Merge pull request #9138 from hmac/hmac/array-inclusion-guard-local-flow

Ruby: Make StringArrayInclusion more sensitive

Author: hmac

ruby/ql/lib/codeql/ruby/ast/internal/Constant.qll

@@ -36,7 +36,7 @@ private import ExprNodes
  * constant value in some cases.
  */
 private module Propagation {
-  private ExprCfgNode getSource(VariableReadAccessCfgNode read) {
+  ExprCfgNode getSource(VariableReadAccessCfgNode read) {
     exists(Ssa::WriteDefinition def |
       def.assigns(result) and
       read = def.getARead()
@@ -509,3 +509,53 @@ private module Cached {
 }
 
 import Cached
+
+/**
+ * Holds if the control flow node `e` refers to an array constructed from the
+ * array literal `arr`.
+ * Example:
+ * ```rb
+ * [1, 2, 3]
+ * C = [1, 2, 3]; C
+ * x = [1, 2, 3]; x
+ * ```
+ */
+predicate isArrayConstant(ExprCfgNode e, ArrayLiteralCfgNode arr) {
+  // [...]
+  e = arr
+  or
+  // e = [...]; e
+  isArrayConstant(getSource(e), arr)
+  or
+  isArrayExpr(e.getExpr(), arr)
+}
+
+/**
+ * Holds if the expression `e` refers to an array constructed from the array literal `arr`.
+ */
+private predicate isArrayExpr(Expr e, ArrayLiteralCfgNode arr) {
+  // e = [...]
+  e = arr.getExpr()
+  or
+  // Like above, but handles the desugaring of array literals to Array.[] calls.
+  e.getDesugared() = arr.getExpr()
+  or
+  // A = [...]; A
+  // A = a; A
+  isArrayExpr(e.(ConstantReadAccess).getValue(), arr)
+  or
+  // Recurse via CFG nodes. Necessary for example in:
+  // a = [...]
+  // A = a
+  // A
+  //
+  // We map from A to a via ConstantReadAccess::getValue, yielding the Expr a.
+  // To get to [...] we need to go via getSource(ExprCfgNode e), so we find a
+  // CFG node for a and call `isArrayConstant`.
+  //
+  // The use of `forex` is intended to ensure that a is an array constant in all
+  // control flow paths.
+  // Note(hmac): I don't think this is necessary, as `getSource` will not return
+  // results if the source is a phi node.
+  forex(ExprCfgNode n | n = e.getAControlFlowNode() | isArrayConstant(n, arr))
+}

ruby/ql/lib/codeql/ruby/controlflow/CfgNodes.qll

@@ -374,6 +374,9 @@ module ExprNodes {
     MethodCallCfgNode() { super.getExpr() instanceof MethodCall }
 
     override MethodCall getExpr() { result = super.getExpr() }
+
+    /** Gets the name of this method call. */
+    string getMethodName() { result = this.getExpr().getMethodName() }
   }
 
   private class CaseExprChildMapping extends ExprChildMapping, CaseExpr {

ruby/ql/lib/codeql/ruby/dataflow/BarrierGuards.qll

@@ -3,6 +3,10 @@
 private import ruby
 private import codeql.ruby.DataFlow
 private import codeql.ruby.CFG
+private import codeql.ruby.controlflow.CfgNodes
+private import codeql.ruby.dataflow.SSA
+private import codeql.ruby.ast.internal.Constant
+private import codeql.ruby.InclusionTests
 
 private predicate stringConstCompare(CfgNodes::ExprCfgNode g, CfgNode e, boolean branch) {
   exists(CfgNodes::ExprNodes::ComparisonOperationCfgNode c |
@@ -61,35 +65,27 @@ deprecated class StringConstCompare extends DataFlow::BarrierGuard,
   // The value of the condition that results in the node being validated.
   private boolean checkedBranch;
 
