Ruby: add flow summaries for Pathname class

nickrolfe · nickrolfe · commit 03d0f66247d1 · 2022-06-24T14:14:06.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/Core.qll b/ruby/ql/lib/codeql/ruby/frameworks/Core.qll
@@ -14,6 +14,7 @@ import core.Hash
 import core.String
 import core.Regexp
 import core.IO
+import core.Pathname
 
 /**
  * A system command executed via subshell literal syntax.
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/core/Pathname.qll b/ruby/ql/lib/codeql/ruby/frameworks/core/Pathname.qll
@@ -0,0 +1,118 @@
+/** Modeling of the `Pathname` class from the Ruby standard library. */
+
+private import codeql.ruby.AST
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.DataFlow
+private import codeql.ruby.dataflow.FlowSummary
+private import codeql.ruby.dataflow.internal.DataFlowDispatch
+private import codeql.ruby.controlflow.CfgNodes
+
+/**
+ * Modeling of the `Pathname` class from the Ruby standard library.
+ *
+ * https://docs.ruby-lang.org/en/3.1/Pathname.html
+ */
+module Pathname {
+  /// Flow summary for `Pathname.new`.
+  private class NewSummary extends SummarizedCallable {
+    NewSummary() { this = "Pathname.new" }
+
+    override MethodCall getACall() {
+      result = API::getTopLevelMember("Pathname").getAnInstantiation().getExprNode().getExpr()
+    }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Argument[0]" and
+      output = "ReturnValue" and
+      preservesValue = false
+    }
+  }
+
+  /// Flow summary for `Pathname#dirname`.
+  private class DirnameSummary extends SimpleSummarizedCallable {
+    DirnameSummary() { this = "dirname" }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Argument[self]" and
+      output = "ReturnValue" and
+      preservesValue = false
+    }
+  }
+
+  /// Flow summary for `Pathname#each_filename`.
+  private class EachFilenameSummary extends SimpleSummarizedCallable {
+    EachFilenameSummary() { this = "each_filename" }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Argument[self]" and
+      output = "Argument[block].Parameter[0]" and
+      preservesValue = false
+    }
+  }
+
+  /// Flow summary for `Pathname#expand_path`.
+  private class ExpandPathSummary extends SimpleSummarizedCallable {
+    ExpandPathSummary() { this = "expand_path" }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Argument[self]" and
+      output = "ReturnValue" and
+      preservesValue = false
+    }
+  }
+
+  /// Flow summary for `Pathname#join`.
+  private class JoinSummary extends SimpleSummarizedCallable {
+    JoinSummary() { this = "join" }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = ["Argument[self]", "Argument[any]"] and
+      output = "ReturnValue" and
+      preservesValue = false
+    }
+  }
+
+  /// Flow summary for `Pathname#parent`.
+  private class ParentSummary extends SimpleSummarizedCallable {
+    ParentSummary() { this = "parent" }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Argument[self]" and
+      output = "ReturnValue" and
+      preservesValue = false
+    }
+  }
+
+  /// Flow summary for `Pathname#realpath`.
+  private class RealpathSummary extends SimpleSummarizedCallable {
+    RealpathSummary() { this = "realpath" }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Argument[self]" and
+      output = "ReturnValue" and
+      preservesValue = false
+    }
+  }
+
+  /// Flow summary for `Pathname#relative_path_from`.
+  private class RelativePathFromSummary extends SimpleSummarizedCallable {
+    RelativePathFromSummary() { this = "relative_path_from" }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Argument[self]" and
+      output = "ReturnValue" and
+      preservesValue = false
+    }
+  }
+
+  /// Flow summary for `Pathname#to_path`.
