Merge pull request #9919 from hmac/hmac/ar-associations

Ruby: ActiveRecord associations

Author: hmac

ruby/ql/lib/change-notes/2022-08-05-active-record-associations.md

@@ -0,0 +1,6 @@
+---
+category: minorAnalysis
+---
+* Calls to methods generated by ActiveRecord associations are now recognised as
+  instantiations of ActiveRecord objects. This increases the sensitivity of
+  queries such as `rb/sql-injection` and `rb/stored-xss`.

ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll

@@ -516,3 +516,177 @@ private module Persistence {
     override DataFlow::Node getValue() { assignNode.getRhs() = result.asExpr() }
   }
 }
+
+/**
+ * A method call inside an ActiveRecord model class that establishes an
+ * association between this model and another model.
+ *
+ * ```rb
+ * class User
+ *   has_many :posts
+ *   has_one :profile
+ * end
+ * ```
+ */
+private class ActiveRecordAssociation extends DataFlow::CallNode {
+  private ActiveRecordModelClass modelClass;
+
+  ActiveRecordAssociation() {
+    not exists(this.asExpr().getExpr().getEnclosingMethod()) and
+    this.asExpr().getExpr().getEnclosingModule() = modelClass and
+    this.getMethodName() = ["has_one", "has_many", "belongs_to", "has_and_belongs_to_many"]
+  }
+
+  /**
+   * Gets the class which declares this association.
+   *  For example, in
+   *  ```rb
+   *  class User
+   *    has_many :posts
+   *  end
+   *  ```
+   *  the source class is `User`.
+   */
+  ActiveRecordModelClass getSourceClass() { result = modelClass }
+
+  /**
+   * Gets the class which this association refers to.
+   *  For example, in
+   *  ```rb
+   *  class User
+   *    has_many :posts
+   *  end
+   *  ```
+   *  the target class is `Post`.
+   */
+  ActiveRecordModelClass getTargetClass() {
+    result.getName().toLowerCase() = this.getTargetModelName()
+  }
+
+  /**
+   * Gets the (lowercase) name of the model this association targets.
+   * For example, in `has_many :posts`, this is `post`.
+   */
+  string getTargetModelName() {
+    exists(string s |
+      s = this.getArgument(0).asExpr().getExpr().getConstantValue().getStringlikeValue()
+    |
+      // has_one :profile
+      // belongs_to :user
+      this.isSingular() and
+      result = s
+      or
+      // has_many :posts
+      // has_many :stories
+      this.isCollection() and
+      pluralize(result) = s
+    )
+  }
+
+  /** Holds if this association is one-to-one */
+  predicate isSingular() { this.getMethodName() = ["has_one", "belongs_to"] }
+
+  /** Holds if this association is one-to-many or many-to-many */
+  predicate isCollection() { this.getMethodName() = ["has_many", "has_and_belongs_to_many"] }
+}
+
+/**
+ * Converts `input` to plural form.
+ */
+bindingset[input]
+bindingset[result]
+private string pluralize(string input) {
+  exists(string stem | stem + "y" = input | result = stem + "ies")
+  or
+  result = input + "s"
+}
+
+/**
+ * A call to a method generated by an ActiveRecord association.
+ * These yield ActiveRecord collection proxies, which act like collections but
+ * add some additional methods.
+ * We exclude `<model>_changed?` and `<model>_previously_changed?` because these
+ * do not yield ActiveRecord instances.
