temp

hvitved · hvitved · commit c085d9fdb4da · 2022-10-14T20:26:48.000+02:00
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll
@@ -1005,23 +1005,20 @@ import OutNodes
 predicate jumpStep(Node pred, Node succ) {
   exists(Ssa::Definition def, BasicBlock bb, int i |
     SsaImpl::captureFlowIn(_, def, bb, i, succ.(SsaDefinitionNode).getDefinition())
-    or
-    SsaImpl::captureFlowOut(_, def, bb, i, succ.(SsaDefinitionNode).getDefinition())
   |
     pred = getSsaRefNode(def, bb, i)
     or
     pred.(PostUpdateNode).getPreUpdateNode() = getSsaRefNode(def, bb, i)
   )
   or
-  // TODO: expectsContent
+  SsaImpl::captureFlowOut(_, pred.(SsaDefinitionNode).getDefinition(),
+    succ.(SsaDefinitionNode).getDefinition())
+  or
   exists(
     Ssa::Definition outer, Ssa::Definition inner, BasicBlock bb1, int i1, BasicBlock bb2, int i2
   |
     SsaImpl::captureFlowOutSideEffects(_, outer, bb1, i1, inner, bb2, i2) and
-    succ = getSsaRefNode(outer, bb1, i1)
-  |
-    pred = getSsaRefNode(inner, bb2, i2)
-    or
+    succ = getSsaRefNode(outer, bb1, i1) and
     pred.(PostUpdateNode).getPreUpdateNode() = getSsaRefNode(inner, bb2, i2)
   )
   or
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/SsaImpl.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/SsaImpl.qll
@@ -297,21 +297,15 @@ private module Cached {
 
   private import codeql.ruby.dataflow.SSA
 
-  pragma[nomagic]
+  pragma[noinline]
   private predicate defReachesExitReadInInnerScope(
-    Definition def, Cfg::BasicBlock bb, int i, LocalVariable v, Cfg::CfgScope scope
+    Definition def, LocalVariable v, Cfg::CfgScope scope
   ) {
-    exists(Cfg::BasicBlock bb2, int i2 |
-      adjacentDefRead(def, bb, i, bb2, i2) and
-      def.getSourceVariable() = pragma[only_bind_into](v) and
-      capturedExitRead(bb2, i2, pragma[only_bind_into](v)) and
-      scope = bb.getScope().getOuterCfgScope*()
-    )
-    or
-    exists(Cfg::BasicBlock bb2, int i2 |
-      defReachesExitReadInInnerScope(def, bb2, i2, v, scope) and
-      adjacentDefRead(def, bb, i, bb2, i2) and
-      SsaInput::variableRead(bb2, i2, v, false)
+    exists(Cfg::BasicBlock bb, int i |
+      ssaDefReachesRead(v, def, bb, i) and
+      capturedExitRead(bb, i, v) and
+      scope = bb.getScope().getOuterCfgScope*() and
+      not def instanceof Ssa::CapturedEntryDefinition
     )
   }
 
@@ -337,13 +331,10 @@ private module Cached {
    * ```
    */
   cached
-  predicate captureFlowOut(
-    CallCfgNode call, Definition def, Cfg::BasicBlock bb, int i, Definition exit
-  ) {
+  predicate captureFlowOut(CallCfgNode call, Definition def, Definition exit) {
     exists(LocalVariable v, Cfg::CfgScope scope |
-      defReachesExitReadInInnerScope(def, bb, i, v, scope) and
-      not SsaInput::variableRead(bb, i, v, false) and
-      hasCapturedExitRead(exit, call, v, scope) // ?
+      defReachesExitReadInInnerScope(def, v, scope) and
+      hasCapturedExitRead(exit, call, v, scope)
     |
       // If the read happens inside a block, we restrict to the call that
       // contains the block
@@ -353,6 +344,50 @@ private module Cached {
     )
   }
 
+  // /**
+  //  * Holds if there is outgoing flow for a captured variable that is updated in a block.