+  private class ToPathSummary extends SimpleSummarizedCallable {
+    ToPathSummary() { this = "to_path" }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Argument[self]" and
+      output = "ReturnValue" and
+      preservesValue = false
+    }
+  }
+}
diff --git a/ruby/ql/test/library-tests/dataflow/pathname-flow/pathame-flow.expected b/ruby/ql/test/library-tests/dataflow/pathname-flow/pathame-flow.expected
@@ -0,0 +1,90 @@
+failures
+edges
+| pathname_flow.rb:4:10:4:33 | call to new :  | pathname_flow.rb:5:10:5:11 | pn |
+| pathname_flow.rb:4:23:4:32 | call to source :  | pathname_flow.rb:4:10:4:33 | call to new :  |
+| pathname_flow.rb:9:6:9:29 | call to new :  | pathname_flow.rb:11:7:11:11 | ... + ... |
+| pathname_flow.rb:9:19:9:28 | call to source :  | pathname_flow.rb:9:6:9:29 | call to new :  |
+| pathname_flow.rb:10:6:10:29 | call to new :  | pathname_flow.rb:11:7:11:11 | ... + ... |
+| pathname_flow.rb:10:19:10:28 | call to source :  | pathname_flow.rb:10:6:10:29 | call to new :  |
+| pathname_flow.rb:15:7:15:30 | call to new :  | pathname_flow.rb:16:7:16:8 | pn :  |
+| pathname_flow.rb:15:20:15:29 | call to source :  | pathname_flow.rb:15:7:15:30 | call to new :  |
+| pathname_flow.rb:16:7:16:8 | pn :  | pathname_flow.rb:16:7:16:16 | call to dirname |
+| pathname_flow.rb:20:6:20:29 | call to new :  | pathname_flow.rb:21:2:21:2 | a :  |
+| pathname_flow.rb:20:19:20:28 | call to source :  | pathname_flow.rb:20:6:20:29 | call to new :  |
+| pathname_flow.rb:21:2:21:2 | a :  | pathname_flow.rb:21:22:21:22 | x :  |
+| pathname_flow.rb:21:22:21:22 | x :  | pathname_flow.rb:22:8:22:8 | x |
+| pathname_flow.rb:27:6:27:29 | call to new :  | pathname_flow.rb:28:7:28:7 | a :  |
+| pathname_flow.rb:27:19:27:28 | call to source :  | pathname_flow.rb:27:6:27:29 | call to new :  |
+| pathname_flow.rb:28:7:28:7 | a :  | pathname_flow.rb:28:7:28:21 | call to expand_path |
+| pathname_flow.rb:32:6:32:29 | call to new :  | pathname_flow.rb:35:7:35:7 | a :  |
+| pathname_flow.rb:32:19:32:28 | call to source :  | pathname_flow.rb:32:6:32:29 | call to new :  |
+| pathname_flow.rb:34:6:34:29 | call to new :  | pathname_flow.rb:35:17:35:17 | c :  |
+| pathname_flow.rb:34:19:34:28 | call to source :  | pathname_flow.rb:34:6:34:29 | call to new :  |
+| pathname_flow.rb:35:7:35:7 | a :  | pathname_flow.rb:35:7:35:18 | call to join |
+| pathname_flow.rb:35:17:35:17 | c :  | pathname_flow.rb:35:7:35:18 | call to join |
+| pathname_flow.rb:39:6:39:29 | call to new :  | pathname_flow.rb:40:7:40:7 | a :  |
+| pathname_flow.rb:39:19:39:28 | call to source :  | pathname_flow.rb:39:6:39:29 | call to new :  |
+| pathname_flow.rb:40:7:40:7 | a :  | pathname_flow.rb:40:7:40:16 | call to parent |
+| pathname_flow.rb:44:6:44:29 | call to new :  | pathname_flow.rb:45:7:45:7 | a :  |
+| pathname_flow.rb:44:19:44:28 | call to source :  | pathname_flow.rb:44:6:44:29 | call to new :  |
+| pathname_flow.rb:45:7:45:7 | a :  | pathname_flow.rb:45:7:45:18 | call to realpath |
+| pathname_flow.rb:49:6:49:29 | call to new :  | pathname_flow.rb:50:7:50:7 | a :  |
+| pathname_flow.rb:49:19:49:28 | call to source :  | pathname_flow.rb:49:6:49:29 | call to new :  |