-  StringConstCompare() {
-    exists(CfgNodes::ExprNodes::StringLiteralCfgNode strLitNode |
-      this.getExpr() instanceof EqExpr and checkedBranch = true
-      or
-      this.getExpr() instanceof CaseEqExpr and checkedBranch = true
-      or
-      this.getExpr() instanceof NEExpr and checkedBranch = false
-    |
-      this.getLeftOperand() = strLitNode and this.getRightOperand() = checkedNode
-      or
-      this.getLeftOperand() = checkedNode and this.getRightOperand() = strLitNode
-    )
-  }
+  StringConstCompare() { stringConstCompare(this, checkedNode, checkedBranch) }
 
   override predicate checks(CfgNode expr, boolean branch) {
     expr = checkedNode and branch = checkedBranch
   }
 }
 
 private predicate stringConstArrayInclusionCall(CfgNodes::ExprCfgNode g, CfgNode e, boolean branch) {
-  exists(CfgNodes::ExprNodes::MethodCallCfgNode mc, ArrayLiteral aLit |
-    mc = g and
-    mc.getExpr().getMethodName() = "include?" and
-    [mc.getExpr().getReceiver(), mc.getExpr().getReceiver().(ConstantReadAccess).getValue()] = aLit
+  exists(InclusionTest t |
+    t.asExpr() = g and
+    e = t.getContainedNode().asExpr() and
+    branch = t.getPolarity()
   |
-    forall(Expr elem | elem = aLit.getAnElement() | elem instanceof StringLiteral) and
-    mc.getArgument(0) = e
-  ) and
-  branch = true
+    exists(ExprNodes::ArrayLiteralCfgNode arr |
+      isArrayConstant(t.getContainerNode().asExpr(), arr)
+    |
+      forall(ExprCfgNode elem | elem = arr.getAnArgument() |
+        elem instanceof ExprNodes::StringLiteralCfgNode
+      )
+    )
+  )
 }
 
 /**
@@ -132,16 +128,7 @@ deprecated class StringConstArrayInclusionCall extends DataFlow::BarrierGuard,
   CfgNodes::ExprNodes::MethodCallCfgNode {
   private CfgNode checkedNode;
 
-  StringConstArrayInclusionCall() {
-    exists(ArrayLiteral aLit |
-      this.getExpr().getMethodName() = "include?" and
-      [this.getExpr().getReceiver(), this.getExpr().getReceiver().(ConstantReadAccess).getValue()] =
-        aLit
-    |
-      forall(Expr elem | elem = aLit.getAnElement() | elem instanceof StringLiteral) and
-      this.getArgument(0) = checkedNode
-    )
-  }
+  StringConstArrayInclusionCall() { stringConstArrayInclusionCall(this, checkedNode, true) }
 
   override predicate checks(CfgNode expr, boolean branch) { expr = checkedNode and branch = true }
 }

ruby/ql/test/library-tests/ast/Ast.expected

@@ -1556,6 +1556,35 @@ constants/constants.rb:
 #   73|       getAnOperand/getLeftOperand: [ClassVariableAccess] @@fourty_six
 #   73|       getAnOperand/getRightOperand: [ConstantReadAccess] FOURTY_SIX
 #   73|         getScopeExpr: [ConstantReadAccess] Mod3
+#   78|   getStmt: [AssignExpr] ... = ...
+#   78|     getAnOperand/getLeftOperand: [LocalVariableAccess] a
+#   78|     getAnOperand/getRightOperand: [ArrayLiteral] [...]
+#   78|       getElement: [IntegerLiteral] 1
+#   78|       getElement: [IntegerLiteral] 2
+#   78|       getElement: [IntegerLiteral] 3
+#   79|   getStmt: [AssignExpr] ... = ...
+#   79|     getAnOperand/getLeftOperand: [ConstantAssignment] A
+#   79|     getAnOperand/getRightOperand: [ArrayLiteral] [...]
+#   79|       getElement: [IntegerLiteral] 1
+#   79|       getElement: [IntegerLiteral] 2
+#   79|       getElement: [IntegerLiteral] 3
+#   80|   getStmt: [AssignExpr] ... = ...
+#   80|     getAnOperand/getLeftOperand: [ConstantAssignment] B
+#   80|     getAnOperand/getRightOperand: [LocalVariableAccess] a
+#   81|   getStmt: [AssignExpr] ... = ...
+#   81|     getAnOperand/getLeftOperand: [ConstantAssignment] C
+#   81|     getAnOperand/getRightOperand: [ConstantReadAccess] A
+#   82|   getStmt: [AssignExpr] ... = ...
+#   82|     getAnOperand/getLeftOperand: [LocalVariableAccess] b
+#   82|     getAnOperand/getRightOperand: [ConstantReadAccess] B
+#   84|   getStmt: [IfExpr] if ...
+#   84|     getCondition: [MethodCall] call to condition
+#   84|       getReceiver: [SelfVariableAccess] self
+#   84|     getBranch/getThen: [StmtSequence] then ...
+#   85|       getStmt: [AssignExpr] ... = ...
+#   85|         getAnOperand/getLeftOperand: [LocalVariableAccess] c
+#   85|         getAnOperand/getRightOperand: [LocalVariableAccess] b
+#   87|   getStmt: [LocalVariableAccess] c
 escape_sequences/escapes.rb:
 #    1| [Toplevel] escapes.rb
 #    6|   getStmt: [StringLiteral] "\'"

