Ruby: reuse Content type

Author: asgerf

ruby/ql/lib/codeql/ruby/ApiGraphs.qll

@@ -525,7 +525,7 @@ module API {
       or
       exists(TypeTrackerSpecific::TypeTrackerContent c |
         TypeTrackerSpecific::basicLoadStep(node, ref, c) and
-        lbl = Label::content(c.asContent())
+        lbl = Label::content(c)
       )
       // note: method calls are not handled here as there is no DataFlow::Node for the intermediate MkMethodAccessNode API node
     }
@@ -537,7 +537,7 @@ module API {
     private predicate defStep(Label::ApiLabel lbl, DataFlow::Node node, DataFlow::Node rhs) {
       exists(TypeTrackerSpecific::TypeTrackerContent c |
         TypeTrackerSpecific::basicStoreStep(rhs, node, c) and
-        lbl = Label::content(c.asContent())
+        lbl = Label::content(c)
       )
     }
 

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll

@@ -1,6 +1,7 @@
 private import codeql.ruby.AST
 private import codeql.ruby.ast.internal.Synthesis
 private import codeql.ruby.CFG
+private import codeql.ruby.AST as AST
 private import codeql.ruby.dataflow.SSA
 private import DataFlowPublic
 private import DataFlowDispatch
@@ -385,7 +386,8 @@ private module Cached {
     }
 
   cached
-  newtype TContent =
+  newtype TOptionalContent =
+    TNoContent() or
     TKnownElementContent(ConstantValue cv) {
       not cv.isInt(_) or
       cv.getInt() in [0 .. 10]
@@ -408,7 +410,14 @@ private module Cached {
       |
         name = [input, output].regexpFind("(?<=(^|\\.)Field\\[)[^\\]]+(?=\\])", _, _).trim()
       )
-    }
+    } or
+    // Only used by type-tracking
+    TAttributeName(string name) { name = any(AST::SetterMethodCall c).getTargetName() }
+
+  cached
+  class TContent =
+    TKnownElementContent or TUnknownElementContent or TKnownPairValueContent or
+        TUnknownPairValueContent or TFieldContent or TAttributeName;
 
   /**
    * Holds if `e` is an `ExprNode` that may be returned by a call to `c`.

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPublic.qll

@@ -235,15 +235,18 @@ predicate localExprFlow(CfgNodes::ExprCfgNode e1, CfgNodes::ExprCfgNode e2) {
   localFlow(exprNode(e1), exprNode(e2))
 }
 
-/** A reference contained in an object. */
-class Content extends TContent {
+/** A reference contained in an object, or the `noContent()` value. */
+class OptionalContent extends TOptionalContent {
   /** Gets a textual representation of this content. */
   string toString() { none() }
 
   /** Gets the location of this content. */
   Location getLocation() { none() }
 }
 
+/** A reference contained in an object. */
+class Content extends OptionalContent, TContent { }
+
 /** Provides different sub classes of `Content`. */
 module Content {
   /** An element in a collection, for example an element in an array or in a hash. */
@@ -314,6 +317,34 @@ module Content {
   class UnknownPairValueContent extends PairValueContent, TUnknownPairValueContent {
     override string toString() { result = "pair" }
   }
+
+  /**
+   * A value stored behind a getter/setter pair.
+   *
+   * This is used (only) by type-tracking, as a heuristic since getter/setter pairs tend to operate
+   * on similar types of objects (i.e. the type flowing into a setter will likely flow out of the getter).
+   */
+  class AttributeNameContent extends Content, TAttributeName {
+    private string name;
+
+    AttributeNameContent() { this = TAttributeName(name) }
+
+    override string toString() { result = "attribute " + name }
+
+    /** Gets the attribute name. */
+    string getName() { result = name }
+  }
+
+  /** Gets `AttributeNameContent` of the given name. */
+  AttributeNameContent getAttributeName(string name) { result.getName() = name }
+
+  /** A value representing no content. */
+  class NoContent extends OptionalContent, TNoContent {
+    override string toString() { result = "noContent()" }
+  }
+
+  /** Gets the `noContent()` value. */
+  NoContent noContent() { any() }
 }
 