+ * https://api.rubyonrails.org/classes/ActiveRecord/Associations/ClassMethods.html
+ */
+private class ActiveRecordAssociationMethodCall extends DataFlow::CallNode {
+  ActiveRecordAssociation assoc;
+
+  ActiveRecordAssociationMethodCall() {
+    exists(string model | model = assoc.getTargetModelName() |
+      this.getReceiver().(ActiveRecordInstance).getClass() = assoc.getSourceClass() and
+      (
+        assoc.isCollection() and
+        (
+          this.getMethodName() = pluralize(model) + ["", "="]
+          or
+          this.getMethodName() = "<<"
+          or
+          this.getMethodName() = model + ["_ids", "_ids="]
+        )
+        or
+        assoc.isSingular() and
+        (
+          this.getMethodName() = model + ["", "="] or
+          this.getMethodName() = ["build_", "reload_"] + model or
+          this.getMethodName() = "create_" + model + ["!", ""]
+        )
+      )
+    )
+  }
+
+  ActiveRecordAssociation getAssociation() { result = assoc }
+}
+
+/**
+ * A method call on an ActiveRecord collection proxy that yields one or more
+ * ActiveRecord instances.
+ * Example:
+ * ```rb
+ * class User < ActiveRecord::Base
+ *   has_many :posts
+ * end
+ *
+ * User.new.posts.create
+ * ```
+ * https://api.rubyonrails.org/classes/ActiveRecord/Associations/ClassMethods.html
+ */
+private class ActiveRecordCollectionProxyMethodCall extends DataFlow::CallNode {
+  ActiveRecordCollectionProxyMethodCall() {
+    this.getMethodName() =
+      [
+        "push", "concat", "build", "create", "create!", "delete", "delete_all", "destroy",
+        "destroy_all", "find", "distinct", "reset", "reload"
+      ] and
+    (
+      this.getReceiver().(ActiveRecordAssociationMethodCall).getAssociation().isCollection()
+      or
+      exists(ActiveRecordCollectionProxyMethodCall receiver | receiver = this.getReceiver() |
+        receiver.getAssociation().isCollection() and
+        receiver.getMethodName() = ["reset", "reload", "distinct"]
+      )
+    )
+  }
+
+  ActiveRecordAssociation getAssociation() {
+    result = this.getReceiver().(ActiveRecordAssociationMethodCall).getAssociation()
+  }
+}
+
+/**
+ * A call to an association method which yields ActiveRecord instances.
+ */
+private class ActiveRecordAssociationModelInstantiation extends ActiveRecordModelInstantiation instanceof ActiveRecordAssociationMethodCall {
+  override ActiveRecordModelClass getClass() {
+    result = this.(ActiveRecordAssociationMethodCall).getAssociation().getTargetClass()
+  }
+}
+
+/**
+ * A call to a method on a collection proxy which yields ActiveRecord instances.
+ */
+private class ActiveRecordCollectionProxyModelInstantiation extends ActiveRecordModelInstantiation instanceof ActiveRecordCollectionProxyMethodCall {
+  override ActiveRecordModelClass getClass() {
+    result = this.(ActiveRecordCollectionProxyMethodCall).getAssociation().getTargetClass()
+  }
+}

ruby/ql/test/library-tests/frameworks/active_record/ActiveRecord.expected

@@ -2,15 +2,102 @@ activeRecordModelClasses
 | ActiveRecord.rb:1:1:3:3 | UserGroup |
 | ActiveRecord.rb:5:1:15:3 | User |
 | ActiveRecord.rb:17:1:21:3 | Admin |
+| associations.rb:1:1:3:3 | Author |
+| associations.rb:5:1:9:3 | Post |
