Ruby: Fix bug with String flow summaries

hmac · hmac · commit f07ae35b8727 · 2022-02-22T16:41:16.000+13:00
Split summaries for methods with optional block parmaters into separate
classes. Also model the `exclusive` argument to `String#upto`.
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/core/String.qll b/ruby/ql/lib/codeql/ruby/frameworks/core/String.qll
@@ -224,26 +224,40 @@ module String {
 
   /**
    * A flow summary for `String#each_line` and `String#lines`.
+   * This is split into two summaries below - one for when a block is passed and one for when no block is passed.
    */
-  private class EachLineSummary extends SummarizedCallable {
+  abstract private class EachLineSummary extends SummarizedCallable {
     MethodCall mc;
 
-    EachLineSummary() { this = ["each_line", "lines"] and mc.getMethodName() = this }
+    bindingset[this]
+    EachLineSummary() { mc.getMethodName() = ["each_line", "lines"] }
 
     override MethodCall getACall() { result = mc }
+  }
 
-    predicate hasBlock() { exists(Block b | b = mc.getBlock()) }
+  /**
+   * A flow summary for `String#each_line` and `String#lines` when a block is passed.
+   */
+  private class EachLineBlockSummary extends EachLineSummary {
+    EachLineBlockSummary() { this = "each_line_with_block" and exists(mc.getBlock()) }
 
     override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
       preservesValue = false and
       input = "Receiver" and
-      (
-        output = "Parameter[0] of BlockArgument"
-        or
-        not this.hasBlock() and output = "ArrayElement[?] of ReturnValue"
-        or
-        this.hasBlock() and output = "ReturnValue"
-      )
+      output = ["Parameter[0] of BlockArgument", "ReturnValue"]
+    }
+  }
+
+  /**
+   * A flow summary for `String#each_line` and `String#lines` when no block is passed.
+   */
+  private class EachLineNoBlockSummary extends EachLineSummary {
+    EachLineNoBlockSummary() { this = "each_line_without_block" and not exists(mc.getBlock()) }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      preservesValue = false and
+      input = "Receiver" and
+      output = ["Parameter[0] of BlockArgument", "ArrayElement[?] of ReturnValue"]
     }
   }
 
@@ -399,45 +413,61 @@ module String {
   /**
    * A flow summary for `String#scan`.
    */
-  private class ScanSummary extends SummarizedCallable {
-    private MethodCall mc;
+  abstract private class ScanSummary extends SummarizedCallable {
+    MethodCall mc;
 
-    ScanSummary() { this = "scan" and mc.getMethodName() = this }
+    bindingset[this]
+    ScanSummary() { mc.getMethodName() = "scan" }
 
     override MethodCall getACall() { result = mc }
+  }
 
-    private predicate hasBlock() { exists(Block b | b = mc.getBlock()) }
+  private class ScanBlockSummary extends ScanSummary {
+    ScanBlockSummary() { this = "scan_with_block" and exists(mc.getBlock()) }
 
     override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
       input = "Receiver" and
       (
-        // scan(pattern) {|match, ...| block } -> str
-        not this.hasBlock() and
-        output = "ArrayElement[?] of ReturnValue" and
-        preservesValue = false
-        or
         // Parameter[_] doesn't seem to work
         output = "Parameter[" + [0 .. 10] + "] of BlockArgument" and preservesValue = false
         or
         // scan(pattern) -> array
-        this.hasBlock() and
         output = "ReturnValue" and
         preservesValue = true
       )
     }
   }
 
+  private class ScanNoBlockSummary extends ScanSummary {
+    ScanNoBlockSummary() { this = "scan_no_block" and not exists(mc.getBlock()) }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Receiver" and
+      (
+        // scan(pattern) {|match, ...| block } -> str
+        output = "ArrayElement[?] of ReturnValue" and
+        preservesValue = false
+        or
+        // Parameter[_] doesn't seem to work
+        output = "Parameter[" + [0 .. 10] + "] of BlockArgument" and preservesValue = false
+      )
+    }
+  }
+
   /**
    * A flow summary for `String#scrub(!)`.
    */
-  private class ScrubSummary extends SummarizedCallable {
-    private MethodCall mc;
+  abstract private class ScrubSummary extends SummarizedCallable {
+    MethodCall mc;
 
