Ruby: use CfgNodes classes to implement case value to pattern variable taint steps

aibaars · aibaars · commit 5df1f7a0c339 · 2022-01-24T10:31:08.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/TaintTrackingPrivate.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/TaintTrackingPrivate.qll
@@ -24,20 +24,54 @@ predicate defaultTaintSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 bindingset[node]
 predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::Content c) { none() }
 
+private CfgNodes::ExprNodes::VariableWriteAccessCfgNode variablesInPattern(
+  CfgNodes::ExprNodes::CasePatternCfgNode p
+) {
+  result = p
+  or
+  exists(CfgNodes::ExprNodes::AsPatternCfgNode ap | p = ap |
+    result = variablesInPattern(ap.getPattern()) or
+    result = ap.getVariableAccess()
+  )
+  or
+  exists(CfgNodes::ExprNodes::ParenthesizedPatternCfgNode pp | p = pp |
+    result = variablesInPattern(pp.getPattern())
+  )
+  or
+  exists(CfgNodes::ExprNodes::AlternativePatternCfgNode ap | p = ap |
+    result = variablesInPattern(ap.getAlternative(_))
+  )
+  or
+  exists(CfgNodes::ExprNodes::ArrayPatternCfgNode ap | p = ap |
+    result = variablesInPattern(ap.getPrefixElement(_)) or
+    result = variablesInPattern(ap.getSuffixElement(_)) or
+    result = ap.getRestVariableAccess()
+  )
+  or
+  exists(CfgNodes::ExprNodes::FindPatternCfgNode fp | p = fp |
+    result = variablesInPattern(fp.getElement(_)) or
+    result = fp.getPrefixVariableAccess() or
+    result = fp.getSuffixVariableAccess()
+  )
+  or
+  exists(CfgNodes::ExprNodes::HashPatternCfgNode hp | p = hp |
+    result = variablesInPattern(hp.getValue(_)) or
+    result = hp.getRestVariableAccess()
+  )
+}
+
 /**
  * Holds if the additional step from `nodeFrom` to `nodeTo` should be included
  * in all global taint flow configurations.
  */
 cached
 predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
   // value of `case` expression into variables in patterns
-  exists(VariableWriteAccess varDef, CaseExpr case, InClause clause, CfgNode nodeToCfg |
-    clause = case.getABranch() and
-    varDef.getParent*() = clause.getPattern() and
-    nodeFrom.asExpr().getExpr() = case.getValue() and
-    nodeToCfg = nodeTo.(SsaDefinitionNode).getDefinition().getControlFlowNode() and
-    nodeToCfg = nodeFrom.asExpr().getASuccessor+() and
-    nodeToCfg.getNode() = varDef
+  exists(CfgNodes::ExprNodes::CaseExprCfgNode case, CfgNodes::ExprNodes::InClauseCfgNode clause |
+    nodeFrom.asExpr() = case.getValue() and
+    clause = case.getBranch(_) and
+    nodeTo.(SsaDefinitionNode).getDefinition().getControlFlowNode() =
+      variablesInPattern(clause.getPattern())
   )
   or
   // operation involving `nodeFrom`
