Ruby: Implement mustFlow

hvitved · hvitved · commit 66aa1c9378f7 · 2023-09-23T15:22:46.000+02:00
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll
@@ -1700,7 +1700,27 @@ private predicate mustHaveLambdaType(CfgNodes::ExprCfgNode e, Callable c) {
   )
 }
 
-predicate localMustFlowStep(Node node1, Node node2) { none() }
+predicate localMustFlowStep(Node node1, Node node2) {
+  LocalFlow::localFlowSsaParamInput(node1, node2)
+  or
+  exists(SsaImpl::Definition def |
+    def.(Ssa::WriteDefinition).assigns(node1.asExpr()) and
+    node2.(SsaDefinitionExtNode).getDefinitionExt() = def
+    or
+    def = node1.(SsaDefinitionExtNode).getDefinitionExt() and
+    node2.asExpr() = SsaImpl::getARead(def)
+  )
+  or
+  node1.asExpr() = node2.asExpr().(CfgNodes::ExprNodes::AssignExprCfgNode).getRhs()
+  or
+  node1.asExpr() = node2.asExpr().(CfgNodes::ExprNodes::BlockArgumentCfgNode).getValue()
+  or
+  node1 =
+    unique(FlowSummaryNode n1 |
+      FlowSummaryImpl::Private::Steps::summaryLocalStep(n1.getSummaryNode(),
+        node2.(FlowSummaryNode).getSummaryNode(), true)
+    )
+}
 