+  //  * ```rb
+  //  * foo = 0
+  //  * bar {
+  //  *   foo += 10
+  //  * }
+  //  * puts foo
+  //  * ```
+  //  */
+  // cached
+  // predicate captureFlowOut(
+  //   CallCfgNode call, Definition def, Cfg::BasicBlock bb, int i, Definition exit
+  // ) {
+  //   exists(LocalVariable v, Cfg::CfgScope scope |
+  //     defReachesExitReadInInnerScope(def, bb, i, v, scope) and
+  //     not SsaInput::variableRead(bb, i, v, false) and
+  //     hasCapturedExitRead(exit, call, v, scope) // ?
+  //   |
+  //     // If the read happens inside a block, we restrict to the call that
+  //     // contains the block
+  //     not scope instanceof Block
+  //     or
+  //     scope = call.getExpr().(MethodCall).getBlock()
+  //   )
+  // }
+  pragma[nomagic]
+  private predicate defReachesExitReadInInnerScope2(
+    Definition def, Cfg::BasicBlock bb, int i, LocalVariable v, Cfg::CfgScope scope
+  ) {
+    exists(Cfg::BasicBlock bb2, int i2 |
+      adjacentDefRead(def, bb, i, bb2, i2) and
+      def.getSourceVariable() = pragma[only_bind_into](v) and
+      capturedExitRead(bb2, i2, pragma[only_bind_into](v)) and
+      scope = bb.getScope().getOuterCfgScope*()
+    )
+    or
+    exists(Cfg::BasicBlock bb2, int i2 |
+      defReachesExitReadInInnerScope2(def, bb2, i2, v, scope) and
+      adjacentDefRead(def, bb, i, bb2, i2) and
+      SsaInput::variableRead(bb2, i2, v, false)
+    )
+  }
+
   pragma[noinline]
   private predicate hasCapturedExitRead2(
     CallCfgNode call, Cfg::BasicBlock bb, int i, LocalVariable v, Cfg::CfgScope scope
@@ -366,7 +401,7 @@ private module Cached {
     Cfg::BasicBlock bb2, int i2, LocalVariable v
   ) {
     exists(Cfg::CfgScope scope |
-      defReachesExitReadInInnerScope(def, bb2, i2, v, scope) and
+      defReachesExitReadInInnerScope2(def, bb2, i2, v, scope) and
       not SsaInput::variableRead(bb2, i2, v, false) and
       hasCapturedExitRead2(call, bb1, i1, v, scope) and
       ssaDefReachesRead(v, exit, bb1, i1)
@@ -380,7 +415,6 @@ private module Cached {
     or
     exists(Cfg::BasicBlock bbMid, int iMid |
       captureFlowOutSideEffects0(call, exit, bbMid, iMid, def, bb2, i2, v) and
-      // defReachesExitReadInInnerScope(def, bb2, i2, v, scope) and
       adjacentDefRead(exit, bbMid, iMid, bb1, i1) and
       SsaInput::variableRead(bbMid, iMid, v, false)
     )
diff --git a/ruby/ql/test/library-tests/dataflow/array-flow/array-flow.expected b/ruby/ql/test/library-tests/dataflow/array-flow/array-flow.expected
@@ -710,16 +710,16 @@ edges
 | array_flow.rb:399:10:399:10 | b [element 2] :  | array_flow.rb:399:10:399:13 | ...[...] |
 | array_flow.rb:403:16:403:25 | call to source :  | array_flow.rb:404:18:404:18 | a [element 2] :  |
 | array_flow.rb:403:16:403:25 | call to source :  | array_flow.rb:404:18:404:18 | a [element 2] :  |
+| array_flow.rb:404:9:406:7 | ... = ... :  | array_flow.rb:407:10:407:10 | x |
