Merge pull request #9969 from hvitved/ruby/kwargs-missing-flow

hvitved · web-flow · commit 975edac34ea6 · 2022-08-09T09:59:57.000+02:00
Ruby: Support more flow through keyword arguments
diff --git a/ruby/ql/consistency-queries/DataFlowConsistency.ql b/ruby/ql/consistency-queries/DataFlowConsistency.ql
@@ -10,6 +10,6 @@ private class MyConsistencyConfiguration extends ConsistencyConfiguration {
     or
     n instanceof SummaryNode
     or
-    n instanceof HashSplatArgumentsNode
+    n instanceof SynthHashSplatArgumentNode
   }
 }
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll
@@ -65,7 +65,12 @@ class DataFlowCallable extends TDataFlowCallable {
   string toString() { result = [this.asCallable().toString(), this.asLibraryCallable()] }
 
   /** Gets the location of this callable. */
-  Location getLocation() { result = this.asCallable().getLocation() }
+  Location getLocation() {
+    result = this.asCallable().getLocation()
+    or
+    this instanceof TLibraryCallable and
+    result instanceof EmptyLocation
+  }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll
@@ -227,6 +227,9 @@ private module Cached {
     } or
     TSelfParameterNode(MethodBase m) or
     TBlockParameterNode(MethodBase m) or
+    TSynthHashSplatParameterNode(DataFlowCallable c) {
+      isParameterNode(_, c, any(ParameterPosition p | p.isKeyword(_)))
+    } or
     TExprPostUpdateNode(CfgNodes::ExprCfgNode n) {
       n instanceof Argument or
       n = any(CfgNodes::ExprNodes::InstanceVariableAccessCfgNode v).getReceiver()
@@ -240,12 +243,13 @@ private module Cached {
     TSummaryParameterNode(FlowSummaryImpl::Public::SummarizedCallable c, ParameterPosition pos) {
       FlowSummaryImpl::Private::summaryParameterNodeRange(c, pos)
     } or
-    THashSplatArgumentsNode(CfgNodes::ExprNodes::CallCfgNode c) {
+    TSynthHashSplatArgumentNode(CfgNodes::ExprNodes::CallCfgNode c) {
       exists(Argument arg | arg.isArgumentOf(c, any(ArgumentPosition pos | pos.isKeyword(_))))
     }
 
   class TParameterNode =
-    TNormalParameterNode or TBlockParameterNode or TSelfParameterNode or TSummaryParameterNode;
+    TNormalParameterNode or TBlockParameterNode or TSelfParameterNode or
+        TSynthHashSplatParameterNode or TSummaryParameterNode;
 
   private predicate defaultValueFlow(NamedParameter p, ExprNode e) {
     p.(OptionalParameter).getDefaultValue() = e.getExprNode().getExpr()
@@ -328,18 +332,21 @@ private module Cached {
 
   cached
   predicate isLocalSourceNode(Node n) {
-    n instanceof ParameterNode
-    or
-    n instanceof PostUpdateNodes::ExprPostUpdateNode
-    or
-    // Nodes that can't be reached from another entry definition or expression.
-    not reachedFromExprOrEntrySsaDef(n)
-    or
-    // Ensure all entry SSA definitions are local sources -- for parameters, this
-    // is needed by type tracking. Note that when the parameter has a default value,
-    // it will be reachable from an expression (the default value) and therefore
-    // won't be caught by the rule above.
-    entrySsaDefinition(n)
+    not n instanceof SynthHashSplatParameterNode and
+    (
+      n instanceof ParameterNode
+      or
+      n instanceof PostUpdateNodes::ExprPostUpdateNode
+      or
+      // Nodes that can't be reached from another entry definition or expression.
+      not reachedFromExprOrEntrySsaDef(n)
+      or
+      // Ensure all entry SSA definitions are local sources -- for parameters, this
+      // is needed by type tracking. Note that when the parameter has a default value,
+      // it will be reachable from an expression (the default value) and therefore
+      // won't be caught by the rule above.
+      entrySsaDefinition(n)
+    )
   }
 
   cached
@@ -415,7 +422,9 @@ predicate nodeIsHidden(Node n) {
   or
   n instanceof SynthReturnNode
   or
-  n instanceof HashSplatArgumentsNode
+  n instanceof SynthHashSplatParameterNode
+  or
+  n instanceof SynthHashSplatArgumentNode
 }
 
