Merge pull request #9030 from hmac/hmac/activesupport

Ruby: Model various bits of ActiveSupport

Author: hmac

ruby/ql/lib/codeql/ruby/frameworks/ActiveSupport.qll

@@ -6,6 +6,10 @@
 private import ruby
 private import codeql.ruby.Concepts
 private import codeql.ruby.DataFlow
+private import codeql.ruby.dataflow.FlowSummary
+private import codeql.ruby.Concepts
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.frameworks.stdlib.Logger::Logger as StdlibLogger
 
 /**
  * Modeling for `ActiveSupport`.
@@ -32,6 +36,107 @@ module ActiveSupport {
 
         override DataFlow::Node getCode() { result = this.getReceiver() }
       }
+
+      /**
+       * Flow summary for methods which transform the receiver in some way, possibly preserving taint.
+       */
+      private class StringTransformSummary extends SummarizedCallable {
+        // We're modelling a lot of different methods, so we make up a name for this summary.
+        StringTransformSummary() { this = "ActiveSupportStringTransform" }
+
+        override MethodCall getACall() {
+          result.getMethodName() =
+            [
+              "camelize", "camelcase", "classify", "dasherize", "deconstantize", "demodulize",
+              "foreign_key", "humanize", "indent", "parameterize", "pluralize", "singularize",
+              "squish", "strip_heredoc", "tableize", "titlecase", "titleize", "underscore",
+              "upcase_first"
+            ]
+        }
+
+        override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+          input = "Argument[self]" and output = "ReturnValue" and preservesValue = false
+        }
+      }
+    }
+
+    /**
+     * Extensions to the `Enumerable` module.
+     */
+    module Enumerable {
+      private class ArrayIndex extends int {
+        ArrayIndex() { this = any(DataFlow::Content::KnownElementContent c).getIndex().getInt() }
+      }
+
+      private class CompactBlankSummary extends SimpleSummarizedCallable {
+        CompactBlankSummary() { this = "compact_blank" }
+
+        override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+          input = "Argument[self].Element[any]" and
+          output = "ReturnValue.Element[?]" and
+          preservesValue = true
+        }
+      }
+
+      private class ExcludingSummary extends SimpleSummarizedCallable {
+        ExcludingSummary() { this = ["excluding", "without"] }
+
+        override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+          input = "Argument[self].Element[any]" and
+          output = "ReturnValue.Element[?]" and
+          preservesValue = true
+        }
+      }
+
+      private class InOrderOfSummary extends SimpleSummarizedCallable {
+        InOrderOfSummary() { this = "in_order_of" }
+
+        override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+          input = "Argument[self].Element[any]" and
+          output = "ReturnValue.Element[?]" and
+          preservesValue = true
+        }
+      }
+
+      /**
+       * Like `Array#push` but doesn't update the receiver.
+       */
+      private class IncludingSummary extends SimpleSummarizedCallable {
+        IncludingSummary() { this = "including" }
+
+        override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+          (
+            exists(ArrayIndex i |
+              input = "Argument[self].Element[" + i + "]" and
+              output = "ReturnValue.Element[" + i + "]"
+            )
+            or
+            input = "Argument[self].Element[?]" and
+            output = "ReturnValue.Element[?]"
+            or
+            exists(int i | i in [0 .. (mc.getNumberOfArguments() - 1)] |
+              input = "Argument[" + i + "]" and
+              output = "ReturnValue.Element[?]"
+            )
+          ) and
+          preservesValue = true
+        }
+      }
+      // TODO: index_by, index_with, pick, pluck (they require Hash dataflow)
+    }
+  }
+
+  /**
+   * `ActiveSupport::Logger`
+   */
+  module Logger {
+    private class ActiveSupportLoggerInstantiation extends StdlibLogger::LoggerInstantiation {
+      ActiveSupportLoggerInstantiation() {
+        this =
+          API::getTopLevelMember("ActiveSupport")
+              .getMember(["Logger", "TaggedLogging"])
+              .getAnInstantiation()
+      }
     }
   }
 }

ruby/ql/lib/codeql/ruby/frameworks/stdlib/Logger.qll

@@ -16,7 +16,7 @@ private import codeql.ruby.dataflow.internal.DataFlowDispatch
 module Logger {
   /** A reference to a `Logger` instance */
   private DataFlow::Node loggerInstance() {
-    result = API::getTopLevelMember("Logger").getAnInstantiation()
+    result instanceof LoggerInstantiation
     or
     exists(DataFlow::Node inst |
       inst = loggerInstance() and
@@ -33,11 +33,29 @@ module Logger {
     )
   }
 
+  /**
+   * An instantiation of a logger that responds to the std lib logging methods.
+   * This can be extended to recognize additional instances that conform to the
+   * same interface.
+   */
+  abstract class LoggerInstantiation extends DataFlow::Node { }
+
+  /**
+   * An instantiation of the std lib `Logger` class.
+   */
+  private class StdlibLoggerInstantiation extends LoggerInstantiation {
+    StdlibLoggerInstantiation() { this = API::getTopLevelMember("Logger").getAnInstantiation() }
+  }
+
+  private class LoggerInstance extends DataFlow::Node {
+    LoggerInstance() { this = loggerInstance() }
+  }
+
   /**
    * A call to a `Logger` instance method that causes a message to be logged.
    */
   abstract class LoggerLoggingCall extends Logging::Range, DataFlow::CallNode {
-    LoggerLoggingCall() { this.getReceiver() = loggerInstance() }
+    LoggerLoggingCall() { this.getReceiver() instanceof LoggerInstance }
   }
 
   /**

ruby/ql/test/library-tests/frameworks/active_support.rb

@@ -1,2 +1,6 @@
+constantizeCalls
 | active_support.rb:1:1:1:22 | call to constantize | active_support.rb:1:1:1:10 | "Foo::Bar" |
 | active_support.rb:3:1:3:13 | call to constantize | active_support.rb:3:1:3:1 | call to a |
+loggerInstantiations
+| active_support.rb:5:1:5:33 | call to new |
+| active_support.rb:6:1:6:40 | call to new |

…-tests/frameworks/ActiveSupport.expected …ks/active_support/ActiveSupport.expectedruby/ql/test/library-tests/frameworks/ActiveSupport.expected renamed to ruby/ql/test/library-tests/frameworks/active_support/ActiveSupport.expected ruby/ql/test/library-tests/frameworks/ActiveSupport.expected renamed to ruby/ql/test/library-tests/frameworks/active_support/ActiveSupport.expected

@@ -1,6 +1,9 @@
 import codeql.ruby.frameworks.ActiveSupport
 import codeql.ruby.DataFlow
+import codeql.ruby.frameworks.stdlib.Logger
 
 query DataFlow::Node constantizeCalls(ActiveSupport::CoreExtensions::String::Constantize c) {
   result = c.getCode()
 }
+
+query predicate loggerInstantiations(Logger::LoggerInstantiation l) { any() }