-    ScrubSummary() { this = ["scrub", "scrub!"] and mc.getMethodName() = this }
+    bindingset[this]
+    ScrubSummary() { mc.getMethodName() = ["scrub", "scrub!"] }
 
     override MethodCall getACall() { result = mc }
+  }
 
-    private predicate hasBlock() { exists(Block b | b = mc.getBlock()) }
+  private class ScrubBlockSummary extends ScrubSummary {
+    ScrubBlockSummary() { this = "scrub_block" and exists(mc.getBlock()) }
 
     override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
       input = "Receiver" and
@@ -446,7 +476,6 @@ module String {
       or
       input = "Argument[0]" and output = "ReturnValue" and preservesValue = true
       or
-      this.hasBlock() and
       input = "ReturnValue of BlockArgument" and
       output = "ReturnValue" and
       preservesValue = true
@@ -455,6 +484,20 @@ module String {
     }
   }
 
+  private class ScrubNoBlockSummary extends ScrubSummary {
+    ScrubNoBlockSummary() { this = "scrub_no_block" and not exists(mc.getBlock()) }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Receiver" and
+      output = "Parameter[0] of BlockArgument" and
+      preservesValue = true
+      or
+      input = "Argument[0]" and output = "ReturnValue" and preservesValue = true
+      or
+      taintIdentityFlow(input, output, preservesValue)
+    }
+  }
+
   // TODO: what do we do about `String#shellescape`?
   /**
    * A flow summary for `String#shellsplit`.
@@ -515,15 +558,27 @@ module String {
 
   /**
    * A flow summary for `String#upto`.
+   * ```
+   * String#upto(stop, exclusive=false, &block)
+   * ```
    */
-  private class UptoSummary extends SummarizedCallable {
-    private MethodCall mc;
+  abstract private class UptoSummary extends SummarizedCallable {
+    MethodCall mc;
 
-    UptoSummary() { this = "upto" and mc.getMethodName() = this }
+    bindingset[this]
+    UptoSummary() { mc.getMethodName() = "upto" }
 
     override MethodCall getACall() { result = mc }
+  }
 
-    private predicate hasBlock() { exists(Block b | b = mc.getBlock()) }
+  /**
+   * A flow summary for `String#upto`, when `exclusive = false`.
+   */
+  private class UptoInclusiveSummary extends UptoSummary {
+    UptoInclusiveSummary() {
+      this = "upto_inclusive" and
+      (not exists(mc.getArgument(1)) or mc.getArgument(1).getConstantValue().isBoolean(false))
+    }
 