 /** An SSA definition, viewed as a node in a data flow graph. */
@@ -470,10 +479,13 @@ private module ParameterNodes {
   abstract class ParameterNodeImpl extends NodeImpl {
     abstract Parameter getParameter();
 
-    abstract predicate isSourceParameterOf(Callable c, ParameterPosition pos);
+    abstract predicate isParameterOf(DataFlowCallable c, ParameterPosition pos);
 
-    predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
-      this.isSourceParameterOf(c.asCallable(), pos)
+    final predicate isSourceParameterOf(Callable c, ParameterPosition pos) {
+      exists(DataFlowCallable callable |
+        this.isParameterOf(callable, pos) and
+        c = callable.asCallable()
+      )
     }
   }
 
@@ -488,21 +500,23 @@ private module ParameterNodes {
 
     override Parameter getParameter() { result = parameter }
 
-    override predicate isSourceParameterOf(Callable c, ParameterPosition pos) {
-      exists(int i | pos.isPositional(i) and c.getParameter(i) = parameter |
-        parameter instanceof SimpleParameter
+    override predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+      exists(Callable callable | callable = c.asCallable() |
+        exists(int i | pos.isPositional(i) and callable.getParameter(i) = parameter |
+          parameter instanceof SimpleParameter
+          or
+          parameter instanceof OptionalParameter
+        )
+        or
+        parameter =
+          any(KeywordParameter kp |
+            callable.getAParameter() = kp and
+            pos.isKeyword(kp.getName())
+          )
         or
-        parameter instanceof OptionalParameter
+        parameter = callable.getAParameter().(HashSplatParameter) and
+        pos.isHashSplat()
       )
-      or
-      parameter =
-        any(KeywordParameter kp |
-          c.getAParameter() = kp and
-          pos.isKeyword(kp.getName())
-        )
-      or
-      parameter = c.getAParameter().(HashSplatParameter) and
-      pos.isHashSplat()
     }
 
     override CfgScope getCfgScope() { result = parameter.getCallable() }
@@ -525,8 +539,8 @@ private module ParameterNodes {
 
     override Parameter getParameter() { none() }
 
-    override predicate isSourceParameterOf(Callable c, ParameterPosition pos) {
-      method = c and pos.isSelf()
+    override predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+      method = c.asCallable() and pos.isSelf()
     }
 
     override CfgScope getCfgScope() { result = method }
@@ -551,8 +565,8 @@ private module ParameterNodes {
       result = method.getAParameter() and result instanceof BlockParameter
     }
 
-    override predicate isSourceParameterOf(Callable c, ParameterPosition pos) {
-      c = method and pos.isBlock()
+    override predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+      c.asCallable() = method and pos.isBlock()
     }
 
     override CfgScope getCfgScope() { result = method }
@@ -570,6 +584,73 @@ private module ParameterNodes {
     }
   }
 
