Ruby: Test both old and new-style barrier guards

Author: hmac

ruby/ql/lib/codeql/ruby/dataflow/BarrierGuards.qll

@@ -64,19 +64,7 @@ deprecated class StringConstCompare extends DataFlow::BarrierGuard,
   // The value of the condition that results in the node being validated.
   private boolean checkedBranch;
 
-  StringConstCompare() {
-    exists(CfgNodes::ExprNodes::StringLiteralCfgNode strLitNode |
-      this.getExpr() instanceof EqExpr and checkedBranch = true
-      or
-      this.getExpr() instanceof CaseEqExpr and checkedBranch = true
-      or
-      this.getExpr() instanceof NEExpr and checkedBranch = false
-    |
-      this.getLeftOperand() = strLitNode and this.getRightOperand() = checkedNode
-      or
-      this.getLeftOperand() = checkedNode and this.getRightOperand() = strLitNode
-    )
-  }
+  StringConstCompare() { stringConstCompare(this, checkedNode, checkedBranch) }
 
   override predicate checks(CfgNode expr, boolean branch) {
     expr = checkedNode and branch = checkedBranch
@@ -138,15 +126,7 @@ deprecated class StringConstArrayInclusionCall extends DataFlow::BarrierGuard,
   CfgNodes::ExprNodes::MethodCallCfgNode {
   private CfgNode checkedNode;
 
-  StringConstArrayInclusionCall() {
-    this.getMethodName() = "include?" and
-    this.getArgument(0) = checkedNode and
-    exists(ExprNodes::ArrayLiteralCfgNode arr | isArrayConstant(this.getReceiver(), arr) |
-      forall(ExprCfgNode elem | elem = arr.getAnArgument() |
-        elem instanceof ExprNodes::StringLiteralCfgNode
-      )
-    )
-  }
+  StringConstArrayInclusionCall() { stringConstArrayInclusionCall(this, checkedNode, _) }
 
   override predicate checks(CfgNode expr, boolean branch) { expr = checkedNode and branch = true }
 }

ruby/ql/test/library-tests/dataflow/barrier-guards/barrier-guards.expected

@@ -1,3 +1,5 @@
+WARNING: Type BarrierGuard has been deprecated and may be removed in future (barrier-guards.ql:8,3-15)
+oldStyleBarrierGuards
 | barrier-guards.rb:3:4:3:15 | ... == ... | barrier-guards.rb:4:5:4:7 | foo | barrier-guards.rb:3:4:3:6 | foo | true |
 | barrier-guards.rb:9:4:9:24 | call to include? | barrier-guards.rb:10:5:10:7 | foo | barrier-guards.rb:9:21:9:23 | foo | true |
 | barrier-guards.rb:15:4:15:15 | ... != ... | barrier-guards.rb:18:5:18:7 | foo | barrier-guards.rb:15:4:15:6 | foo | false |
@@ -6,3 +8,12 @@
 | barrier-guards.rb:37:4:37:20 | call to include? | barrier-guards.rb:38:5:38:7 | foo | barrier-guards.rb:37:17:37:19 | foo | true |
 | barrier-guards.rb:43:4:43:15 | ... == ... | barrier-guards.rb:45:9:45:11 | foo | barrier-guards.rb:43:4:43:6 | foo | true |
 | barrier-guards.rb:70:4:70:21 | call to include? | barrier-guards.rb:71:5:71:7 | foo | barrier-guards.rb:70:18:70:20 | foo | true |
+newStyleBarrierGuards
+| barrier-guards.rb:4:5:4:7 | foo |
+| barrier-guards.rb:10:5:10:7 | foo |
+| barrier-guards.rb:18:5:18:7 | foo |
+| barrier-guards.rb:24:5:24:7 | foo |
+| barrier-guards.rb:28:5:28:7 | foo |
+| barrier-guards.rb:38:5:38:7 | foo |
+| barrier-guards.rb:45:9:45:11 | foo |
+| barrier-guards.rb:71:5:71:7 | foo |

ruby/ql/test/library-tests/dataflow/barrier-guards/barrier-guards.ql

@@ -0,0 +1,16 @@
+import codeql.ruby.dataflow.internal.DataFlowPublic
+import codeql.ruby.dataflow.BarrierGuards
+import codeql.ruby.controlflow.CfgNodes
+import codeql.ruby.controlflow.ControlFlowGraph
+import codeql.ruby.DataFlow
+
+query predicate oldStyleBarrierGuards(
+  BarrierGuard g, DataFlow::Node guardedNode, ExprCfgNode expr, boolean branch
+) {
+  g.checks(expr, branch) and guardedNode = g.getAGuardedNode()
+}
+
+query predicate newStyleBarrierGuards(DataFlow::Node n) {
+  n instanceof StringConstCompareBarrier or
+  n instanceof StringConstArrayInclusionCallBarrier
+}