSupport.qll

@@ -24,14 +24,17 @@ module ActiveSupport {
      */
     module String {
       /**
-       * A call to `String#constantize`, which tries to find a declared constant with the given name.
-       * Passing user input to this method may result in instantiation of arbitrary Ruby classes.
+       * A call to `String#constantize` or `String#safe_constantize`, which
+       * tries to find a declared constant with the given name.
+       * Passing user input to this method may result in instantiation of
+       * arbitrary Ruby classes.
        */
       class Constantize extends CodeExecution::Range, DataFlow::CallNode {
         // We treat this an `UnknownMethodCall` in order to match every call to `constantize` that isn't overridden.
         // We can't (yet) rely on API Graphs or dataflow to tell us that the receiver is a String.
         Constantize() {
-          this.asExpr().getExpr().(UnknownMethodCall).getMethodName() = "constantize"
+          this.asExpr().getExpr().(UnknownMethodCall).getMethodName() =
+            ["constantize", "safe_constantize"]
         }
 
         override DataFlow::Node getCode() { result = this.getReceiver() }
@@ -49,9 +52,11 @@ module ActiveSupport {
         override MethodCall getACall() {
           result.getMethodName() =
             [
-              "camelize", "camelcase", "classify", "dasherize", "deconstantize", "demodulize",
-              "foreign_key", "humanize", "indent", "parameterize", "pluralize", "singularize",
-              "squish", "strip_heredoc", "tableize", "titlecase", "titleize", "underscore",
+              "at", "camelize", "camelcase", "classify", "dasherize", "deconstantize", "demodulize",
+              "first", "foreign_key", "from", "html_safe", "humanize", "indent", "indent!",
+              "inquiry", "last", "mb_chars", "parameterize", "pluralize", "remove", "remove!",
+              "singularize", "squish", "squish!", "strip_heredoc", "tableize", "titlecase",
+              "titleize", "to", "truncate", "truncate_bytes", "truncate_words", "underscore",
               "upcase_first"
             ]
         }
@@ -62,6 +67,112 @@ module ActiveSupport {
       }
     }
 
+    /**
+     * Extensions to the `Object` class.
+     */
+    module Object {
+      /** Flow summary for methods which can return the receiver. */
+      private class IdentitySummary extends SimpleSummarizedCallable {
+        IdentitySummary() { this = ["presence", "deep_dup"] }
+
+        override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+          input = "Argument[self]" and
+          output = "ReturnValue" and
+          preservesValue = true
+        }
+      }
+    }
+
+    /**
+     * Extensions to the `Hash` class.
+     */
+    module Hash {
+      private class WithIndifferentAccessSummary extends SimpleSummarizedCallable {
+        WithIndifferentAccessSummary() { this = "with_indifferent_access" }
+
+        override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+          input = "Argument[self].Element[any]" and
+          output = "ReturnValue.Element[any]" and
+          preservesValue = true
+        }
+      }
+
+      private class TransformSummary extends SimpleSummarizedCallable {
+        TransformSummary() {
+          this =
+            [
+              "stringify_keys", "to_options", "symbolize_keys", "deep_stringify_keys",
+              "deep_symbolize_keys", "with_indifferent_access"
+            ]
+        }
+
+        override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+          input = "Argument[self].Element[any]" and
+          output = "ReturnValue.Element[?]" and
+          preservesValue = true
+        }
+      }
+
+      private string getExtractComponent(MethodCall mc, int i) {
+        mc.getMethodName() = "extract!" and
+        result = DataFlow::Content::getKnownElementIndex(mc.getArgument(i)).serialize()
+      }
+
+      /**
+       * A flow summary for `Hash#extract!`. This method removes the key/value pairs
+       * matching the given keys from the receiver and returns them (as a Hash).
+       *
+       * Example:
+       *
+       * ```rb
+       *  hash = { a: 1, b: 2, c: 3, d: 4 }
+       *  hash.extract!(:a, :b) # => {:a=>1, :b=>2}
+       *  hash                  # => {:c=>3, :d=>4}
+       * ```
+       *
+       * There is value flow from elements corresponding to keys in the
+       * arguments (`:a` and `:b` in the example) to elements in
+       * the return value.
+       * There is also value flow from any element corresponding to a key _not_
+       * mentioned in the arguments to an element in `self`, including elements
+       * at unknown keys.
+       */
+      private class ExtractSummary extends SummarizedCallable {
+        MethodCall mc;
+
+        ExtractSummary() {
+          mc.getMethodName() = "extract!" and
+          this =
+            "extract!(" +
+              concat(int i, string s | s = getExtractComponent(mc, i) | s, "," order by i) + ")"
+        }
+
+        final override MethodCall getACall() { result = mc }
+
+        override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+          (
+            exists(string s | s = getExtractComponent(mc, _) |
+              input = "Argument[self].Element[" + s + "!]" and
+              output = "ReturnValue.Element[" + s + "!]"
+            )
+            or
+            // Argument[self].WithoutElement[:a!, :b!].WithElement[any] means
+            // "an element of self whose key is not :a or :b, including elements
+            // with unknown keys"
+            input =
+              "Argument[self]" +
+                concat(int i, string s |
+                  s = getExtractComponent(mc, i)
+                |
+                  ".WithoutElement[" + s + "!]" order by i
+                ) + ".WithElement[any]" and
+            output = "Argument[self]"
+          ) and
+          preservesValue = true
+        }
+      }
+    }
+
     /**
      * Extensions to the `Enumerable` module.
      */