ruby/ql/test/library-tests/ast/AstDesugar.expected

@@ -336,6 +336,18 @@ constants/constants.rb:
 #   20|       getComponent: [StringTextComponent] Chuck
 #   20|     getArgument: [StringLiteral] "Dave"
 #   20|       getComponent: [StringTextComponent] Dave
+#   78| [ArrayLiteral] [...]
+#   78|   getDesugared: [MethodCall] call to []
+#   78|     getReceiver: [ConstantReadAccess] Array
+#   78|     getArgument: [IntegerLiteral] 1
+#   78|     getArgument: [IntegerLiteral] 2
+#   78|     getArgument: [IntegerLiteral] 3
+#   79| [ArrayLiteral] [...]
+#   79|   getDesugared: [MethodCall] call to []
+#   79|     getReceiver: [ConstantReadAccess] Array
+#   79|     getArgument: [IntegerLiteral] 1
+#   79|     getArgument: [IntegerLiteral] 2
+#   79|     getArgument: [IntegerLiteral] 3
 escape_sequences/escapes.rb:
 #   58| [ArrayLiteral] %w(...)
 #   58|   getDesugared: [MethodCall] call to []

ruby/ql/test/library-tests/ast/TreeSitter.expected

@@ -1656,10 +1656,56 @@ constants/constants.rb:
 #   73|         1: [ReservedWord] ::
 #   73|         2: [Constant] FOURTY_SIX
 #   74|     5: [ReservedWord] end
+#   78|   13: [Assignment] Assignment
+#   78|     0: [Identifier] a
+#   78|     1: [ReservedWord] =
+#   78|     2: [Array] Array
+#   78|       0: [ReservedWord] [
+#   78|       1: [Integer] 1
+#   78|       2: [ReservedWord] ,
+#   78|       3: [Integer] 2
+#   78|       4: [ReservedWord] ,
+#   78|       5: [Integer] 3
+#   78|       6: [ReservedWord] ]
+#   79|   14: [Assignment] Assignment
+#   79|     0: [Constant] A
+#   79|     1: [ReservedWord] =
+#   79|     2: [Array] Array
+#   79|       0: [ReservedWord] [
+#   79|       1: [Integer] 1
+#   79|       2: [ReservedWord] ,
+#   79|       3: [Integer] 2
+#   79|       4: [ReservedWord] ,
+#   79|       5: [Integer] 3
+#   79|       6: [ReservedWord] ]
+#   80|   15: [Assignment] Assignment
+#   80|     0: [Constant] B
+#   80|     1: [ReservedWord] =
+#   80|     2: [Identifier] a
+#   81|   16: [Assignment] Assignment
+#   81|     0: [Constant] C
+#   81|     1: [ReservedWord] =
+#   81|     2: [Constant] A
+#   82|   17: [Assignment] Assignment
+#   82|     0: [Identifier] b
+#   82|     1: [ReservedWord] =
+#   82|     2: [Constant] B
+#   84|   18: [If] If
+#   84|     0: [ReservedWord] if
+#   84|     1: [Identifier] condition
+#   84|     2: [Then] Then
+#   85|       0: [Assignment] Assignment
+#   85|         0: [Identifier] c
+#   85|         1: [ReservedWord] =
+#   85|         2: [Identifier] b
+#   86|     3: [ReservedWord] end
+#   87|   19: [Identifier] c
 #   26| [Comment] # A call to Kernel::Array; despite beginning with an upper-case character,
 #   27| [Comment] # we don't consider this to be a constant access.
 #   55| [Comment] # refers to ::ModuleA::FOURTY_FOUR
 #   57| [Comment] # refers to ::ModuleA::ModuleB::ClassB::FOURTY_FOUR
+#   76| [Comment] # Array constants
+#   87| [Comment] # not recognised
 control/cases.rb:
 #    1| [Program] Program
 #    2|   0: [Assignment] Assignment

