Ruby: instantiate ApiGraphModels library in Ruby

asgerf · asgerf · commit a33e89279d99 · 2022-03-01T14:08:20.000+01:00
diff --git a/config/identical-files.json b/config/identical-files.json
@@ -508,5 +508,9 @@
     "java/ql/lib/semmle/code/java/dataflow/internal/AccessPathSyntax.qll",
     "javascript/ql/lib/semmle/javascript/frameworks/data/internal/AccessPathSyntax.qll",
     "ruby/ql/lib/codeql/ruby/dataflow/internal/AccessPathSyntax.qll"
+  ],
+  "ApiGraphModels": [
+    "javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll",
+    "ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll"
   ]
 }
diff --git a/ruby/ql/lib/codeql/ruby/ApiGraphs.qll b/ruby/ql/lib/codeql/ruby/ApiGraphs.qll
@@ -266,6 +266,9 @@ module API {
   /** A node corresponding to the method being invoked at a method call. */
   class MethodAccessNode extends Node, Impl::MkMethodAccessNode {
     override string toString() { result = "MethodAccessNode " + tryGetPath(this) }
+
+    /** Gets the call node corresponding to this method access. */
+    DataFlow::CallNode getCallNode() { this = Impl::MkMethodAccessNode(result) }
   }
 
   /** Gets the root node. */
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/FlowSummary.qll b/ruby/ql/lib/codeql/ruby/dataflow/FlowSummary.qll
@@ -2,6 +2,8 @@
 
 import ruby
 import codeql.ruby.DataFlow
+private import codeql.ruby.frameworks.data.ModelsAsData
+private import codeql.ruby.ApiGraphs
 private import internal.FlowSummaryImpl as Impl
 private import internal.DataFlowDispatch
 private import internal.DataFlowPrivate
@@ -165,3 +167,33 @@ private class SummarizedCallableAdapter extends Impl::Public::SummarizedCallable
 }
 
 class RequiredSummaryComponentStack = Impl::Public::RequiredSummaryComponentStack;
+
+private class SummarizedCallableFromModel extends SummarizedCallable {
+  string input;
+  string output;
+  string kind;
+
+  SummarizedCallableFromModel() {
+    ModelOutput::summaryModel(input, output, kind) and
+    this = input + ";" + output + ";" + kind
+  }
+
+  override Call getACall() {
+    exists(API::MethodAccessNode base |
+      ModelOutput::resolvedSummaryBase(base, input, output, kind) and
+      result = base.getCallNode().asExpr().getExpr()
+    )
+  }
+
+  override predicate propagatesFlowExt(string input_, string output_, boolean preservesValue) {
+    input_ = input and
+    output_ = output and
+    (
+      kind = "value" and
+      preservesValue = true
+      or
+      kind = "taint" and
+      preservesValue = false
+    )
+  }
+}
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/data/ModelsAsData.qll b/ruby/ql/lib/codeql/ruby/frameworks/data/ModelsAsData.qll
@@ -0,0 +1,33 @@
+/**
+ * Provides classes for contributing a model, or using the interpreted results
+ * of a model represented as data.
+ *
+ * - Use the `ModelInput` module to contribute new models.
+ * - Use the `ModelOutput` module to access the model results in terms of API nodes.
+ *
+ * The `package` part of a CSV row should be the name of a Ruby gem, or the empty
+ * string if it's referring to the standard library.
+ *
+ * The `type` part can be one of the following:
+ *   - the empty string, referring to the global scope,
+ *   - the string `any`, referring to any expression, or
+ *   - the name of a type definition from `ModelInput::TypeModelCsv`
+ *
+ * The `path` part is a dot
+ */
+
+private import ruby
+private import internal.ApiGraphModels as Shared
+private import internal.ApiGraphModelsSpecific as Specific
+import Shared::ModelInput as ModelInput
+import Shared::ModelOutput as ModelOutput
+private import codeql.ruby.dataflow.RemoteFlowSources
+
+/**
+ * A remote flow source originating from a CSV source row.
+ */
+private class RemoteFlowSourceFromCsv extends RemoteFlowSource::Range {
+  RemoteFlowSourceFromCsv() { this = ModelOutput::getASourceNode("remote").getAnImmediateUse() }
+
+  override string getSourceType() { result = "Remote flow" }
+}
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll b/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModelsSpecific.qll b/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModelsSpecific.qll

Original file line number	Diff line number	Diff line change
`@@ -508,5 +508,9 @@`
`508`	`508`	`"java/ql/lib/semmle/code/java/dataflow/internal/AccessPathSyntax.qll",`
`509`	`509`	`"javascript/ql/lib/semmle/javascript/frameworks/data/internal/AccessPathSyntax.qll",`
`510`	`510`	`"ruby/ql/lib/codeql/ruby/dataflow/internal/AccessPathSyntax.qll"`
	`511`	`+ ],`
	`512`	`+ "ApiGraphModels": [`
	`513`	`+ "javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll",`
	`514`	`+ "ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll"`
`511`	`515`	`]`
`512`	`516`	`}`
Original file line number	Diff line number	Diff line change
`@@ -266,6 +266,9 @@ module API {`
`266`	`266`	`/** A node corresponding to the method being invoked at a method call. */`
`267`	`267`	`class MethodAccessNode extends Node, Impl::MkMethodAccessNode {`
`268`	`268`	`override string toString() { result = "MethodAccessNode " + tryGetPath(this) }`
	`269`	`+`
	`270`	`+ /** Gets the call node corresponding to this method access. */`
	`271`	`+ DataFlow::CallNode getCallNode() { this = Impl::MkMethodAccessNode(result) }`
`269`	`272`	`}`
`270`	`273`
`271`	`274`	`/** Gets the root node. */`