     // TODO: if second arg ('exclusive') is true, the first arg is excluded
     override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
@@ -533,7 +588,26 @@ module String {
       output = "Parameter[0] of BlockArgument" and
       preservesValue = true
       or
-      not this.hasBlock() and
+      input = "ReturnValue of BlockArgument" and
+      output = "ArrayElement[?] of ReturnValue" and
+      preservesValue = true
+    }
+  }
+
+  /**
+   * A flow summary for `String#upto`, when `exclusive = true`.
+   */
+  private class UptoExclusiveSummary extends UptoSummary {
+    UptoExclusiveSummary() {
+      this = "upto_exclusive" and
+      mc.getArgument(1).getConstantValue().isBoolean(true)
+    }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = ["Receiver"] and
+      output = "Parameter[0] of BlockArgument" and
+      preservesValue = true
+      or
       input = "ReturnValue of BlockArgument" and
       output = "ArrayElement[?] of ReturnValue" and
       preservesValue = true
diff --git a/ruby/ql/test/library-tests/dataflow/string-flow/string-flow.expected b/ruby/ql/test/library-tests/dataflow/string-flow/string-flow.expected
@@ -104,19 +104,19 @@ edges
 | string_flow.rb:131:9:131:9 | a :  | string_flow.rb:131:24:131:27 | line :  |
 | string_flow.rb:131:9:131:40 | call to each_line :  | string_flow.rb:132:10:132:10 | b |
 | string_flow.rb:131:24:131:27 | line :  | string_flow.rb:131:35:131:38 | line |
-| string_flow.rb:133:9:133:9 | a :  | string_flow.rb:133:9:133:19 | call to each_line :  |
-| string_flow.rb:133:9:133:19 | call to each_line :  | string_flow.rb:134:10:134:10 | c :  |
-| string_flow.rb:134:10:134:10 | c :  | string_flow.rb:134:10:134:15 | call to to_a :  |
-| string_flow.rb:134:10:134:15 | call to to_a :  | string_flow.rb:134:10:134:18 | ...[...] |
+| string_flow.rb:133:9:133:9 | a :  | string_flow.rb:133:9:133:19 | call to each_line [array element] :  |
+| string_flow.rb:133:9:133:19 | call to each_line [array element] :  | string_flow.rb:134:10:134:10 | c [array element] :  |
+| string_flow.rb:134:10:134:10 | c [array element] :  | string_flow.rb:134:10:134:15 | call to to_a [array element] :  |
+| string_flow.rb:134:10:134:15 | call to to_a [array element] :  | string_flow.rb:134:10:134:18 | ...[...] |
 | string_flow.rb:138:9:138:18 | call to source :  | string_flow.rb:139:9:139:9 | a :  |
 | string_flow.rb:138:9:138:18 | call to source :  | string_flow.rb:141:9:141:9 | a :  |
 | string_flow.rb:139:9:139:9 | a :  | string_flow.rb:139:9:139:36 | call to lines :  |
 | string_flow.rb:139:9:139:9 | a :  | string_flow.rb:139:20:139:23 | line :  |
 | string_flow.rb:139:9:139:36 | call to lines :  | string_flow.rb:140:10:140:10 | b |
 | string_flow.rb:139:20:139:23 | line :  | string_flow.rb:139:31:139:34 | line |
-| string_flow.rb:141:9:141:9 | a :  | string_flow.rb:141:9:141:15 | call to lines :  |
-| string_flow.rb:141:9:141:15 | call to lines :  | string_flow.rb:142:10:142:10 | c :  |
-| string_flow.rb:142:10:142:10 | c :  | string_flow.rb:142:10:142:13 | ...[...] |
+| string_flow.rb:141:9:141:9 | a :  | string_flow.rb:141:9:141:15 | call to lines [array element] :  |
+| string_flow.rb:141:9:141:15 | call to lines [array element] :  | string_flow.rb:142:10:142:10 | c [array element] :  |
+| string_flow.rb:142:10:142:10 | c [array element] :  | string_flow.rb:142:10:142:13 | ...[...] |
 | string_flow.rb:146:9:146:18 | call to source :  | string_flow.rb:147:10:147:10 | a :  |
 | string_flow.rb:146:9:146:18 | call to source :  | string_flow.rb:148:10:148:10 | a :  |
