Merge pull request #10598 from hmac/hmac/actioncontroller-metal

Ruby: Identify ActionController::Metal controllers

Author: hmac

ruby/ql/lib/change-notes/2022-09-28-actioncontroller-metal.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Subclasses of `ActionController::Metal` are now recognised as controllers.

ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll

@@ -32,7 +32,12 @@ class ActionControllerControllerClass extends ClassDeclaration {
         API::getTopLevelMember("ActionController").getMember("Base"),
         // In Rails applications `ApplicationController` typically extends `ActionController::Base`, but we
         // treat it separately in case the `ApplicationController` definition is not in the database.
-        API::getTopLevelMember("ApplicationController")
+        API::getTopLevelMember("ApplicationController"),
+        // ActionController::Metal technically doesn't contain all of the
+        // methods available in Base, such as those for rendering views.
+        // However we prefer to be over-sensitive in this case in order to find
+        // more results.
+        API::getTopLevelMember("ActionController").getMember("Metal")
       ].getASubclass().getAValueReachableFromSource().asExpr().getExpr()
   }
 

ruby/ql/test/library-tests/frameworks/ActionController.expected

@@ -8,6 +8,7 @@ actionControllerControllerClasses
 | app/controllers/foo/bars_controller.rb:3:1:46:3 | BarsController |
 | app/controllers/photos_controller.rb:1:1:4:3 | PhotosController |
 | app/controllers/posts_controller.rb:1:1:10:3 | PostsController |
+| app/controllers/tags_controller.rb:1:1:2:3 | TagsController |
 | app/controllers/users/notifications_controller.rb:2:3:5:5 | NotificationsController |
 actionControllerActionMethods
 | active_record/ActiveRecord.rb:27:3:38:5 | some_request_handler |

ruby/ql/test/library-tests/frameworks/app/controllers/tags_controller.rb

@@ -0,0 +1,2 @@
+class TagsController < ActionController::Metal
+end