Ruby: Refactor method visibility modeling

hmac · hmac · commit c5f36613daa0 · 2022-09-27T10:13:21.000+13:00
diff --git a/ruby/ql/lib/codeql/ruby/ast/Method.qll b/ruby/ql/lib/codeql/ruby/ast/Method.qll
@@ -36,8 +36,25 @@ class MethodBase extends Callable, BodyStmt, Scope, TMethodBase {
     result = BodyStmt.super.getAChild(pred)
   }
 
+  /**
+   * Holds if this method is public.
+   * Methods are public by default.
+   */
+  predicate isPublic() {
+    forall(VisibilityModifier m | m = this.getVisibilityModifier() | m.getVisibility() = "public")
+  }
+
   /** Holds if this method is private. */
-  predicate isPrivate() { none() }
+  predicate isPrivate() { this.getVisibilityModifier().getVisibility() = "private" }
+
+  /** Holds if this method is protected. */
+  predicate isProtected() { this.getVisibilityModifier().getVisibility() = "protected" }
+
+  /**
+   * Gets the visibility modifier that defines the visibility of this method, if
+   * one exists.
+   */
+  VisibilityModifier getVisibilityModifier() { none() }
 }
 
 /**
@@ -47,45 +64,40 @@ class MethodBase extends Callable, BodyStmt, Scope, TMethodBase {
 private class MethodModifier extends MethodCall {
   /** Gets the name of the method that this call applies to. */
   Expr getMethodArgument() { result = this.getArgument(0) }
-
-  /** Holds if this call modifies a method with name `name` in namespace `n`. */
-  pragma[noinline]
-  predicate modifiesMethod(Namespace n, string name) {
-    this = n.getAStmt() and
-    [
-      this.getMethodArgument().getConstantValue().getStringlikeValue(),
-      this.getMethodArgument().(MethodBase).getName()
-    ] = name
-  }
 }
 
-/** A call to `private` or `private_class_method`. */
-private class Private extends MethodModifier {
+/** A method call that sets the visibility of other methods. */
+private class VisibilityModifier extends MethodModifier {
   private Namespace namespace;
   private int position;
 
-  Private() { this.getMethodName() = "private" and namespace.getStmt(position) = this }
+  VisibilityModifier() {
+    this.getMethodName() =
+      [
+        "public", "private", "protected", "public_class_method", "private_class_method",
+        "protected_class_method"
+      ] and
+    namespace.getStmt(position) = this
+  }
 
-  override predicate modifiesMethod(Namespace n, string name) {
-    n = namespace and
-    (
-      // def foo
-      // ...
-      // private :foo
-      super.modifiesMethod(n, name)
-      or
-      // private
-      // ...
-      // def foo
-      not exists(this.getMethodArgument()) and
-      exists(MethodBase m, int i | n.getStmt(i) = m and m.getName() = name and i > position)
-    )
+  /**
+   * Holds if this modifier changes the "ambient" visibility - i.e. the default
+   * visibility of any subsequent method definitions.
+   */
+  predicate modifiesAmbientVisibility() {
+    this.getMethodName() = ["public", "private", "protected"] and
+    this.getNumberOfArguments() = 0
   }
-}
 
-/** A call to `private_class_method`. */
-private class PrivateClassMethod extends MethodModifier {
-  PrivateClassMethod() { this.getMethodName() = "private_class_method" }
+  string getVisibility() {
+    this.getMethodName() = ["public", "public_class_method"] and result = "public"
+    or
+    this.getMethodName() = ["private", "private_class_method"] and
+    result = "private"
+    or
+    this.getMethodName() = ["protected", "protected_class_method"] and
+    result = "protected"
+  }
 }
 
 /** A normal method. */
@@ -140,28 +152,41 @@ class Method extends MethodBase, TMethod {
    * ```
    */
   override predicate isPrivate() {
-    exists(Namespace n, string name |
-      any(Private p).modifiesMethod(n, name) and
-      isDeclaredIn(this, n, name)
-    )
+    this.getVisibilityModifier().getVisibility() = "private"
     or
     // Top-level methods are private members of the Object class
     this.getEnclosingModule() instanceof Toplevel
   }
 
+  override predicate isPublic() { super.isPublic() and not this.isPrivate() }
+
   final override Parameter getParameter(int n) {
     toGenerated(result) = g.getParameters().getChild(n)
   }
 
   final override string toString() { result = this.getName() }
-}
 
-/**
- * Holds if the method `m` has name `name` and is declared in namespace `n`.
- */
-pragma[noinline]
-private predicate isDeclaredIn(MethodBase m, Namespace n, string name) {
-  n = m.getEnclosingModule() and name = m.getName()
+  override VisibilityModifier getVisibilityModifier() {
+    result.getEnclosingModule() = this.getEnclosingModule() and
+    (
+      result.getMethodArgument() = this
+      or
+      result.getMethodArgument().getConstantValue().getStringlikeValue() = this.getName()
+    )
+    or
+    exists(Namespace n, int methodPos | n.getStmt(methodPos) = this |
+      // The relevant visibility modifier is the closest call that occurs before
+      // the definition of `m` (typically this means higher up the file).
+      result =
+        max(int modifierPos, VisibilityModifier modifier |
+          modifier.modifiesAmbientVisibility() and
+          n.getStmt(modifierPos) = modifier and
+          modifierPos < methodPos
+        |
+          modifier order by modifierPos
+        )
+    )
+  }
 }
 
