Ruby: add flow summaries for Object#dup and Kernel#tap

aibaars · aibaars · commit 0160c374e4bf · 2022-10-04T12:58:49.000+02:00
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/core/Kernel.qll b/ruby/ql/lib/codeql/ruby/frameworks/core/Kernel.qll
@@ -167,4 +167,14 @@ module Kernel {
 
     override DataFlow::Node getCode() { result = this.getArgument(0) }
   }
+
+  private class TapSummary extends SimpleSummarizedCallable {
+    TapSummary() { this = "tap" }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Argument[self]" and
+      output = ["ReturnValue", "Argument[block].Parameter[0]"] and
+      preservesValue = true
+    }
+  }
 }
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/core/Object.qll b/ruby/ql/lib/codeql/ruby/frameworks/core/Object.qll
@@ -3,6 +3,7 @@
  */
 
 private import codeql.ruby.AST
+private import codeql.ruby.dataflow.FlowSummary
 
 /**
  * Provides modeling for the `Object` class.
@@ -31,4 +32,14 @@ module Object {
         "taint", "tainted?", "to_enum", "to_s", "trust", "untaint", "untrust", "untrusted?"
       ]
   }
+
+  private class DupSummary extends SimpleSummarizedCallable {
+    DupSummary() { this = "dup" }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Argument[self]" and
+      output = "ReturnValue" and
+      preservesValue = true
+    }
+  }
 }
diff --git a/ruby/ql/test/library-tests/dataflow/local/DataflowStep.expected b/ruby/ql/test/library-tests/dataflow/local/DataflowStep.expected
@@ -243,3 +243,39 @@
 | local_dataflow.rb:107:9:107:17 | [post] self | local_dataflow.rb:108:3:108:9 | self |
 | local_dataflow.rb:107:9:107:17 | call to source | local_dataflow.rb:107:5:107:7 | ... && ... |
 | local_dataflow.rb:107:9:107:17 | self | local_dataflow.rb:108:3:108:9 | self |
+| local_dataflow.rb:111:1:114:3 | self (object_dup) | local_dataflow.rb:112:3:112:21 | self |
+| local_dataflow.rb:111:1:114:3 | self in object_dup | local_dataflow.rb:111:1:114:3 | self (object_dup) |
+| local_dataflow.rb:112:3:112:21 | [post] self | local_dataflow.rb:112:8:112:16 | self |
+| local_dataflow.rb:112:3:112:21 | self | local_dataflow.rb:112:8:112:16 | self |
+| local_dataflow.rb:112:8:112:16 | [post] self | local_dataflow.rb:113:3:113:25 | self |
+| local_dataflow.rb:112:8:112:16 | call to source | local_dataflow.rb:112:8:112:20 | call to dup |
+| local_dataflow.rb:112:8:112:16 | self | local_dataflow.rb:113:3:113:25 | self |
+| local_dataflow.rb:113:3:113:25 | [post] self | local_dataflow.rb:113:8:113:16 | self |
+| local_dataflow.rb:113:3:113:25 | self | local_dataflow.rb:113:8:113:16 | self |
+| local_dataflow.rb:113:8:113:16 | call to source | local_dataflow.rb:113:8:113:20 | call to dup |
+| local_dataflow.rb:113:8:113:20 | call to dup | local_dataflow.rb:113:8:113:24 | call to dup |
+| local_dataflow.rb:116:1:120:3 | self (kernel_tap) | local_dataflow.rb:117:3:117:24 | self |
+| local_dataflow.rb:116:1:120:3 | self in kernel_tap | local_dataflow.rb:116:1:120:3 | self (kernel_tap) |
+| local_dataflow.rb:117:3:117:24 | [post] self | local_dataflow.rb:117:8:117:16 | self |
+| local_dataflow.rb:117:3:117:24 | self | local_dataflow.rb:117:8:117:16 | self |
+| local_dataflow.rb:117:8:117:16 | [post] self | local_dataflow.rb:118:3:118:11 | self |