+| array_flow.rb:404:9:406:7 | ... = ... :  | array_flow.rb:407:10:407:10 | x |
+| array_flow.rb:404:9:406:7 | __synth__0__1 :  | array_flow.rb:404:9:406:7 | ... = ... :  |
+| array_flow.rb:404:9:406:7 | __synth__0__1 :  | array_flow.rb:404:9:406:7 | ... = ... :  |
 | array_flow.rb:404:9:406:7 | __synth__0__1 :  | array_flow.rb:405:14:405:14 | x |
 | array_flow.rb:404:9:406:7 | __synth__0__1 :  | array_flow.rb:405:14:405:14 | x |
-| array_flow.rb:404:9:406:7 | __synth__0__1 :  | array_flow.rb:405:14:405:14 | x :  |
-| array_flow.rb:404:9:406:7 | __synth__0__1 :  | array_flow.rb:405:14:405:14 | x :  |
 | array_flow.rb:404:18:404:18 | a [element 2] :  | array_flow.rb:404:9:406:7 | __synth__0__1 :  |
 | array_flow.rb:404:18:404:18 | a [element 2] :  | array_flow.rb:404:9:406:7 | __synth__0__1 :  |
 | array_flow.rb:404:18:404:18 | a [element 2] :  | array_flow.rb:408:10:408:10 | b [element 2] :  |
 | array_flow.rb:404:18:404:18 | a [element 2] :  | array_flow.rb:408:10:408:10 | b [element 2] :  |
-| array_flow.rb:405:14:405:14 | x :  | array_flow.rb:407:10:407:10 | x |
-| array_flow.rb:405:14:405:14 | x :  | array_flow.rb:407:10:407:10 | x |
 | array_flow.rb:408:10:408:10 | b [element 2] :  | array_flow.rb:408:10:408:13 | ...[...] |
 | array_flow.rb:408:10:408:10 | b [element 2] :  | array_flow.rb:408:10:408:13 | ...[...] |
 | array_flow.rb:412:16:412:25 | call to source :  | array_flow.rb:413:5:413:5 | a [element 2] :  |
@@ -4230,14 +4230,14 @@ nodes
 | array_flow.rb:399:10:399:13 | ...[...] | semmle.label | ...[...] |
 | array_flow.rb:403:16:403:25 | call to source :  | semmle.label | call to source :  |
 | array_flow.rb:403:16:403:25 | call to source :  | semmle.label | call to source :  |
+| array_flow.rb:404:9:406:7 | ... = ... :  | semmle.label | ... = ... :  |
+| array_flow.rb:404:9:406:7 | ... = ... :  | semmle.label | ... = ... :  |
 | array_flow.rb:404:9:406:7 | __synth__0__1 :  | semmle.label | __synth__0__1 :  |
 | array_flow.rb:404:9:406:7 | __synth__0__1 :  | semmle.label | __synth__0__1 :  |
 | array_flow.rb:404:18:404:18 | a [element 2] :  | semmle.label | a [element 2] :  |
 | array_flow.rb:404:18:404:18 | a [element 2] :  | semmle.label | a [element 2] :  |
 | array_flow.rb:405:14:405:14 | x | semmle.label | x |
 | array_flow.rb:405:14:405:14 | x | semmle.label | x |
-| array_flow.rb:405:14:405:14 | x :  | semmle.label | x :  |
-| array_flow.rb:405:14:405:14 | x :  | semmle.label | x :  |
 | array_flow.rb:407:10:407:10 | x | semmle.label | x |
 | array_flow.rb:407:10:407:10 | x | semmle.label | x |
 | array_flow.rb:408:10:408:10 | b [element 2] :  | semmle.label | b [element 2] :  |
diff --git a/ruby/ql/test/library-tests/dataflow/capture-flow/CaptureFlow.expected b/ruby/ql/test/library-tests/dataflow/capture-flow/CaptureFlow.expected
@@ -20,8 +20,6 @@ edges
 | capture_flow.rb:22:16:22:21 | self [@field] :  | capture_flow.rb:22:16:22:21 | @field :  |
