temp

Author: hvitved

ruby/ql/lib/codeql/ruby/dataflow/SSA.qll

@@ -178,6 +178,9 @@ module Ssa {
 
     /** Gets the location of this SSA definition. */
     Location getLocation() { result = this.getControlFlowNode().getLocation() }
+
+    /** Gets the scope of this SSA definition. */
+    CfgScope getScope() { result = this.getBasicBlock().getScope() }
   }
 
   /**
@@ -289,7 +292,7 @@ module Ssa {
       )
     }
 
-    final override string toString() { result = "<captured> " + this.getSourceVariable() }
+    final override string toString() { result = "<captured entry> " + this.getSourceVariable() }
 
     override Location getLocation() { result = this.getBasicBlock().getLocation() }
   }
@@ -324,7 +327,7 @@ module Ssa {
      */
     final Definition getPriorDefinition() { result = SsaImpl::uncertainWriteDefinitionInput(this) }
 
-    override string toString() { result = this.getControlFlowNode().toString() }
+    override string toString() { result = "<captured exit> " + this.getSourceVariable() }
   }
 
   /**

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll

@@ -8,10 +8,17 @@ private import FlowSummaryImpl as FlowSummaryImpl
 private import FlowSummaryImplSpecific as FlowSummaryImplSpecific
 private import codeql.ruby.dataflow.FlowSummary
 private import codeql.ruby.dataflow.SSA
+private import codeql.ruby.dataflow.internal.SsaImpl as SsaImpl
 
 newtype TReturnKind =
   TNormalReturnKind() or
-  TBreakReturnKind()
+  TBreakReturnKind() or
+  TCapturedReturnKind(LocalVariable v) {
+    exists(Ssa::Definition def |
+      SsaImpl::captureFlowOut(_, def, _) and
+      v = def.getSourceVariable()
+    )
+  }
 
 /**
  * Gets a node that can read the value returned from `call` with return kind
@@ -43,6 +50,19 @@ class BreakReturnKind extends ReturnKind, TBreakReturnKind {
   override string toString() { result = "break" }
 }
 
+/**
+ * A value implicitly returned from a capturing callable.
+ */
+class CapturedReturnKind extends ReturnKind, TCapturedReturnKind {
+  LocalVariable v;
+
+  CapturedReturnKind() { this = TCapturedReturnKind(v) }
+
+  LocalVariable getVariable() { result = v }
+
+  override string toString() { result = "captured write to " + v }
+}
+
 /** A callable defined in library code, identified by a unique string. */
 abstract class LibraryCallable extends string {
   bindingset[this]
@@ -151,6 +171,28 @@ private class NormalCall extends DataFlowCall, TNormalCall {
   override Location getLocation() { result = c.getLocation() }
 }
 
+class CapturedCall extends DataFlowCall, TCapturedCall {
+  private CfgNodes::ExprNodes::CallCfgNode c;
+
+  CapturedCall() { this = TCapturedCall(c) }
+
+  Callable getTarget() {
+    exists(Ssa::Definition def | result = def.getScope() |
+      SsaImpl::captureFlowIn(c, _, _, _, def)
+      or
+      SsaImpl::captureFlowOut(c, def, _)
+    )
+  }
+
+  override CfgNodes::ExprNodes::CallCfgNode asCall() { none() }
+
+  override DataFlowCallable getEnclosingCallable() { result = TCfgScope(c.getScope()) }
+
+  override string toString() { result = "<captured> " + c.toString() }
+
+  override Location getLocation() { result = c.getLocation() }
+}
+
 /** A call for which we want to compute call targets. */
 private class RelevantCall extends CfgNodes::ExprNodes::CallCfgNode {
   pragma[nomagic]
@@ -341,6 +383,11 @@ private module Cached {
     TNormalCall(CfgNodes::ExprNodes::CallCfgNode c) or
     TSummaryCall(FlowSummaryImpl::Public::SummarizedCallable c, DataFlow::Node receiver) {
       FlowSummaryImpl::Private::summaryCallbackRange(c, receiver)
+    } or
+    TCapturedCall(CfgNodes::ExprNodes::CallCfgNode c) {
+      SsaImpl::captureFlowIn(c, _, _, _, _)
+      or
+      SsaImpl::captureFlowOut(c, _, _)
     }
 
   pragma[nomagic]
@@ -478,6 +525,8 @@ private module Cached {
     result = viableSourceCallable(call)
     or
     result = viableLibraryCallable(call)
+    or
+    result.asCallable() = call.(CapturedCall).getTarget()
   }
 
   cached
@@ -499,7 +548,8 @@ private module Cached {
     THashSplatArgumentPosition() or
     TSplatAllArgumentPosition() or
     TAnyArgumentPosition() or
-    TAnyKeywordArgumentPosition()
+    TAnyKeywordArgumentPosition() or
+    TCapturedArgumentPosition(LocalVariable v)
 
   cached
   newtype TParameterPosition =
@@ -521,7 +571,8 @@ private module Cached {
     THashSplatParameterPosition() or
     TSplatAllParameterPosition() or
     TAnyParameterPosition() or
-    TAnyKeywordParameterPosition()
+    TAnyKeywordParameterPosition() or
+    TCapturedParameterPosition(LocalVariable v)
 }
 
 import Cached
@@ -921,7 +972,7 @@ private predicate paramReturnFlow(
   DataFlow::Node nodeFrom, DataFlow::PostUpdateNode nodeTo, StepSummary summary
 ) {
   exists(RelevantCall call, DataFlow::Node arg, DataFlow::ParameterNode p, Expr nodeFromPreExpr |
-    TypeTrackerSpecific::callStep(call, arg, p) and
+    TypeTrackerSpecific::callStep(TNormalCall(call), arg, p) and
     nodeTo.getPreUpdateNode() = arg and
     summary.toString() = "return" and
     (
@@ -1151,6 +1202,8 @@ class ParameterPosition extends TParameterPosition {
   /** Holds if this position represents any positional parameter. */
   predicate isAnyNamed() { this = TAnyKeywordParameterPosition() }
 
+  predicate isCapturedVariable(LocalVariable v) { this = TCapturedParameterPosition(v) }
+
   /** Gets a textual representation of this position. */
   string toString() {
     this.isSelf() and result = "self"
@@ -1170,6 +1223,8 @@ class ParameterPosition extends TParameterPosition {
     this.isAny() and result = "any"
     or
     this.isAnyNamed() and result = "any-named"
+    or
+    exists(LocalVariable v | this.isCapturedVariable(v) and result = "captured " + v)
   }
 }
 
@@ -1196,6 +1251,8 @@ class ArgumentPosition extends TArgumentPosition {
   /** Holds if this position represents any positional parameter. */
   predicate isAnyNamed() { this = TAnyKeywordArgumentPosition() }
 
+  predicate isCapturedVariable(LocalVariable v) { this = TCapturedArgumentPosition(v) }
+
   /**
    * Holds if this position represents a synthesized argument containing all keyword
    * arguments wrapped in a hash.
@@ -1221,6 +1278,8 @@ class ArgumentPosition extends TArgumentPosition {
     this.isHashSplat() and result = "**"
     or
     this.isSplatAll() and result = "*"
+    or
+    exists(LocalVariable v | this.isCapturedVariable(v) and result = "captured " + v)
   }
 }
 
@@ -1256,4 +1315,6 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) {
   ppos.isAnyNamed() and apos.isKeyword(_)
   or
   apos.isAnyNamed() and ppos.isKeyword(_)
+  or
+  exists(LocalVariable v | apos.isCapturedVariable(v) and ppos.isCapturedVariable(v))
 }