+| local_dataflow.rb:117:8:117:16 | call to source | local_dataflow.rb:117:8:117:23 | call to tap |
+| local_dataflow.rb:117:8:117:16 | self | local_dataflow.rb:118:3:118:11 | self |
+| local_dataflow.rb:118:3:118:11 | [post] self | local_dataflow.rb:119:3:119:31 | self |
+| local_dataflow.rb:118:3:118:11 | call to source | local_dataflow.rb:118:3:118:31 | call to tap |
+| local_dataflow.rb:118:3:118:11 | self | local_dataflow.rb:119:3:119:31 | self |
+| local_dataflow.rb:118:17:118:31 | <captured> | local_dataflow.rb:118:23:118:29 | self |
+| local_dataflow.rb:118:20:118:20 | x | local_dataflow.rb:118:20:118:20 | x |
+| local_dataflow.rb:118:20:118:20 | x | local_dataflow.rb:118:28:118:28 | x |
+| local_dataflow.rb:119:3:119:31 | [post] self | local_dataflow.rb:119:8:119:16 | self |
+| local_dataflow.rb:119:3:119:31 | self | local_dataflow.rb:119:8:119:16 | self |
+| local_dataflow.rb:119:8:119:16 | call to source | local_dataflow.rb:119:8:119:23 | call to tap |
+| local_dataflow.rb:119:8:119:23 | call to tap | local_dataflow.rb:119:8:119:30 | call to tap |
+| local_dataflow.rb:122:1:124:3 | self (dup_tap) | local_dataflow.rb:123:3:123:50 | self |
+| local_dataflow.rb:122:1:124:3 | self in dup_tap | local_dataflow.rb:122:1:124:3 | self (dup_tap) |
+| local_dataflow.rb:123:3:123:50 | [post] self | local_dataflow.rb:123:8:123:16 | self |
+| local_dataflow.rb:123:3:123:50 | self | local_dataflow.rb:123:8:123:16 | self |
+| local_dataflow.rb:123:8:123:16 | call to source | local_dataflow.rb:123:8:123:20 | call to dup |
+| local_dataflow.rb:123:8:123:20 | call to dup | local_dataflow.rb:123:8:123:45 | call to tap |
+| local_dataflow.rb:123:8:123:45 | call to tap | local_dataflow.rb:123:8:123:49 | call to dup |
+| local_dataflow.rb:123:26:123:45 | <captured> | local_dataflow.rb:123:32:123:43 | self |
diff --git a/ruby/ql/test/library-tests/dataflow/local/Nodes.expected b/ruby/ql/test/library-tests/dataflow/local/Nodes.expected
@@ -14,6 +14,11 @@ ret
 | local_dataflow.rb:52:3:52:10 | "normal" |
 | local_dataflow.rb:89:3:89:9 | call to sink |
 | local_dataflow.rb:108:3:108:9 | call to sink |
+| local_dataflow.rb:113:3:113:25 | call to sink |
+| local_dataflow.rb:118:23:118:29 | call to sink |
+| local_dataflow.rb:119:3:119:31 | call to sink |
+| local_dataflow.rb:123:3:123:50 | call to sink |
+| local_dataflow.rb:123:32:123:43 | call to puts |
 arg
 | local_dataflow.rb:3:8:3:10 | self | local_dataflow.rb:3:8:3:10 | call to p | self |
 | local_dataflow.rb:3:10:3:10 | a | local_dataflow.rb:3:8:3:10 | call to p | position 0 |
@@ -124,3 +129,44 @@ arg
 | local_dataflow.rb:107:16:107:16 | 8 | local_dataflow.rb:107:9:107:17 | call to source | position 0 |
 | local_dataflow.rb:108:3:108:9 | self | local_dataflow.rb:108:3:108:9 | call to sink | self |
 | local_dataflow.rb:108:8:108:8 | b | local_dataflow.rb:108:3:108:9 | call to sink | position 0 |
+| local_dataflow.rb:112:3:112:21 | self | local_dataflow.rb:112:3:112:21 | call to sink | self |
+| local_dataflow.rb:112:8:112:16 | call to source | local_dataflow.rb:112:8:112:20 | call to dup | self |
+| local_dataflow.rb:112:8:112:16 | self | local_dataflow.rb:112:8:112:16 | call to source | self |