 | capture_flow.rb:27:1:27:3 | [post] foo [@field] :  | capture_flow.rb:29:10:29:12 | foo [@field] :  |
 | capture_flow.rb:27:1:27:3 | [post] foo [@field] :  | capture_flow.rb:29:10:29:12 | foo [@field] :  |
-| capture_flow.rb:27:1:27:3 | [post] foo [@field] :  | capture_flow.rb:30:5:30:7 | foo [@field] :  |
-| capture_flow.rb:27:1:27:3 | [post] foo [@field] :  | capture_flow.rb:30:5:30:7 | foo [@field] :  |
 | capture_flow.rb:27:1:27:3 | [post] foo [@field] :  | capture_flow.rb:33:6:33:8 | foo [@field] :  |
 | capture_flow.rb:27:1:27:3 | [post] foo [@field] :  | capture_flow.rb:33:6:33:8 | foo [@field] :  |
 | capture_flow.rb:27:15:27:22 | call to taint :  | capture_flow.rb:18:19:18:19 | x :  |
@@ -34,8 +32,6 @@ edges
 | capture_flow.rb:29:10:29:12 | foo [@field] :  | capture_flow.rb:29:10:29:22 | call to get_field |
 | capture_flow.rb:30:5:30:7 | [post] foo [@field] :  | capture_flow.rb:33:6:33:8 | foo [@field] :  |
 | capture_flow.rb:30:5:30:7 | [post] foo [@field] :  | capture_flow.rb:33:6:33:8 | foo [@field] :  |
-| capture_flow.rb:30:5:30:7 | foo [@field] :  | capture_flow.rb:33:6:33:8 | foo [@field] :  |
-| capture_flow.rb:30:5:30:7 | foo [@field] :  | capture_flow.rb:33:6:33:8 | foo [@field] :  |
 | capture_flow.rb:30:19:30:26 | call to taint :  | capture_flow.rb:18:19:18:19 | x :  |
 | capture_flow.rb:30:19:30:26 | call to taint :  | capture_flow.rb:18:19:18:19 | x :  |
 | capture_flow.rb:30:19:30:26 | call to taint :  | capture_flow.rb:30:5:30:7 | [post] foo [@field] :  |
@@ -81,8 +77,6 @@ nodes
 | capture_flow.rb:29:10:29:22 | call to get_field | semmle.label | call to get_field |
 | capture_flow.rb:30:5:30:7 | [post] foo [@field] :  | semmle.label | [post] foo [@field] :  |
 | capture_flow.rb:30:5:30:7 | [post] foo [@field] :  | semmle.label | [post] foo [@field] :  |
-| capture_flow.rb:30:5:30:7 | foo [@field] :  | semmle.label | foo [@field] :  |
-| capture_flow.rb:30:5:30:7 | foo [@field] :  | semmle.label | foo [@field] :  |
 | capture_flow.rb:30:19:30:26 | call to taint :  | semmle.label | call to taint :  |
 | capture_flow.rb:30:19:30:26 | call to taint :  | semmle.label | call to taint :  |
 | capture_flow.rb:33:6:33:8 | foo [@field] :  | semmle.label | foo [@field] :  |
diff --git a/ruby/ql/test/library-tests/dataflow/string-flow/string-flow.expected b/ruby/ql/test/library-tests/dataflow/string-flow/string-flow.expected
@@ -211,9 +211,7 @@ edges
 | string_flow.rb:249:5:249:5 | a :  | string_flow.rb:250:26:250:26 | a :  |
 | string_flow.rb:249:16:249:16 | x :  | string_flow.rb:249:24:249:24 | x |
 | string_flow.rb:250:26:250:26 | a :  | string_flow.rb:250:10:250:28 | call to scrub |
-| string_flow.rb:250:26:250:26 | a :  | string_flow.rb:252:10:252:10 | a :  |
 | string_flow.rb:252:10:252:10 | a :  | string_flow.rb:252:10:252:22 | call to scrub! |
-| string_flow.rb:252:10:252:10 | a :  | string_flow.rb:253:21:253:21 | a :  |