 /** A singleton method. */
@@ -216,10 +241,14 @@ class SingletonMethod extends MethodBase, TSingletonMethod {
    * end
    * ```
    */
-  override predicate isPrivate() {
-    exists(Namespace n, string name |
-      any(PrivateClassMethod p).modifiesMethod(n, name) and
-      isDeclaredIn(this, n, name)
+  override predicate isPrivate() { super.isPrivate() }
+
+  override VisibilityModifier getVisibilityModifier() {
+    result.getEnclosingModule() = this.getEnclosingModule() and
+    (
+      result.getMethodArgument() = this
+      or
+      result.getMethodArgument().getConstantValue().getStringlikeValue() = this.getName()
     )
   }
 }
diff --git a/ruby/ql/test/library-tests/modules/callgraph.expected b/ruby/ql/test/library-tests/modules/callgraph.expected
@@ -324,3 +324,73 @@ privateMethod
 | private.rb:63:11:65:5 | m1 |
 | private.rb:67:11:69:5 | m2 |
 | private.rb:77:11:81:5 | m1 |
+publicMethod
+| calls.rb:7:1:9:3 | bar |
+| calls.rb:13:1:15:3 | bar |
+| calls.rb:22:5:24:7 | instance_m |
+| calls.rb:25:5:27:7 | singleton_m |
+| calls.rb:51:5:57:7 | baz |
+| calls.rb:66:5:68:7 | baz |
+| calls.rb:92:5:92:23 | bit_length |
+| calls.rb:93:5:93:16 | abs |
+| calls.rb:97:5:97:23 | capitalize |
+| calls.rb:102:5:102:30 | puts |
+| calls.rb:106:5:106:24 | module_eval |
+| calls.rb:107:5:107:20 | include |
+| calls.rb:108:5:108:20 | prepend |
+| calls.rb:109:5:109:20 | private |
+| calls.rb:114:5:114:16 | new |
+| calls.rb:119:5:119:31 | [] |
+| calls.rb:124:3:124:29 | [] |
+| calls.rb:126:3:126:17 | length |
+| calls.rb:128:3:134:5 | foreach |
+| calls.rb:163:5:165:7 | s_method |
+| calls.rb:169:5:170:7 | to_s |
+| calls.rb:174:5:175:7 | to_s |
+| calls.rb:188:5:191:7 | singleton_a |
+| calls.rb:193:5:196:7 | singleton_b |
+| calls.rb:198:5:200:7 | singleton_c |
+| calls.rb:202:5:205:7 | singleton_d |
+| calls.rb:207:5:212:7 | instance |
+| calls.rb:208:9:210:11 | singleton_e |
+| calls.rb:215:9:217:11 | singleton_f |
+| calls.rb:220:5:222:7 | call_singleton_g |
+| calls.rb:233:1:235:3 | singleton_g |
+| calls.rb:240:1:242:3 | singleton_g |
+| calls.rb:248:5:250:7 | singleton_g |
+| calls.rb:264:1:266:3 | singleton_g |
+| calls.rb:278:5:280:7 | singleton_h |
+| calls.rb:291:5:293:7 | singleton_i |
+| calls.rb:300:5:302:7 | singleton_j |
+| calls.rb:308:5:311:7 | instance |
+| calls.rb:313:5:315:7 | singleton |
+| calls.rb:323:5:325:7 | instance |
+| calls.rb:329:5:331:7 | instance |
+| calls.rb:335:5:337:7 | instance |
+| calls.rb:365:5:367:7 | instance |
+| calls.rb:376:9:378:11 | singleton1 |
+| calls.rb:380:9:382:11 | call_singleton1 |
+| calls.rb:385:5:387:7 | singleton2 |
+| calls.rb:389:5:391:7 | call_singleton2 |
+| calls.rb:401:9:403:11 | singleton1 |
+| calls.rb:406:5:408:7 | singleton2 |
+| calls.rb:416:9:418:11 | m1 |
+| calls.rb:421:5:433:7 | m2 |
+| calls.rb:424:9:430:11 | m3 |
+| calls.rb:427:13:429:15 | m4 |
+| calls.rb:437:13:439:15 | m5 |
+| calls.rb:478:5:480:7 | singleton |
+| hello.rb:2:5:4:7 | hello |
+| hello.rb:5:5:7:7 | world |
+| hello.rb:13:5:15:7 | message |
+| hello.rb:19:5:21:7 | message |
+| modules.rb:9:5:10:7 | method_in_foo_bar |
+| modules.rb:16:3:17:5 | method_in_foo |
+| modules.rb:27:3:28:5 | method_in_another_definition_of_foo |
+| modules.rb:38:3:39:5 | method_a |
+| modules.rb:41:3:42:5 | method_b |
+| modules.rb:52:3:53:5 | method_in_another_definition_of_foo_bar |
+| private.rb:5:3:6:5 | public |
+| private.rb:20:3:21:5 | public2 |
+| private.rb:46:3:47:5 | public |
+| private.rb:71:3:73:5 | call_m1 |
diff --git a/ruby/ql/test/library-tests/modules/callgraph.ql b/ruby/ql/test/library-tests/modules/callgraph.ql
@@ -5,3 +5,5 @@ query Callable getTarget(Call call) { result = call.getATarget() }
 query predicate unresolvedCall(Call call) { not exists(call.getATarget()) }
 
 query predicate privateMethod(MethodBase m) { m.isPrivate() }
+
+query predicate publicMethod(MethodBase m) { m.isPublic() }
