Ruby: include SSA param input step for flowsTo

asgerf · asgerf · commit ff02ba5965cd · 2022-10-31T13:33:41.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll
@@ -327,7 +327,12 @@ private module Cached {
     FlowSummaryImpl::Private::Steps::summaryThroughStepValue(nodeFrom, nodeTo, _)
   }
 
-  /** This is the local flow predicate that is used in type tracking. */
+  /**
+   * This is the local flow predicate that is used in type tracking.
+   *
+   * This needs to exclude `localFlowSsaParamInput` due to a performance trick
+   * in type tracking, where such steps are treated as call steps.
+   */
   cached
   predicate localFlowStepTypeTracker(Node nodeFrom, Node nodeTo) {
     LocalFlow::localFlowStepCommon(nodeFrom, nodeTo)
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPublic.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPublic.qll
@@ -326,9 +326,11 @@ private module Cached {
     source = sink and
     source instanceof LocalSourceNode
     or
-    exists(Node mid |
-      hasLocalSource(mid, source) and
+    exists(Node mid | hasLocalSource(mid, source) |
       localFlowStepTypeTracker(mid, sink)
+      or
+      // Explicitly include the SSA param input step as type-tracking omits this step.
+      LocalFlow::localFlowSsaParamInput(mid, sink)
     )
   }
 

Original file line number	Diff line number	Diff line change
`@@ -326,9 +326,11 @@ private module Cached {`
`326`	`326`	`source = sink and`
`327`	`327`	`source instanceof LocalSourceNode`
`328`	`328`	`or`
`329`		`- exists(Node mid \|`
`330`		`- hasLocalSource(mid, source) and`
	`329`	`+ exists(Node mid \| hasLocalSource(mid, source) \|`
`331`	`330`	`localFlowStepTypeTracker(mid, sink)`
	`331`	`+ or`
	`332`	`+ // Explicitly include the SSA param input step as type-tracking omits this step.`
	`333`	`+ LocalFlow::localFlowSsaParamInput(mid, sink)`
`332`	`334`	`)`
`333`	`335`	`}`
`334`	`336`