+  /**
+   * For all methods containing keyword parameters, we construct a synthesized
+   * (hidden) parameter node to contain all keyword arguments. This allows us
+   * to handle cases like
+   *
+   * ```rb
+   * def foo(p1:, p2:)
+   *   sink(p1)
+   *   sink(p2)
+   * end
+   *
+   * args = {:p1 => taint(1), :p2 => taint(2) }
+   * foo(**args)
+   * ```
+   *
+   * by adding read steps out of the synthesized parameter node to the relevant
+   * keyword parameters.
+   *
+   * Note that this will introduce a bit of redundancy in cases like
+   *
+   * ```rb
+   * foo(p1: taint(1), p2: taint(2))
+   * ```
+   *
+   * where direct keyword matching is possible, since we construct a synthesized hash
+   * splat argument (`SynthHashSplatArgumentNode`) at the call site, which means that
+   * `taint(1)` will flow into `p1` both via normal keyword matching and via the synthesized
+   * nodes (and similarly for `p2`). However, this redunancy is OK since
+   *  (a) it means that type-tracking through keyword arguments also works in most cases,
+   *  (b) read/store steps can be avoided when direct keyword matching is possible, and
+   *      hence access path limits are not a concern, and
+   *  (c) since the synthesized nodes are hidden, the reported data-flow paths will be
+   *      collapsed anyway.
+   */
+  class SynthHashSplatParameterNode extends ParameterNodeImpl, TSynthHashSplatParameterNode {
+    private DataFlowCallable callable;
+
+    SynthHashSplatParameterNode() { this = TSynthHashSplatParameterNode(callable) }
+
+    /**
+     * Gets a keyword parameter that will be the result of reading `c` out of this
+     * synthesized node.
+     */
+    ParameterNode getAKeywordParameter(ContentSet c) {
+      exists(string name |
+        isParameterNode(result, callable, any(ParameterPosition p | p.isKeyword(name)))
+      |
+        c = getKeywordContent(name) or
+        c.isSingleton(TUnknownElementContent())
+      )
+    }
+
+    final override Parameter getParameter() { none() }
+
+    final override predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+      c = callable and pos.isHashSplat()
+    }
+
+    final override CfgScope getCfgScope() { result = callable.asCallable() }
+
+    final override DataFlowCallable getEnclosingCallable() { result = callable }
+
+    final override Location getLocationImpl() { result = callable.getLocation() }
+
+    final override string toStringImpl() { result = "**kwargs" }
+  }
+
   /** A parameter for a library callable with a flow summary. */
   class SummaryParameterNode extends ParameterNodeImpl, TSummaryParameterNode {
     private FlowSummaryImpl::Public::SummarizedCallable sc;
@@ -579,8 +660,6 @@ private module ParameterNodes {
 
     override Parameter getParameter() { none() }
 
-    override predicate isSourceParameterOf(Callable c, ParameterPosition pos) { none() }
-
     override predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
       sc = c.asLibraryCallable() and pos = pos_
     }
@@ -689,10 +768,10 @@ private module ArgumentNodes {
    * part of the method signature, such that those cannot end up in the hash-splat
    * parameter.
    */
-  class HashSplatArgumentsNode extends ArgumentNode, THashSplatArgumentsNode {
+  class SynthHashSplatArgumentNode extends ArgumentNode, TSynthHashSplatArgumentNode {
     CfgNodes::ExprNodes::CallCfgNode c;
 
-    HashSplatArgumentsNode() { this = THashSplatArgumentsNode(c) }
+    SynthHashSplatArgumentNode() { this = TSynthHashSplatArgumentNode(c) }
 
     override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
       this.sourceArgumentOf(call.asCall(), pos)
@@ -704,10 +783,10 @@ private module ArgumentNodes {
     }
   }
 
-  private class HashSplatArgumentsNodeImpl extends NodeImpl, THashSplatArgumentsNode {
+  private class SynthHashSplatArgumentNodeImpl extends NodeImpl, TSynthHashSplatArgumentNode {
     CfgNodes::ExprNodes::CallCfgNode c;
 