 /** Gets the type of `n` used for type pruning. */
 DataFlowType getNodeType(Node n) {
diff --git a/ruby/ql/test/library-tests/dataflow/global/Flow.expected b/ruby/ql/test/library-tests/dataflow/global/Flow.expected
@@ -1,23 +1,17 @@
 testFailures
-| callbacks.rb:18:25:18:25 | x | Unexpected result: hasValueFlow=1 |
-| callbacks.rb:29:37:29:37 | x | Unexpected result: hasValueFlow=2 |
 edges
 | callbacks.rb:9:15:9:15 | x | callbacks.rb:10:12:10:12 | x |
 | callbacks.rb:10:12:10:12 | x | callbacks.rb:17:15:17:15 | x |
-| callbacks.rb:10:12:10:12 | x | callbacks.rb:18:15:18:15 | x |
 | callbacks.rb:13:20:13:20 | x | callbacks.rb:14:14:14:14 | x |
 | callbacks.rb:14:14:14:14 | x | callbacks.rb:9:15:9:15 | x |
 | callbacks.rb:17:15:17:15 | x | callbacks.rb:17:25:17:25 | x |
 | callbacks.rb:17:31:17:38 | call to taint | callbacks.rb:13:20:13:20 | x |
-| callbacks.rb:18:15:18:15 | x | callbacks.rb:18:25:18:25 | x |
 | callbacks.rb:20:17:20:17 | x | callbacks.rb:21:11:21:11 | x |
 | callbacks.rb:21:11:21:11 | x | callbacks.rb:28:31:28:31 | x |
-| callbacks.rb:21:11:21:11 | x | callbacks.rb:29:29:29:29 | x |
 | callbacks.rb:24:23:24:23 | x | callbacks.rb:25:17:25:17 | x |
 | callbacks.rb:25:17:25:17 | x | callbacks.rb:20:17:20:17 | x |
 | callbacks.rb:28:18:28:25 | call to taint | callbacks.rb:24:23:24:23 | x |
 | callbacks.rb:28:31:28:31 | x | callbacks.rb:28:39:28:39 | x |
-| callbacks.rb:29:29:29:29 | x | callbacks.rb:29:37:29:37 | x |
 | captured_variables.rb:9:24:9:24 | x | captured_variables.rb:10:10:10:23 | -> { ... } [captured x] |
 | captured_variables.rb:9:24:9:24 | x | captured_variables.rb:11:5:11:6 | fn [captured x] |
 | captured_variables.rb:10:5:10:6 | fn [captured x] | captured_variables.rb:11:5:11:6 | fn [captured x] |
@@ -278,17 +272,13 @@ nodes
 | callbacks.rb:17:15:17:15 | x | semmle.label | x |
 | callbacks.rb:17:25:17:25 | x | semmle.label | x |
 | callbacks.rb:17:31:17:38 | call to taint | semmle.label | call to taint |
-| callbacks.rb:18:15:18:15 | x | semmle.label | x |
-| callbacks.rb:18:25:18:25 | x | semmle.label | x |
 | callbacks.rb:20:17:20:17 | x | semmle.label | x |
 | callbacks.rb:21:11:21:11 | x | semmle.label | x |
 | callbacks.rb:24:23:24:23 | x | semmle.label | x |
 | callbacks.rb:25:17:25:17 | x | semmle.label | x |
 | callbacks.rb:28:18:28:25 | call to taint | semmle.label | call to taint |
 | callbacks.rb:28:31:28:31 | x | semmle.label | x |
 | callbacks.rb:28:39:28:39 | x | semmle.label | x |
-| callbacks.rb:29:29:29:29 | x | semmle.label | x |
-| callbacks.rb:29:37:29:37 | x | semmle.label | x |
 | captured_variables.rb:9:24:9:24 | x | semmle.label | x |
 | captured_variables.rb:10:5:10:6 | fn [captured x] | semmle.label | fn [captured x] |
 | captured_variables.rb:10:10:10:23 | -> { ... } [captured x] | semmle.label | -> { ... } [captured x] |
@@ -585,9 +575,7 @@ subpaths
 | instance_variables.rb:120:6:120:10 | foo16 [@field] | instance_variables.rb:13:5:15:7 | self in get_field [@field] | instance_variables.rb:14:9:14:21 | return | instance_variables.rb:120:6:120:20 | call to get_field |
 #select
 | callbacks.rb:17:25:17:25 | x | callbacks.rb:17:31:17:38 | call to taint | callbacks.rb:17:25:17:25 | x | $@ | callbacks.rb:17:31:17:38 | call to taint | call to taint |
-| callbacks.rb:18:25:18:25 | x | callbacks.rb:17:31:17:38 | call to taint | callbacks.rb:18:25:18:25 | x | $@ | callbacks.rb:17:31:17:38 | call to taint | call to taint |
 | callbacks.rb:28:39:28:39 | x | callbacks.rb:28:18:28:25 | call to taint | callbacks.rb:28:39:28:39 | x | $@ | callbacks.rb:28:18:28:25 | call to taint | call to taint |
-| callbacks.rb:29:37:29:37 | x | callbacks.rb:28:18:28:25 | call to taint | callbacks.rb:29:37:29:37 | x | $@ | callbacks.rb:28:18:28:25 | call to taint | call to taint |
 | captured_variables.rb:10:20:10:20 | x | captured_variables.rb:13:20:13:29 | call to taint | captured_variables.rb:10:20:10:20 | x | $@ | captured_variables.rb:13:20:13:29 | call to taint | call to taint |
 | captured_variables.rb:17:14:17:14 | x | captured_variables.rb:20:25:20:34 | call to taint | captured_variables.rb:17:14:17:14 | x | $@ | captured_variables.rb:20:25:20:34 | call to taint | call to taint |
 | captured_variables.rb:24:14:24:14 | x | captured_variables.rb:27:48:27:57 | call to taint | captured_variables.rb:24:14:24:14 | x | $@ | captured_variables.rb:27:48:27:57 | call to taint | call to taint |
diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImplCommon.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImplCommon.qll
@@ -971,7 +971,7 @@ module MakeImplCommon<InputSig Lang> {
     predicate allowParameterReturnInSelfCached(ParamNode p) { allowParameterReturnInSelf(p) }
 
     cached
-    predicate paramMustFlow(ParamNode p, ArgNode arg) { localMustFlowStep+(p, arg) }
+    predicate paramMustFlow(ParamNode p, ArgNode arg) { localMustFlowStep*(p, arg) }
 
     cached
     newtype TCallContext =
