Ruby: Make StringArrayInclusion more sensitive

hmac · hmac · commit 706d1d2eee83 · 2022-07-13T18:20:12.000+12:00
We now recognise the following pattern as a barrier guard for `x`:

    values = ["foo", "bar"]

    if values.include? x
      sink x
    end
diff --git a/ruby/ql/lib/codeql/ruby/controlflow/CfgNodes.qll b/ruby/ql/lib/codeql/ruby/controlflow/CfgNodes.qll
@@ -374,6 +374,9 @@ module ExprNodes {
     MethodCallCfgNode() { super.getExpr() instanceof MethodCall }
 
     override MethodCall getExpr() { result = super.getExpr() }
+
+    /** Gets the name of this method call. */
+    string getMethodName() { result = this.getExpr().getMethodName() }
   }
 
   private class CaseExprChildMapping extends ExprChildMapping, CaseExpr {
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/BarrierGuards.qll b/ruby/ql/lib/codeql/ruby/dataflow/BarrierGuards.qll
@@ -3,6 +3,8 @@
 private import ruby
 private import codeql.ruby.DataFlow
 private import codeql.ruby.CFG
+private import codeql.ruby.controlflow.CfgNodes
+private import codeql.ruby.dataflow.SSA
 
 private predicate stringConstCompare(CfgNodes::ExprCfgNode g, CfgNode e, boolean branch) {
   exists(CfgNodes::ExprNodes::ComparisonOperationCfgNode c |
@@ -133,13 +135,24 @@ deprecated class StringConstArrayInclusionCall extends DataFlow::BarrierGuard,
   private CfgNode checkedNode;
 
   StringConstArrayInclusionCall() {
-    exists(ArrayLiteral aLit |
-      this.getExpr().getMethodName() = "include?" and
-      [this.getExpr().getReceiver(), this.getExpr().getReceiver().(ConstantReadAccess).getValue()] =
-        aLit
+    this.getMethodName() = "include?" and
+    this.getArgument(0) = checkedNode and
+    exists(ExprNodes::ArrayLiteralCfgNode arr |
+      // [...].include?
+      this.getReceiver() = arr
+      or
+      // C = [...]
+      // C.include?
+      this.getReceiver().(ExprNodes::ConstantReadAccessCfgNode).getExpr().getValue().getDesugared() =
+        arr.getExpr()
+      or
+      // x = [...]
+      // x.include?
+      exists(Ssa::WriteDefinition def | def.getARead() = this.getReceiver() and def.assigns(arr))
     |
-      forall(Expr elem | elem = aLit.getAnElement() | elem instanceof StringLiteral) and
-      this.getArgument(0) = checkedNode
+      forall(ExprCfgNode elem | elem = arr.getAnArgument() |
+        elem instanceof ExprNodes::StringLiteralCfgNode
+      )
     )
   }
 
diff --git a/ruby/ql/test/library-tests/dataflow/barrier-guards/barrier-guards.expected b/ruby/ql/test/library-tests/dataflow/barrier-guards/barrier-guards.expected
@@ -0,0 +1,8 @@
+| barrier-guards.rb:3:4:3:15 | ... == ... | barrier-guards.rb:4:5:4:7 | foo | barrier-guards.rb:3:4:3:6 | foo | true |
+| barrier-guards.rb:9:4:9:24 | call to include? | barrier-guards.rb:10:5:10:7 | foo | barrier-guards.rb:9:21:9:23 | foo | true |
+| barrier-guards.rb:15:4:15:15 | ... != ... | barrier-guards.rb:18:5:18:7 | foo | barrier-guards.rb:15:4:15:6 | foo | false |
+| barrier-guards.rb:21:8:21:19 | ... == ... | barrier-guards.rb:24:5:24:7 | foo | barrier-guards.rb:21:8:21:10 | foo | true |
+| barrier-guards.rb:27:8:27:19 | ... != ... | barrier-guards.rb:28:5:28:7 | foo | barrier-guards.rb:27:8:27:10 | foo | false |
+| barrier-guards.rb:37:4:37:20 | call to include? | barrier-guards.rb:38:5:38:7 | foo | barrier-guards.rb:37:17:37:19 | foo | true |
+| barrier-guards.rb:43:4:43:15 | ... == ... | barrier-guards.rb:45:9:45:11 | foo | barrier-guards.rb:43:4:43:6 | foo | true |
+| barrier-guards.rb:69:4:69:21 | call to include? | barrier-guards.rb:70:5:70:7 | foo | barrier-guards.rb:69:18:69:20 | foo | true |
diff --git a/ruby/ql/test/library-tests/dataflow/barrier-guards/barrier-guards.rb b/ruby/ql/test/library-tests/dataflow/barrier-guards/barrier-guards.rb
@@ -0,0 +1,73 @@
+foo = "foo"
+
+if foo == "foo"
+    foo
+else
+    foo
+end
+
+if ["foo"].include?(foo)
+    foo
+else
+    foo
+end
+
+if foo != "foo"
+    foo
+else
+    foo
+end
+
+unless foo == "foo"
+    foo
+else
+    foo
+end
+
+unless foo != "foo"
+    foo
+else
+    foo
+end
+
+foo
+
+FOO = ["foo"]
+
+if FOO.include?(foo)
+    foo
+else
+    foo
+end
+
+if foo == "foo"
+    capture {
+        foo # guarded
+    }
+end
+
+if foo == "foo"
+    capture {
+        foo = "bar"
+        foo # not guarded
+    }
+end
+
+if foo == "foo"
+    my_lambda = -> () {
+        foo # not guarded
+    }
+
+    foo = "bar"
+
+    my_lambda()
+end
+
+foos = ["foo"]
+bars = ["bar"]
+
+if foos.include?(foo)
+    foo
+else
+    foo
+end

Original file line number	Diff line number	Diff line change
`@@ -374,6 +374,9 @@ module ExprNodes {`
`374`	`374`	`MethodCallCfgNode() { super.getExpr() instanceof MethodCall }`
`375`	`375`
`376`	`376`	`override MethodCall getExpr() { result = super.getExpr() }`
	`377`	`+`
	`378`	`+ /** Gets the name of this method call. */`
	`379`	`+ string getMethodName() { result = this.getExpr().getMethodName() }`
`377`	`380`	`}`
`378`	`381`
`379`	`382`	`private class CaseExprChildMapping extends ExprChildMapping, CaseExpr {`