+| local_dataflow.rb:112:8:112:20 | call to dup | local_dataflow.rb:112:3:112:21 | call to sink | position 0 |
+| local_dataflow.rb:112:15:112:15 | 1 | local_dataflow.rb:112:8:112:16 | call to source | position 0 |
+| local_dataflow.rb:113:3:113:25 | self | local_dataflow.rb:113:3:113:25 | call to sink | self |
+| local_dataflow.rb:113:8:113:16 | call to source | local_dataflow.rb:113:8:113:20 | call to dup | self |
+| local_dataflow.rb:113:8:113:16 | self | local_dataflow.rb:113:8:113:16 | call to source | self |
+| local_dataflow.rb:113:8:113:20 | call to dup | local_dataflow.rb:113:8:113:24 | call to dup | self |
+| local_dataflow.rb:113:8:113:24 | call to dup | local_dataflow.rb:113:3:113:25 | call to sink | position 0 |
+| local_dataflow.rb:113:15:113:15 | 1 | local_dataflow.rb:113:8:113:16 | call to source | position 0 |
+| local_dataflow.rb:117:3:117:24 | self | local_dataflow.rb:117:3:117:24 | call to sink | self |
+| local_dataflow.rb:117:8:117:16 | call to source | local_dataflow.rb:117:8:117:23 | call to tap | self |
+| local_dataflow.rb:117:8:117:16 | self | local_dataflow.rb:117:8:117:16 | call to source | self |
+| local_dataflow.rb:117:8:117:23 | call to tap | local_dataflow.rb:117:3:117:24 | call to sink | position 0 |
+| local_dataflow.rb:117:15:117:15 | 1 | local_dataflow.rb:117:8:117:16 | call to source | position 0 |
+| local_dataflow.rb:117:22:117:23 | { ... } | local_dataflow.rb:117:8:117:23 | call to tap | block |
+| local_dataflow.rb:118:3:118:11 | call to source | local_dataflow.rb:118:3:118:31 | call to tap | self |
+| local_dataflow.rb:118:3:118:11 | self | local_dataflow.rb:118:3:118:11 | call to source | self |
+| local_dataflow.rb:118:10:118:10 | 1 | local_dataflow.rb:118:3:118:11 | call to source | position 0 |
+| local_dataflow.rb:118:17:118:31 | { ... } | local_dataflow.rb:118:3:118:31 | call to tap | block |
+| local_dataflow.rb:118:23:118:29 | self | local_dataflow.rb:118:23:118:29 | call to sink | self |
+| local_dataflow.rb:118:28:118:28 | x | local_dataflow.rb:118:23:118:29 | call to sink | position 0 |
+| local_dataflow.rb:119:3:119:31 | self | local_dataflow.rb:119:3:119:31 | call to sink | self |
+| local_dataflow.rb:119:8:119:16 | call to source | local_dataflow.rb:119:8:119:23 | call to tap | self |
+| local_dataflow.rb:119:8:119:16 | self | local_dataflow.rb:119:8:119:16 | call to source | self |
+| local_dataflow.rb:119:8:119:23 | call to tap | local_dataflow.rb:119:8:119:30 | call to tap | self |
+| local_dataflow.rb:119:8:119:30 | call to tap | local_dataflow.rb:119:3:119:31 | call to sink | position 0 |
+| local_dataflow.rb:119:15:119:15 | 1 | local_dataflow.rb:119:8:119:16 | call to source | position 0 |
+| local_dataflow.rb:119:22:119:23 | { ... } | local_dataflow.rb:119:8:119:23 | call to tap | block |
+| local_dataflow.rb:119:29:119:30 | { ... } | local_dataflow.rb:119:8:119:30 | call to tap | block |
+| local_dataflow.rb:123:3:123:50 | self | local_dataflow.rb:123:3:123:50 | call to sink | self |
+| local_dataflow.rb:123:8:123:16 | call to source | local_dataflow.rb:123:8:123:20 | call to dup | self |
+| local_dataflow.rb:123:8:123:16 | self | local_dataflow.rb:123:8:123:16 | call to source | self |
+| local_dataflow.rb:123:8:123:20 | call to dup | local_dataflow.rb:123:8:123:45 | call to tap | self |