 /**

ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll

@@ -20,31 +20,9 @@ private newtype TOptionalTypeTrackerContent =
   MkContent(DataFlowPublic::Content content) or
   MkNoContent()
 
-/** A content for use by type trackers, or the empty content `noContent()` */
-class OptionalTypeTrackerContent extends TOptionalTypeTrackerContent {
-  /** Gets a textual representation of this content. */
-  string toString() {
-    result = "attribute " + this.asAttributeName()
-    or
-    result = this.asContent().toString()
-    or
-    this instanceof MkNoContent and result = "no content"
-  }
-
-  /** Gets the attribute name represented by this content, if any. */
-  string asAttributeName() { this = MkAttribute(result) }
-
-  /** Gets the data flow content by this type-tracker content, if any. */
-  DataFlowPublic::Content asContent() { this = MkContent(result) }
-}
-
-/** Gets the value representing no content, that is, the empty access path. */
-OptionalTypeTrackerContent noContent() { result = MkNoContent() }
-
-private class TTypeTrackerContent = MkAttribute or MkContent;
+class TypeTrackerContent = DataFlowPublic::Content;
 
-/** A content for use by type trackers. */
-class TypeTrackerContent extends OptionalTypeTrackerContent, TTypeTrackerContent { }
+predicate noContent = DataFlowPublic::Content::noContent/0;
 
 /** Holds if there is a simple local flow step from `nodeFrom` to `nodeTo` */
 predicate simpleLocalFlowStep = DataFlowPrivate::localFlowStepTypeTracker/2;
@@ -185,7 +163,7 @@ predicate basicStoreStep(Node nodeFrom, Node nodeTo, TypeTrackerContent content)
         SummaryComponentStack::singleton(output))) and
     nodeFrom = evaluateSummaryComponentLocal(call, input) and
     nodeTo = evaluateSummaryComponentLocal(call, output) and
-    content.asContent() = contents.getAStoreContent()
+    content = contents.getAStoreContent()
   )
 }
 
@@ -196,7 +174,10 @@ predicate basicStoreStep(Node nodeFrom, Node nodeTo, TypeTrackerContent content)
 predicate postUpdateStoreStep(Node nodeFrom, Node nodeTo, TypeTrackerContent content) {
   // TODO: support SetterMethodCall inside TuplePattern
   exists(ExprNodes::MethodCallCfgNode call |
-    content = MkAttribute(call.getExpr().(Ast::SetterMethodCall).getTargetName()) and
+    content =
+      DataFlowPublic::Content::getAttributeName(call.getExpr()
+            .(Ast::SetterMethodCall)
+            .getTargetName()) and
     nodeTo.(DataFlowPublic::PostUpdateNode).getPreUpdateNode().asExpr() = call.getReceiver() and
     call.getExpr() instanceof Ast::SetterMethodCall and
     call.getArgument(call.getNumberOfArguments() - 1) =
@@ -210,7 +191,7 @@ predicate postUpdateStoreStep(Node nodeFrom, Node nodeTo, TypeTrackerContent con
 predicate basicLoadStep(Node nodeFrom, Node nodeTo, TypeTrackerContent content) {
   exists(ExprNodes::MethodCallCfgNode call |
     call.getExpr().getNumberOfArguments() = 0 and
-    content = MkAttribute(call.getExpr().getMethodName()) and
+    content = DataFlowPublic::Content::getAttributeName(call.getExpr().getMethodName()) and
     nodeFrom.asExpr() = call.getReceiver() and
     nodeTo.asExpr() = call
   )
@@ -225,7 +206,7 @@ predicate basicLoadStep(Node nodeFrom, Node nodeTo, TypeTrackerContent content)
       SummaryComponentStack::singleton(output)) and
     nodeFrom = evaluateSummaryComponentLocal(call, input) and
     nodeTo = evaluateSummaryComponentLocal(call, output) and
-    content.asContent() = contents.getAReadContent()
+    content = contents.getAReadContent()
   )
 }