 | string_flow.rb:146:9:146:18 | call to source :  | string_flow.rb:149:10:149:10 | a :  |
@@ -233,11 +233,11 @@ edges
 | string_flow.rb:236:9:236:37 | call to scan :  | string_flow.rb:237:10:237:10 | b |
 | string_flow.rb:236:9:236:37 | call to scan :  | string_flow.rb:237:10:237:10 | b |
 | string_flow.rb:236:27:236:27 | y :  | string_flow.rb:236:35:236:35 | y |
-| string_flow.rb:238:9:238:9 | a :  | string_flow.rb:238:9:238:19 | call to scan :  |
-| string_flow.rb:238:9:238:19 | call to scan :  | string_flow.rb:239:10:239:10 | b :  |
-| string_flow.rb:238:9:238:19 | call to scan :  | string_flow.rb:240:10:240:10 | b :  |
-| string_flow.rb:239:10:239:10 | b :  | string_flow.rb:239:10:239:13 | ...[...] |
-| string_flow.rb:240:10:240:10 | b :  | string_flow.rb:240:10:240:13 | ...[...] |
+| string_flow.rb:238:9:238:9 | a :  | string_flow.rb:238:9:238:19 | call to scan [array element] :  |
+| string_flow.rb:238:9:238:19 | call to scan [array element] :  | string_flow.rb:239:10:239:10 | b [array element] :  |
+| string_flow.rb:238:9:238:19 | call to scan [array element] :  | string_flow.rb:240:10:240:10 | b [array element] :  |
+| string_flow.rb:239:10:239:10 | b [array element] :  | string_flow.rb:239:10:239:13 | ...[...] |
+| string_flow.rb:240:10:240:10 | b [array element] :  | string_flow.rb:240:10:240:13 | ...[...] |
 | string_flow.rb:244:5:244:18 | ... = ... :  | string_flow.rb:248:26:248:26 | a :  |
 | string_flow.rb:244:5:244:18 | ... = ... :  | string_flow.rb:248:26:248:26 | a :  |
 | string_flow.rb:244:5:244:18 | ... = ... :  | string_flow.rb:256:27:256:27 | a :  |
@@ -351,20 +351,22 @@ edges
 | string_flow.rb:303:25:303:25 | a :  | string_flow.rb:303:10:303:26 | call to tr_s! |
 | string_flow.rb:307:9:307:18 | call to source :  | string_flow.rb:308:5:308:5 | a :  |
 | string_flow.rb:307:9:307:18 | call to source :  | string_flow.rb:308:5:308:5 | a :  |
-| string_flow.rb:307:9:307:18 | call to source :  | string_flow.rb:309:14:309:14 | a :  |
-| string_flow.rb:307:9:307:18 | call to source :  | string_flow.rb:309:14:309:14 | a :  |
-| string_flow.rb:307:9:307:18 | call to source :  | string_flow.rb:310:9:310:9 | a :  |
+| string_flow.rb:307:9:307:18 | call to source :  | string_flow.rb:309:5:309:5 | a :  |
+| string_flow.rb:307:9:307:18 | call to source :  | string_flow.rb:309:5:309:5 | a :  |
+| string_flow.rb:307:9:307:18 | call to source :  | string_flow.rb:310:14:310:14 | a :  |
+| string_flow.rb:307:9:307:18 | call to source :  | string_flow.rb:310:14:310:14 | a :  |
 | string_flow.rb:308:5:308:5 | a :  | string_flow.rb:308:20:308:20 | x :  |
 | string_flow.rb:308:5:308:5 | a :  | string_flow.rb:308:20:308:20 | x :  |
 | string_flow.rb:308:20:308:20 | x :  | string_flow.rb:308:28:308:28 | x |
 | string_flow.rb:308:20:308:20 | x :  | string_flow.rb:308:28:308:28 | x |
-| string_flow.rb:309:14:309:14 | a :  | string_flow.rb:309:20:309:20 | x :  |
-| string_flow.rb:309:14:309:14 | a :  | string_flow.rb:309:20:309:20 | x :  |
-| string_flow.rb:309:20:309:20 | x :  | string_flow.rb:309:28:309:28 | x |
-| string_flow.rb:309:20:309:20 | x :  | string_flow.rb:309:28:309:28 | x |
-| string_flow.rb:310:9:310:9 | a :  | string_flow.rb:310:9:310:19 | call to upto :  |
-| string_flow.rb:310:9:310:19 | call to upto :  | string_flow.rb:311:10:311:10 | c :  |
-| string_flow.rb:311:10:311:10 | c :  | string_flow.rb:311:10:311:13 | ...[...] |
+| string_flow.rb:309:5:309:5 | a :  | string_flow.rb:309:26:309:26 | x :  |
