Ruby: Identify ActionController::Metal controllers

hmac · hmac · commit 28a23209a583 · 2022-09-28T07:10:09.000+13:00
Subclasses of `ActionController::Metal` are stripped-down controllers.
We want to recognise them as ActionController controllers.
There are some common ActionController methods that are not available in
Metal, but these are not likely to be used anyway as they would throw an
exception, so I don't think there's much harm in including them in the
modelling.
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll b/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll
@@ -32,7 +32,12 @@ class ActionControllerControllerClass extends ClassDeclaration {
         API::getTopLevelMember("ActionController").getMember("Base"),
         // In Rails applications `ApplicationController` typically extends `ActionController::Base`, but we
         // treat it separately in case the `ApplicationController` definition is not in the database.
-        API::getTopLevelMember("ApplicationController")
+        API::getTopLevelMember("ApplicationController"),
+        // ActionController::Metal technically doesn't contain all of the
+        // methods available in Base, such as those for rendering views.
+        // However we prefer to be over-sensitive in this case in order to find
+        // more results.
+        API::getTopLevelMember("ActionController").getMember("Metal")
       ].getASubclass().getAValueReachableFromSource().asExpr().getExpr()
   }
 
diff --git a/ruby/ql/test/library-tests/frameworks/ActionController.expected b/ruby/ql/test/library-tests/frameworks/ActionController.expected
@@ -7,6 +7,7 @@ actionControllerControllerClasses
 | app/controllers/foo/bars_controller.rb:3:1:46:3 | BarsController |
 | app/controllers/photos_controller.rb:1:1:4:3 | PhotosController |
 | app/controllers/posts_controller.rb:1:1:10:3 | PostsController |
+| app/controllers/tags_controller.rb:1:1:2:3 | TagsController |
 | app/controllers/users/notifications_controller.rb:2:3:5:5 | NotificationsController |
 actionControllerActionMethods
 | active_record/ActiveRecord.rb:27:3:38:5 | some_request_handler |
diff --git a/ruby/ql/test/library-tests/frameworks/app/controllers/tags_controller.rb b/ruby/ql/test/library-tests/frameworks/app/controllers/tags_controller.rb
@@ -0,0 +1,2 @@
+class TagsController < ActionController::Metal
+end

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+class TagsController < ActionController::Metal`
	`2`	`+end`