Ruby: Restrict summaries and type trackers to relevant contents

asgerf · asgerf · commit 1c4c05810fc9 · 2022-09-28T18:59:23.000+02:00
diff --git a/ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll b/ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll
@@ -12,8 +12,8 @@ private module Cached {
     LevelStep() or
     CallStep() or
     ReturnStep() or
-    StoreStep(TypeTrackerContent content) or
-    LoadStep(TypeTrackerContent content) or
+    StoreStep(TypeTrackerContent content) { basicStoreStep(_, _, content) } or
+    LoadStep(TypeTrackerContent content) { basicLoadStep(_, _, content) } or
     JumpStep()
 
   pragma[nomagic]
@@ -218,7 +218,10 @@ module StepSummary {
   }
 }
 
-private newtype TTypeTracker = MkTypeTracker(Boolean hasCall, OptionalTypeTrackerContent content)
+private newtype TTypeTracker =
+  MkTypeTracker(Boolean hasCall, OptionalTypeTrackerContent content) {
+    content = noContent() or basicStoreStep(_, _, content)
+  }
 
 /**
  * A summary of the steps needed to track a value to a given dataflow node.
@@ -372,7 +375,9 @@ module TypeTracker {
 }
 
 private newtype TTypeBackTracker =
-  MkTypeBackTracker(Boolean hasReturn, OptionalTypeTrackerContent content)
+  MkTypeBackTracker(Boolean hasReturn, OptionalTypeTrackerContent content) {
+    content = noContent() or basicLoadStep(_, _, content)
+  }
 
 /**
  * A summary of the steps needed to back-track a use of a value to a given dataflow node.
diff --git a/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll b/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll
@@ -167,7 +167,7 @@ predicate returnStep(Node nodeFrom, Node nodeTo) {
  * to `z` inside `bar`, even though this content write happens _after_ `bar` is
  * called.
  */
-predicate basicStoreStep(Node nodeFrom, Node nodeTo, TypeTrackerContent contents) {
+predicate basicStoreStep(Node nodeFrom, Node nodeTo, DataFlow::ContentSet contents) {
   postUpdateStoreStep(nodeFrom, nodeTo, contents)
   or
   exists(
@@ -185,7 +185,7 @@ predicate basicStoreStep(Node nodeFrom, Node nodeTo, TypeTrackerContent contents
  * Holds if a store step `nodeFrom -> nodeTo` with `contents` exists, where the destination node
  * is a post-update node that should be treated as a local source node.
  */
-predicate postUpdateStoreStep(Node nodeFrom, Node nodeTo, TypeTrackerContent contents) {
+predicate postUpdateStoreStep(Node nodeFrom, Node nodeTo, DataFlow::ContentSet contents) {
   // TODO: support SetterMethodCall inside TuplePattern
   exists(ExprNodes::MethodCallCfgNode call |
     contents
@@ -202,7 +202,7 @@ predicate postUpdateStoreStep(Node nodeFrom, Node nodeTo, TypeTrackerContent con
 /**
  * Holds if `nodeTo` is the result of accessing the `content` content of `nodeFrom`.
  */
-predicate basicLoadStep(Node nodeFrom, Node nodeTo, TypeTrackerContent contents) {
+predicate basicLoadStep(Node nodeFrom, Node nodeTo, DataFlow::ContentSet contents) {
   exists(ExprNodes::MethodCallCfgNode call |
     call.getExpr().getNumberOfArguments() = 0 and
     contents.isSingleton(DataFlowPublic::Content::getAttributeName(call.getExpr().getMethodName())) and
@@ -231,7 +231,7 @@ class Boolean extends boolean {
 private import SummaryComponentStack
 
 private predicate hasStoreSummary(
-  SummarizedCallable callable, TypeTrackerContent contents, SummaryComponent input,
+  SummarizedCallable callable, DataFlow::ContentSet contents, SummaryComponent input,
   SummaryComponent output
 ) {
   callable
@@ -240,7 +240,7 @@ private predicate hasStoreSummary(
 }
 
 private predicate hasLoadSummary(
-  SummarizedCallable callable, TypeTrackerContent contents, SummaryComponent input,
+  SummarizedCallable callable, DataFlow::ContentSet contents, SummaryComponent input,
   SummaryComponent output
 ) {
   callable