+| associations.rb:11:1:13:3 | Tag |
+| associations.rb:15:1:17:3 | Comment |
 activeRecordInstances
 | ActiveRecord.rb:9:5:9:68 | call to find |
 | ActiveRecord.rb:13:5:13:40 | call to find_by |
+| ActiveRecord.rb:13:5:13:46 | call to users |
 | ActiveRecord.rb:36:5:36:30 | call to find_by_name |
 | ActiveRecord.rb:55:5:57:7 | if ... |
 | ActiveRecord.rb:55:43:56:40 | then ... |
 | ActiveRecord.rb:56:7:56:40 | call to find_by |
 | ActiveRecord.rb:60:5:60:33 | call to find_by |
 | ActiveRecord.rb:62:5:62:34 | call to find |
+| associations.rb:19:1:19:20 | ... = ... |
+| associations.rb:19:1:19:20 | ... = ... |
+| associations.rb:19:11:19:20 | call to new |
+| associations.rb:21:1:21:28 | ... = ... |
+| associations.rb:21:1:21:28 | ... = ... |
+| associations.rb:21:9:21:15 | author1 |
+| associations.rb:21:9:21:21 | call to posts |
+| associations.rb:21:9:21:28 | call to create |
+| associations.rb:23:1:23:32 | ... = ... |
+| associations.rb:23:12:23:16 | post1 |
+| associations.rb:23:12:23:25 | call to comments |
+| associations.rb:23:12:23:32 | call to create |
+| associations.rb:25:1:25:22 | ... = ... |
+| associations.rb:25:1:25:22 | ... = ... |
+| associations.rb:25:11:25:15 | post1 |
+| associations.rb:25:11:25:22 | call to author |
+| associations.rb:27:1:27:28 | ... = ... |
+| associations.rb:27:1:27:28 | ... = ... |
+| associations.rb:27:9:27:15 | author2 |
+| associations.rb:27:9:27:21 | call to posts |
+| associations.rb:27:9:27:28 | call to create |
+| associations.rb:29:1:29:7 | author2 |
+| associations.rb:29:1:29:13 | call to posts |
+| associations.rb:29:1:29:22 | ... << ... |
+| associations.rb:29:18:29:22 | post2 |
+| associations.rb:31:1:31:5 | post1 |
+| associations.rb:31:1:31:12 | __synth__0 |
+| associations.rb:31:1:31:12 | call to author= |
+| associations.rb:31:1:31:22 | ... |
+| associations.rb:31:16:31:22 | ... = ... |
+| associations.rb:31:16:31:22 | ... = ... |
+| associations.rb:31:16:31:22 | author2 |
+| associations.rb:35:1:35:5 | post2 |
+| associations.rb:35:1:35:14 | call to comments |
+| associations.rb:35:1:35:21 | call to create |
+| associations.rb:37:1:37:7 | author1 |
+| associations.rb:37:1:37:13 | call to posts |
+| associations.rb:37:1:37:20 | call to reload |
+| associations.rb:37:1:37:27 | call to create |
+| associations.rb:39:1:39:5 | post1 |
+| associations.rb:40:1:40:5 | post1 |
+| associations.rb:42:1:42:7 | author1 |
+| associations.rb:42:1:42:13 | call to posts |
+| associations.rb:42:1:42:25 | call to push |
+| associations.rb:42:20:42:24 | post2 |
+| associations.rb:43:1:43:7 | author1 |
+| associations.rb:43:1:43:13 | call to posts |
+| associations.rb:43:1:43:27 | call to concat |
+| associations.rb:43:22:43:26 | post2 |
+| associations.rb:44:1:44:7 | author1 |
+| associations.rb:44:1:44:13 | call to posts |
+| associations.rb:44:1:44:19 | call to build |
+| associations.rb:45:1:45:7 | author1 |
+| associations.rb:45:1:45:13 | call to posts |
+| associations.rb:45:1:45:20 | call to create |
+| associations.rb:46:1:46:7 | author1 |
+| associations.rb:46:1:46:13 | call to posts |
+| associations.rb:46:1:46:21 | call to create! |
+| associations.rb:47:1:47:7 | author1 |
+| associations.rb:47:1:47:13 | call to posts |
