Model more Faraday behaviour

hmac · hmac · commit 38ff58430708 · 2021-11-19T11:28:09.000Z
You can instantiate a Faraday connection by passing a URL as an keyword argument: conn = Faraday.new(url: "http://example.com")
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Faraday.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Faraday.qll
@@ -11,6 +11,9 @@ private import codeql.ruby.ApiGraphs
  * # connection re-use
  * connection = Faraday.new("http://example.com")
  * connection.get("/").body
+ *
+ * connection = Faraday.new(url: "http://example.com")
+ * connection.get("/").body
  * ```
  */
 class FaradayHttpRequest extends HTTP::Client::Request::Range {
@@ -38,7 +41,8 @@ class FaradayHttpRequest extends HTTP::Client::Request::Range {
 
   override DataFlow::Node getURL() {
     result = requestUse.getArgument(0) or
-    result = connectionUse.(DataFlow::CallNode).getArgument(0)
+    result = connectionUse.(DataFlow::CallNode).getArgument(0) or
+    result = connectionUse.(DataFlow::CallNode).getKeywordArgument("url")
   }
 
   override predicate disablesCertificateValidation(DataFlow::Node disablingNode) {
diff --git a/ruby/ql/test/library-tests/frameworks/http_clients/Faraday.rb b/ruby/ql/test/library-tests/frameworks/http_clients/Faraday.rb
@@ -29,4 +29,8 @@
 resp9.body
 
 resp10 = connection.post("/foo", some: "data")
-resp10.body
+resp10.body
+
+connection = Faraday.new(url: "http://example.com")
+resp11 = connection.get("/")
+resp11.body
diff --git a/ruby/ql/test/library-tests/frameworks/http_clients/HttpClients.expected b/ruby/ql/test/library-tests/frameworks/http_clients/HttpClients.expected
@@ -25,6 +25,9 @@
 | Faraday.rb:28:9:28:27 | call to get | Faraday | Faraday.rb:28:24:28:26 | "/" | Faraday.rb:29:1:29:10 | call to body |
 | Faraday.rb:31:10:31:46 | call to post | Faraday | Faraday.rb:27:26:27:45 | "http://example.com" | Faraday.rb:32:1:32:11 | call to body |
 | Faraday.rb:31:10:31:46 | call to post | Faraday | Faraday.rb:31:26:31:31 | "/foo" | Faraday.rb:32:1:32:11 | call to body |
+| Faraday.rb:35:10:35:28 | call to get | Faraday | Faraday.rb:34:26:34:50 | Pair | Faraday.rb:36:1:36:11 | call to body |
+| Faraday.rb:35:10:35:28 | call to get | Faraday | Faraday.rb:34:31:34:50 | "http://example.com" | Faraday.rb:36:1:36:11 | call to body |
+| Faraday.rb:35:10:35:28 | call to get | Faraday | Faraday.rb:35:25:35:27 | "/" | Faraday.rb:36:1:36:11 | call to body |
 | HttpClient.rb:3:9:3:45 | call to get | HTTPClient | HttpClient.rb:3:24:3:44 | "http://example.com/" | HttpClient.rb:4:1:4:10 | call to body |
 | HttpClient.rb:6:9:6:65 | call to post | HTTPClient | HttpClient.rb:6:25:6:45 | "http://example.com/" | HttpClient.rb:7:1:7:13 | call to content |
 | HttpClient.rb:9:9:9:64 | call to put | HTTPClient | HttpClient.rb:9:24:9:44 | "http://example.com/" | HttpClient.rb:10:1:10:15 | call to http_body |
