Ruby: support splat type-tracking step

asgerf · asgerf · commit d55925d8d4cf · 2022-10-11T09:03:51.000+02:00
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/Core.qll b/ruby/ql/lib/codeql/ruby/frameworks/Core.qll
@@ -58,7 +58,7 @@ class SubshellHeredocExecution extends SystemCommandExecution::Range {
 private class SplatSummary extends SummarizedCallable {
   SplatSummary() { this = "*(splat)" }
 
-  override SplatExpr getACall() { any() }
+  override SplatExpr getACallSimple() { any() }
 
   override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
     (
diff --git a/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll b/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll
@@ -325,9 +325,18 @@ private predicate hasStoreSummary(
   SummarizedCallable callable, DataFlow::ContentSet contents, SummaryComponentStack input,
   SummaryComponentStack output
 ) {
-  callable.propagatesFlow(input, push(SummaryComponent::content(contents), output), true) and
   not isNonLocal(input.head()) and
-  not isNonLocal(output.head())
+  not isNonLocal(output.head()) and
+  (
+    callable.propagatesFlow(input, push(SummaryComponent::content(contents), output), true)
+    or
+    // Allow the input to start with an arbitrary WithoutContent[X].
+    // Since type-tracking only tracks one content deep, and we're about to store into another content,
+    // we're already preventing the input from being in a content.
+    callable
+        .propagatesFlow(push(SummaryComponent::withoutContent(_), input),
+          push(SummaryComponent::content(contents), output), true)
+  )
 }
 
 pragma[nomagic]
@@ -460,6 +469,9 @@ private predicate dependsOnSummaryComponentStack(
     callable.propagatesFlow(stack, _, true)
     or
     callable.propagatesFlow(_, stack, true)
+    or
+    // include store summaries as they may skip an initial step at the input
+    hasStoreSummary(callable, _, stack, _)
   )
   or
   dependsOnSummaryComponentStackCons(callable, _, stack)
diff --git a/ruby/ql/test/library-tests/dataflow/array-flow/type-tracking-array-flow.expected b/ruby/ql/test/library-tests/dataflow/array-flow/type-tracking-array-flow.expected
@@ -1,6 +1,3 @@
-| array_flow.rb:3:16:3:35 | # $ hasValueFlow=0.1 | Missing result:hasValueFlow=0.1 |
-| array_flow.rb:5:16:5:35 | # $ hasValueFlow=0.1 | Missing result:hasValueFlow=0.1 |
-| array_flow.rb:83:13:83:30 | # $ hasValueFlow=9 | Missing result:hasValueFlow=9 |
 | array_flow.rb:107:10:107:13 | ...[...] | Unexpected result: hasValueFlow=11.2 |
 | array_flow.rb:179:28:179:46 | # $ hasValueFlow=19 | Missing result:hasValueFlow=19 |
 | array_flow.rb:180:28:180:46 | # $ hasValueFlow=19 | Missing result:hasValueFlow=19 |

Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,7 @@ class SubshellHeredocExecution extends SystemCommandExecution::Range {`
`58`	`58`	`private class SplatSummary extends SummarizedCallable {`
`59`	`59`	`SplatSummary() { this = "*(splat)" }`
`60`	`60`
`61`		`- override SplatExpr getACall() { any() }`
	`61`	`+ override SplatExpr getACallSimple() { any() }`
`62`	`62`
`63`	`63`	`override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {`
`64`	`64`	`(`