+| local_dataflow.rb:123:8:123:45 | call to tap | local_dataflow.rb:123:8:123:49 | call to dup | self |
+| local_dataflow.rb:123:8:123:49 | call to dup | local_dataflow.rb:123:3:123:50 | call to sink | position 0 |
+| local_dataflow.rb:123:15:123:15 | 1 | local_dataflow.rb:123:8:123:16 | call to source | position 0 |
+| local_dataflow.rb:123:26:123:45 | { ... } | local_dataflow.rb:123:8:123:45 | call to tap | block |
+| local_dataflow.rb:123:32:123:43 | self | local_dataflow.rb:123:32:123:43 | call to puts | self |
+| local_dataflow.rb:123:37:123:43 | "hello" | local_dataflow.rb:123:32:123:43 | call to puts | position 0 |
diff --git a/ruby/ql/test/library-tests/dataflow/local/TaintflowStep.expected b/ruby/ql/test/library-tests/dataflow/local/TaintflowStep.expected
@@ -33,6 +33,28 @@ edges
 | local_dataflow.rb:106:7:106:15 | call to source :  | local_dataflow.rb:108:8:108:8 | b |
 | local_dataflow.rb:107:9:107:17 | call to source :  | local_dataflow.rb:108:8:108:8 | b |
 | local_dataflow.rb:107:9:107:17 | call to source :  | local_dataflow.rb:108:8:108:8 | b |
+| local_dataflow.rb:112:8:112:16 | call to source :  | local_dataflow.rb:112:8:112:20 | call to dup |
+| local_dataflow.rb:112:8:112:16 | call to source :  | local_dataflow.rb:112:8:112:20 | call to dup |
+| local_dataflow.rb:113:8:113:16 | call to source :  | local_dataflow.rb:113:8:113:20 | call to dup :  |
+| local_dataflow.rb:113:8:113:16 | call to source :  | local_dataflow.rb:113:8:113:20 | call to dup :  |
+| local_dataflow.rb:113:8:113:20 | call to dup :  | local_dataflow.rb:113:8:113:24 | call to dup |
+| local_dataflow.rb:113:8:113:20 | call to dup :  | local_dataflow.rb:113:8:113:24 | call to dup |
+| local_dataflow.rb:117:8:117:16 | call to source :  | local_dataflow.rb:117:8:117:23 | call to tap |
+| local_dataflow.rb:117:8:117:16 | call to source :  | local_dataflow.rb:117:8:117:23 | call to tap |
+| local_dataflow.rb:118:3:118:11 | call to source :  | local_dataflow.rb:118:20:118:20 | x :  |
+| local_dataflow.rb:118:3:118:11 | call to source :  | local_dataflow.rb:118:20:118:20 | x :  |
+| local_dataflow.rb:118:20:118:20 | x :  | local_dataflow.rb:118:28:118:28 | x |
+| local_dataflow.rb:118:20:118:20 | x :  | local_dataflow.rb:118:28:118:28 | x |
+| local_dataflow.rb:119:8:119:16 | call to source :  | local_dataflow.rb:119:8:119:23 | call to tap :  |
+| local_dataflow.rb:119:8:119:16 | call to source :  | local_dataflow.rb:119:8:119:23 | call to tap :  |
+| local_dataflow.rb:119:8:119:23 | call to tap :  | local_dataflow.rb:119:8:119:30 | call to tap |
+| local_dataflow.rb:119:8:119:23 | call to tap :  | local_dataflow.rb:119:8:119:30 | call to tap |
+| local_dataflow.rb:123:8:123:16 | call to source :  | local_dataflow.rb:123:8:123:20 | call to dup :  |
+| local_dataflow.rb:123:8:123:16 | call to source :  | local_dataflow.rb:123:8:123:20 | call to dup :  |
+| local_dataflow.rb:123:8:123:20 | call to dup :  | local_dataflow.rb:123:8:123:45 | call to tap :  |
+| local_dataflow.rb:123:8:123:20 | call to dup :  | local_dataflow.rb:123:8:123:45 | call to tap :  |
+| local_dataflow.rb:123:8:123:45 | call to tap :  | local_dataflow.rb:123:8:123:49 | call to dup |