ruby/ql/test/library-tests/ast/ValueText.expected

@@ -109,6 +109,12 @@ exprValue
 | constants/constants.rb:63:19:63:20 | 45 | 45 | int |
 | constants/constants.rb:65:19:65:35 | FOURTY_FIVE | 45 | int |
 | constants/constants.rb:71:18:71:19 | 46 | 46 | int |
+| constants/constants.rb:78:6:78:6 | 1 | 1 | int |
+| constants/constants.rb:78:9:78:9 | 2 | 2 | int |
+| constants/constants.rb:78:12:78:12 | 3 | 3 | int |
+| constants/constants.rb:79:6:79:6 | 1 | 1 | int |
+| constants/constants.rb:79:9:79:9 | 2 | 2 | int |
+| constants/constants.rb:79:12:79:12 | 3 | 3 | int |
 | control/cases.rb:2:5:2:5 | 0 | 0 | int |
 | control/cases.rb:3:5:3:5 | 0 | 0 | int |
 | control/cases.rb:4:5:4:5 | 0 | 0 | int |
@@ -1004,6 +1010,12 @@ exprCfgNodeValue
 | constants/constants.rb:63:19:63:20 | 45 | 45 | int |
 | constants/constants.rb:65:19:65:35 | FOURTY_FIVE | 45 | int |
 | constants/constants.rb:71:18:71:19 | 46 | 46 | int |
+| constants/constants.rb:78:6:78:6 | 1 | 1 | int |
+| constants/constants.rb:78:9:78:9 | 2 | 2 | int |
+| constants/constants.rb:78:12:78:12 | 3 | 3 | int |
+| constants/constants.rb:79:6:79:6 | 1 | 1 | int |
+| constants/constants.rb:79:9:79:9 | 2 | 2 | int |
+| constants/constants.rb:79:12:79:12 | 3 | 3 | int |
 | control/cases.rb:2:5:2:5 | 0 | 0 | int |
 | control/cases.rb:3:5:3:5 | 0 | 0 | int |
 | control/cases.rb:4:5:4:5 | 0 | 0 | int |