 | string_flow.rb:253:21:253:21 | a :  | string_flow.rb:253:10:253:22 | call to scrub! |
 | string_flow.rb:255:9:255:18 | call to source :  | string_flow.rb:256:5:256:5 | a :  |
 | string_flow.rb:256:5:256:5 | a :  | string_flow.rb:256:17:256:17 | x :  |
diff --git a/ruby/ql/test/query-tests/security/cwe-117/LogInjection.expected b/ruby/ql/test/query-tests/security/cwe-117/LogInjection.expected
@@ -4,12 +4,9 @@ edges
 | app/controllers/users_controller.rb:15:19:15:30 | ...[...] :  | app/controllers/users_controller.rb:17:19:17:41 | ... + ... |
 | app/controllers/users_controller.rb:15:19:15:30 | ...[...] :  | app/controllers/users_controller.rb:23:20:23:30 | unsanitized :  |
 | app/controllers/users_controller.rb:23:5:23:44 | ... = ... :  | app/controllers/users_controller.rb:25:7:25:18 | unsanitized2 |
-| app/controllers/users_controller.rb:23:5:23:44 | ... = ... :  | app/controllers/users_controller.rb:25:7:25:18 | unsanitized2 :  |
 | app/controllers/users_controller.rb:23:20:23:30 | unsanitized :  | app/controllers/users_controller.rb:23:20:23:44 | call to sub :  |
 | app/controllers/users_controller.rb:23:20:23:44 | call to sub :  | app/controllers/users_controller.rb:23:5:23:44 | ... = ... :  |
 | app/controllers/users_controller.rb:23:20:23:44 | call to sub :  | app/controllers/users_controller.rb:27:16:27:39 | ... + ... |
-| app/controllers/users_controller.rb:25:7:25:18 | unsanitized2 :  | app/controllers/users_controller.rb:27:28:27:39 | unsanitized2 :  |
-| app/controllers/users_controller.rb:27:28:27:39 | unsanitized2 :  | app/controllers/users_controller.rb:27:16:27:39 | ... + ... |
 | app/controllers/users_controller.rb:33:5:33:31 | ... = ... :  | app/controllers/users_controller.rb:34:33:34:43 | unsanitized |
 | app/controllers/users_controller.rb:33:5:33:31 | ... = ... :  | app/controllers/users_controller.rb:35:33:35:55 | ... + ... |
 | app/controllers/users_controller.rb:33:19:33:25 | call to cookies :  | app/controllers/users_controller.rb:33:19:33:31 | ...[...] :  |
@@ -23,9 +20,7 @@ nodes
 | app/controllers/users_controller.rb:23:20:23:30 | unsanitized :  | semmle.label | unsanitized :  |
 | app/controllers/users_controller.rb:23:20:23:44 | call to sub :  | semmle.label | call to sub :  |
 | app/controllers/users_controller.rb:25:7:25:18 | unsanitized2 | semmle.label | unsanitized2 |
-| app/controllers/users_controller.rb:25:7:25:18 | unsanitized2 :  | semmle.label | unsanitized2 :  |
 | app/controllers/users_controller.rb:27:16:27:39 | ... + ... | semmle.label | ... + ... |
-| app/controllers/users_controller.rb:27:28:27:39 | unsanitized2 :  | semmle.label | unsanitized2 :  |
 | app/controllers/users_controller.rb:33:5:33:31 | ... = ... :  | semmle.label | ... = ... :  |
 | app/controllers/users_controller.rb:33:19:33:25 | call to cookies :  | semmle.label | call to cookies :  |
 | app/controllers/users_controller.rb:33:19:33:31 | ...[...] :  | semmle.label | ...[...] :  |
