Ruby: Add Argument[foo:] syntax for keyword arguments

Author: asgerf

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll

@@ -257,6 +257,8 @@ private module Cached {
       name = any(KeywordParameter kp).getName()
       or
       exists(any(Call c).getKeywordArgument(name))
+      or
+      FlowSummaryImplSpecific::ParsePositions::isParsedKeywordParameterPosition(_, name)
     }
 
   cached
@@ -270,7 +272,11 @@ private module Cached {
       or
       FlowSummaryImplSpecific::ParsePositions::isParsedArgumentPosition(_, pos)
     } or
-    TKeywordParameterPosition(string name) { name = any(KeywordParameter kp).getName() }
+    TKeywordParameterPosition(string name) {
+      name = any(KeywordParameter kp).getName()
+      or
+      FlowSummaryImplSpecific::ParsePositions::isParsedKeywordArgumentPosition(_, name)
+    }
 }
 
 import Cached

ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImplSpecific.qll

@@ -166,6 +166,16 @@ module ParsePositions {
     isArgBody(c) and
     i = AccessPath::parseInt(c)
   }
+
+  predicate isParsedKeywordParameterPosition(string c, string paramName) {
+    isParamBody(c) and
+    c = paramName + ":"
+  }
+
+  predicate isParsedKeywordArgumentPosition(string c, string paramName) {
+    isArgBody(c) and
+    c = paramName + ":"
+  }
 }
 
 /** Gets the argument position obtained by parsing `X` in `Parameter[X]`. */
@@ -175,6 +185,11 @@ ArgumentPosition parseParamBody(string s) {
     result.isPositional(i)
   )
   or
+  exists(string name |
+    ParsePositions::isParsedKeywordParameterPosition(s, name) and
+    result.isKeyword(name)
+  )
+  or
   s = "self" and
   result.isSelf()
   or
@@ -189,6 +204,11 @@ ParameterPosition parseArgBody(string s) {
     result.isPositional(i)
   )
   or
+  exists(string name |
+    ParsePositions::isParsedKeywordArgumentPosition(s, name) and
+    result.isKeyword(name)
+  )
+  or
   s = "self" and
   result.isSelf()
   or

ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModelsSpecific.qll

@@ -176,5 +176,9 @@ predicate isExtraValidTokenArgumentInIdentifyingAccessPath(string name, string a
   exists(argument)
   or
   name = ["Argument", "Parameter"] and
-  argument = ["self", "block"]
+  (
+    argument = ["self", "block"]
+    or
+    argument.regexpMatch("\\w+:") // keyword argument
+  )
 }

