Merge pull request #10673 from github/nickrolfe/no_abstract

Ruby: remove public abstract classes for Action{View,Controller}

Author: nickrolfe

ruby/ql/lib/change-notes/2022-10-04-actionview-controller-renames.md

@@ -0,0 +1,11 @@
+---
+category: minorAnalysis
+---
+* The following classes have been moved from `codeql.ruby.frameworks.ActionController` to `codeql.ruby.frameworks.Rails`:
+    * `ParamsCall`, now accessed as `Rails::ParamsCall`.
+    * `CookieCall`, now accessed as `Rails::CookieCall`.
+* The following classes have been moved from `codeql.ruby.frameworks.ActionView` to `codeql.ruby.frameworks.Rails`:
+    * `HtmlSafeCall`, now accessed as `Rails::HtmlSafeCall`.
+    * `HtmlEscapeCall`, now accessed as `Rails::HtmlEscapeCall`.
+    * `RenderCall`, now accessed as `Rails::RenderCall`.
+    * `RenderToCall`, now accessed as `Rails::RenderToCall`.

ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll

@@ -8,8 +8,20 @@ private import codeql.ruby.controlflow.CfgNodes
 private import codeql.ruby.DataFlow
 private import codeql.ruby.dataflow.RemoteFlowSources
 private import codeql.ruby.ApiGraphs
-private import codeql.ruby.frameworks.ActionView
 private import codeql.ruby.frameworks.ActionDispatch
+private import codeql.ruby.frameworks.ActionView
+private import codeql.ruby.frameworks.Rails
+private import codeql.ruby.frameworks.internal.Rails
+
+/**
+ * DEPRECATED: Import `codeql.ruby.frameworks.Rails` and use `Rails::ParamsCall` instead.
+ */
+deprecated class ParamsCall = Rails::ParamsCall;
+
+/**
+ * DEPRECATED: Import `codeql.ruby.frameworks.Rails` and use `Rails::CookiesCall` instead.
+ */
+deprecated class CookiesCall = Rails::CookiesCall;
 
 /**
  * A `ClassDeclaration` for a class that extends `ActionController::Base`.
@@ -72,7 +84,7 @@ class ActionControllerActionMethod extends Method, Http::Server::RequestHandler:
   override string getFramework() { result = "ActionController" }
 
   /** Gets a call to render from within this method. */
-  RenderCall getARenderCall() { result.getParent+() = this }
+  Rails::RenderCall getARenderCall() { result.getParent+() = this }
 
   /**
    * Gets the controller class containing this method.
@@ -119,62 +131,59 @@ private class ActionControllerContextCall extends MethodCall {
   ActionControllerControllerClass getControllerClass() { result = controllerClass }
 }
 
-/**
- * A call to the `params` method to fetch the request parameters.
- */
-abstract class ParamsCall extends MethodCall {
-  ParamsCall() { this.getMethodName() = "params" }
-}
-
 /**
  * A `RemoteFlowSource::Range` to represent accessing the
  * ActionController parameters available via the `params` method.
  */
 class ParamsSource extends Http::Server::RequestInputAccess::Range {
-  ParamsSource() { this.asExpr().getExpr() instanceof ParamsCall }
+  ParamsSource() { this.asExpr().getExpr() instanceof Rails::ParamsCall }
 
   override string getSourceType() { result = "ActionController::Metal#params" }
 }
 
-/**
- * A call to the `cookies` method to fetch the request parameters.
- */
-abstract class CookiesCall extends MethodCall {
-  CookiesCall() { this.getMethodName() = "cookies" }
-}
-
 /**
  * A `RemoteFlowSource::Range` to represent accessing the
  * ActionController parameters available via the `cookies` method.
  */
 class CookiesSource extends Http::Server::RequestInputAccess::Range {
-  CookiesSource() { this.asExpr().getExpr() instanceof CookiesCall }
+  CookiesSource() { this.asExpr().getExpr() instanceof Rails::CookiesCall }
 
   override string getSourceType() { result = "ActionController::Metal#cookies" }
 }
 
 /** A call to `cookies` from within a controller. */
-private class ActionControllerCookiesCall extends ActionControllerContextCall, CookiesCall { }
+private class ActionControllerCookiesCall extends ActionControllerContextCall, CookiesCallImpl {
+  ActionControllerCookiesCall() { this.getMethodName() = "cookies" }
+}
 
 /** A call to `params` from within a controller. */
-private class ActionControllerParamsCall extends ActionControllerContextCall, ParamsCall { }
+private class ActionControllerParamsCall extends ActionControllerContextCall, ParamsCallImpl {
+  ActionControllerParamsCall() { this.getMethodName() = "params" }
+}
 
 /** A call to `render` from within a controller. */
-private class ActionControllerRenderCall extends ActionControllerContextCall, RenderCall { }
+private class ActionControllerRenderCall extends ActionControllerContextCall, RenderCallImpl {
+  ActionControllerRenderCall() { this.getMethodName() = "render" }
+}
 
 /** A call to `render_to` from within a controller. */
-private class ActionControllerRenderToCall extends ActionControllerContextCall, RenderToCall { }
+private class ActionControllerRenderToCall extends ActionControllerContextCall, RenderToCallImpl {
+  ActionControllerRenderToCall() { this.getMethodName() = ["render_to_body", "render_to_string"] }
+}
 
 /** A call to `html_safe` from within a controller. */
-private class ActionControllerHtmlSafeCall extends HtmlSafeCall {
+private class ActionControllerHtmlSafeCall extends HtmlSafeCallImpl {
   ActionControllerHtmlSafeCall() {
+    this.getMethodName() = "html_safe" and
     this.getEnclosingModule() instanceof ActionControllerControllerClass
   }
 }
 
 /** A call to `html_escape` from within a controller. */
-private class ActionControllerHtmlEscapeCall extends HtmlEscapeCall {
+private class ActionControllerHtmlEscapeCall extends HtmlEscapeCallImpl {
   ActionControllerHtmlEscapeCall() {
+    // "h" is aliased to "html_escape" in ActiveSupport
+    this.getMethodName() = ["html_escape", "html_escape_once", "h", "sanitize"] and
     this.getEnclosingModule() instanceof ActionControllerControllerClass
   }
 }
@@ -291,7 +300,7 @@ ActionControllerControllerClass getAssociatedControllerClass(ErbFile f) {
   // template file, `fp`. In this case, `f` inherits the associated
   // controller classes from `fp`.
   f.isPartial() and
-  exists(RenderCall r, ErbFile fp |
+  exists(Rails::RenderCall r, ErbFile fp |
     r.getLocation().getFile() = fp and
     r.getTemplateFile() = f and
     result = getAssociatedControllerClass(fp)