-    HashSplatArgumentsNodeImpl() { this = THashSplatArgumentsNode(c) }
+    SynthHashSplatArgumentNodeImpl() { this = TSynthHashSplatArgumentNode(c) }
 
     override CfgScope getCfgScope() { result = c.getExpr().getCfgScope() }
 
@@ -929,7 +1008,7 @@ predicate storeStep(Node node1, ContentSet c, Node node2) {
   or
   // Wrap all keyword arguments in a synthesized hash-splat argument node
   exists(CfgNodes::ExprNodes::CallCfgNode call, ArgumentPosition keywordPos, string name |
-    node2 = THashSplatArgumentsNode(call) and
+    node2 = TSynthHashSplatArgumentNode(call) and
     node1.asExpr().(Argument).isArgumentOf(call, keywordPos) and
     keywordPos.isKeyword(name) and
     c = getKeywordContent(name)
@@ -962,6 +1041,8 @@ predicate readStep(Node node1, ContentSet c, Node node2) {
         ))
     )
   or
+  node2 = node1.(SynthHashSplatParameterNode).getAKeywordParameter(c)
+  or
   FlowSummaryImpl::Private::Steps::summaryReadStep(node1, c, node2)
 }
 
diff --git a/ruby/ql/test/library-tests/dataflow/params/params-flow.expected b/ruby/ql/test/library-tests/dataflow/params/params-flow.expected
@@ -26,6 +26,16 @@ edges
 | params_flow.rb:35:12:35:20 | call to taint :  | params_flow.rb:25:12:25:13 | p1 :  |
 | params_flow.rb:35:23:35:28 | ** ... [element :p3] :  | params_flow.rb:25:17:25:24 | **kwargs [element :p3] :  |
 | params_flow.rb:35:25:35:28 | args [element :p3] :  | params_flow.rb:35:23:35:28 | ** ... [element :p3] :  |
+| params_flow.rb:37:16:37:24 | call to taint :  | params_flow.rb:38:10:38:13 | args [element :p1] :  |
+| params_flow.rb:37:34:37:42 | call to taint :  | params_flow.rb:38:10:38:13 | args [element :p2] :  |
+| params_flow.rb:38:8:38:13 | ** ... [element :p1] :  | params_flow.rb:25:12:25:13 | p1 :  |
+| params_flow.rb:38:8:38:13 | ** ... [element :p2] :  | params_flow.rb:25:17:25:24 | **kwargs [element :p2] :  |
+| params_flow.rb:38:10:38:13 | args [element :p1] :  | params_flow.rb:38:8:38:13 | ** ... [element :p1] :  |
+| params_flow.rb:38:10:38:13 | args [element :p2] :  | params_flow.rb:38:8:38:13 | ** ... [element :p2] :  |
+| params_flow.rb:40:16:40:24 | call to taint :  | params_flow.rb:41:26:41:29 | args [element :p1] :  |
+| params_flow.rb:41:13:41:21 | call to taint :  | params_flow.rb:16:18:16:19 | p2 :  |
+| params_flow.rb:41:24:41:29 | ** ... [element :p1] :  | params_flow.rb:16:13:16:14 | p1 :  |
+| params_flow.rb:41:26:41:29 | args [element :p1] :  | params_flow.rb:41:24:41:29 | ** ... [element :p1] :  |
 nodes
 | params_flow.rb:9:16:9:17 | p1 :  | semmle.label | p1 :  |
 | params_flow.rb:9:20:9:21 | p2 :  | semmle.label | p2 :  |
@@ -60,18 +70,32 @@ nodes
 | params_flow.rb:35:12:35:20 | call to taint :  | semmle.label | call to taint :  |
 | params_flow.rb:35:23:35:28 | ** ... [element :p3] :  | semmle.label | ** ... [element :p3] :  |
 | params_flow.rb:35:25:35:28 | args [element :p3] :  | semmle.label | args [element :p3] :  |
+| params_flow.rb:37:16:37:24 | call to taint :  | semmle.label | call to taint :  |
+| params_flow.rb:37:34:37:42 | call to taint :  | semmle.label | call to taint :  |
+| params_flow.rb:38:8:38:13 | ** ... [element :p1] :  | semmle.label | ** ... [element :p1] :  |
+| params_flow.rb:38:8:38:13 | ** ... [element :p2] :  | semmle.label | ** ... [element :p2] :  |
+| params_flow.rb:38:10:38:13 | args [element :p1] :  | semmle.label | args [element :p1] :  |
+| params_flow.rb:38:10:38:13 | args [element :p2] :  | semmle.label | args [element :p2] :  |
+| params_flow.rb:40:16:40:24 | call to taint :  | semmle.label | call to taint :  |
+| params_flow.rb:41:13:41:21 | call to taint :  | semmle.label | call to taint :  |