ruby/ql/test/library-tests/dataflow/summaries/Summaries.expected

@@ -10,6 +10,8 @@ edges
 | summaries.rb:1:11:1:26 | call to identity :  | summaries.rb:35:16:35:22 | tainted |
 | summaries.rb:1:11:1:26 | call to identity :  | summaries.rb:36:21:36:27 | tainted |
 | summaries.rb:1:11:1:26 | call to identity :  | summaries.rb:37:36:37:42 | tainted |
+| summaries.rb:1:11:1:26 | call to identity :  | summaries.rb:51:24:51:30 | tainted :  |
+| summaries.rb:1:11:1:26 | call to identity :  | summaries.rb:54:23:54:29 | tainted :  |
 | summaries.rb:1:20:1:26 | "taint" :  | summaries.rb:1:11:1:26 | call to identity :  |
 | summaries.rb:4:12:7:3 | call to apply_block :  | summaries.rb:9:6:9:13 | tainted2 |
 | summaries.rb:4:24:4:30 | tainted :  | summaries.rb:4:12:7:3 | call to apply_block :  |
@@ -32,6 +34,11 @@ edges
 | summaries.rb:42:24:42:24 | t :  | summaries.rb:42:8:42:25 | call to matchedByName |
 | summaries.rb:44:8:44:8 | t :  | summaries.rb:44:8:44:27 | call to matchedByNameRcv |
 | summaries.rb:48:24:48:30 | "taint" :  | summaries.rb:48:8:48:31 | call to preserveTaint |
+| summaries.rb:51:24:51:30 | tainted :  | summaries.rb:51:6:51:31 | call to namedArg |
+| summaries.rb:54:23:54:29 | tainted :  | summaries.rb:54:40:54:40 | x :  |
+| summaries.rb:54:40:54:40 | x :  | summaries.rb:55:8:55:8 | x |
+| summaries.rb:62:24:62:30 | "taint" :  | summaries.rb:62:8:62:31 | call to preserveTaint |
+| summaries.rb:65:26:65:32 | "taint" :  | summaries.rb:65:8:65:33 | call to preserveTaint |
 nodes
 | summaries.rb:1:11:1:26 | call to identity :  | semmle.label | call to identity :  |
 | summaries.rb:1:20:1:26 | "taint" :  | semmle.label | "taint" :  |
@@ -69,6 +76,15 @@ nodes
 | summaries.rb:44:8:44:27 | call to matchedByNameRcv | semmle.label | call to matchedByNameRcv |
 | summaries.rb:48:8:48:31 | call to preserveTaint | semmle.label | call to preserveTaint |
 | summaries.rb:48:24:48:30 | "taint" :  | semmle.label | "taint" :  |
+| summaries.rb:51:6:51:31 | call to namedArg | semmle.label | call to namedArg |
+| summaries.rb:51:24:51:30 | tainted :  | semmle.label | tainted :  |
+| summaries.rb:54:23:54:29 | tainted :  | semmle.label | tainted :  |
+| summaries.rb:54:40:54:40 | x :  | semmle.label | x :  |
+| summaries.rb:55:8:55:8 | x | semmle.label | x |
+| summaries.rb:62:8:62:31 | call to preserveTaint | semmle.label | call to preserveTaint |
+| summaries.rb:62:24:62:30 | "taint" :  | semmle.label | "taint" :  |
+| summaries.rb:65:8:65:33 | call to preserveTaint | semmle.label | call to preserveTaint |
+| summaries.rb:65:26:65:32 | "taint" :  | semmle.label | "taint" :  |
 subpaths
 invalidSpecComponent
 invalidOutputSpecComponent
@@ -90,6 +106,10 @@ invalidOutputSpecComponent
 | summaries.rb:42:8:42:25 | call to matchedByName | summaries.rb:40:7:40:13 | "taint" :  | summaries.rb:42:8:42:25 | call to matchedByName | $@ | summaries.rb:40:7:40:13 | "taint" :  | "taint" :  |
 | summaries.rb:44:8:44:27 | call to matchedByNameRcv | summaries.rb:40:7:40:13 | "taint" :  | summaries.rb:44:8:44:27 | call to matchedByNameRcv | $@ | summaries.rb:40:7:40:13 | "taint" :  | "taint" :  |
 | summaries.rb:48:8:48:31 | call to preserveTaint | summaries.rb:48:24:48:30 | "taint" :  | summaries.rb:48:8:48:31 | call to preserveTaint | $@ | summaries.rb:48:24:48:30 | "taint" :  | "taint" :  |
+| summaries.rb:51:6:51:31 | call to namedArg | summaries.rb:1:20:1:26 | "taint" :  | summaries.rb:51:6:51:31 | call to namedArg | $@ | summaries.rb:1:20:1:26 | "taint" :  | "taint" :  |
+| summaries.rb:55:8:55:8 | x | summaries.rb:1:20:1:26 | "taint" :  | summaries.rb:55:8:55:8 | x | $@ | summaries.rb:1:20:1:26 | "taint" :  | "taint" :  |
+| summaries.rb:62:8:62:31 | call to preserveTaint | summaries.rb:62:24:62:30 | "taint" :  | summaries.rb:62:8:62:31 | call to preserveTaint | $@ | summaries.rb:62:24:62:30 | "taint" :  | "taint" :  |
+| summaries.rb:65:8:65:33 | call to preserveTaint | summaries.rb:65:26:65:32 | "taint" :  | summaries.rb:65:8:65:33 | call to preserveTaint | $@ | summaries.rb:65:26:65:32 | "taint" :  | "taint" :  |
 warning
 | CSV type row should have 5 columns but has 2: test;TooFewColumns |
 | CSV type row should have 5 columns but has 8: test;TooManyColumns;;;Member[Foo].Instance;too;many;columns |

ruby/ql/test/library-tests/dataflow/summaries/Summaries.ql

@@ -76,6 +76,11 @@ private class StepsFromModel extends ModelInput::SummaryModelCsv {
         ";;Member[Foo].Method[onlyWithoutBlock].WithoutBlock;Argument[0];ReturnValue;taint",
         ";;Member[Foo].Method[onlyWithBlock].WithBlock;Argument[0];ReturnValue;taint",
         ";;Member[Foo].Method[blockArg].Argument[block].Parameter[0].Method[preserveTaint];Argument[0];ReturnValue;taint",
+        ";;Member[Foo].Method[namedArg];Argument[foo:];ReturnValue;taint",
+        ";;Member[Foo].Method[intoNamedCallback];Argument[0];Argument[foo:].Parameter[0];taint",
+        ";;Member[Foo].Method[intoNamedParameter];Argument[0];Argument[0].Parameter[foo:];taint",
+        ";;Member[Foo].Method[startInNamedCallback].Argument[foo:].Parameter[0].Method[preserveTaint];Argument[0];ReturnValue;taint",
+        ";;Member[Foo].Method[startInNamedParameter].Argument[0].Parameter[foo:].Method[preserveTaint];Argument[0];ReturnValue;taint",
         ";any;Method[matchedByName];Argument[0];ReturnValue;taint",
         ";any;Method[matchedByNameRcv];Argument[self];ReturnValue;taint",
       ]

ruby/ql/test/library-tests/dataflow/summaries/summaries.rb

@@ -47,3 +47,20 @@ def userDefinedFunction(x, y)
 Foo.blockArg do |x|
   sink(x.preserveTaint("taint"))
 end
+
+sink(Foo.namedArg(foo: tainted))
+sink(Foo.namedArg(tainted))
+
+Foo.intoNamedCallback(tainted, foo: ->(x) {
+  sink(x)
+})
+Foo.intoNamedParameter(tainted, ->(foo:) {
+  sink(foo)
+})
+
+Foo.startInNamedCallback(foo: ->(x) {
+  sink(x.preserveTaint("taint"))
+})
+Foo.startInNamedParameter(->(foo:) {
+  sink(foo.preserveTaint("taint"))
+})