From 2376f28983552cf6a7dc71f0a698f5f446c327c1 Mon Sep 17 00:00:00 2001 From: Harry Maclean Date: Tue, 15 Aug 2023 17:24:16 +0100 Subject: [PATCH] Ruby: Handle more splat arg flow Allow flow from a splat argument to a positional parameter in cases where there are positional arguments left of the splat. For example: def foo(x, y, z); end foo(1, *[2, 3]) --- .../dataflow/internal/DataFlowDispatch.qll | 12 ++- .../dataflow/internal/DataFlowPrivate.qll | 27 ++++-- .../dataflow/local/TaintStep.expected | 12 --- .../dataflow/params/params-flow.expected | 96 +++++++++++++++++++ .../dataflow/params/params_flow.rb | 20 ++-- .../type-tracker/TypeTracker.expected | 6 -- 6 files changed, 133 insertions(+), 40 deletions(-) diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll index b2517bc31f6a..146b639bfedd 100644 --- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll +++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll @@ -471,7 +471,11 @@ private module Cached { TSplatParameterPosition(int pos) { exists(Parameter p | p.getPosition() = pos and p instanceof SplatParameter) } or - TSynthSplatParameterPosition() or + TSynthSplatParameterPosition(int pos) { + // `pos` is the position of the splat _argument_ that is matched to the + // `SynthSplatParameterNode` with this position. + exists(ArgumentPosition a | a.isSplat(pos)) + } or TSynthArgSplatParameterPosition() or TAnyParameterPosition() or TAnyKeywordParameterPosition() @@ -1293,7 +1297,7 @@ class ParameterPosition extends TParameterPosition { predicate isSynthHashSplat() { this = TSynthHashSplatParameterPosition() } - predicate isSynthSplat() { this = TSynthSplatParameterPosition() } + predicate isSynthSplat(int n) { this = TSynthSplatParameterPosition(n) } // A fake position to indicate that this parameter node holds content from a synth arg splat node predicate isSynthArgSplat() { this = TSynthArgSplatParameterPosition() } @@ -1329,7 +1333,7 @@ class ParameterPosition extends TParameterPosition { or this.isAnyNamed() and result = "any-named" or - this.isSynthSplat() and result = "synthetic *" + exists(int pos | this.isSynthSplat(pos) and result = "synthetic * (position " + pos + ")") or this.isSynthArgSplat() and result = "synthetic * (from *args)" or @@ -1419,7 +1423,7 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { or ppos.isSplat(0) and apos.isSynthSplat() or - ppos.isSynthSplat() and apos.isSplat(0) + exists(int n | ppos.isSynthSplat(n) and apos.isSplat(n)) or apos.isSynthSplat() and ppos.isSynthArgSplat() or diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll index d0990b630637..fcfed6c3d2f0 100644 --- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll +++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll @@ -335,9 +335,11 @@ private module Cached { TSynthHashSplatParameterNode(DataFlowCallable c) { isParameterNode(_, c, any(ParameterPosition p | p.isKeyword(_))) } or - TSynthSplatParameterNode(DataFlowCallable c) { + TSynthSplatParameterNode(DataFlowCallable c, int n) { exists(c.asCallable()) and // exclude library callables - isParameterNode(_, c, any(ParameterPosition p | p.isPositional(_))) + isParameterNode(_, c, any(ParameterPosition p | p.isPositional(_))) and + // `n` is the position of the splat argument that is matched to this node + exists(ArgumentPosition pos | pos.isSplat(n)) } or TSynthSplatArgParameterNode(DataFlowCallable c) { exists(c.asCallable()) and // exclude library callables @@ -854,11 +856,20 @@ private module ParameterNodes { * ```rb * foo(a, *[b]) * ``` + * + * TODO: we do now support the above, but we don't support this case: + * + * ```rb + * foo(a, *[b], c) + * ``` + * + * Update this documentation. */ class SynthSplatParameterNode extends ParameterNodeImpl, TSynthSplatParameterNode { private DataFlowCallable callable; + private int n; - SynthSplatParameterNode() { this = TSynthSplatParameterNode(callable) } + SynthSplatParameterNode() { this = TSynthSplatParameterNode(callable, n) } /** * Gets a parameter which will contain the value given by `c`, assuming @@ -870,13 +881,13 @@ private module ParameterNodes { * end * ``` * - * Then `getAParameter(element 0) = x` and `getAParameter(element 1) = y`. + * then `getAParameter(element 0) = x` and `getAParameter(element 1) = y`. */ ParameterNode getAParameter(ContentSet c) { - exists(int n | - isParameterNode(result, callable, (any(ParameterPosition p | p.isPositional(n)))) and + exists(int m | + isParameterNode(result, callable, (any(ParameterPosition p | p.isPositional(m)))) and ( - c = getPositionalContent(n) + c = getPositionalContent(m - n) or c.isSingleton(TUnknownElementContent()) ) @@ -886,7 +897,7 @@ private module ParameterNodes { final override Parameter getParameter() { none() } final override predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { - c = callable and pos.isSynthSplat() + c = callable and pos.isSynthSplat(n) } final override CfgScope getCfgScope() { result = callable.asCallable() } diff --git a/ruby/ql/test/library-tests/dataflow/local/TaintStep.expected b/ruby/ql/test/library-tests/dataflow/local/TaintStep.expected index 237c067be1be..534ba42e2880 100644 --- a/ruby/ql/test/library-tests/dataflow/local/TaintStep.expected +++ b/ruby/ql/test/library-tests/dataflow/local/TaintStep.expected @@ -2796,7 +2796,6 @@ | UseUseExplosion.rb:21:3675:21:3680 | call to use | UseUseExplosion.rb:21:3670:21:3680 | else ... | | UseUseExplosion.rb:21:3686:21:3696 | else ... | UseUseExplosion.rb:21:9:21:3700 | if ... | | UseUseExplosion.rb:21:3691:21:3696 | call to use | UseUseExplosion.rb:21:3686:21:3696 | else ... | -| UseUseExplosion.rb:24:5:25:7 | synthetic *args | UseUseExplosion.rb:24:13:24:13 | i | | UseUseExplosion.rb:24:5:25:7 | use | UseUseExplosion.rb:1:1:26:3 | C | | file://:0:0:0:0 | [summary param] position 0 in & | file://:0:0:0:0 | [summary] read: Argument[0].Element[any] in & | | file://:0:0:0:0 | [summary param] position 0 in + | file://:0:0:0:0 | [summary] read: Argument[0].Element[any] in + | @@ -2841,7 +2840,6 @@ | file://:0:0:0:0 | [summary] read: Argument[0].Element[any] in Hash[] | file://:0:0:0:0 | [summary] read: Argument[0].Element[any].Element[1] in Hash[] | | local_dataflow.rb:1:1:7:3 | self (foo) | local_dataflow.rb:3:8:3:10 | self | | local_dataflow.rb:1:1:7:3 | self in foo | local_dataflow.rb:1:1:7:3 | self (foo) | -| local_dataflow.rb:1:1:7:3 | synthetic *args | local_dataflow.rb:1:9:1:9 | a | | local_dataflow.rb:1:1:150:3 | | local_dataflow.rb:10:9:10:9 | x | | local_dataflow.rb:1:1:150:3 | self (local_dataflow.rb) | local_dataflow.rb:49:1:53:3 | self | | local_dataflow.rb:1:9:1:9 | a | local_dataflow.rb:1:9:1:9 | a | @@ -2879,7 +2877,6 @@ | local_dataflow.rb:10:5:13:3 | __synth__0__1 | local_dataflow.rb:10:5:13:3 | __synth__0__1 | | local_dataflow.rb:10:5:13:3 | __synth__0__1 | local_dataflow.rb:10:9:10:9 | x | | local_dataflow.rb:10:5:13:3 | call to each | local_dataflow.rb:10:5:13:3 | ... | -| local_dataflow.rb:10:5:13:3 | synthetic *args | local_dataflow.rb:10:5:13:3 | __synth__0__1 | | local_dataflow.rb:10:9:10:9 | ... = ... | local_dataflow.rb:10:9:10:9 | if ... | | local_dataflow.rb:10:9:10:9 | defined? ... | local_dataflow.rb:10:9:10:9 | [false] ! ... | | local_dataflow.rb:10:9:10:9 | defined? ... | local_dataflow.rb:10:9:10:9 | [true] ! ... | @@ -2898,7 +2895,6 @@ | local_dataflow.rb:15:1:17:3 | __synth__0__1 | local_dataflow.rb:15:1:17:3 | __synth__0__1 | | local_dataflow.rb:15:1:17:3 | __synth__0__1 | local_dataflow.rb:15:5:15:5 | x | | local_dataflow.rb:15:1:17:3 | call to each | local_dataflow.rb:15:1:17:3 | ... | -| local_dataflow.rb:15:1:17:3 | synthetic *args | local_dataflow.rb:15:1:17:3 | __synth__0__1 | | local_dataflow.rb:15:5:15:5 | ... = ... | local_dataflow.rb:15:5:15:5 | if ... | | local_dataflow.rb:15:5:15:5 | defined? ... | local_dataflow.rb:15:5:15:5 | [false] ! ... | | local_dataflow.rb:15:5:15:5 | defined? ... | local_dataflow.rb:15:5:15:5 | [true] ! ... | @@ -2914,7 +2910,6 @@ | local_dataflow.rb:19:1:21:3 | __synth__0__1 | local_dataflow.rb:19:1:21:3 | __synth__0__1 | | local_dataflow.rb:19:1:21:3 | __synth__0__1 | local_dataflow.rb:19:5:19:5 | x | | local_dataflow.rb:19:1:21:3 | call to each | local_dataflow.rb:19:1:21:3 | ... | -| local_dataflow.rb:19:1:21:3 | synthetic *args | local_dataflow.rb:19:1:21:3 | __synth__0__1 | | local_dataflow.rb:19:5:19:5 | ... = ... | local_dataflow.rb:19:5:19:5 | if ... | | local_dataflow.rb:19:5:19:5 | defined? ... | local_dataflow.rb:19:5:19:5 | [false] ! ... | | local_dataflow.rb:19:5:19:5 | defined? ... | local_dataflow.rb:19:5:19:5 | [true] ! ... | @@ -2933,13 +2928,11 @@ | local_dataflow.rb:30:14:30:20 | "class" | local_dataflow.rb:30:5:30:24 | C | | local_dataflow.rb:32:5:32:25 | bar | local_dataflow.rb:32:1:32:1 | x | | local_dataflow.rb:32:5:32:25 | bar | local_dataflow.rb:32:1:32:25 | ... = ... | -| local_dataflow.rb:34:1:39:3 | synthetic *args | local_dataflow.rb:34:7:34:7 | x | | local_dataflow.rb:34:7:34:7 | x | local_dataflow.rb:34:7:34:7 | x | | local_dataflow.rb:34:7:34:7 | x | local_dataflow.rb:35:6:35:6 | x | | local_dataflow.rb:35:6:35:6 | x | local_dataflow.rb:35:6:35:11 | ... == ... | | local_dataflow.rb:35:11:35:11 | 4 | local_dataflow.rb:35:6:35:11 | ... == ... | | local_dataflow.rb:36:13:36:13 | 7 | local_dataflow.rb:36:6:36:13 | return | -| local_dataflow.rb:41:1:47:3 | synthetic *args | local_dataflow.rb:41:7:41:7 | x | | local_dataflow.rb:41:7:41:7 | x | local_dataflow.rb:41:7:41:7 | x | | local_dataflow.rb:41:7:41:7 | x | local_dataflow.rb:42:6:42:6 | x | | local_dataflow.rb:42:6:42:6 | x | local_dataflow.rb:42:6:42:11 | ... == ... | @@ -2958,10 +2951,8 @@ | local_dataflow.rb:51:20:51:20 | x | local_dataflow.rb:51:20:51:24 | ... < ... | | local_dataflow.rb:51:24:51:24 | 9 | local_dataflow.rb:51:20:51:24 | ... < ... | | local_dataflow.rb:55:5:55:13 | Array | local_dataflow.rb:55:5:55:13 | call to [] | -| local_dataflow.rb:57:1:58:3 | synthetic *args | local_dataflow.rb:57:9:57:9 | x | | local_dataflow.rb:60:1:90:3 | self (test_case) | local_dataflow.rb:78:12:78:20 | self | | local_dataflow.rb:60:1:90:3 | self in test_case | local_dataflow.rb:60:1:90:3 | self (test_case) | -| local_dataflow.rb:60:1:90:3 | synthetic *args | local_dataflow.rb:60:15:60:15 | x | | local_dataflow.rb:60:15:60:15 | x | local_dataflow.rb:60:15:60:15 | x | | local_dataflow.rb:60:15:60:15 | x | local_dataflow.rb:61:12:61:12 | x | | local_dataflow.rb:61:7:68:5 | SSA phi read(x) | local_dataflow.rb:69:12:69:12 | x | @@ -3134,7 +3125,6 @@ | local_dataflow.rb:118:3:118:11 | call to source | local_dataflow.rb:118:3:118:31 | call to tap | | local_dataflow.rb:118:3:118:11 | self | local_dataflow.rb:119:3:119:31 | self | | local_dataflow.rb:118:17:118:31 | self | local_dataflow.rb:118:23:118:29 | self | -| local_dataflow.rb:118:17:118:31 | synthetic *args | local_dataflow.rb:118:20:118:20 | x | | local_dataflow.rb:118:20:118:20 | x | local_dataflow.rb:118:20:118:20 | x | | local_dataflow.rb:118:20:118:20 | x | local_dataflow.rb:118:28:118:28 | x | | local_dataflow.rb:119:3:119:31 | [post] self | local_dataflow.rb:119:8:119:16 | self | @@ -3149,10 +3139,8 @@ | local_dataflow.rb:123:8:123:20 | call to dup | local_dataflow.rb:123:8:123:45 | call to tap | | local_dataflow.rb:123:8:123:45 | call to tap | local_dataflow.rb:123:8:123:49 | call to dup | | local_dataflow.rb:123:26:123:45 | self | local_dataflow.rb:123:32:123:43 | self | -| local_dataflow.rb:123:26:123:45 | synthetic *args | local_dataflow.rb:123:29:123:29 | x | | local_dataflow.rb:126:1:128:3 | self (use) | local_dataflow.rb:127:3:127:8 | self | | local_dataflow.rb:126:1:128:3 | self in use | local_dataflow.rb:126:1:128:3 | self (use) | -| local_dataflow.rb:126:1:128:3 | synthetic *args | local_dataflow.rb:126:9:126:9 | x | | local_dataflow.rb:130:1:150:3 | self (use_use_madness) | local_dataflow.rb:132:6:132:11 | self | | local_dataflow.rb:130:1:150:3 | self in use_use_madness | local_dataflow.rb:130:1:150:3 | self (use_use_madness) | | local_dataflow.rb:131:3:131:3 | x | local_dataflow.rb:132:10:132:10 | x | diff --git a/ruby/ql/test/library-tests/dataflow/params/params-flow.expected b/ruby/ql/test/library-tests/dataflow/params/params-flow.expected index 435072bf90b6..1a838b3fbb1c 100644 --- a/ruby/ql/test/library-tests/dataflow/params/params-flow.expected +++ b/ruby/ql/test/library-tests/dataflow/params/params-flow.expected @@ -41,7 +41,11 @@ edges | params_flow.rb:41:13:41:21 | call to taint | params_flow.rb:16:18:16:19 | p2 | | params_flow.rb:41:24:41:29 | ** ... [element :p1] | params_flow.rb:16:13:16:14 | p1 | | params_flow.rb:41:26:41:29 | args [element :p1] | params_flow.rb:41:24:41:29 | ** ... [element :p1] | +| params_flow.rb:43:1:43:4 | args [element 0] | params_flow.rb:44:24:44:27 | args [element 0] | +| params_flow.rb:43:9:43:17 | call to taint | params_flow.rb:43:1:43:4 | args [element 0] | | params_flow.rb:44:12:44:20 | call to taint | params_flow.rb:9:16:9:17 | p1 | +| params_flow.rb:44:23:44:27 | * ... [element 0] | params_flow.rb:9:20:9:21 | p2 | +| params_flow.rb:44:24:44:27 | args [element 0] | params_flow.rb:44:23:44:27 | * ... [element 0] | | params_flow.rb:46:1:46:4 | args [element 0] | params_flow.rb:47:13:47:16 | args [element 0] | | params_flow.rb:46:1:46:4 | args [element 1] | params_flow.rb:47:13:47:16 | args [element 1] | | params_flow.rb:46:9:46:17 | call to taint | params_flow.rb:46:1:46:4 | args [element 0] | @@ -79,20 +83,57 @@ edges | params_flow.rb:78:21:78:29 | call to taint | params_flow.rb:69:17:69:17 | y | | params_flow.rb:78:43:78:51 | call to taint | params_flow.rb:69:24:69:24 | w | | params_flow.rb:78:54:78:62 | call to taint | params_flow.rb:69:27:69:27 | r | +| params_flow.rb:80:1:80:4 | args [element 0] | params_flow.rb:81:22:81:25 | args [element 0] | +| params_flow.rb:80:1:80:4 | args [element 2] | params_flow.rb:81:22:81:25 | args [element 2] | +| params_flow.rb:80:1:80:4 | args [element 3] | params_flow.rb:81:22:81:25 | args [element 3] | +| params_flow.rb:80:9:80:17 | call to taint | params_flow.rb:80:1:80:4 | args [element 0] | +| params_flow.rb:80:31:80:39 | call to taint | params_flow.rb:80:1:80:4 | args [element 2] | +| params_flow.rb:80:42:80:50 | call to taint | params_flow.rb:80:1:80:4 | args [element 3] | | params_flow.rb:81:10:81:18 | call to taint | params_flow.rb:69:14:69:14 | x | +| params_flow.rb:81:21:81:25 | * ... [element 0] | params_flow.rb:69:17:69:17 | y | +| params_flow.rb:81:21:81:25 | * ... [element 2] | params_flow.rb:69:24:69:24 | w | +| params_flow.rb:81:21:81:25 | * ... [element 3] | params_flow.rb:69:27:69:27 | r | +| params_flow.rb:81:22:81:25 | args [element 0] | params_flow.rb:81:21:81:25 | * ... [element 0] | +| params_flow.rb:81:22:81:25 | args [element 2] | params_flow.rb:81:21:81:25 | * ... [element 2] | +| params_flow.rb:81:22:81:25 | args [element 3] | params_flow.rb:81:21:81:25 | * ... [element 3] | | params_flow.rb:83:14:83:14 | t | params_flow.rb:84:10:84:10 | t | | params_flow.rb:83:17:83:17 | u | params_flow.rb:85:10:85:10 | u | +| params_flow.rb:83:20:83:20 | v | params_flow.rb:86:10:86:10 | v | | params_flow.rb:83:23:83:23 | w | params_flow.rb:87:10:87:10 | w | +| params_flow.rb:83:26:83:26 | x | params_flow.rb:88:10:88:10 | x | +| params_flow.rb:83:29:83:29 | y | params_flow.rb:89:10:89:10 | y | +| params_flow.rb:93:1:93:4 | args [element 0] | params_flow.rb:94:33:94:36 | args [element 0] | +| params_flow.rb:93:1:93:4 | args [element 1] | params_flow.rb:94:33:94:36 | args [element 1] | +| params_flow.rb:93:1:93:4 | args [element 2] | params_flow.rb:94:33:94:36 | args [element 2] | +| params_flow.rb:93:1:93:4 | args [element 3] | params_flow.rb:94:33:94:36 | args [element 3] | +| params_flow.rb:93:9:93:17 | call to taint | params_flow.rb:93:1:93:4 | args [element 0] | +| params_flow.rb:93:20:93:28 | call to taint | params_flow.rb:93:1:93:4 | args [element 1] | +| params_flow.rb:93:31:93:39 | call to taint | params_flow.rb:93:1:93:4 | args [element 2] | +| params_flow.rb:93:42:93:50 | call to taint | params_flow.rb:93:1:93:4 | args [element 3] | | params_flow.rb:94:10:94:18 | call to taint | params_flow.rb:83:14:83:14 | t | | params_flow.rb:94:21:94:29 | call to taint | params_flow.rb:83:17:83:17 | u | +| params_flow.rb:94:32:94:36 | * ... [element 0] | params_flow.rb:83:20:83:20 | v | +| params_flow.rb:94:32:94:36 | * ... [element 1] | params_flow.rb:83:23:83:23 | w | +| params_flow.rb:94:32:94:36 | * ... [element 2] | params_flow.rb:83:26:83:26 | x | +| params_flow.rb:94:32:94:36 | * ... [element 3] | params_flow.rb:83:29:83:29 | y | +| params_flow.rb:94:33:94:36 | args [element 0] | params_flow.rb:94:32:94:36 | * ... [element 0] | +| params_flow.rb:94:33:94:36 | args [element 1] | params_flow.rb:94:32:94:36 | * ... [element 1] | +| params_flow.rb:94:33:94:36 | args [element 2] | params_flow.rb:94:32:94:36 | * ... [element 2] | +| params_flow.rb:94:33:94:36 | args [element 3] | params_flow.rb:94:32:94:36 | * ... [element 3] | | params_flow.rb:94:39:94:47 | call to taint | params_flow.rb:83:23:83:23 | w | | params_flow.rb:96:10:96:18 | call to taint | params_flow.rb:69:14:69:14 | x | | params_flow.rb:96:21:96:29 | call to taint | params_flow.rb:69:17:69:17 | y | +| params_flow.rb:96:32:96:65 | * ... [element 1] | params_flow.rb:69:24:69:24 | w | +| params_flow.rb:96:32:96:65 | * ... [element 2] | params_flow.rb:69:27:69:27 | r | +| params_flow.rb:96:45:96:53 | call to taint | params_flow.rb:96:32:96:65 | * ... [element 1] | +| params_flow.rb:96:56:96:64 | call to taint | params_flow.rb:96:32:96:65 | * ... [element 2] | | params_flow.rb:96:68:96:76 | call to taint | params_flow.rb:69:24:69:24 | w | | params_flow.rb:96:79:96:87 | call to taint | params_flow.rb:69:27:69:27 | r | | params_flow.rb:98:19:98:19 | a | params_flow.rb:99:10:99:10 | a | | params_flow.rb:98:31:98:31 | b | params_flow.rb:102:10:102:10 | b | | params_flow.rb:105:15:105:23 | call to taint | params_flow.rb:98:19:98:19 | a | +| params_flow.rb:105:26:105:48 | * ... [element 1] | params_flow.rb:98:31:98:31 | b | +| params_flow.rb:105:39:105:47 | call to taint | params_flow.rb:105:26:105:48 | * ... [element 1] | | params_flow.rb:106:15:106:23 | call to taint | params_flow.rb:98:19:98:19 | a | | params_flow.rb:106:37:106:45 | call to taint | params_flow.rb:98:31:98:31 | b | | params_flow.rb:108:37:108:37 | a | params_flow.rb:109:10:109:10 | a | @@ -168,7 +209,11 @@ nodes | params_flow.rb:41:13:41:21 | call to taint | semmle.label | call to taint | | params_flow.rb:41:24:41:29 | ** ... [element :p1] | semmle.label | ** ... [element :p1] | | params_flow.rb:41:26:41:29 | args [element :p1] | semmle.label | args [element :p1] | +| params_flow.rb:43:1:43:4 | args [element 0] | semmle.label | args [element 0] | +| params_flow.rb:43:9:43:17 | call to taint | semmle.label | call to taint | | params_flow.rb:44:12:44:20 | call to taint | semmle.label | call to taint | +| params_flow.rb:44:23:44:27 | * ... [element 