+| pathname_flow.rb:50:7:50:7 | a :  | pathname_flow.rb:50:7:50:38 | call to relative_path_from |
+| pathname_flow.rb:54:6:54:29 | call to new :  | pathname_flow.rb:55:7:55:7 | a :  |
+| pathname_flow.rb:54:19:54:28 | call to source :  | pathname_flow.rb:54:6:54:29 | call to new :  |
+| pathname_flow.rb:55:7:55:7 | a :  | pathname_flow.rb:55:7:55:15 | call to to_path |
+| pathname_flow.rb:59:6:59:29 | call to new :  | pathname_flow.rb:60:7:60:7 | a :  |
+| pathname_flow.rb:59:19:59:28 | call to source :  | pathname_flow.rb:59:6:59:29 | call to new :  |
+| pathname_flow.rb:60:7:60:7 | a :  | pathname_flow.rb:60:7:60:12 | call to to_s |
+nodes
+| pathname_flow.rb:4:10:4:33 | call to new :  | semmle.label | call to new :  |
+| pathname_flow.rb:4:23:4:32 | call to source :  | semmle.label | call to source :  |
+| pathname_flow.rb:5:10:5:11 | pn | semmle.label | pn |
+| pathname_flow.rb:9:6:9:29 | call to new :  | semmle.label | call to new :  |
+| pathname_flow.rb:9:19:9:28 | call to source :  | semmle.label | call to source :  |
+| pathname_flow.rb:10:6:10:29 | call to new :  | semmle.label | call to new :  |
+| pathname_flow.rb:10:19:10:28 | call to source :  | semmle.label | call to source :  |
+| pathname_flow.rb:11:7:11:11 | ... + ... | semmle.label | ... + ... |
+| pathname_flow.rb:15:7:15:30 | call to new :  | semmle.label | call to new :  |
+| pathname_flow.rb:15:20:15:29 | call to source :  | semmle.label | call to source :  |
+| pathname_flow.rb:16:7:16:8 | pn :  | semmle.label | pn :  |
+| pathname_flow.rb:16:7:16:16 | call to dirname | semmle.label | call to dirname |
+| pathname_flow.rb:20:6:20:29 | call to new :  | semmle.label | call to new :  |
+| pathname_flow.rb:20:19:20:28 | call to source :  | semmle.label | call to source :  |
+| pathname_flow.rb:21:2:21:2 | a :  | semmle.label | a :  |
+| pathname_flow.rb:21:22:21:22 | x :  | semmle.label | x :  |
+| pathname_flow.rb:22:8:22:8 | x | semmle.label | x |
+| pathname_flow.rb:27:6:27:29 | call to new :  | semmle.label | call to new :  |
+| pathname_flow.rb:27:19:27:28 | call to source :  | semmle.label | call to source :  |
+| pathname_flow.rb:28:7:28:7 | a :  | semmle.label | a :  |
+| pathname_flow.rb:28:7:28:21 | call to expand_path | semmle.label | call to expand_path |
+| pathname_flow.rb:32:6:32:29 | call to new :  | semmle.label | call to new :  |
+| pathname_flow.rb:32:19:32:28 | call to source :  | semmle.label | call to source :  |
+| pathname_flow.rb:34:6:34:29 | call to new :  | semmle.label | call to new :  |
+| pathname_flow.rb:34:19:34:28 | call to source :  | semmle.label | call to source :  |
+| pathname_flow.rb:35:7:35:7 | a :  | semmle.label | a :  |
+| pathname_flow.rb:35:7:35:18 | call to join | semmle.label | call to join |
+| pathname_flow.rb:35:17:35:17 | c :  | semmle.label | c :  |
+| pathname_flow.rb:39:6:39:29 | call to new :  | semmle.label | call to new :  |
+| pathname_flow.rb:39:19:39:28 | call to source :  | semmle.label | call to source :  |
+| pathname_flow.rb:40:7:40:7 | a :  | semmle.label | a :  |