ruby/ql/test/library-tests/ast/constants/constants.expected

@@ -61,6 +61,13 @@ constantAccess
 | constants.rb:71:5:71:14 | FOURTY_SIX | write | FOURTY_SIX | ConstantAssignment |
 | constants.rb:73:18:73:21 | Mod3 | read | Mod3 | ConstantReadAccess |
 | constants.rb:73:18:73:33 | FOURTY_SIX | read | FOURTY_SIX | ConstantReadAccess |
+| constants.rb:78:5:78:13 | Array | read | Array | ConstantReadAccess |
+| constants.rb:79:1:79:1 | A | write | A | ConstantAssignment |
+| constants.rb:79:5:79:13 | Array | read | Array | ConstantReadAccess |
+| constants.rb:80:1:80:1 | B | write | B | ConstantAssignment |
+| constants.rb:81:1:81:1 | C | write | C | ConstantAssignment |
+| constants.rb:81:5:81:5 | A | read | A | ConstantReadAccess |
+| constants.rb:82:5:82:5 | B | read | B | ConstantReadAccess |
 getConst
 | constants.rb:1:1:15:3 | ModuleA | CONST_B | constants.rb:6:15:6:23 | "const_b" |
 | constants.rb:1:1:15:3 | ModuleA | FOURTY_FOUR | constants.rb:53:17:53:29 | "fourty-four" |
@@ -71,23 +78,41 @@ getConst
 | constants.rb:54:3:58:5 | ModuleA::ModuleB::ClassB | FOURTY_ONE | constants.rb:48:18:48:19 | 41 |
 | constants.rb:62:3:64:5 | Mod1::Mod3 | FOURTY_FIVE | constants.rb:63:19:63:20 | 45 |
 | constants.rb:70:3:72:5 | Mod1::Mod3::Mod5 | FOURTY_SIX | constants.rb:71:18:71:19 | 46 |
+| file://:0:0:0:0 | Object | A | constants.rb:79:5:79:13 | [...] |
+| file://:0:0:0:0 | Object | B | constants.rb:80:5:80:5 | a |
+| file://:0:0:0:0 | Object | C | constants.rb:81:5:81:5 | A |
 | file://:0:0:0:0 | Object | GREETING | constants.rb:17:12:17:64 | ... + ... |
 lookupConst
 | constants.rb:1:1:15:3 | ModuleA | CONST_B | constants.rb:6:15:6:23 | "const_b" |
 | constants.rb:1:1:15:3 | ModuleA | FOURTY_FOUR | constants.rb:53:17:53:29 | "fourty-four" |
+| constants.rb:2:5:4:7 | ModuleA::ClassA | A | constants.rb:79:5:79:13 | [...] |
+| constants.rb:2:5:4:7 | ModuleA::ClassA | B | constants.rb:80:5:80:5 | a |
+| constants.rb:2:5:4:7 | ModuleA::ClassA | C | constants.rb:81:5:81:5 | A |
 | constants.rb:2:5:4:7 | ModuleA::ClassA | CONST_A | constants.rb:3:19:3:27 | "const_a" |
 | constants.rb:2:5:4:7 | ModuleA::ClassA | GREETING | constants.rb:17:12:17:64 | ... + ... |
 | constants.rb:8:5:14:7 | ModuleA::ModuleB | MAX_SIZE | constants.rb:39:30:39:33 | 1024 |
+| constants.rb:12:9:13:11 | ModuleA::ModuleB::ClassC | A | constants.rb:79:5:79:13 | [...] |
+| constants.rb:12:9:13:11 | ModuleA::ModuleB::ClassC | B | constants.rb:80:5:80:5 | a |
+| constants.rb:12:9:13:11 | ModuleA::ModuleB::ClassC | C | constants.rb:81:5:81:5 | A |
 | constants.rb:12:9:13:11 | ModuleA::ModuleB::ClassC | GREETING | constants.rb:17:12:17:64 | ... + ... |
+| constants.rb:31:1:33:3 | ModuleA::ClassD | A | constants.rb:79:5:79:13 | [...] |
+| constants.rb:31:1:33:3 | ModuleA::ClassD | B | constants.rb:80:5:80:5 | a |
+| constants.rb:31:1:33:3 | ModuleA::ClassD | C | constants.rb:81:5:81:5 | A |
 | constants.rb:31:1:33:3 | ModuleA::ClassD | CONST_A | constants.rb:3:19:3:27 | "const_a" |
 | constants.rb:31:1:33:3 | ModuleA::ClassD | FOURTY_TWO | constants.rb:32:16:32:17 | 42 |
 | constants.rb:31:1:33:3 | ModuleA::ClassD | GREETING | constants.rb:17:12:17:64 | ... + ... |
 | constants.rb:35:1:37:3 | ModuleA::ModuleC | FOURTY_THREE | constants.rb:36:18:36:19 | 43 |
+| constants.rb:54:3:58:5 | ModuleA::ModuleB::ClassB | A | constants.rb:79:5:79:13 | [...] |