+| string_flow.rb:309:5:309:5 | a :  | string_flow.rb:309:26:309:26 | x :  |
+| string_flow.rb:309:26:309:26 | x :  | string_flow.rb:309:34:309:34 | x |
+| string_flow.rb:309:26:309:26 | x :  | string_flow.rb:309:34:309:34 | x |
+| string_flow.rb:310:14:310:14 | a :  | string_flow.rb:310:20:310:20 | x :  |
+| string_flow.rb:310:14:310:14 | a :  | string_flow.rb:310:20:310:20 | x :  |
+| string_flow.rb:310:20:310:20 | x :  | string_flow.rb:310:28:310:28 | x |
+| string_flow.rb:310:20:310:20 | x :  | string_flow.rb:310:28:310:28 | x |
 nodes
 | string_flow.rb:2:9:2:18 | call to source :  | semmle.label | call to source :  |
 | string_flow.rb:2:9:2:18 | call to source :  | semmle.label | call to source :  |
@@ -489,9 +491,9 @@ nodes
 | string_flow.rb:131:35:131:38 | line | semmle.label | line |
 | string_flow.rb:132:10:132:10 | b | semmle.label | b |
 | string_flow.rb:133:9:133:9 | a :  | semmle.label | a :  |
-| string_flow.rb:133:9:133:19 | call to each_line :  | semmle.label | call to each_line :  |
-| string_flow.rb:134:10:134:10 | c :  | semmle.label | c :  |
-| string_flow.rb:134:10:134:15 | call to to_a :  | semmle.label | call to to_a :  |
+| string_flow.rb:133:9:133:19 | call to each_line [array element] :  | semmle.label | call to each_line [array element] :  |
+| string_flow.rb:134:10:134:10 | c [array element] :  | semmle.label | c [array element] :  |
+| string_flow.rb:134:10:134:15 | call to to_a [array element] :  | semmle.label | call to to_a [array element] :  |
 | string_flow.rb:134:10:134:18 | ...[...] | semmle.label | ...[...] |
 | string_flow.rb:138:9:138:18 | call to source :  | semmle.label | call to source :  |
 | string_flow.rb:139:9:139:9 | a :  | semmle.label | a :  |
@@ -500,8 +502,8 @@ nodes
 | string_flow.rb:139:31:139:34 | line | semmle.label | line |
 | string_flow.rb:140:10:140:10 | b | semmle.label | b |
 | string_flow.rb:141:9:141:9 | a :  | semmle.label | a :  |
-| string_flow.rb:141:9:141:15 | call to lines :  | semmle.label | call to lines :  |
-| string_flow.rb:142:10:142:10 | c :  | semmle.label | c :  |
+| string_flow.rb:141:9:141:15 | call to lines [array element] :  | semmle.label | call to lines [array element] :  |
+| string_flow.rb:142:10:142:10 | c [array element] :  | semmle.label | c [array element] :  |
 | string_flow.rb:142:10:142:13 | ...[...] | semmle.label | ...[...] |
 | string_flow.rb:146:9:146:18 | call to source :  | semmle.label | call to source :  |
 | string_flow.rb:147:10:147:10 | a :  | semmle.label | a :  |
@@ -637,10 +639,10 @@ nodes
 | string_flow.rb:237:10:237:10 | b | semmle.label | b |
 | string_flow.rb:237:10:237:10 | b | semmle.label | b |
 | string_flow.rb:238:9:238:9 | a :  | semmle.label | a :  |
-| string_flow.rb:238:9:238:19 | call to scan :  | semmle.label | call to scan :  |
-| string_flow.rb:239:10:239:10 | b :  | semmle.label | b :  |
+| string_flow.rb:238:9:238:19 | call to scan [array element] :  | semmle.label | call to scan [array element] :  |
+| string_flow.rb:239:10:239:10 | b [array element] :  | semmle.label | b [array element] :  |
 | string_flow.rb:239:10:239:13 | ...[...] | semmle.label | ...[...] |
-| string_flow.rb:240:10:240:10 | b :  | semmle.label | b :  |
+| string_flow.rb:240:10:240:10 | b [array element] :  | semmle.label | b [array element] :  |
 | string_flow.rb:240:10:240:13 | ...[...] | semmle.label | ...[...] |
 | string_flow.rb:244:5:244:18 | ... = ... :  | semmle.label | ... = ... :  |
 | string_flow.rb:244:5:244:18 | ... = ... :  | semmle.label | ... = ... :  |