+| local_dataflow.rb:123:8:123:45 | call to tap :  | local_dataflow.rb:123:8:123:49 | call to dup |
 nodes
 | local_dataflow.rb:78:12:78:20 | call to source :  | semmle.label | call to source :  |
 | local_dataflow.rb:79:25:79:25 | b | semmle.label | b |
@@ -80,6 +102,40 @@ nodes
 | local_dataflow.rb:107:9:107:17 | call to source :  | semmle.label | call to source :  |
 | local_dataflow.rb:108:8:108:8 | b | semmle.label | b |
 | local_dataflow.rb:108:8:108:8 | b | semmle.label | b |
+| local_dataflow.rb:112:8:112:16 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:112:8:112:16 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:112:8:112:20 | call to dup | semmle.label | call to dup |
+| local_dataflow.rb:112:8:112:20 | call to dup | semmle.label | call to dup |
+| local_dataflow.rb:113:8:113:16 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:113:8:113:16 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:113:8:113:20 | call to dup :  | semmle.label | call to dup :  |
+| local_dataflow.rb:113:8:113:20 | call to dup :  | semmle.label | call to dup :  |
+| local_dataflow.rb:113:8:113:24 | call to dup | semmle.label | call to dup |
+| local_dataflow.rb:113:8:113:24 | call to dup | semmle.label | call to dup |
+| local_dataflow.rb:117:8:117:16 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:117:8:117:16 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:117:8:117:23 | call to tap | semmle.label | call to tap |
+| local_dataflow.rb:117:8:117:23 | call to tap | semmle.label | call to tap |
+| local_dataflow.rb:118:3:118:11 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:118:3:118:11 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:118:20:118:20 | x :  | semmle.label | x :  |
+| local_dataflow.rb:118:20:118:20 | x :  | semmle.label | x :  |
+| local_dataflow.rb:118:28:118:28 | x | semmle.label | x |
+| local_dataflow.rb:118:28:118:28 | x | semmle.label | x |
+| local_dataflow.rb:119:8:119:16 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:119:8:119:16 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:119:8:119:23 | call to tap :  | semmle.label | call to tap :  |
+| local_dataflow.rb:119:8:119:23 | call to tap :  | semmle.label | call to tap :  |
+| local_dataflow.rb:119:8:119:30 | call to tap | semmle.label | call to tap |
+| local_dataflow.rb:119:8:119:30 | call to tap | semmle.label | call to tap |
+| local_dataflow.rb:123:8:123:16 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:123:8:123:16 | call to source :  | semmle.label | call to source :  |
+| local_dataflow.rb:123:8:123:20 | call to dup :  | semmle.label | call to dup :  |
+| local_dataflow.rb:123:8:123:20 | call to dup :  | semmle.label | call to dup :  |
+| local_dataflow.rb:123:8:123:45 | call to tap :  | semmle.label | call to tap :  |
+| local_dataflow.rb:123:8:123:45 | call to tap :  | semmle.label | call to tap :  |
+| local_dataflow.rb:123:8:123:49 | call to dup | semmle.label | call to dup |
+| local_dataflow.rb:123:8:123:49 | call to dup | semmle.label | call to dup |
 subpaths
 #select
 | local_dataflow.rb:79:25:79:25 | b | local_dataflow.rb:78:12:78:20 | call to source :  | local_dataflow.rb:79:25:79:25 | b | $@ | local_dataflow.rb:78:12:78:20 | call to source :  | call to source :  |
