Add support for flow summaries

Author: hvitved

ql/lib/codeql/ruby/ast/Call.qll

@@ -53,10 +53,8 @@ class Call extends Expr, TCall {
 
   /** Gets a potential target of this call, if any. */
   final Callable getATarget() {
-    exists(DataFlowCall c | this = c.getExpr() |
-      result = viableCallable(c)
-      or
-      result = viableCallableLambda(c, _)
+    exists(DataFlowCall c | this = c.asCall().getExpr() |
+      TCfgScope(result) = [viableCallable(c), viableCallableLambda(c, _)]
     )
   }
 

ql/lib/codeql/ruby/dataflow/FlowSummary.qll

@@ -0,0 +1,123 @@
+/** Provides classes and predicates for defining flow summaries. */
+
+import ruby
+import codeql.ruby.DataFlow
+private import internal.FlowSummaryImpl as Impl
+private import internal.DataFlowDispatch
+
+// import all instances below
+private module Summaries { }
+
+class SummaryComponent = Impl::Public::SummaryComponent;
+
+/** Provides predicates for constructing summary components. */
+module SummaryComponent {
+  private import Impl::Public::SummaryComponent as SC
+
+  predicate parameter = SC::parameter/1;
+
+  predicate argument = SC::argument/1;
+
+  /** Gets a summary component that represents a qualifier. */
+  SummaryComponent qualifier() { result = argument(-1) }
+
+  /** Gets a summary component that represents a block argument. */
+  SummaryComponent block() { result = argument(-2) }
+
+  /** Gets a summary component that represents the return value of a call. */
+  SummaryComponent return() { result = SC::return(any(NormalReturnKind rk)) }
+}
+
+class SummaryComponentStack = Impl::Public::SummaryComponentStack;
+
+/** Provides predicates for constructing stacks of summary components. */
+module SummaryComponentStack {
+  private import Impl::Public::SummaryComponentStack as SCS
+
+  predicate singleton = SCS::singleton/1;
+
+  predicate push = SCS::push/2;
+
+  predicate argument = SCS::argument/1;
+
+  /** Gets a singleton stack representing a qualifier. */
+  SummaryComponentStack qualifier() { result = singleton(SummaryComponent::qualifier()) }
+
+  /** Gets a singleton stack representing a block argument. */
+  SummaryComponentStack block() { result = singleton(SummaryComponent::block()) }
+
+  /** Gets a singleton stack representing the return value of a call. */
+  SummaryComponentStack return() { result = singleton(SummaryComponent::return()) }
+}
+
+/** A callable with a flow summary, identified by a unique string. */
+abstract class SummarizedCallable extends LibraryCallable {
+  bindingset[this]
+  SummarizedCallable() { any() }
+
+  /**
+   * Holds if data may flow from `input` to `output` through this callable.
+   *
+   * `preservesValue` indicates whether this is a value-preserving step
+   * or a taint-step.
+   *
+   * Input specifications are restricted to stacks that end with
+   * `SummaryComponent::argument(_)`, preceded by zero or more
+   * `SummaryComponent::return()` or `SummaryComponent::content(_)` components.
+   *
+   * Output specifications are restricted to stacks that end with
+   * `SummaryComponent::return()` or `SummaryComponent::argument(_)`.
+   *
+   * Output stacks ending with `SummaryComponent::return()` can be preceded by zero
+   * or more `SummaryComponent::content(_)` components.
+   *
+   * Output stacks ending with `SummaryComponent::argument(_)` can be preceded by an
+   * optional `SummaryComponent::parameter(_)` component, which in turn can be preceded
+   * by zero or more `SummaryComponent::content(_)` components.
+   */
+  pragma[nomagic]
+  predicate propagatesFlow(
+    SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
+  ) {
+    none()
+  }
+
+  /**
+   * Same as
+   *
+   * ```rb
+   * propagatesFlow(
+   *   SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
+   * )
+   * ```
+   *
+   * but uses an external (string) representation of the input and output stacks.
+   */
+  pragma[nomagic]
+  predicate propagatesFlowExt(string input, string output, string kind) { none() }
+
+  /**
+   * Holds if values stored inside `content` are cleared on objects passed as
+   * the `i`th argument to this callable.
+   */
+  pragma[nomagic]
+  predicate clearsContent(int i, DataFlow::Content content) { none() }
+}
+
+private class SummarizedCallableAdaptor extends Impl::Public::SummarizedCallable {
+  private SummarizedCallable sc;
+
+  SummarizedCallableAdaptor() { this = TLibraryCallable(sc) }
+
+  final override predicate propagatesFlow(
+    SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
+  ) {
+    sc.propagatesFlow(input, output, preservesValue)
+  }
+
+  final override predicate clearsContent(int i, DataFlow::Content content) {
+    sc.clearsContent(i, content)
+  }
+}
+
+class RequiredSummaryComponentStack = Impl::Public::RequiredSummaryComponentStack;

ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll

@@ -2,8 +2,9 @@ private import ruby
 private import codeql.ruby.CFG
 private import DataFlowPrivate
 private import codeql.ruby.typetracking.TypeTracker
-private import codeql.ruby.dataflow.internal.DataFlowPublic as DataFlow
 private import codeql.ruby.ast.internal.Module
+private import FlowSummaryImpl as FlowSummaryImpl
+private import codeql.ruby.dataflow.FlowSummary
 
 newtype TReturnKind =
   TNormalReturnKind() or
@@ -39,83 +40,183 @@ class BreakReturnKind extends ReturnKind, TBreakReturnKind {
   override string toString() { result = "break" }
 }
 
-class DataFlowCallable = CfgScope;
+/** A callable defined in library code, identified by a unique string. */
+abstract class LibraryCallable extends string {
+  bindingset[this]
+  LibraryCallable() { any() }
 
-class DataFlowCall extends CfgNodes::ExprNodes::CallCfgNode {
-  DataFlowCallable getEnclosingCallable() { result = this.getScope() }
+  /** Gets a call to this library callable. */
+  abstract Call getACall();
+}
 
-  pragma[nomagic]
-  private predicate methodCall(DataFlow::LocalSourceNode sourceNode, string method) {
-    exists(DataFlow::Node nodeTo |
-      method = this.getExpr().(MethodCall).getMethodName() and
-      nodeTo.asExpr() = this.getReceiver() and
-      sourceNode.flowsTo(nodeTo)
-    )
-  }
+/**
+ * A callable. This includes callables from source code, as well as callables
+ * defined in library code.
+ */
+class DataFlowCallable extends TDataFlowCallable {
+  /** Gets the underlying source code callable, if any. */
+  Callable asCallable() { this = TCfgScope(result) }
 
-  private Block yieldCall() {
-    this.getExpr() instanceof YieldCall and
-    exists(BlockParameterNode node |
-      node = trackBlock(result) and
-      node.getMethod() = this.getExpr().getEnclosingMethod()
-    )
-  }
+  /** Get the underlying library callable, if any. */
+  LibraryCallable asLibraryCallable() { this = TLibraryCallable(result) }
 
-  pragma[nomagic]
-  private predicate superCall(Module superClass, string method) {
-    this.getExpr() instanceof SuperCall and
-    exists(Module tp |
-      tp = this.getExpr().getEnclosingModule().getModule() and
-      superClass = tp.getSuperClass() and
-      method = this.getExpr().getEnclosingMethod().getName()
-    )
-  }
+  /** Gets a textual representation of this callable. */
+  string toString() { result = [this.asCallable().toString(), this.asLibraryCallable()] }
 
-  pragma[nomagic]
-  private predicate instanceMethodCall(Module tp, string method) {
-    exists(DataFlow::LocalSourceNode sourceNode |
-      this.methodCall(sourceNode, method) and
-      sourceNode = trackInstance(tp)
-    )
-  }
+  /** Gets the location of this callable. */
+  Location getLocation() { result = this.asCallable().getLocation() }
+}
+
+/**
+ * A call. This includes calls from source code, as well as call(back)s
+ * inside library callables with a flow summary.
+ */
+class DataFlowCall extends TDataFlowCall {
+  /** Gets the enclosing callable. */
+  DataFlowCallable getEnclosingCallable() { none() }
+
+  /** Gets the underlying source code call, if any. */
+  CfgNodes::ExprNodes::CallCfgNode asCall() { none() }
+
+  /** Gets a textual representation of this call. */
+  string toString() { none() }
+
+  /** Gets the location of this call. */
+  Location getLocation() { none() }
+}
+
+/**
+ * A synthesized call inside a callable with a flow summary.
+ *
+ * For example, in
+ * ```rb
+ * ints.each do |i|
+ *   puts i
+ * end
+ * ```
+ *
+ * there is a call to the block argument inside `each`.
+ */
+class SummaryCall extends DataFlowCall, TSummaryCall {
+  private FlowSummaryImpl::Public::SummarizedCallable c;
+  private DataFlow::Node receiver;
+
+  SummaryCall() { this = TSummaryCall(c, receiver) }
+
+  /** Gets the data flow node that this call targets. */
+  DataFlow::Node getReceiver() { result = receiver }
+
+  override DataFlowCallable getEnclosingCallable() { result = c }
+
+  override string toString() { result = "[summary] call to " + receiver + " in " + c }
+
+  override Location getLocation() { result = c.getLocation() }
+}
+
+private class NormalCall extends DataFlowCall, TNormalCall {
+  private CfgNodes::ExprNodes::CallCfgNode c;
 
