Ruby: Take overrides into account for singleton methods defined on modules

hvitved · hvitved · commit 48bdf13c8979 · 2022-10-06T11:56:26.000+02:00
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll
@@ -389,7 +389,7 @@ private module Cached {
         // ```
         exists(DataFlow::Node sourceNode, Module m |
           flowsToMethodCall(call, sourceNode, method) and
-          singletonMethodOnModule(result, method, m)
+          result = lookupSingletonMethod(m, method)
         |
           // ```rb
           // def C.singleton; end # <- result
@@ -725,14 +725,33 @@ private predicate singletonMethodOnModule(MethodBase method, string name, Module
     selfInModule(object.(SelfVariableReadAccess).getVariable(), m)
   )
   or
-  flowsToSingletonMethodObject(trackModuleAccess(m), method, name)
+  exists(DataFlow::LocalSourceNode sourceNode |
+    m = resolveConstantReadAccess(sourceNode.asExpr().getExpr()) and
+    flowsToSingletonMethodObject(sourceNode, method, name)
+  )
   or
   exists(Module other |
     extendCallModule(m, other) and
     method = lookupMethod(other, name)
   )
 }
 
+pragma[nomagic]
+private MethodBase lookupSingletonMethod(Module m, string name) {
+  singletonMethodOnModule(result, name, m)
+  or
+  // cannot be part of `singletonMethodOnModule` because it would introduce
+  // negative recursion below
+  exists(DataFlow::LocalSourceNode sourceNode |
+    sourceNode = trackModuleAccess(m) and
+    not m = resolveConstantReadAccess(sourceNode.asExpr().getExpr()) and
+    flowsToSingletonMethodObject(sourceNode, result, name)
+  )
+  or
+  not singletonMethodOnModule(_, name, m) and
+  result = lookupSingletonMethod(m.getSuperClass(), name)
+}
+
 /**
  * Holds if `method` is a singleton method named `name`, defined on expression
  * `object`, where `object` is not likely to resolve to a module:
diff --git a/ruby/ql/test/library-tests/modules/callgraph.expected b/ruby/ql/test/library-tests/modules/callgraph.expected
@@ -161,6 +161,8 @@ getTarget
 | calls.rb:412:9:412:44 | call to puts | calls.rb:102:5:102:30 | puts |
 | calls.rb:416:1:416:29 | call to singleton1 | calls.rb:406:9:408:11 | singleton1 |
 | calls.rb:417:1:417:29 | call to singleton2 | calls.rb:411:5:413:7 | singleton2 |
+| calls.rb:418:1:418:34 | call to call_singleton1 | calls.rb:383:9:385:11 | call_singleton1 |
+| calls.rb:419:1:419:34 | call to call_singleton2 | calls.rb:392:5:394:7 | call_singleton2 |
 | calls.rb:424:13:424:48 | call to puts | calls.rb:102:5:102:30 | puts |
 | calls.rb:429:9:429:44 | call to puts | calls.rb:102:5:102:30 | puts |
 | calls.rb:432:13:432:48 | call to puts | calls.rb:102:5:102:30 | puts |
@@ -290,8 +292,6 @@ unresolvedCall
 | calls.rb:274:1:274:14 | call to singleton_g |
 | calls.rb:276:1:276:14 | call to singleton_g |
 | calls.rb:313:9:313:20 | call to instance |
-| calls.rb:418:1:418:34 | call to call_singleton1 |
-| calls.rb:419:1:419:34 | call to call_singleton2 |
 | calls.rb:422:8:422:13 | call to rand |
 | calls.rb:422:8:422:17 | ... > ... |
 | calls.rb:439:9:439:10 | call to m3 |
