Merge pull request #9215 from RasmusWL/ruby-mad-argument-self

Ruby: Fixes for `Argument[any,any-named]` in MaD

Author: RasmusWL

ruby/ql/lib/codeql/ruby/ApiGraphs.qll

@@ -780,6 +780,24 @@ module API {
       or
       pos.isBlock() and
       result = Label::blockParameter()
+      or
+      pos.isAny() and
+      (
+        result = Label::parameter(_)
+        or
+        result = Label::keywordParameter(_)
+        or
+        result = Label::blockParameter()
+        // NOTE: `self` should NOT be included, as described in the QLDoc for `isAny()`
+      )
+      or
+      pos.isAnyNamed() and
+      result = Label::keywordParameter(_)
+      //
+      // Note: there is currently no API graph label for `self`.
+      // It was omitted since in practice it means going back to where you came from.
+      // For example, `base.getMethod("foo").getSelf()` would just be `base`.
+      // However, it's possible we'll need it later, for identifying `self` parameters or post-update nodes.
     }
 
     /** Gets the API graph label corresponding to the given parameter position. */
@@ -796,6 +814,24 @@ module API {
       or
       pos.isBlock() and
       result = Label::blockParameter()
+      or
+      pos.isAny() and
+      (
+        result = Label::parameter(_)
+        or
+        result = Label::keywordParameter(_)
+        or
+        result = Label::blockParameter()
+        // NOTE: `self` should NOT be included, as described in the QLDoc for `isAny()`
+      )
+      or
+      pos.isAnyNamed() and
+      result = Label::keywordParameter(_)
+      //
+      // Note: there is currently no API graph label for `self`.
+      // It was omitted since in practice it means going back to where you came from.
+      // For example, `base.getMethod("foo").getSelf()` would just be `base`.
+      // However, it's possible we'll need it later, for identifying `self` parameters or post-update nodes.
     }
   }
 }

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll

@@ -260,7 +260,9 @@ private module Cached {
       or
       FlowSummaryImplSpecific::ParsePositions::isParsedKeywordParameterPosition(_, name)
     } or
-    THashSplatArgumentPosition()
+    THashSplatArgumentPosition() or
+    TAnyArgumentPosition() or
+    TAnyKeywordArgumentPosition()
 
   cached
   newtype TParameterPosition =
@@ -280,7 +282,8 @@ private module Cached {
       FlowSummaryImplSpecific::ParsePositions::isParsedKeywordArgumentPosition(_, name)
     } or
     THashSplatParameterPosition() or
-    TAnyParameterPosition()
+    TAnyParameterPosition() or
+    TAnyKeywordParameterPosition()
 }
 
 import Cached
@@ -482,11 +485,14 @@ class ParameterPosition extends TParameterPosition {
   predicate isHashSplat() { this = THashSplatParameterPosition() }
 
   /**
-   * Holds if this position represents any parameter. This includes both positional
-   * and named parameters.
+   * Holds if this position represents any parameter, except `self` parameters. This
+   * includes both positional, named, and block parameters.
    */
   predicate isAny() { this = TAnyParameterPosition() }
 
+  /** Holds if this position represents any positional parameter. */
+  predicate isAnyNamed() { this = TAnyKeywordParameterPosition() }
+
   /** Gets a textual representation of this position. */
   string toString() {
     this.isSelf() and result = "self"
@@ -502,6 +508,8 @@ class ParameterPosition extends TParameterPosition {
     this.isHashSplat() and result = "**"
     or
     this.isAny() and result = "any"
+    or
+    this.isAnyNamed() and result = "any-named"
   }
 }
 
@@ -519,6 +527,15 @@ class ArgumentPosition extends TArgumentPosition {
   /** Holds if this position represents a keyword argument named `name`. */
   predicate isKeyword(string name) { this = TKeywordArgumentPosition(name) }
 
+  /**
+   * Holds if this position represents any argument, except `self` arguments. This
+   * includes both positional, named, and block arguments.
+   */
+  predicate isAny() { this = TAnyArgumentPosition() }
+
+  /** Holds if this position represents any positional parameter. */
+  predicate isAnyNamed() { this = TAnyKeywordArgumentPosition() }
+
   /**
    * Holds if this position represents a synthesized argument containing all keyword
    * arguments wrapped in a hash.
@@ -535,12 +552,16 @@ class ArgumentPosition extends TArgumentPosition {
     or
     exists(string name | this.isKeyword(name) and result = "keyword " + name)
     or
+    this.isAny() and result = "any"
+    or
+    this.isAnyNamed() and result = "any-named"
+    or
     this.isHashSplat() and result = "**"
   }
 }
 
 /** Holds if arguments at position `apos` match parameters at position `ppos`. */
-pragma[inline]
+pragma[nomagic]
 predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) {
   ppos.isSelf() and apos.isSelf()
   or
@@ -556,5 +577,11 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) {
   or
   ppos.isHashSplat() and apos.isHashSplat()
   or
-  ppos.isAny() and exists(apos)
+  ppos.isAny() and not apos.isSelf()
+  or
+  apos.isAny() and not ppos.isSelf()
+  or
+  ppos.isAnyNamed() and apos.isKeyword(_)
+  or
+  apos.isAnyNamed() and ppos.isKeyword(_)
 }

ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImplSpecific.qll

@@ -293,6 +293,12 @@ ArgumentPosition parseParamBody(string s) {
   or
   s = "block" and
   result.isBlock()
+  or
+  s = "any" and
+  result.isAny()
+  or
+  s = "any-named" and
+  result.isAnyNamed()
 }
 