+| params_flow.rb:41:24:41:29 | ** ... [element :p1] :  | semmle.label | ** ... [element :p1] :  |
+| params_flow.rb:41:26:41:29 | args [element :p1] :  | semmle.label | args [element :p1] :  |
 subpaths
 #select
 | params_flow.rb:10:10:10:11 | p1 | params_flow.rb:14:12:14:19 | call to taint :  | params_flow.rb:10:10:10:11 | p1 | $@ | params_flow.rb:14:12:14:19 | call to taint :  | call to taint :  |
 | params_flow.rb:11:10:11:11 | p2 | params_flow.rb:14:22:14:29 | call to taint :  | params_flow.rb:11:10:11:11 | p2 | $@ | params_flow.rb:14:22:14:29 | call to taint :  | call to taint :  |
 | params_flow.rb:17:10:17:11 | p1 | params_flow.rb:21:13:21:20 | call to taint :  | params_flow.rb:17:10:17:11 | p1 | $@ | params_flow.rb:21:13:21:20 | call to taint :  | call to taint :  |
 | params_flow.rb:17:10:17:11 | p1 | params_flow.rb:22:27:22:34 | call to taint :  | params_flow.rb:17:10:17:11 | p1 | $@ | params_flow.rb:22:27:22:34 | call to taint :  | call to taint :  |
 | params_flow.rb:17:10:17:11 | p1 | params_flow.rb:23:33:23:40 | call to taint :  | params_flow.rb:17:10:17:11 | p1 | $@ | params_flow.rb:23:33:23:40 | call to taint :  | call to taint :  |
+| params_flow.rb:17:10:17:11 | p1 | params_flow.rb:40:16:40:24 | call to taint :  | params_flow.rb:17:10:17:11 | p1 | $@ | params_flow.rb:40:16:40:24 | call to taint :  | call to taint :  |
 | params_flow.rb:18:10:18:11 | p2 | params_flow.rb:21:27:21:34 | call to taint :  | params_flow.rb:18:10:18:11 | p2 | $@ | params_flow.rb:21:27:21:34 | call to taint :  | call to taint :  |
 | params_flow.rb:18:10:18:11 | p2 | params_flow.rb:22:13:22:20 | call to taint :  | params_flow.rb:18:10:18:11 | p2 | $@ | params_flow.rb:22:13:22:20 | call to taint :  | call to taint :  |
 | params_flow.rb:18:10:18:11 | p2 | params_flow.rb:23:16:23:23 | call to taint :  | params_flow.rb:18:10:18:11 | p2 | $@ | params_flow.rb:23:16:23:23 | call to taint :  | call to taint :  |
+| params_flow.rb:18:10:18:11 | p2 | params_flow.rb:41:13:41:21 | call to taint :  | params_flow.rb:18:10:18:11 | p2 | $@ | params_flow.rb:41:13:41:21 | call to taint :  | call to taint :  |
 | params_flow.rb:26:10:26:11 | p1 | params_flow.rb:33:12:33:19 | call to taint :  | params_flow.rb:26:10:26:11 | p1 | $@ | params_flow.rb:33:12:33:19 | call to taint :  | call to taint :  |
 | params_flow.rb:26:10:26:11 | p1 | params_flow.rb:35:12:35:20 | call to taint :  | params_flow.rb:26:10:26:11 | p1 | $@ | params_flow.rb:35:12:35:20 | call to taint :  | call to taint :  |
+| params_flow.rb:26:10:26:11 | p1 | params_flow.rb:37:16:37:24 | call to taint :  | params_flow.rb:26:10:26:11 | p1 | $@ | params_flow.rb:37:16:37:24 | call to taint :  | call to taint :  |
 | params_flow.rb:28:10:28:22 | ( ... ) | params_flow.rb:33:26:33:34 | call to taint :  | params_flow.rb:28:10:28:22 | ( ... ) | $@ | params_flow.rb:33:26:33:34 | call to taint :  | call to taint :  |
+| params_flow.rb:28:10:28:22 | ( ... ) | params_flow.rb:37:34:37:42 | call to taint :  | params_flow.rb:28:10:28:22 | ( ... ) | $@ | params_flow.rb:37:34:37:42 | call to taint :  | call to taint :  |
 | params_flow.rb:29:10:29:22 | ( ... ) | params_flow.rb:33:41:33:49 | call to taint :  | params_flow.rb:29:10:29:22 | ( ... ) | $@ | params_flow.rb:33:41:33:49 | call to taint :  | call to taint :  |
 | params_flow.rb:29:10:29:22 | ( ... ) | params_flow.rb:34:14:34:22 | call to taint :  | params_flow.rb:29:10:29:22 | ( ... ) | $@ | params_flow.rb:34:14:34:22 | call to taint :  | call to taint :  |
diff --git a/ruby/ql/test/library-tests/dataflow/params/params_flow.rb b/ruby/ql/test/library-tests/dataflow/params/params_flow.rb
@@ -14,22 +14,28 @@ def positional(p1, p2)
 positional(taint(1), taint(2))
 
