Ruby: make old class names available as deprecated aliases

Author: nickrolfe

ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll

@@ -13,6 +13,16 @@ private import codeql.ruby.frameworks.ActionView
 private import codeql.ruby.frameworks.Rails
 private import codeql.ruby.frameworks.internal.Rails
 
+/**
+ * DEPRECATED: Import `codeql.ruby.frameworks.Rails` and use `Rails::ParamsCall` instead.
+ */
+deprecated class ParamsCall = Rails::ParamsCall;
+
+/**
+ * DEPRECATED: Import `codeql.ruby.frameworks.Rails` and use `Rails::CookiesCall` instead.
+ */
+deprecated class CookiesCall = Rails::CookiesCall;
+
 /**
  * A `ClassDeclaration` for a class that extends `ActionController::Base`.
  * For example,
@@ -74,7 +84,7 @@ class ActionControllerActionMethod extends Method, Http::Server::RequestHandler:
   override string getFramework() { result = "ActionController" }
 
   /** Gets a call to render from within this method. */
-  RenderCall getARenderCall() { result.getParent+() = this }
+  Rails::RenderCall getARenderCall() { result.getParent+() = this }
 
   /**
    * Gets the controller class containing this method.
@@ -126,7 +136,7 @@ private class ActionControllerContextCall extends MethodCall {
  * ActionController parameters available via the `params` method.
  */
 class ParamsSource extends Http::Server::RequestInputAccess::Range {
-  ParamsSource() { this.asExpr().getExpr() instanceof ParamsCall }
+  ParamsSource() { this.asExpr().getExpr() instanceof Rails::ParamsCall }
 
   override string getSourceType() { result = "ActionController::Metal#params" }
 }
@@ -136,7 +146,7 @@ class ParamsSource extends Http::Server::RequestInputAccess::Range {
  * ActionController parameters available via the `cookies` method.
  */
 class CookiesSource extends Http::Server::RequestInputAccess::Range {
-  CookiesSource() { this.asExpr().getExpr() instanceof CookiesCall }
+  CookiesSource() { this.asExpr().getExpr() instanceof Rails::CookiesCall }
 
   override string getSourceType() { result = "ActionController::Metal#cookies" }
 }
@@ -290,7 +300,7 @@ ActionControllerControllerClass getAssociatedControllerClass(ErbFile f) {
   // template file, `fp`. In this case, `f` inherits the associated
   // controller classes from `fp`.
   f.isPartial() and
-  exists(RenderCall r, ErbFile fp |
+  exists(Rails::RenderCall r, ErbFile fp |
     r.getLocation().getFile() = fp and
     r.getTemplateFile() = f and
     result = getAssociatedControllerClass(fp)

ruby/ql/lib/codeql/ruby/frameworks/ActionView.qll

@@ -11,6 +11,26 @@ private import codeql.ruby.dataflow.RemoteFlowSources
 private import codeql.ruby.frameworks.internal.Rails
 private import codeql.ruby.frameworks.Rails
 
+/**
+ * DEPRECATED: Import `codeql.ruby.frameworks.Rails` and use `Rails::HtmlSafeCall` instead.
+ */
+deprecated class HtmlSafeCall = Rails::HtmlSafeCall;
+
+/**
+ * DEPRECATED: Import `codeql.ruby.frameworks.Rails` and use `Rails::HtmlEscapeCall` instead.
+ */
+deprecated class HtmlEscapeCall = Rails::HtmlEscapeCall;
+
+/**
+ * DEPRECATED: Import `codeql.ruby.frameworks.Rails` and use `Rails::RenderCall` instead.
+ */
+deprecated class RenderCall = Rails::RenderCall;
+
+/**
+ * DEPRECATED: Import `codeql.ruby.frameworks.Rails` and use `Rails::RenderToCall` instead.
+ */
+deprecated class RenderToCall = Rails::RenderToCall;
+
 /**
  * Holds if this AST node is in a context where `ActionView` methods are available.
  */
@@ -28,7 +48,7 @@ private class ActionViewHtmlSafeCall extends HtmlSafeCallImpl {
  * A call to a Rails method that escapes HTML.
  */
 class RailsHtmlEscaping extends Escaping::Range, DataFlow::CallNode {
-  RailsHtmlEscaping() { this.asExpr().getExpr() instanceof HtmlEscapeCall }
+  RailsHtmlEscaping() { this.asExpr().getExpr() instanceof Rails::HtmlEscapeCall }
 
