Ruby: Hack special-casing of hash literals

asgerf · asgerf · commit 9302271c156b · 2022-10-04T11:14:30.000+02:00
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/core/Hash.qll b/ruby/ql/lib/codeql/ruby/frameworks/core/Hash.qll
@@ -40,7 +40,7 @@ module Hash {
    * Gets a call to the method `name` invoked on the `Hash` object
    * (not on a hash instance).
    */
-  private MethodCall getAStaticHashCall(string name) {
+  MethodCall getAStaticHashCall(string name) {
     result.getMethodName() = name and
     resolveConstantReadAccess(result.getReceiver()) = TResolved("Hash")
   }
diff --git a/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll b/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll
@@ -10,6 +10,7 @@ private import codeql.ruby.dataflow.internal.SsaImpl as SsaImpl
 private import codeql.ruby.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 private import codeql.ruby.dataflow.internal.FlowSummaryImplSpecific as FlowSummaryImplSpecific
 private import codeql.ruby.dataflow.internal.AccessPathSyntax
+private import codeql.ruby.frameworks.core.Hash
 
 class Node = DataFlowPublic::Node;
 
@@ -220,6 +221,25 @@ predicate basicStoreStep(Node nodeFrom, Node nodeTo, DataFlow::ContentSet conten
     nodeFrom = evaluateSummaryComponentStackLocal(callable, call, input) and
     nodeTo = evaluateSummaryComponentStackLocal(callable, call, output)
   )
+  or
+  // Hash literals
+  exists(Cfg::CfgNodes::ExprNodes::PairCfgNode pair |
+    hashLiteralStore(nodeTo, any(DataFlow::Node n | n.asExpr() = pair)) and
+    nodeFrom.asExpr() = pair.getValue()
+  |
+    exists(ConstantValue constant |
+      constant = pair.getKey().getConstantValue() and
+      contents.isSingleton(DataFlow::Content::getElementContent(constant))
+    )
+    or
+    not exists(pair.getKey().getConstantValue()) and
+    contents.isAnyElement()
+  )
+}
+
+private predicate hashLiteralStore(DataFlow::CallNode hashCreation, DataFlow::Node argument) {
+  hashCreation.getExprNode().getExpr() = Hash::getAStaticHashCall("[]") and
+  argument = hashCreation.getArgument(_)
 }
 
 /**
@@ -310,6 +330,14 @@ predicate basicWithContentStep(Node nodeFrom, Node nodeTo, ContentFilter filter)
     nodeFrom = evaluateSummaryComponentStackLocal(callable, call, input) and
     nodeTo = evaluateSummaryComponentStackLocal(callable, call, output)
   )
+  or
+  // Hash-splat in a hash literal
+  exists(DataFlow::Node node |
+    hashLiteralStore(nodeTo, node) and
+    node.asExpr().getExpr() instanceof HashSplatExpr and
+    nodeFrom.asExpr() = node.asExpr().(Cfg::CfgNodes::ExprNodes::UnaryOperationCfgNode).getOperand() and
+    filter = MkElementFilter()
+  )
 }
 
 /**
@@ -344,7 +372,8 @@ private predicate hasLoadStoreSummary(
 ) {
   callable
       .propagatesFlow(push(SummaryComponent::content(loadContents), input),
-        push(SummaryComponent::content(storeContents), output), true)
+        push(SummaryComponent::content(storeContents), output), true) and
+  callable != "Hash.[]" // Special-cased due to having a huge number of summaries
 }
 
 /**

Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ module Hash {`
`40`	`40`	* Gets a call to the method `name` invoked on the `Hash` object
`41`	`41`	`* (not on a hash instance).`
`42`	`42`	`*/`
`43`		`- private MethodCall getAStaticHashCall(string name) {`
	`43`	`+ MethodCall getAStaticHashCall(string name) {`
`44`	`44`	`result.getMethodName() = name and`
`45`	`45`	`resolveConstantReadAccess(result.getReceiver()) = TResolved("Hash")`
`46`	`46`	`}`