+| associations.rb:47:1:47:20 | call to delete |
+| associations.rb:48:1:48:7 | author1 |
+| associations.rb:48:1:48:13 | call to posts |
+| associations.rb:48:1:48:24 | call to delete_all |
+| associations.rb:49:1:49:7 | author1 |
+| associations.rb:49:1:49:13 | call to posts |
+| associations.rb:49:1:49:21 | call to destroy |
+| associations.rb:50:1:50:7 | author1 |
+| associations.rb:50:1:50:13 | call to posts |
+| associations.rb:50:1:50:25 | call to destroy_all |
+| associations.rb:51:1:51:7 | author1 |
+| associations.rb:51:1:51:13 | call to posts |
+| associations.rb:51:1:51:22 | call to distinct |
+| associations.rb:51:1:51:36 | call to find |
+| associations.rb:52:1:52:7 | author1 |
+| associations.rb:52:1:52:13 | call to posts |
+| associations.rb:52:1:52:19 | call to reset |
+| associations.rb:52:1:52:33 | call to find |
+| associations.rb:53:1:53:7 | author1 |
+| associations.rb:53:1:53:13 | call to posts |
+| associations.rb:53:1:53:20 | call to reload |
+| associations.rb:53:1:53:34 | call to find |
 activeRecordSqlExecutionRanges
 | ActiveRecord.rb:9:33:9:67 | "name='#{...}' and pass='#{...}'" |
 | ActiveRecord.rb:19:16:19:24 | condition |
@@ -53,6 +140,13 @@ activeRecordModelClassMethodCalls
 | ActiveRecord.rb:92:5:92:71 | call to update |
 | ActiveRecord.rb:98:13:98:54 | call to annotate |
 | ActiveRecord.rb:102:13:102:77 | call to annotate |
+| associations.rb:2:3:2:17 | call to has_many |
+| associations.rb:6:3:6:20 | call to belongs_to |
+| associations.rb:7:3:7:20 | call to has_many |
+| associations.rb:8:3:8:31 | call to has_and_belongs_to_many |
+| associations.rb:12:3:12:32 | call to has_and_belongs_to_many |
+| associations.rb:16:3:16:18 | call to belongs_to |
+| associations.rb:19:11:19:20 | call to new |
 potentiallyUnsafeSqlExecutingMethodCall
 | ActiveRecord.rb:9:5:9:68 | call to find |
 | ActiveRecord.rb:19:5:19:25 | call to destroy_by |
@@ -68,10 +162,51 @@ potentiallyUnsafeSqlExecutingMethodCall
 activeRecordModelInstantiations
 | ActiveRecord.rb:9:5:9:68 | call to find | ActiveRecord.rb:5:1:15:3 | User |
 | ActiveRecord.rb:13:5:13:40 | call to find_by | ActiveRecord.rb:1:1:3:3 | UserGroup |
+| ActiveRecord.rb:13:5:13:46 | call to users | ActiveRecord.rb:5:1:15:3 | User |
 | ActiveRecord.rb:36:5:36:30 | call to find_by_name | ActiveRecord.rb:5:1:15:3 | User |
 | ActiveRecord.rb:56:7:56:40 | call to find_by | ActiveRecord.rb:5:1:15:3 | User |
 | ActiveRecord.rb:60:5:60:33 | call to find_by | ActiveRecord.rb:5:1:15:3 | User |
 | ActiveRecord.rb:62:5:62:34 | call to find | ActiveRecord.rb:5:1:15:3 | User |
+| associations.rb:19:11:19:20 | call to new | associations.rb:1:1:3:3 | Author |
+| associations.rb:21:9:21:21 | call to posts | associations.rb:5:1:9:3 | Post |
+| associations.rb:21:9:21:28 | call to create | associations.rb:5:1:9:3 | Post |
+| associations.rb:23:12:23:25 | call to comments | associations.rb:15:1:17:3 | Comment |
+| associations.rb:23:12:23:32 | call to create | associations.rb:15:1:17:3 | Comment |
+| associations.rb:25:11:25:22 | call to author | associations.rb:1:1:3:3 | Author |
+| associations.rb:27:9:27:21 | call to posts | associations.rb:5:1:9:3 | Post |
+| associations.rb:27:9:27:28 | call to create | associations.rb:5:1:9:3 | Post |