   override DataFlow::Node getAnInput() { result = this.getArgument(0) }
 
@@ -80,8 +100,8 @@ private class ActionViewCookiesCall extends ActionViewContextCall, CookiesCallIm
  */
 private class RenderCallAsHttpResponse extends DataFlow::CallNode, Http::Server::HttpResponse::Range {
   RenderCallAsHttpResponse() {
-    this.asExpr().getExpr() instanceof RenderCall or
-    this.asExpr().getExpr() instanceof RenderToCall
+    this.asExpr().getExpr() instanceof Rails::RenderCall or
+    this.asExpr().getExpr() instanceof Rails::RenderToCall
   }
 
   // `render` is a very polymorphic method - all of these are valid calls:

ruby/ql/lib/codeql/ruby/frameworks/Rails.qll

@@ -5,71 +5,71 @@
 private import codeql.ruby.AST
 private import codeql.ruby.Concepts
 private import codeql.ruby.DataFlow
-private import codeql.ruby.frameworks.ActionController
-private import codeql.ruby.frameworks.ActionView
 private import codeql.ruby.frameworks.ActiveRecord
 private import codeql.ruby.frameworks.ActiveStorage
 private import codeql.ruby.frameworks.internal.Rails
 private import codeql.ruby.ApiGraphs
 private import codeql.ruby.security.OpenSSL
 
-/**
- * A method call on a string to mark it as HTML safe for Rails. Strings marked
- * as such will not be automatically escaped when inserted into HTML.
- */
-class HtmlSafeCall extends MethodCall instanceof HtmlSafeCallImpl { }
+module Rails {
+  /**
+   * A method call on a string to mark it as HTML safe for Rails. Strings marked
+   * as such will not be automatically escaped when inserted into HTML.
+   */
+  class HtmlSafeCall extends MethodCall instanceof HtmlSafeCallImpl { }
 
-/** A call to a Rails method to escape HTML. */
-class HtmlEscapeCall extends MethodCall instanceof HtmlEscapeCallImpl { }
+  /** A call to a Rails method to escape HTML. */
+  class HtmlEscapeCall extends MethodCall instanceof HtmlEscapeCallImpl { }
 
-/** A call to fetch the request parameters in a Rails app. */
-class ParamsCall extends MethodCall instanceof ParamsCallImpl { }
+  /** A call to fetch the request parameters in a Rails app. */
+  class ParamsCall extends MethodCall instanceof ParamsCallImpl { }
 
-/** A call to fetch the request cookies in a Rails app. */
-class CookiesCall extends MethodCall instanceof CookiesCallImpl { }
+  /** A call to fetch the request cookies in a Rails app. */
+  class CookiesCall extends MethodCall instanceof CookiesCallImpl { }
 
-/**
- * A call to a render method that will populate the response body with the
- * rendered content.
- */
-class RenderCall extends MethodCall instanceof RenderCallImpl {
-  private Expr getTemplatePathArgument() {
-    // TODO: support other ways of specifying paths (e.g. `file`)
-    result = [this.getKeywordArgument(["partial", "template", "action"]), this.getArgument(0)]
-  }
+  /**
+   * A call to a render method that will populate the response body with the
+   * rendered content.
+   */
+  class RenderCall extends MethodCall instanceof RenderCallImpl {
+    private Expr getTemplatePathArgument() {
+      // TODO: support other ways of specifying paths (e.g. `file`)
+      result = [this.getKeywordArgument(["partial", "template", "action"]), this.getArgument(0)]
+    }
 
