Ruby: switch to local dataflow when dealing with Kernel/IO

asgerf · asgerf · commit 5b05e72d2703 · 2023-06-19T12:02:39.000+02:00
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/core/Kernel.qll b/ruby/ql/lib/codeql/ruby/frameworks/core/Kernel.qll
@@ -19,7 +19,8 @@ module Kernel {
    */
   class KernelMethodCall extends DataFlow::CallNode {
     KernelMethodCall() {
-      this = API::getTopLevelMember("Kernel").getAMethodCall(_)
+      // Match Kernel calls using local flow, to avoid finding singleton calls on subclasses
+      this = DataFlow::getConstant("Kernel").getAMethodCall(_)
       or
       this.asExpr().getExpr() instanceof UnknownMethodCall and
       (
diff --git a/ruby/ql/lib/codeql/ruby/security/KernelOpenQuery.qll b/ruby/ql/lib/codeql/ruby/security/KernelOpenQuery.qll
@@ -55,7 +55,8 @@ class AmbiguousPathCall extends DataFlow::CallNode {
 }
 
 private predicate methodCallOnlyOnIO(DataFlow::CallNode node, string methodName) {
-  node = API::getTopLevelMember("IO").getAMethodCall(methodName) and
+  // Use local flow to find calls to 'IO' without subclasses
+  node = DataFlow::getConstant("IO").getAMethodCall(methodName) and
   not node = API::getTopLevelMember("File").getAMethodCall(methodName) // needed in e.g. opal/opal, where some calls have both paths (opal implements an own corelib)
 }
 

Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,8 @@ class AmbiguousPathCall extends DataFlow::CallNode {`
`55`	`55`	`}`
`56`	`56`
`57`	`57`	`private predicate methodCallOnlyOnIO(DataFlow::CallNode node, string methodName) {`
`58`		`- node = API::getTopLevelMember("IO").getAMethodCall(methodName) and`
	`58`	`+ // Use local flow to find calls to 'IO' without subclasses`
	`59`	`+ node = DataFlow::getConstant("IO").getAMethodCall(methodName) and`
`59`	`60`	`not node = API::getTopLevelMember("File").getAMethodCall(methodName) // needed in e.g. opal/opal, where some calls have both paths (opal implements an own corelib)`
`60`	`61`	`}`
`61`	`62`