+  NormalCall() { this = TNormalCall(c) }
+
+  override CfgNodes::ExprNodes::CallCfgNode asCall() { result = c }
+
+  override DataFlowCallable getEnclosingCallable() { result = TCfgScope(c.getScope()) }
+
+  override string toString() { result = c.toString() }
+
+  override Location getLocation() { result = c.getLocation() }
+}
+
+pragma[nomagic]
+private predicate methodCall(
+  CfgNodes::ExprNodes::CallCfgNode call, DataFlow::LocalSourceNode sourceNode, string method
+) {
+  exists(DataFlow::Node nodeTo |
+    method = call.getExpr().(MethodCall).getMethodName() and
+    nodeTo.asExpr() = call.getReceiver() and
+    sourceNode.flowsTo(nodeTo)
+  )
+}
+
+private Block yieldCall(CfgNodes::ExprNodes::CallCfgNode call) {
+  call.getExpr() instanceof YieldCall and
+  exists(BlockParameterNode node |
+    node = trackBlock(result) and
+    node.getMethod() = call.getExpr().getEnclosingMethod()
+  )
+}
+
+pragma[nomagic]
+private predicate superCall(CfgNodes::ExprNodes::CallCfgNode call, Module superClass, string method) {
+  call.getExpr() instanceof SuperCall and
+  exists(Module tp |
+    tp = call.getExpr().getEnclosingModule().getModule() and
+    superClass = tp.getSuperClass() and
+    method = call.getExpr().getEnclosingMethod().getName()
+  )
+}
+
+pragma[nomagic]
+private predicate instanceMethodCall(CfgNodes::ExprNodes::CallCfgNode call, Module tp, string method) {
+  exists(DataFlow::LocalSourceNode sourceNode |
+    methodCall(call, sourceNode, method) and
+    sourceNode = trackInstance(tp)
+  )
+}
+
+cached
+private module Cached {
   cached
-  DataFlowCallable getTarget() {
+  newtype TDataFlowCallable =
+    TCfgScope(CfgScope scope) or
+    TLibraryCallable(LibraryCallable callable)
+
+  cached
+  newtype TDataFlowCall =
+    TNormalCall(CfgNodes::ExprNodes::CallCfgNode c) or
+    TSummaryCall(FlowSummaryImpl::Public::SummarizedCallable c, DataFlow::Node receiver) {
+      FlowSummaryImpl::Private::summaryCallbackRange(c, receiver)
+    }
+
+  cached
+  CfgScope getTarget(CfgNodes::ExprNodes::CallCfgNode call) {
     exists(string method |
       exists(Module tp |
-        this.instanceMethodCall(tp, method) and
+        instanceMethodCall(call, tp, method) and
         result = lookupMethod(tp, method) and
         if result.(Method).isPrivate()
         then
           exists(Self self |
-            self = this.getReceiver().getExpr() and
+            self = call.getReceiver().getExpr() and
             pragma[only_bind_out](self.getEnclosingModule().getModule().getSuperClass*()) =
               pragma[only_bind_out](result.getEnclosingModule().getModule())
           ) and
           // For now, we restrict the scope of top-level declarations to their file.
           // This may remove some plausible targets, but also removes a lot of
           // implausible targets
           if result.getEnclosingModule() instanceof Toplevel
-          then result.getFile() = this.getFile()
+          then result.getFile() = call.getFile()
           else any()
         else any()
       )
       or
       exists(DataFlow::LocalSourceNode sourceNode |
-        this.methodCall(sourceNode, method) and
+        methodCall(call, sourceNode, method) and
         sourceNode = trackSingletonMethod(result, method)
       )
     )
     or
     exists(Module superClass, string method |
-      this.superCall(superClass, method) and
+      superCall(call, superClass, method) and
       result = lookupMethod(superClass, method)
     )
     or
-    result = this.yieldCall()
+    result = yieldCall(call)
   }
 }
 
+import Cached
+
 private DataFlow::LocalSourceNode trackInstance(Module tp, TypeTracker t) {
   t.start() and
   (
@@ -297,8 +398,13 @@ private DataFlow::LocalSourceNode trackModule(Module tp) {
 
 /** Gets a viable run-time target for the call `call`. */
 DataFlowCallable viableCallable(DataFlowCall call) {
-  result = call.getTarget() and
-  not call.getExpr() instanceof YieldCall // handled by `lambdaCreation`/`lambdaCall`
+  result = TCfgScope(getTarget(call.asCall())) and
+  not call.asCall().getExpr() instanceof YieldCall // handled by `lambdaCreation`/`lambdaCall`
+  or
+  exists(LibraryCallable callable |
+    result = TLibraryCallable(callable) and
+    call.asCall().getExpr() = callable.getACall()
+  )
 }
 
 /**
@@ -307,7 +413,7 @@ DataFlowCallable viableCallable(DataFlowCall call) {
  * qualifier accesses a parameter of the enclosing callable `c` (including
  * the implicit `self` parameter).
  */
-predicate mayBenefitFromCallContext(DataFlowCall call, Callable c) { none() }
+predicate mayBenefitFromCallContext(DataFlowCall call, DataFlowCallable c) { none() }
 
 /**
  * Gets a viable dispatch target of `call` in the context `ctx`. This is