+| pathname_flow.rb:40:7:40:16 | call to parent | semmle.label | call to parent |
+| pathname_flow.rb:44:6:44:29 | call to new :  | semmle.label | call to new :  |
+| pathname_flow.rb:44:19:44:28 | call to source :  | semmle.label | call to source :  |
+| pathname_flow.rb:45:7:45:7 | a :  | semmle.label | a :  |
+| pathname_flow.rb:45:7:45:18 | call to realpath | semmle.label | call to realpath |
+| pathname_flow.rb:49:6:49:29 | call to new :  | semmle.label | call to new :  |
+| pathname_flow.rb:49:19:49:28 | call to source :  | semmle.label | call to source :  |
+| pathname_flow.rb:50:7:50:7 | a :  | semmle.label | a :  |
+| pathname_flow.rb:50:7:50:38 | call to relative_path_from | semmle.label | call to relative_path_from |
+| pathname_flow.rb:54:6:54:29 | call to new :  | semmle.label | call to new :  |
+| pathname_flow.rb:54:19:54:28 | call to source :  | semmle.label | call to source :  |
+| pathname_flow.rb:55:7:55:7 | a :  | semmle.label | a :  |
+| pathname_flow.rb:55:7:55:15 | call to to_path | semmle.label | call to to_path |
+| pathname_flow.rb:59:6:59:29 | call to new :  | semmle.label | call to new :  |
+| pathname_flow.rb:59:19:59:28 | call to source :  | semmle.label | call to source :  |
+| pathname_flow.rb:60:7:60:7 | a :  | semmle.label | a :  |
+| pathname_flow.rb:60:7:60:12 | call to to_s | semmle.label | call to to_s |
+subpaths
+#select
diff --git a/ruby/ql/test/library-tests/dataflow/pathname-flow/pathame-flow.ql b/ruby/ql/test/library-tests/dataflow/pathname-flow/pathame-flow.ql
@@ -0,0 +1,11 @@
+/**
+ * @kind path-problem
+ */
+
+import ruby
+import TestUtilities.InlineFlowTest
+import PathGraph
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, DefaultValueFlowConf conf
+where conf.hasFlowPath(source, sink)
+select sink, source, sink, "$@", source, source.toString()
diff --git a/ruby/ql/test/library-tests/dataflow/pathname-flow/pathname_flow.rb b/ruby/ql/test/library-tests/dataflow/pathname-flow/pathname_flow.rb
@@ -0,0 +1,61 @@
+require 'pathname'
+
+def m_new
+    pn = Pathname.new(source 'a')
+    sink pn # $ hasTaintFlow=a
+end
+
+def m_plus
+	a = Pathname.new(source 'a')
+	b = Pathname.new(source 'b')
+	sink(a + b) # $ hasTaintFlow=a $ hasTaintFlow=b
+end
+
+def m_dirname
+	pn = Pathname.new(source 'a')
+	sink pn.dirname # $ hasTaintFlow=a
+end
+
+def m_each_filename
+	a = Pathname.new(source 'a')
+	a.each_filename do |x|
+		sink x # $ hasTaintFlow=a
+	end
+end
+
+def m_expand_path
+	a = Pathname.new(source 'a')
+	sink a.expand_path() # $ hasTaintFlow=a
+end
+
+def m_join
+	a = Pathname.new(source 'a')
+	b = Pathname.new('foo')
+	c = Pathname.new(source 'c')
+	sink a.join(b, c) # $ hasTaintFlow=a $ hasTaintFlow=c
+end
+
+def m_parent
+	a = Pathname.new(source 'a')
+	sink a.parent() # $ hasTaintFlow=a
+end
+
+def m_realpath
+	a = Pathname.new(source 'a')
+	sink a.realpath() # $ hasTaintFlow=a
+end
+
+def m_relative_path_from
+	a = Pathname.new(source 'a')
+	sink a.relative_path_from('/foo/bar') # $ hasTaintFlow=a
+end
+
+def m_to_path
+	a = Pathname.new(source 'a')
+	sink a.to_path # $ hasTaintFlow=a
+end
+
+def m_to_s
+	a = Pathname.new(source 'a')
+	sink a.to_s # $ hasTaintFlow=a
+end