 def keyword(p1:, p2:)
-    sink p1 # $ hasValueFlow=3 $ hasValueFlow=6 $ hasValueFlow=8
-    sink p2 # $ hasValueFlow=4 $ hasValueFlow=5 $ hasValueFlow=7
+    sink p1 # $ hasValueFlow=3 $ hasValueFlow=6 $ hasValueFlow=8 $ hasValueFlow=16
+    sink p2 # $ hasValueFlow=4 $ hasValueFlow=5 $ hasValueFlow=7 $ hasValueFlow=17
 end
 
 keyword(p1: taint(3), p2: taint(4))
 keyword(p2: taint(5), p1: taint(6))
 keyword(:p2 => taint(7), :p1 => taint(8))
 
 def kwargs(p1:, **kwargs)
-    sink p1 # $ hasValueFlow=9 $ hasValueFlow=13
+    sink p1 # $ hasValueFlow=9 $ hasValueFlow=13 $ hasValueFlow=14
     sink (kwargs[:p1])
-    sink (kwargs[:p2]) # $ hasValueFlow=10
+    sink (kwargs[:p2]) # $ hasValueFlow=10 $ hasValueFlow=15
     sink (kwargs[:p3]) # $ hasValueFlow=11 $ hasValueFlow=12
     sink (kwargs[:p4])
 end
 
 kwargs(p1: taint(9), p2: taint(10), p3: taint(11), p4: "")
 args = { p3: taint(12), p4: "" }
 kwargs(p1: taint(13), **args)
+
+args = {:p1 => taint(14), :p2 => taint(15) }
+kwargs(**args)
+
+args = {:p1 => taint(16) }
+keyword(p2: taint(17), **args)
diff --git a/ruby/ql/test/library-tests/dataflow/summaries/Summaries.expected b/ruby/ql/test/library-tests/dataflow/summaries/Summaries.expected
diff --git a/ruby/ql/test/library-tests/dataflow/summaries/summaries.rb b/ruby/ql/test/library-tests/dataflow/summaries/summaries.rb

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,6 @@ private class MyConsistencyConfiguration extends ConsistencyConfiguration {`
`10`	`10`	`or`
`11`	`11`	`n instanceof SummaryNode`
`12`	`12`	`or`
`13`		`- n instanceof HashSplatArgumentsNode`
	`13`	`+ n instanceof SynthHashSplatArgumentNode`
`14`	`14`	`}`
`15`	`15`	`}`