@@ -103,3 +159,9 @@ subpaths
 | local_dataflow.rb:105:8:105:8 | a | local_dataflow.rb:104:9:104:17 | call to source :  | local_dataflow.rb:105:8:105:8 | a | $@ | local_dataflow.rb:104:9:104:17 | call to source :  | call to source :  |
 | local_dataflow.rb:108:8:108:8 | b | local_dataflow.rb:106:7:106:15 | call to source :  | local_dataflow.rb:108:8:108:8 | b | $@ | local_dataflow.rb:106:7:106:15 | call to source :  | call to source :  |
 | local_dataflow.rb:108:8:108:8 | b | local_dataflow.rb:107:9:107:17 | call to source :  | local_dataflow.rb:108:8:108:8 | b | $@ | local_dataflow.rb:107:9:107:17 | call to source :  | call to source :  |
+| local_dataflow.rb:112:8:112:20 | call to dup | local_dataflow.rb:112:8:112:16 | call to source :  | local_dataflow.rb:112:8:112:20 | call to dup | $@ | local_dataflow.rb:112:8:112:16 | call to source :  | call to source :  |
+| local_dataflow.rb:113:8:113:24 | call to dup | local_dataflow.rb:113:8:113:16 | call to source :  | local_dataflow.rb:113:8:113:24 | call to dup | $@ | local_dataflow.rb:113:8:113:16 | call to source :  | call to source :  |
+| local_dataflow.rb:117:8:117:23 | call to tap | local_dataflow.rb:117:8:117:16 | call to source :  | local_dataflow.rb:117:8:117:23 | call to tap | $@ | local_dataflow.rb:117:8:117:16 | call to source :  | call to source :  |
+| local_dataflow.rb:118:28:118:28 | x | local_dataflow.rb:118:3:118:11 | call to source :  | local_dataflow.rb:118:28:118:28 | x | $@ | local_dataflow.rb:118:3:118:11 | call to source :  | call to source :  |
+| local_dataflow.rb:119:8:119:30 | call to tap | local_dataflow.rb:119:8:119:16 | call to source :  | local_dataflow.rb:119:8:119:30 | call to tap | $@ | local_dataflow.rb:119:8:119:16 | call to source :  | call to source :  |
+| local_dataflow.rb:123:8:123:49 | call to dup | local_dataflow.rb:123:8:123:16 | call to source :  | local_dataflow.rb:123:8:123:49 | call to dup | $@ | local_dataflow.rb:123:8:123:16 | call to source :  | call to source :  |
diff --git a/ruby/ql/test/library-tests/dataflow/local/local_dataflow.rb b/ruby/ql/test/library-tests/dataflow/local/local_dataflow.rb
@@ -107,3 +107,18 @@ def and_or
   b &&= source(8)
   sink(b) # $ hasValueFlow=7 hasValueFlow=8
 end
+
+def object_dup
+  sink(source(1).dup) # $ hasValueFlow=1
+  sink(source(1).dup.dup) # $ hasValueFlow=1
+end
+
+def kernel_tap
+  sink(source(1).tap {}) # $ hasValueFlow=1
+  source(1).tap { |x| sink(x) } # $ hasValueFlow=1
+  sink(source(1).tap {}.tap {}) # $ hasValueFlow=1
+end
+
+def dup_tap
+  sink(source(1).dup.tap { |x| puts "hello" }.dup)  # $ hasValueFlow=1
+end

Original file line number	Diff line number	Diff line change
`@@ -167,4 +167,14 @@ module Kernel {`
`167`	`167`
`168`	`168`	`override DataFlow::Node getCode() { result = this.getArgument(0) }`
`169`	`169`	`}`
	`170`	`+`
	`171`	`+ private class TapSummary extends SimpleSummarizedCallable {`
	`172`	`+ TapSummary() { this = "tap" }`
	`173`	`+`
	`174`	`+ override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {`
	`175`	`+ input = "Argument[self]" and`
	`176`	`+ output = ["ReturnValue", "Argument[block].Parameter[0]"] and`
	`177`	`+ preservesValue = true`
	`178`	`+ }`
	`179`	`+ }`
`170`	`180`	`}`