@@ -761,16 +763,18 @@ nodes
 | string_flow.rb:308:20:308:20 | x :  | semmle.label | x :  |
 | string_flow.rb:308:28:308:28 | x | semmle.label | x |
 | string_flow.rb:308:28:308:28 | x | semmle.label | x |
-| string_flow.rb:309:14:309:14 | a :  | semmle.label | a :  |
-| string_flow.rb:309:14:309:14 | a :  | semmle.label | a :  |
-| string_flow.rb:309:20:309:20 | x :  | semmle.label | x :  |
-| string_flow.rb:309:20:309:20 | x :  | semmle.label | x :  |
-| string_flow.rb:309:28:309:28 | x | semmle.label | x |
-| string_flow.rb:309:28:309:28 | x | semmle.label | x |
-| string_flow.rb:310:9:310:9 | a :  | semmle.label | a :  |
-| string_flow.rb:310:9:310:19 | call to upto :  | semmle.label | call to upto :  |
-| string_flow.rb:311:10:311:10 | c :  | semmle.label | c :  |
-| string_flow.rb:311:10:311:13 | ...[...] | semmle.label | ...[...] |
+| string_flow.rb:309:5:309:5 | a :  | semmle.label | a :  |
+| string_flow.rb:309:5:309:5 | a :  | semmle.label | a :  |
+| string_flow.rb:309:26:309:26 | x :  | semmle.label | x :  |
+| string_flow.rb:309:26:309:26 | x :  | semmle.label | x :  |
+| string_flow.rb:309:34:309:34 | x | semmle.label | x |
+| string_flow.rb:309:34:309:34 | x | semmle.label | x |
+| string_flow.rb:310:14:310:14 | a :  | semmle.label | a :  |
+| string_flow.rb:310:14:310:14 | a :  | semmle.label | a :  |
+| string_flow.rb:310:20:310:20 | x :  | semmle.label | x :  |
+| string_flow.rb:310:20:310:20 | x :  | semmle.label | x :  |
+| string_flow.rb:310:28:310:28 | x | semmle.label | x |
+| string_flow.rb:310:28:310:28 | x | semmle.label | x |
 subpaths
 #select
 | string_flow.rb:3:10:3:22 | call to new | string_flow.rb:2:9:2:18 | call to source :  | string_flow.rb:3:10:3:22 | call to new | $@ | string_flow.rb:2:9:2:18 | call to source :  | call to source :  |
@@ -809,4 +813,5 @@ subpaths
 | string_flow.rb:290:10:290:17 | call to to_str | string_flow.rb:289:9:289:18 | call to source :  | string_flow.rb:290:10:290:17 | call to to_str | $@ | string_flow.rb:289:9:289:18 | call to source :  | call to source :  |
 | string_flow.rb:291:10:291:15 | call to to_s | string_flow.rb:289:9:289:18 | call to source :  | string_flow.rb:291:10:291:15 | call to to_s | $@ | string_flow.rb:289:9:289:18 | call to source :  | call to source :  |
 | string_flow.rb:308:28:308:28 | x | string_flow.rb:307:9:307:18 | call to source :  | string_flow.rb:308:28:308:28 | x | $@ | string_flow.rb:307:9:307:18 | call to source :  | call to source :  |
-| string_flow.rb:309:28:309:28 | x | string_flow.rb:307:9:307:18 | call to source :  | string_flow.rb:309:28:309:28 | x | $@ | string_flow.rb:307:9:307:18 | call to source :  | call to source :  |
+| string_flow.rb:309:34:309:34 | x | string_flow.rb:307:9:307:18 | call to source :  | string_flow.rb:309:34:309:34 | x | $@ | string_flow.rb:307:9:307:18 | call to source :  | call to source :  |
+| string_flow.rb:310:28:310:28 | x | string_flow.rb:307:9:307:18 | call to source :  | string_flow.rb:310:28:310:28 | x | $@ | string_flow.rb:307:9:307:18 | call to source :  | call to source :  |
diff --git a/ruby/ql/test/library-tests/dataflow/string-flow/string_flow.rb b/ruby/ql/test/library-tests/dataflow/string-flow/string_flow.rb
@@ -306,7 +306,7 @@ def m_tr
 def m_upto(i)
     a = source "a"
     a.upto("b") { |x| sink x } # $ hasValueFlow=a
+    a.upto("b", true) { |x| sink x } # $ hasValueFlow=a
     "b".upto(a) { |x| sink x } # $ hasValueFlow=a
-    c = a.upto("b")
-    sink c[i] # $ hasTaintFlow=a
+    "b".upto(a, true) { |x| sink x }
 end