+| associations.rb:29:1:29:13 | call to posts | associations.rb:5:1:9:3 | Post |
+| associations.rb:29:1:29:22 | ... << ... | associations.rb:11:1:13:3 | Tag |
+| associations.rb:29:1:29:22 | ... << ... | associations.rb:15:1:17:3 | Comment |
+| associations.rb:31:1:31:12 | call to author= | associations.rb:1:1:3:3 | Author |
+| associations.rb:35:1:35:14 | call to comments | associations.rb:15:1:17:3 | Comment |
+| associations.rb:35:1:35:21 | call to create | associations.rb:15:1:17:3 | Comment |
+| associations.rb:37:1:37:13 | call to posts | associations.rb:5:1:9:3 | Post |
+| associations.rb:37:1:37:20 | call to reload | associations.rb:5:1:9:3 | Post |
+| associations.rb:42:1:42:13 | call to posts | associations.rb:5:1:9:3 | Post |
+| associations.rb:42:1:42:25 | call to push | associations.rb:5:1:9:3 | Post |
+| associations.rb:43:1:43:13 | call to posts | associations.rb:5:1:9:3 | Post |
+| associations.rb:43:1:43:27 | call to concat | associations.rb:5:1:9:3 | Post |
+| associations.rb:44:1:44:13 | call to posts | associations.rb:5:1:9:3 | Post |
+| associations.rb:44:1:44:19 | call to build | associations.rb:5:1:9:3 | Post |
+| associations.rb:45:1:45:13 | call to posts | associations.rb:5:1:9:3 | Post |
+| associations.rb:45:1:45:20 | call to create | associations.rb:5:1:9:3 | Post |
+| associations.rb:46:1:46:13 | call to posts | associations.rb:5:1:9:3 | Post |
+| associations.rb:46:1:46:21 | call to create! | associations.rb:5:1:9:3 | Post |
+| associations.rb:47:1:47:13 | call to posts | associations.rb:5:1:9:3 | Post |
+| associations.rb:47:1:47:20 | call to delete | associations.rb:5:1:9:3 | Post |
+| associations.rb:48:1:48:13 | call to posts | associations.rb:5:1:9:3 | Post |
+| associations.rb:48:1:48:24 | call to delete_all | associations.rb:5:1:9:3 | Post |
+| associations.rb:49:1:49:13 | call to posts | associations.rb:5:1:9:3 | Post |
+| associations.rb:49:1:49:21 | call to destroy | associations.rb:5:1:9:3 | Post |
+| associations.rb:50:1:50:13 | call to posts | associations.rb:5:1:9:3 | Post |
+| associations.rb:50:1:50:25 | call to destroy_all | associations.rb:5:1:9:3 | Post |
+| associations.rb:51:1:51:13 | call to posts | associations.rb:5:1:9:3 | Post |
+| associations.rb:51:1:51:22 | call to distinct | associations.rb:5:1:9:3 | Post |
+| associations.rb:52:1:52:13 | call to posts | associations.rb:5:1:9:3 | Post |
+| associations.rb:52:1:52:19 | call to reset | associations.rb:5:1:9:3 | Post |
+| associations.rb:53:1:53:13 | call to posts | associations.rb:5:1:9:3 | Post |
+| associations.rb:53:1:53:20 | call to reload | associations.rb:5:1:9:3 | Post |
 persistentWriteAccesses
 | ActiveRecord.rb:72:5:72:24 | call to create | ActiveRecord.rb:72:18:72:23 | call to params |
 | ActiveRecord.rb:76:5:76:66 | call to create | ActiveRecord.rb:76:24:76:36 | ...[...] |
@@ -82,3 +217,4 @@ persistentWriteAccesses
 | ActiveRecord.rb:88:5:88:69 | call to update | ActiveRecord.rb:88:27:88:39 | ...[...] |
 | ActiveRecord.rb:88:5:88:69 | call to update | ActiveRecord.rb:88:52:88:68 | ...[...] |
 | ActiveRecord.rb:92:5:92:71 | call to update | ActiveRecord.rb:92:21:92:70 | call to [] |
+| associations.rb:31:16:31:22 | ... = ... | associations.rb:31:16:31:22 | author2 |