Move Mysql2 flow model to MaD and remove ql sanitizer

Author: owen-mc

ruby/ql/lib/codeql/ruby/frameworks/Mysql2.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/ruby-all
+      extensible: summaryModel
+    data:
+      - ['Mysql2::Client!', 'Method[escape]', 'Argument[0]', 'ReturnValue', 'taint']

ruby/ql/lib/codeql/ruby/frameworks/Mysql2.qll

@@ -48,26 +48,4 @@ module Mysql2 {
 
     override DataFlow::Node getSql() { result = query }
   }
-
-  /**
-   * A call to `Mysql2::Client.escape`, considered as a sanitizer for SQL statements.
-   */
-  private class Mysql2EscapeSanitization extends SqlSanitization::Range {
-    Mysql2EscapeSanitization() {
-      this = API::getTopLevelMember("Mysql2").getMember("Client").getAMethodCall("escape")
-    }
-  }
-
-  /**
-   * Flow summary for `Mysql2::Client.escape()`.
-   */
-  private class EscapeSummary extends SummarizedCallable::Range {
-    EscapeSummary() { this = "Mysql2::Client.escape()" }
-
-    override MethodCall getACall() { result = any(Mysql2EscapeSanitization c).asExpr().getExpr() }
-
-    override predicate propagatesFlow(string input, string output, boolean preservesValue) {
-      input = "Argument[0]" and output = "ReturnValue" and preservesValue = false
-    }
-  }
 }

ruby/ql/test/library-tests/frameworks/mysql2/SqlInjection.expected

@@ -1,15 +1,28 @@
 #select
 | Mysql2.rb:13:27:13:72 | "SELECT * FROM users WHERE use..." | Mysql2.rb:3:12:3:17 | call to params | Mysql2.rb:13:27:13:72 | "SELECT * FROM users WHERE use..." | This SQL query depends on a $@. | Mysql2.rb:3:12:3:17 | call to params | user-provided value |
+| Mysql2.rb:17:27:17:75 | "SELECT * FROM users WHERE use..." | Mysql2.rb:3:12:3:17 | call to params | Mysql2.rb:17:27:17:75 | "SELECT * FROM users WHERE use..." | This SQL query depends on a $@. | Mysql2.rb:3:12:3:17 | call to params | user-provided value |
 | Mysql2.rb:24:31:24:93 | "SELECT * FROM users WHERE use..." | Mysql2.rb:3:12:3:17 | call to params | Mysql2.rb:24:31:24:93 | "SELECT * FROM users WHERE use..." | This SQL query depends on a $@. | Mysql2.rb:3:12:3:17 | call to params | user-provided value |
 edges
 | Mysql2.rb:3:5:3:8 | name | Mysql2.rb:13:27:13:72 | "SELECT * FROM users WHERE use..." | provenance | AdditionalTaintStep |
+| Mysql2.rb:3:5:3:8 | name | Mysql2.rb:16:37:16:40 | name | provenance |  |
 | Mysql2.rb:3:5:3:8 | name | Mysql2.rb:24:31:24:93 | "SELECT * FROM users WHERE use..." | provenance | AdditionalTaintStep |
 | Mysql2.rb:3:12:3:17 | call to params | Mysql2.rb:3:12:3:29 | ...[...] | provenance |  |
 | Mysql2.rb:3:12:3:29 | ...[...] | Mysql2.rb:3:5:3:8 | name | provenance |  |
+| Mysql2.rb:16:5:16:11 | escaped | Mysql2.rb:17:27:17:75 | "SELECT * FROM users WHERE use..." | provenance | AdditionalTaintStep |
+| Mysql2.rb:16:15:16:41 | call to escape | Mysql2.rb:16:5:16:11 | escaped | provenance |  |
+| Mysql2.rb:16:37:16:40 | name | Mysql2.rb:16:15:16:41 | call to escape | provenance | MaD:1 |
+models
+| 1 | Summary: Mysql2::Client!; Method[escape]; Argument[0]; ReturnValue; taint |
 nodes
 | Mysql2.rb:3:5:3:8 | name | semmle.label | name |
 | Mysql2.rb:3:12:3:17 | call to params | semmle.label | call to params |
 | Mysql2.rb:3:12:3:29 | ...[...] | semmle.label | ...[...] |
 | Mysql2.rb:13:27:13:72 | "SELECT * FROM users WHERE use..." | semmle.label | "SELECT * FROM users WHERE use..." |
+| Mysql2.rb:16:5:16:11 | escaped | semmle.label | escaped |
+| Mysql2.rb:16:15:16:41 | call to escape | semmle.label | call to escape |
+| Mysql2.rb:16:37:16:40 | name | semmle.label | name |
+| Mysql2.rb:17:27:17:75 | "SELECT * FROM users WHERE use..." | semmle.label | "SELECT * FROM users WHERE use..." |
 | Mysql2.rb:24:31:24:93 | "SELECT * FROM users WHERE use..." | semmle.label | "SELECT * FROM users WHERE use..." |
 subpaths
+testFailures
+| Mysql2.rb:17:27:17:75 | "SELECT * FROM users WHERE use..." | Unexpected result: Alert |