0] | semmle.label | * ... [element 0] | +| params_flow.rb:44:24:44:27 | args [element 0] | semmle.label | args [element 0] | | params_flow.rb:46:1:46:4 | args [element 0] | semmle.label | args [element 0] | | params_flow.rb:46:1:46:4 | args [element 1] | semmle.label | args [element 1] | | params_flow.rb:46:9:46:17 | call to taint | semmle.label | call to taint | @@ -213,18 +258,56 @@ nodes | params_flow.rb:78:21:78:29 | call to taint | semmle.label | call to taint | | params_flow.rb:78:43:78:51 | call to taint | semmle.label | call to taint | | params_flow.rb:78:54:78:62 | call to taint | semmle.label | call to taint | +| params_flow.rb:80:1:80:4 | args [element 0] | semmle.label | args [element 0] | +| params_flow.rb:80:1:80:4 | args [element 2] | semmle.label | args [element 2] | +| params_flow.rb:80:1:80:4 | args [element 3] | semmle.label | args [element 3] | +| params_flow.rb:80:9:80:17 | call to taint | semmle.label | call to taint | +| params_flow.rb:80:31:80:39 | call to taint | semmle.label | call to taint | +| params_flow.rb:80:42:80:50 | call to taint | semmle.label | call to taint | | params_flow.rb:81:10:81:18 | call to taint | semmle.label | call to taint | +| params_flow.rb:81:21:81:25 | * ... [element 0] | semmle.label | * ... [element 0] | +| params_flow.rb:81:21:81:25 | * ... [element 2] | semmle.label | * ... [element 2] | +| params_flow.rb:81:21:81:25 | * ... [element 3] | semmle.label | * ... [element 3] | +| params_flow.rb:81:22:81:25 | args [element 0] | semmle.label | args [element 0] | +| params_flow.rb:81:22:81:25 | args [element 2] | semmle.label | args [element 2] | +| params_flow.rb:81:22:81:25 | args [element 3] | semmle.label | args [element 3] | | params_flow.rb:83:14:83:14 | t | semmle.label | t | | params_flow.rb:83:17:83:17 | u | semmle.label | u | +| params_flow.rb:83:20:83:20 | v | semmle.label | v | | params_flow.rb:83:23:83:23 | w | semmle.label | w | +| params_flow.rb:83:26:83:26 | x | semmle.label | x | +| params_flow.rb:83:29:83:29 | y | semmle.label | y | | params_flow.rb:84:10:84:10 | t | semmle.label | t | | params_flow.rb:85:10:85:10 | u | semmle.label | u | +| params_flow.rb:86:10:86:10 | v | semmle.label | v | | params_flow.rb:87:10:87:10 | w | semmle.label | w | +| params_flow.rb:88:10:88:10 | x | semmle.label | x | +| params_flow.rb:89:10:89:10 | y | semmle.label | y | +| params_flow.rb:93:1:93:4 | args [element 0] | semmle.label | args [element 0] | +| params_flow.rb:93:1:93:4 | args [element 1] | semmle.label | args [element 1] | +| params_flow.rb:93:1:93:4 | args [element 2] | semmle.label | args [element 2] | +| params_flow.rb:93:1:93:4 | args [element 3] | semmle.label | args [element 3] | +| params_flow.rb:93:9:93:17 | call to taint | semmle.label | call to taint | +| params_flow.rb:93:20:93:28 | call to taint | semmle.label | call to taint | +| params_flow.rb:93:31:93:39 | call to taint | semmle.label | call to taint | +| params_flow.rb:93:42:93:50 | call to taint | semmle.label | call to taint | | params_flow.rb:94:10:94:18 | call to taint | semmle.label | call to taint | | params_flow.rb:94:21:94:29 | call to taint | semmle.label | call to taint | +| params_flow.rb:94:32:94:36 | * ... [element 0] | semmle.label | * ... [element 0] | +| params_flow.rb:94:32:94:36 | * ... [element 1] | semmle.label | * ... [element 1] | +| params_flow.rb:94:32:94:36 | * ... [element 2] | semmle.label | * ... [element 2] | +| params_flow.rb:94:32:94:36 | * ... [element 3] | semmle.label | * ... [element 3] | +| params_flow.rb:94:33:94:36 | args [element 0] | semmle.label | args [element 0] | +| params_flow.rb:94:33:94:36 | args [element 1] | semmle.label | args [element 1] | +| params_flow.rb:94:33:94:36 | args [element 2] | semmle.label | args [element 2] | +| params_flow.rb:94:33:94:36 | args [element 3] | semmle.label | args [element 3] | | params_flow.rb:94:39:94:47 | call to taint | semmle.label | call to taint | | params_flow.rb:96:10:96:18 | call to taint | semmle.label | call to taint | | params_flow.rb:96:21:96:29 | call to taint | semmle.label | call to taint | +| params_flow.rb:96:32:96:65 | * ... [element 1] | semmle.label | * ... [element 1] | +| params_flow.rb:96:32:96:65 | * ... [element 2] | semmle.label | * ... [element 2] | +| params_flow.rb:96:45:96:53 | call to taint | semmle.label | call to taint | +| params_flow.rb:96:56:96:64 | call to taint | semmle.label | call to taint | | params_flow.rb:96:68:96:76 | call to taint | semmle.label | call to taint | | params_flow.rb:96:79:96:87 | call to taint | semmle.label | call to taint | | params_flow.rb:98:19:98:19 | a | semmle.label | a | @@ -232,6 +315,8 @@ nodes | params_flow.rb:99:10:99:10 | a | semmle.label | a | | params_flow.rb:102:10:102:10 | b | semmle.label | b | | params_flow.rb:105:15:105:23 | call to taint | semmle.label | call to taint | +| params_flow.rb:105:26:105:48 | * ... [element 1] | semmle.label | * ... [element 1] | +| params_flow.rb:105:39:105:47 | call to taint | semmle.label | call to taint | | params_flow.rb:106:15:106:23 | call to taint | semmle.label | call to taint | | params_flow.rb:106:37:106:45 | call to taint | semmle.label | call to taint | | params_flow.rb:108:37:108:37 | a | semmle.label | a | @@ -269,6 +354,7 @@ subpaths | params_flow.rb:10:10:10:11 | p1 | params_flow.rb:46:9:46:17 | call to taint | params_flow.rb:10:10:10:11 | p1 | $@ | params_flow.rb:46:9:46:17 | call to taint | call to taint | | params_flow.rb:10:10:10:11 | p1 | params_flow.rb:117:19:117:27 | call to taint | params_flow.rb:10:10:10:11 | p1 | $@ | params_flow.rb:117:19:117:27 | call to taint | call to taint | | params_flow.rb:11:10:11:11 | p2 | params_flow.rb:14:22:14:29 | call to taint | params_flow.rb:11:10:11:11 | p2 | $@ | params_flow.rb:14:22:14:29 | call to taint | call to taint | +| params_flow.rb:11:10:11:11 | p2 | params_flow.rb:43:9:43:17 | call to taint | params_flow.rb:11:10:11:11 | p2 | $@ | params_flow.rb:43:9:43:17 | call to taint | call to taint | | params_flow.rb:11:10:11:11 | p2 | params_flow.rb:46:20:46:28 | call to taint | params_flow.rb:11:10:11:11 | p2 | $@ | params_flow.rb:46:20:46:28 | call to taint | call to taint | | params_flow.rb:11:10:11:11 | p2 | params_flow.rb:117:19:117:27 | call to taint | params_flow.rb:11:10:11:11 | p2 | $@ | params_flow.rb:117:19:117:27 | call to taint | call to taint | | params_flow.rb:17:10:17:11 | p1 | params_flow.rb:21:13:21:20 | call to taint | params_flow.rb:17:10:17:11 | p1 | $@ | params_flow.rb:21:13:21:20 | call to taint | call to taint | @@ -296,19 +382,29 @@ subpaths | params_flow.rb:70:10:70:10 | x | params_flow.rb:81:10:81:18 | call to taint | params_flow.rb:70:10:70:10 | x | $@ | params_flow.rb:81:10:81:18 | call to taint | call to taint | | params_flow.rb:70:10:70:10 | x | params_flow.rb:96:10:96:18 | call to taint | params_flow.rb:70:10:70:10 | x | $@ | params_flow.rb:96:10:96:18 | call to taint | call to taint | | params_flow.rb:71:10:71:10 | y | params_flow.rb:78:21:78:29 | call to taint | params_flow.rb:71:10:71:10 | y | $@ | params_flow.rb:78:21:78:29 | call to taint | call to taint | +| params_flow.rb:71:10:71:10 | y | params_flow.rb:80:9:80:17 | call to taint | params_flow.rb:71:10:71:10 | y | $@ | params_flow.rb:80:9:80:17 | call to taint | call to taint | | params_flow.rb:71:10:71:10 | y | params_flow.rb:96:21:96:29 | call to taint | params_flow.rb:71:10:71:10 | y | $@ | params_flow.rb:96:21:96:29 | call to taint | call to taint | | params_flow.rb:74:10:74:10 | w | params_flow.rb:78:43:78:51 | call to taint | params_flow.rb:74:10:74:10 | w | $@ | params_flow.rb:78:43:78:51 | call to taint | call to taint | +| params_flow.rb:74:10:74:10 | w | params_flow.rb:80:31:80:39 | call to taint | params_flow.rb:74:10:74:10 | w | $@ | params_flow.rb:80:31:80:39 | call to taint | call to taint | +| params_flow.rb:74:10:74:10 | w | params_flow.rb:96:45:96:53 | call to taint | params_flow.rb:74:10:74:10 | w | $@ | params_flow.rb:96:45:96:53 | call to taint | call to taint | | params_flow.rb:74:10:74:10 | w | params_flow.rb:96:68:96:76 | call to taint | params_flow.rb:74:10:74:10 | w | $@ | params_flow.rb:96:68:96:76 | call to taint | call to taint | | params_flow.rb:75:10:75:10 | r | params_flow.rb:78:54:78:62 | call to taint | params_flow.rb:75:10:75:10 | r | $@ | params_flow.rb:78:54:78:62 | call to taint | call to taint | +| params_flow.rb:75:10:75:10 | r | params_flow.rb:80:42:80:50 | call to taint | params_flow.rb:75:10:75:10 | r | $@ | params_flow.rb:80:42:80:50 | call to taint | call to taint | +| params_flow.rb:75:10:75:10 | r | params_flow.rb:96:56:96:64 | call to taint | params_flow.rb:75:10:75:10 | r | $@ | params_flow.rb:96:56:96:64 | call to taint | call to taint | | params_flow.rb:75:10:75:10 | r | params_flow.rb:96:79:96:87 | call to taint | params_flow.rb:75:10:75:10 | r | $@ | params_flow.rb:96:79:96:87 | call to taint | call to taint | | params_flow.rb:84:10:84:10 | t | params_flow.rb:94:10:94:18 | call to taint | params_flow.rb:84:10:84:10 | t | $@ | params_flow.rb:94:10:94:18 | call to taint | call to taint | | params_flow.rb:84:10:84:10 | t | params_flow.rb:130:9:130:17 | call to taint | params_flow.rb:84:10:84:10 | t | $@ | params_flow.rb:130:9:130:17 | call to taint | call to taint | | params_flow.rb:85:10:85:10 | u | params_flow.rb:94:21:94:29 | call to taint | params_flow.rb:85:10:85:10 | u | $@ | params_flow.rb:94:21:94:29 | call to taint | call to taint | | params_flow.rb:85:10:85:10 | u | params_flow.rb:130:20:130:28 | call to taint | params_flow.rb:85:10:85:10 | u | $@ | params_flow.rb:130:20:130:28 | call to taint | call to taint | | params_flow.rb:85:10:85:10 | u | params_flow.rb:131:17:131:25 | call to taint | params_flow.rb:85:10:85:10 | u | $@ | params_flow.rb:131:17:131:25 | call to taint | call to taint | +| params_flow.rb:86:10:86:10 | v | params_flow.rb:93:9:93:17 | call to taint | params_flow.rb:86:10:86:10 | v | $@ | params_flow.rb:93:9:93:17 | call to taint | call to taint | +| params_flow.rb:87:10:87:10 | w | params_flow.rb:93:20:93:28 | call to taint | params_flow.rb:87:10:87:10 | w | $@ | params_flow.rb:93:20:93:28 | call to taint | call to taint | | params_flow.rb:87:10:87:10 | w | params_flow.rb:94:39:94:47 | call to taint | params_flow.rb:87:10:87:10 | w | $@ | params_flow.rb:94:39:94:47 | call to taint | call to taint | +| params_flow.rb:88:10:88:10 | x | params_flow.rb:93:31:93:39 | call to taint | params_flow.rb:88:10:88:10 | x | $@ | params_flow.rb:93:31:93:39 | call to taint | call to taint | +| params_flow.rb:89:10:89:10 | y | params_flow.rb:93:42:93:50 | call to taint | params_flow.rb:89:10:89:10 | y | $@ | params_flow.rb:93:42:93:50 | call to taint | call to taint | | params_flow.rb:99:10:99:10 | a | params_flow.rb:105:15:105:23 | call to taint | params_flow.rb:99:10:99:10 | a | $@ | params_flow.rb:105:15:105:23 | call to taint | call to taint | | params_flow.rb:99:10:99:10 | a | params_flow.rb:106:15:106:23 | call to taint | params_flow.rb:99:10:99:10 | a | $@ | params_flow.rb:106:15:106:23 | call to taint | call to taint | +| params_flow.rb:102:10:102:10 | b | params_flow.rb:105:39:105:47 | call to taint | params_flow.rb:102:10:102:10 | b | $@ | params_flow.rb:105:39:105:47 | call to taint | call to taint | | params_flow.rb:102:10:102:10 | b | params_flow.rb:106:37:106:45 | call to taint | params_flow.rb:102:10:102:10 | b | $@ | params_flow.rb:106:37:106:45 | call to taint | call to taint | | params_flow.rb:109:10:109:10 | a | params_flow.rb:114:33:114:41 | call to taint | params_flow.rb:109:10:109:10 | a | $@ | params_flow.rb:114:33:114:41 | call to taint | call to taint | | params_flow.rb:110:10:110:13 | ...[...] | params_flow.rb:114:44:114:52 | call to taint | params_flow.rb:110:10:110:13 | ...[...] | $@ | params_flow.rb:114:44:114:52 | call to taint | call to taint | diff --git a/ruby/ql/test/library-tests/dataflow/params/params_flow.rb b/ruby/ql/test/library-tests/dataflow/params/params_flow.rb index 7d664613dea9..b83fa45eb74e 100644 --- a/ruby/ql/test/library-tests/dataflow/params/params_flow.rb +++ b/ruby/ql/test/library-tests/dataflow/params/params_flow.rb @@ -8,7 +8,7 @@ def sink x def positional(p1, p2) sink p1 # $ hasValueFlow=1 $ hasValueFlow=16 $ hasValueFlow=18 $ hasValueFlow=61 - sink p2 # $ hasValueFlow=2 $ hasValueFlow=19 $ hasValueFlow=61 $ MISSING: hasValueFlow=17 + sink p2 # $ hasValueFlow=2 $ hasValueFlow=19 $ hasValueFlow=61 $ hasValueFlow=17 end positional(taint(1), taint(2)) @@ -68,11 +68,11 @@ def splatstuff(*x) def splatmid(x, y, *z, w, r) sink x # $ hasValueFlow=27 $ hasValueFlow=32 $ hasValueFlow=45 - sink y # $ hasValueFlow=28 $ hasValueFlow=46 $ MISSING: hasValueFlow=33 + sink y # $ hasValueFlow=28 $ hasValueFlow=46 $ hasValueFlow=33 sink z[0] # MISSING: $ hasValueFlow=47 $ hasValueFlow=29 $ hasValueFlow=34 sink z[1] # $ MISSING: hasValueFlow=48 $ hasValueFlow=35 - sink w # $ hasValueFlow=30 $ hasValueFlow=50 $ MISSING: hasValueFlow=36 - sink r # $ hasValueFlow=31 $ hasValueFlow=51 $ MISSING: hasValueFlow=37 + sink w # $ hasValueFlow=30 $ hasValueFlow=50 $ MISSING: hasValueFlow=36 $ SPURIOUS: hasValueFlow=35 $ hasValueFlow=48 + sink r # $ hasValueFlow=31 $ hasValueFlow=51 $ MISSING: hasValueFlow=37 $ SPURIOUS: hasValueFlow=36 $ hasValueFlow=49 end splatmid(taint(27), taint(28), taint(29), taint(30), taint(31)) @@ -83,10 +83,10 @@ def splatmid(x, y, *z, w, r) def pos_many(t, u, v, w, x, y, z) sink t # $ hasValueFlow=38 $ hasValueFlow=66 sink u # $ hasValueFlow=39 $ hasValueFlow=67 $ SPURIOUS: hasValueFlow=68 - sink v # $ MISSING: hasValueFlow=40 - sink w # $ MISSING: hasValueFlow=41 $ SPURIOUS: hasValueFlow=44 - sink x # $ MISSING: hasValueFlow=42 - sink y # $ MISSING: hasValueFlow=43 + sink v # $ hasValueFlow=40 + sink w # $ hasValueFlow=41 $ SPURIOUS: hasValueFlow=44 + sink x # $ hasValueFlow=42 + sink y # $ hasValueFlow=43 sink z # $ MISSING: hasValueFlow=44 end @@ -98,8 +98,8 @@ def pos_many(t, u, v, w, x, y, z) def splatmidsmall(a, *splats, b) sink a # $ hasValueFlow=52 $ hasValueFlow=55 sink splats[0] # $ MISSING: hasValueFlow=53 - sink splats[1] # $ MISSING: hasValueFlow=54 - sink b # $ hasValueFlow=57 + sink splats[1] + sink b # $ hasValueFlow=57 $ hasValueFlow=54 end