+| constants.rb:54:3:58:5 | ModuleA::ModuleB::ClassB | B | constants.rb:80:5:80:5 | a |
+| constants.rb:54:3:58:5 | ModuleA::ModuleB::ClassB | C | constants.rb:81:5:81:5 | A |
 | constants.rb:54:3:58:5 | ModuleA::ModuleB::ClassB | FOURTY_FOUR | constants.rb:56:19:56:20 | 44 |
 | constants.rb:54:3:58:5 | ModuleA::ModuleB::ClassB | FOURTY_ONE | constants.rb:48:18:48:19 | 41 |
 | constants.rb:54:3:58:5 | ModuleA::ModuleB::ClassB | GREETING | constants.rb:17:12:17:64 | ... + ... |
 | constants.rb:62:3:64:5 | Mod1::Mod3 | FOURTY_FIVE | constants.rb:63:19:63:20 | 45 |
 | constants.rb:70:3:72:5 | Mod1::Mod3::Mod5 | FOURTY_SIX | constants.rb:71:18:71:19 | 46 |
+| file://:0:0:0:0 | Object | A | constants.rb:79:5:79:13 | [...] |
+| file://:0:0:0:0 | Object | B | constants.rb:80:5:80:5 | a |
+| file://:0:0:0:0 | Object | C | constants.rb:81:5:81:5 | A |
 | file://:0:0:0:0 | Object | GREETING | constants.rb:17:12:17:64 | ... + ... |
 constantValue
 | constants.rb:17:22:17:45 | CONST_A | constants.rb:3:19:3:27 | "const_a" |
@@ -101,6 +126,8 @@ constantValue
 | constants.rb:57:21:57:31 | FOURTY_FOUR | constants.rb:53:17:53:29 | "fourty-four" |
 | constants.rb:57:21:57:31 | FOURTY_FOUR | constants.rb:56:19:56:20 | 44 |
 | constants.rb:65:19:65:35 | FOURTY_FIVE | constants.rb:63:19:63:20 | 45 |
+| constants.rb:81:5:81:5 | A | constants.rb:79:5:79:13 | [...] |
+| constants.rb:82:5:82:5 | B | constants.rb:80:5:80:5 | a |
 constantWriteAccessQualifiedName
 | constants.rb:1:1:15:3 | ModuleA | ModuleA |
 | constants.rb:2:5:4:7 | ClassA | ModuleA::ClassA |
@@ -133,3 +160,14 @@ constantWriteAccessQualifiedName
 | constants.rb:70:3:72:5 | Mod5 | Mod3::Mod5 |
 | constants.rb:71:5:71:14 | FOURTY_SIX | Mod1::Mod3::Mod5::FOURTY_SIX |
 | constants.rb:71:5:71:14 | FOURTY_SIX | Mod3::Mod5::FOURTY_SIX |
+| constants.rb:79:1:79:1 | A | A |
+| constants.rb:80:1:80:1 | B | B |
+| constants.rb:81:1:81:1 | C | C |
+arrayConstant
+| constants.rb:20:13:20:37 | call to [] | constants.rb:20:13:20:37 | call to [] |
+| constants.rb:78:5:78:13 | call to [] | constants.rb:78:5:78:13 | call to [] |
+| constants.rb:79:5:79:13 | call to [] | constants.rb:79:5:79:13 | call to [] |
+| constants.rb:80:5:80:5 | a | constants.rb:78:5:78:13 | call to [] |
+| constants.rb:81:5:81:5 | A | constants.rb:79:5:79:13 | call to [] |
+| constants.rb:82:5:82:5 | B | constants.rb:78:5:78:13 | call to [] |
+| constants.rb:85:7:85:7 | b | constants.rb:78:5:78:13 | call to [] |

ruby/ql/test/library-tests/ast/constants/constants.ql

@@ -1,5 +1,6 @@
 import ruby
 import codeql.ruby.ast.internal.Module as M
+import codeql.ruby.ast.internal.Constant
 
 query predicate constantAccess(ConstantAccess a, string kind, string name, string cls) {
   (
@@ -20,3 +21,5 @@ query predicate constantValue(ConstantReadAccess a, Expr e) { e = a.getValue() }
 query predicate constantWriteAccessQualifiedName(ConstantWriteAccess w, string qualifiedName) {
   w.getAQualifiedName() = qualifiedName
 }
+
+query predicate arrayConstant = isArrayConstant/2;

ruby/ql/test/library-tests/ast/constants/constants.rb

@@ -72,3 +72,16 @@ module Mod3::Mod5
   end
   @@fourty_six = Mod3::FOURTY_SIX
 end
+
+# Array constants
+
+a = [1, 2, 3]
+A = [1, 2, 3]
+B = a
+C = A
+b = B
+
+if condition
+  c = b
+end
+c # not recognised