Ruby: Summarize level steps in type tracking

asgerf · asgerf · commit a4d4e406c675 · 2022-10-04T11:06:44.000+02:00
diff --git a/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll b/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll
@@ -62,6 +62,16 @@ private predicate summarizedLocalStep(Node nodeFrom, Node nodeTo) {
         .flowsTo(returnNode) and
     callStep(nodeTo.asExpr(), nodeFrom, param)
   )
+  or
+  exists(
+    SummarizedCallable callable, DataFlowPublic::CallNode call, SummaryComponent input,
+    SummaryComponent output
+  |
+    hasLevelSummary(callable, input, output) and
+    call.asExpr().getExpr() = callable.getACallSimple() and
+    nodeFrom = evaluateSummaryComponentLocal(call, input) and
+    nodeTo = evaluateSummaryComponentLocal(call, output)
+  )
 }
 
 /** Holds if there is a level step from `nodeFrom` to `nodeTo`. */
@@ -230,6 +240,12 @@ class Boolean extends boolean {
 
 private import SummaryComponentStack
 
+private predicate hasLevelSummary(
+  SummarizedCallable callable, SummaryComponent input, SummaryComponent output
+) {
+  callable.propagatesFlow(singleton(input), singleton(output), true)
+}
+
 private predicate hasStoreSummary(
   SummarizedCallable callable, DataFlow::ContentSet contents, SummaryComponent input,
   SummaryComponent output