 /** Gets the parameter position obtained by parsing `X` in `Argument[X]`. */
@@ -317,4 +323,10 @@ ParameterPosition parseArgBody(string s) {
   or
   s = "block" and
   result.isBlock()
+  or
+  s = "any" and
+  result.isAny()
+  or
+  s = "any-named" and
+  result.isAnyNamed()
 }

ruby/ql/lib/codeql/ruby/frameworks/core/Hash.qll

@@ -378,10 +378,10 @@ private class MergeSummary extends SimpleSummarizedCallable {
 
   override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
     (
-      input = "Argument[any].WithElement[any]" and
+      input = "Argument[self,any].WithElement[any]" and
       output = "ReturnValue"
       or
-      input = "Argument[any].Element[any]" and
+      input = "Argument[self,any].Element[any]" and
       output = "Argument[block].Parameter[1,2]"
     ) and
     preservesValue = true
@@ -393,10 +393,10 @@ private class MergeBangSummary extends SimpleSummarizedCallable {
 
   override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
     (
-      input = "Argument[any].WithElement[any]" and
+      input = "Argument[self,any].WithElement[any]" and
       output = ["ReturnValue", "Argument[self]"]
       or
-      input = "Argument[any].Element[any]" and
+      input = "Argument[self,any].Element[any]" and
       output = "Argument[block].Parameter[1,2]"
     ) and
     preservesValue = true

ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModelsSpecific.qll

@@ -115,7 +115,7 @@ API::Node getExtraSuccessorFromNode(API::Node node, AccessPathToken token) {
   or
   token.getName() = "Parameter" and
   result =
-    node.getASuccessor(API::Label::getLabelFromArgumentPosition(FlowSummaryImplSpecific::parseParamBody(token
+    node.getASuccessor(API::Label::getLabelFromParameterPosition(FlowSummaryImplSpecific::parseArgBody(token
               .getAnArgument())))
   // Note: The "Element" token is not implemented yet, as it ultimately requires type-tracking and
   // API graphs to be aware of the steps involving Element contributed by the standard library model.
@@ -129,7 +129,7 @@ bindingset[token]
 API::Node getExtraSuccessorFromInvoke(InvokeNode node, AccessPathToken token) {
   token.getName() = "Argument" and
   result =
-    node.getASuccessor(API::Label::getLabelFromParameterPosition(FlowSummaryImplSpecific::parseArgBody(token
+    node.getASuccessor(API::Label::getLabelFromArgumentPosition(FlowSummaryImplSpecific::parseParamBody(token
               .getAnArgument())))
 }
 
@@ -181,7 +181,7 @@ predicate isExtraValidTokenArgumentInIdentifyingAccessPath(string name, string a
   or
   name = ["Argument", "Parameter"] and
   (
-    argument = ["self", "block"]
+    argument = ["self", "block", "any", "any-named"]
     or
     argument.regexpMatch("\\w+:") // keyword argument
   )

ruby/ql/test/library-tests/dataflow/hash-flow/hash-flow.expected

@@ -248,9 +248,7 @@ edges
 | hash_flow.rb:414:11:414:14 | hash [element :f] :  | hash_flow.rb:414:11:414:18 | ...[...] :  |
 | hash_flow.rb:414:11:414:18 | ...[...] :  | hash_flow.rb:414:10:414:19 | ( ... ) |
 | hash_flow.rb:421:15:421:25 | call to taint :  | hash_flow.rb:430:12:430:16 | hash1 [element :a] :  |
-| hash_flow.rb:421:15:421:25 | call to taint :  | hash_flow.rb:442:11:442:15 | hash1 [element :a] :  |
 | hash_flow.rb:423:15:423:25 | call to taint :  | hash_flow.rb:430:12:430:16 | hash1 [element :c] :  |
-| hash_flow.rb:423:15:423:25 | call to taint :  | hash_flow.rb:444:11:444:15 | hash1 [element :c] :  |
 | hash_flow.rb:426:15:426:25 | call to taint :  | hash_flow.rb:430:25:430:29 | hash2 [element :d] :  |
 | hash_flow.rb:428:15:428:25 | call to taint :  | hash_flow.rb:430:25:430:29 | hash2 [element :f] :  |
 | hash_flow.rb:430:12:430:16 | [post] hash1 [element :a] :  | hash_flow.rb:442:11:442:15 | hash1 [element :a] :  |
@@ -444,9 +442,7 @@ edges
 | hash_flow.rb:663:11:663:14 | hash [element] :  | hash_flow.rb:663:11:663:18 | ...[...] :  |
 | hash_flow.rb:663:11:663:18 | ...[...] :  | hash_flow.rb:663:10:663:19 | ( ... ) |
 | hash_flow.rb:670:15:670:25 | call to taint :  | hash_flow.rb:679:12:679:16 | hash1 [element :a] :  |
-| hash_flow.rb:670:15:670:25 | call to taint :  | hash_flow.rb:691:11:691:15 | hash1 [element :a] :  |
 | hash_flow.rb:672:15:672:25 | call to taint :  | hash_flow.rb:679:12:679:16 | hash1 [element :c] :  |
-| hash_flow.rb:672:15:672:25 | call to taint :  | hash_flow.rb:693:11:693:15 | hash1 [element :c] :  |
 | hash_flow.rb:675:15:675:25 | call to taint :  | hash_flow.rb:679:25:679:29 | hash2 [element :d] :  |
 | hash_flow.rb:677:15:677:25 | call to taint :  | hash_flow.rb:679:25:679:29 | hash2 [element :f] :  |
 | hash_flow.rb:679:12:679:16 | [post] hash1 [element :a] :  | hash_flow.rb:691:11:691:15 | hash1 [element :a] :  |