ruby/ql/lib/codeql/ruby/frameworks/core/Hash.qll

@@ -244,18 +244,20 @@ module Hash {
   }
 
   private string getExceptComponent(MethodCall mc, int i) {
-    mc.getMethodName() = "except" and
+    mc.getMethodName() = ["except", "except!"] and
     result = DataFlow::Content::getKnownElementIndex(mc.getArgument(i)).serialize()
   }
 
   private class ExceptSummary extends SummarizedCallable {
     MethodCall mc;
 
     ExceptSummary() {
-      mc.getMethodName() = "except" and
+      // except! is an ActiveSupport extension
+      // https://api.rubyonrails.org/classes/Hash.html#method-i-except-21
+      mc.getMethodName() = ["except", "except!"] and
       this =
-        "except(" + concat(int i, string s | s = getExceptComponent(mc, i) | s, "," order by i) +
-          ")"
+        mc.getMethodName() + "(" +
+          concat(int i, string s | s = getExceptComponent(mc, i) | s, "," order by i) + ")"
     }
 
     final override MethodCall getACallSimple() { result = mc }
@@ -268,7 +270,11 @@ module Hash {
           |
             ".WithoutElement[" + s + "!]" order by i
           ) + ".WithElement[any]" and
-      output = "ReturnValue" and
+      (
+        if mc.getMethodName() = "except!"
+        then output = ["ReturnValue", "Argument[self]"]
+        else output = "ReturnValue"
+      ) and
       preservesValue = true
     }
   }
@@ -331,7 +337,11 @@ private class FetchValuesUnknownSummary extends FetchValuesSummary {
 }
 
 private class MergeSummary extends SimpleSummarizedCallable {
-  MergeSummary() { this = "merge" }
+  MergeSummary() {
+    // deep_merge is an ActiveSupport extension
+    // https://api.rubyonrails.org/classes/Hash.html#method-i-deep_merge
+    this = ["merge", "deep_merge"]
+  }
 
   override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
     (
@@ -346,7 +356,11 @@ private class MergeSummary extends SimpleSummarizedCallable {
 }
 
 private class MergeBangSummary extends SimpleSummarizedCallable {
-  MergeBangSummary() { this = ["merge!", "update"] }
+  MergeBangSummary() {
+    // deep_merge! is an ActiveSupport extension
+    // https://api.rubyonrails.org/classes/Hash.html#method-i-deep_merge-21
+    this = ["merge!", "deep_merge!", "update"]
+  }
 
   override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
     (

ruby/ql/test/library-tests/dataflow/array-flow/type-tracking-array-flow.ql

@@ -1 +1,6 @@
+// This test flags any difference in flow between the type-tracking and dataflow
+// libraries. New results in this query do not necessarily indicate a problem,
+// only that type-tracking cannot follow the flow in your test. If the dataflow
+// test (`array-flow.ql`) shows no failures, then that may be sufficient
+// (depending on your use case).
 import TestUtilities.InlineTypeTrackingFlowTest