splatmidsmall(taint(52), *[taint(53), taint(54)]) diff --git a/ruby/ql/test/library-tests/dataflow/type-tracker/TypeTracker.expected b/ruby/ql/test/library-tests/dataflow/type-tracker/TypeTracker.expected index 15884246b73e..9f2ed4725f50 100644 --- a/ruby/ql/test/library-tests/dataflow/type-tracker/TypeTracker.expected +++ b/ruby/ql/test/library-tests/dataflow/type-tracker/TypeTracker.expected @@ -7,7 +7,6 @@ track | type_tracker.rb:2:5:5:7 | field= | type tracker without call steps | type_tracker.rb:2:5:5:7 | field= | | type_tracker.rb:2:5:5:7 | self in field= | type tracker with call steps | type_tracker.rb:7:5:9:7 | self in field | | type_tracker.rb:2:5:5:7 | self in field= | type tracker without call steps | type_tracker.rb:2:5:5:7 | self in field= | -| type_tracker.rb:2:5:5:7 | synthetic *args | type tracker without call steps | type_tracker.rb:2:5:5:7 | synthetic *args | | type_tracker.rb:2:16:2:18 | val | type tracker without call steps | type_tracker.rb:2:16:2:18 | val | | type_tracker.rb:2:16:2:18 | val | type tracker without call steps | type_tracker.rb:2:16:2:18 | val | | type_tracker.rb:2:16:2:18 | val | type tracker without call steps | type_tracker.rb:3:14:3:23 | call to field | @@ -58,7 +57,6 @@ track | type_tracker.rb:18:1:21:3 | &block | type tracker without call steps | type_tracker.rb:18:1:21:3 | &block | | type_tracker.rb:18:1:21:3 | positional | type tracker without call steps | type_tracker.rb:18:1:21:3 | positional | | type_tracker.rb:18:1:21:3 | self in positional | type tracker without call steps | type_tracker.rb:18:1:21:3 | self in positional | -| type_tracker.rb:18:1:21:3 | synthetic *args | type tracker without call steps | type_tracker.rb:18:1:21:3 | synthetic *args | | type_tracker.rb:18:16:18:17 | p1 | type tracker without call steps | type_tracker.rb:18:16:18:17 | p1 | | type_tracker.rb:18:16:18:17 | p1 | type tracker without call steps | type_tracker.rb:18:16:18:17 | p1 | | type_tracker.rb:18:16:18:17 | p1 | type tracker without call steps with content element 0 | type_tracker.rb:19:5:19:11 | * | @@ -150,7 +148,6 @@ track | type_tracker.rb:32:26:32:26 | 8 | type tracker without call steps with content element :p1 | type_tracker.rb:32:1:32:27 | ** | | type_tracker.rb:34:1:53:3 | &block | type tracker without call steps | type_tracker.rb:34:1:53:3 | &block | | type_tracker.rb:34:1:53:3 | self in throughArray | type tracker without call steps | type_tracker.rb:34:1:53:3 | self in throughArray | -| type_tracker.rb:34:1:53:3 | synthetic *args | type tracker without call steps | type_tracker.rb:34:1:53:3 | synthetic *args | | type_tracker.rb:34:1:53:3 | throughArray | type tracker without call steps | type_tracker.rb:34:1:53:3 | throughArray | | type_tracker.rb:34:18:34:20 | obj | type tracker without call steps | type_tracker.rb:34:18:34:20 | obj | | type_tracker.rb:34:18:34:20 | obj | type tracker without call steps | type_tracker.rb:34:18:34:20 | obj | @@ -357,7 +354,6 @@ trackEnd | type_tracker.rb:2:5:5:7 | self in field= | type_tracker.rb:7:5:9:7 | self (field) | | type_tracker.rb:2:5:5:7 | self in field= | type_tracker.rb:7:5:9:7 | self in field | | type_tracker.rb:2:5:5:7 | self in field= | type_tracker.rb:8:9:8:14 | self | -| type_tracker.rb:2:5:5:7 | synthetic *args | type_tracker.rb:2:5:5:7 | synthetic *args | | type_tracker.rb:2:16:2:18 | val | type_tracker.rb:2:16:2:18 | val | | type_tracker.rb:2:16:2:18 | val | type_tracker.rb:2:16:2:18 | val | | type_tracker.rb:2:16:2:18 | val | type_tracker.rb:2:16:2:18 | val | @@ -429,7 +425,6 @@ trackEnd | type_tracker.rb:18:1:21:3 | self in positional | type_tracker.rb:18:1:21:3 | self in positional | | type_tracker.rb:18:1:21:3 | self in positional | type_tracker.rb:19:5:19:11 | self | | type_tracker.rb:18:1:21:3 | self in positional | type_tracker.rb:20:5:20:11 | self | -| type_tracker.rb:18:1:21:3 | synthetic *args | type_tracker.rb:18:1:21:3 | synthetic *args | | type_tracker.rb:18:16:18:17 | p1 | type_tracker.rb:18:16:18:17 | p1 | | type_tracker.rb:18:16:18:17 | p1 | type_tracker.rb:18:16:18:17 | p1 | | type_tracker.rb:18:16:18:17 | p1 | type_tracker.rb:18:16:18:17 | p1 | @@ -522,7 +517,6 @@ trackEnd | type_tracker.rb:32:26:32:26 | 8 | type_tracker.rb:32:26:32:26 | 8 | | type_tracker.rb:34:1:53:3 | &block | type_tracker.rb:34:1:53:3 | &block | | type_tracker.rb:34:1:53:3 | self in throughArray | type_tracker.rb:34:1:53:3 | self in throughArray | -| type_tracker.rb:34:1:53:3 | synthetic *args | type_tracker.rb:34:1:53:3 | synthetic *args | | type_tracker.rb:34:1:53:3 | throughArray | type_tracker.rb:34:1:53:3 | throughArray | | type_tracker.rb:34:18:34:20 | obj | type_tracker.rb:34:18:34:20 | obj | | type_tracker.rb:34:18:34:20 | obj | type_tracker.rb:34:18:34:20 | obj |