-  private string getTemplatePathValue() {
-    result = this.getTemplatePathArgument().getConstantValue().getStringlikeValue()
-  }
+    private string getTemplatePathValue() {
+      result = this.getTemplatePathArgument().getConstantValue().getStringlikeValue()
+    }
 
-  // everything up to and including the final slash, but ignoring any leading slash
-  private string getSubPath() {
-    result = this.getTemplatePathValue().regexpCapture("^/?(.*/)?(?:[^/]*?)$", 1)
-  }
+    // everything up to and including the final slash, but ignoring any leading slash
+    private string getSubPath() {
+      result = this.getTemplatePathValue().regexpCapture("^/?(.*/)?(?:[^/]*?)$", 1)
+    }
 
-  // everything after the final slash, or the whole string if there is no slash
-  private string getBaseName() {
-    result = this.getTemplatePathValue().regexpCapture("^/?(?:.*/)?([^/]*?)$", 1)
-  }
+    // everything after the final slash, or the whole string if there is no slash
+    private string getBaseName() {
+      result = this.getTemplatePathValue().regexpCapture("^/?(?:.*/)?([^/]*?)$", 1)
+    }
 
-  /**
-   * Gets the template file to be rendered by this call, if any.
-   */
-  ErbFile getTemplateFile() {
-    result.getTemplateName() = this.getBaseName() and
-    result.getRelativePath().matches("%app/views/" + this.getSubPath() + "%")
+    /**
+     * Gets the template file to be rendered by this call, if any.
+     */
+    ErbFile getTemplateFile() {
+      result.getTemplateName() = this.getBaseName() and
+      result.getRelativePath().matches("%app/views/" + this.getSubPath() + "%")
+    }
+
+    /**
+     * Get the local variables passed as context to the renderer
+     */
+    HashLiteral getLocals() { result = this.getKeywordArgument("locals") }
+    // TODO: implicit renders in controller actions
   }
 
-  /**
-   * Get the local variables passed as context to the renderer
-   */
-  HashLiteral getLocals() { result = this.getKeywordArgument("locals") }
-  // TODO: implicit renders in controller actions
+  /** A render call that does not automatically set the HTTP response body. */
+  class RenderToCall extends MethodCall instanceof RenderToCallImpl { }
 }
 
-/** A render call that does not automatically set the HTTP response body. */
-class RenderToCall extends MethodCall instanceof RenderToCallImpl { }
-
 /**
  * A reference to either `Rails::Railtie`, `Rails::Engine`, or `Rails::Application`.
  * `Engine` and `Application` extend `Railtie`, but may not have definitions present in the database.

ruby/ql/test/library-tests/frameworks/ActionController.ql

@@ -6,11 +6,11 @@ query predicate actionControllerControllerClasses(ActionControllerControllerClas
 
 query predicate actionControllerActionMethods(ActionControllerActionMethod m) { any() }
 
-query predicate paramsCalls(ParamsCall c) { any() }
+query predicate paramsCalls(Rails::ParamsCall c) { any() }
 
 query predicate paramsSources(ParamsSource src) { any() }
 
-query predicate cookiesCalls(CookiesCall c) { any() }
+query predicate cookiesCalls(Rails::CookiesCall c) { any() }
 
 query predicate cookiesSources(CookiesSource src) { any() }
 

ruby/ql/test/library-tests/frameworks/ActionView.ql

@@ -4,13 +4,13 @@ private import codeql.ruby.frameworks.ActionView
 private import codeql.ruby.frameworks.Rails
 private import codeql.ruby.Concepts
 
-query predicate htmlSafeCalls(HtmlSafeCall c) { any() }
+query predicate htmlSafeCalls(Rails::HtmlSafeCall c) { any() }
 
 query predicate rawCalls(RawCall c) { any() }
 
-query predicate renderCalls(RenderCall c) { any() }
+query predicate renderCalls(Rails::RenderCall c) { any() }
 
-query predicate renderToCalls(RenderToCall c) { any() }
+query predicate renderToCalls(Rails::RenderToCall c) { any() }
 
 query predicate linkToCalls(LinkToCall c) { any() }