Merge pull request #9918 from hmac/hmac/mime-type-match

Ruby: Model Mime::Type

Author: hmac

ruby/ql/lib/change-notes/2022-08-04-mime-type.md

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* Arguments to `Mime::Type#match?` and `Mime::Type#=~` are now recognised as
+  regular expression sources.

ruby/ql/lib/codeql/ruby/Regexp.qll

@@ -92,20 +92,32 @@ private class ParsedStringRegExp extends RegExp {
   override string getFlags() { none() }
 }
 
+/** Provides a class for modeling regular expression interpretations. */
+module RegExpInterpretation {
+  /**
+   * A node that is not a regular expression literal, but is used in places that
+   * may interpret it as one. Instances of this class are typically strings that
+   * flow to method calls like `RegExp.new`.
+   */
+  abstract class Range extends DataFlow::Node { }
+}
+
 /**
- * Holds if `source` may be interpreted as a regular expression.
+ * A node interpreted as a regular expression.
  */
-private predicate isInterpretedAsRegExp(DataFlow::Node source) {
-  // The first argument to an invocation of `Regexp.new` or `Regexp.compile`.
-  source = API::getTopLevelMember("Regexp").getAMethodCall(["compile", "new"]).getArgument(0)
-  or
-  // The argument of a call that coerces the argument to a regular expression.
-  exists(DataFlow::CallNode mce |
-    mce.getMethodName() = ["match", "match?"] and
-    source = mce.getArgument(0) and
-    // exclude https://ruby-doc.org/core-2.4.0/Regexp.html#method-i-match
-    not mce.getReceiver().asExpr().getExpr() instanceof AST::RegExpLiteral
-  )
+class StdLibRegExpInterpretation extends RegExpInterpretation::Range {
+  StdLibRegExpInterpretation() {
+    // The first argument to an invocation of `Regexp.new` or `Regexp.compile`.
+    this = API::getTopLevelMember("Regexp").getAMethodCall(["compile", "new"]).getArgument(0)
+    or
+    // The argument of a call that coerces the argument to a regular expression.
+    exists(DataFlow::CallNode mce |
+      mce.getMethodName() = ["match", "match?"] and
+      this = mce.getArgument(0) and
+      // exclude https://ruby-doc.org/core-2.4.0/Regexp.html#method-i-match
+      not mce.getReceiver().asExpr().getExpr() instanceof AST::RegExpLiteral
+    )
+  }
 }
 
 private class RegExpConfiguration extends Configuration {
@@ -120,7 +132,7 @@ private class RegExpConfiguration extends Configuration {
       )
   }
 
-  override predicate isSink(DataFlow::Node sink) { isInterpretedAsRegExp(sink) }
+  override predicate isSink(DataFlow::Node sink) { sink instanceof RegExpInterpretation::Range }
 
   override predicate isSanitizer(DataFlow::Node node) {
     // stop flow if `node` is receiver of

ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll

@@ -83,7 +83,7 @@ class ActionControllerActionMethod extends Method, HTTP::Server::RequestHandler:
    * Gets a route to this handler, if one exists.
    * May return multiple results.
    */
-  ActionDispatch::Route getARoute() {
+  ActionDispatch::Routing::Route getARoute() {
     exists(string name |
       isRoute(result, name, controllerClass) and
       isActionControllerMethod(this, name, controllerClass)
@@ -93,10 +93,10 @@ class ActionControllerActionMethod extends Method, HTTP::Server::RequestHandler:
 
 pragma[nomagic]
 private predicate isRoute(
-  ActionDispatch::Route route, string name, ActionControllerControllerClass controllerClass
+  ActionDispatch::Routing::Route route, string name, ActionControllerControllerClass controllerClass
 ) {
   route.getController() + "_controller" =
-    ActionDispatch::underscore(namespaceDeclaration(controllerClass)) and
+    ActionDispatch::Routing::underscore(namespaceDeclaration(controllerClass)) and
   name = route.getAction()
 }