Ruby: Add alert provenance plumbing.

Author: aschackmull

ruby/ql/lib/codeql/ruby/dataflow/FlowSummary.qll

@@ -32,9 +32,22 @@ abstract class SummarizedCallable extends LibraryCallable, Impl::Public::Summari
    * DEPRECATED: Use `propagatesFlow` instead.
    */
   deprecated predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
-    this.propagatesFlow(input, output, preservesValue)
+    this.propagatesFlow(input, output, preservesValue, _)
   }
 
+  override predicate propagatesFlow(
+    string input, string output, boolean preservesValue, string model
+  ) {
+    this.propagatesFlow(input, output, preservesValue) and model = ""
+  }
+
+  /**
+   * Holds if data may flow from `input` to `output` through this callable.
+   *
+   * `preservesValue` indicates whether this is a value-preserving step or a taint-step.
+   */
+  predicate propagatesFlow(string input, string output, boolean preservesValue) { none() }
+
   /**
    * Gets the synthesized parameter that results from an input specification
    * that starts with `Argument[s]` for this library callable.
@@ -100,7 +113,9 @@ private module LibraryCallbackSummaries {
       libraryCallHasLambdaArg(result.getAControlFlowNode(), _)
     }
 
-    override predicate propagatesFlow(string input, string output, boolean preservesValue) {
+    override predicate propagatesFlow(
+      string input, string output, boolean preservesValue, string model
+    ) {
       (
         input = "Argument[block]" and
         output = "Argument[block].Parameter[lambda-self]"
@@ -111,7 +126,8 @@ private module LibraryCallbackSummaries {
           output = "Argument[" + i + "].Parameter[lambda-self]"
         )
       ) and
-      preservesValue = true
+      preservesValue = true and
+      model = "heuristic-callback"
     }
   }
 }

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll

@@ -237,10 +237,11 @@ module LocalFlow {
   }
 
   predicate flowSummaryLocalStep(
-    FlowSummaryNode nodeFrom, FlowSummaryNode nodeTo, FlowSummaryImpl::Public::SummarizedCallable c
+    FlowSummaryNode nodeFrom, FlowSummaryNode nodeTo, FlowSummaryImpl::Public::SummarizedCallable c,
+    string model
   ) {
     FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom.getSummaryNode(),
-      nodeTo.getSummaryNode(), true) and
+      nodeTo.getSummaryNode(), true, model) and
     c = nodeFrom.getSummarizedCallable()
   }
 
@@ -264,7 +265,7 @@ module LocalFlow {
     node1 =
       unique(FlowSummaryNode n1 |
         FlowSummaryImpl::Private::Steps::summaryLocalStep(n1.getSummaryNode(),
-          node2.(FlowSummaryNode).getSummaryNode(), true)
+          node2.(FlowSummaryNode).getSummaryNode(), true, _)
       )
   }
 }
@@ -596,25 +597,28 @@ private module Cached {
    * data flow.
    */
   cached
-  predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
-    LocalFlow::localFlowStepCommon(nodeFrom, nodeTo)
-    or
-    exists(SsaImpl::DefinitionExt def |
-      // captured variables are handled by the shared `VariableCapture` library
-      not def instanceof VariableCapture::CapturedSsaDefinitionExt
-    |
-      LocalFlow::localSsaFlowStep(def, nodeFrom, nodeTo)
+  predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo, string model) {
+    (
+      LocalFlow::localFlowStepCommon(nodeFrom, nodeTo)
       or
-      LocalFlow::localSsaFlowStepUseUse(def, nodeFrom, nodeTo) and
-      not FlowSummaryImpl::Private::Steps::prohibitsUseUseFlow(nodeFrom, _)
+      exists(SsaImpl::DefinitionExt def |
+        // captured variables are handled by the shared `VariableCapture` library
+        not def instanceof VariableCapture::CapturedSsaDefinitionExt
+      |
+        LocalFlow::localSsaFlowStep(def, nodeFrom, nodeTo)
+        or
+        LocalFlow::localSsaFlowStepUseUse(def, nodeFrom, nodeTo) and
+        not FlowSummaryImpl::Private::Steps::prohibitsUseUseFlow(nodeFrom, _)
+        or
+        LocalFlow::localFlowSsaInputFromRead(def, nodeFrom, nodeTo) and
+        not FlowSummaryImpl::Private::Steps::prohibitsUseUseFlow(nodeFrom, _)
+      )
       or
-      LocalFlow::localFlowSsaInputFromRead(def, nodeFrom, nodeTo) and
-      not FlowSummaryImpl::Private::Steps::prohibitsUseUseFlow(nodeFrom, _)
-    )
+      VariableCapture::valueStep(nodeFrom, nodeTo)
+    ) and
+    model = ""
     or
-    LocalFlow::flowSummaryLocalStep(nodeFrom, nodeTo, _)
-    or
-    VariableCapture::valueStep(nodeFrom, nodeTo)
+    LocalFlow::flowSummaryLocalStep(nodeFrom, nodeTo, _, model)
   }
 
   /** This is the local flow predicate that is exposed. */
@@ -646,7 +650,8 @@ private module Cached {
     or
     VariableCapture::flowInsensitiveStep(nodeFrom, nodeTo)
     or
-    LocalFlow::flowSummaryLocalStep(nodeFrom, nodeTo, any(LibraryCallableToIncludeInTypeTracking c))
+    LocalFlow::flowSummaryLocalStep(nodeFrom, nodeTo, any(LibraryCallableToIncludeInTypeTracking c),
+      _)
   }
 
   /** Holds if `n` wraps an SSA definition without ingoing flow. */
@@ -742,7 +747,7 @@ private module Cached {
       // external model data. This, unfortunately, does not included any field names used
       // in models defined in QL code.
       exists(string input, string output |
-        ModelOutput::relevantSummaryModel(_, _, input, output, _)
+        ModelOutput::relevantSummaryModel(_, _, input, output, _, _)
       |
         name = [input, output].regexpFind("(?<=(^|\\.)Field\\[)[^\\]]+(?=\\])", _, _).trim()
       )
@@ -2178,6 +2183,14 @@ predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
 /** Extra data-flow steps needed for lambda flow analysis. */
 predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) { none() }
 
+predicate knownSourceModel(Node source, string model) {
+  source = ModelOutput::getASourceNode(_, model).asSource()
+}
+
+predicate knownSinkModel(Node sink, string model) {
+  sink = ModelOutput::getASinkNode(_, model).asSink()
+}
+
 /**
  * Holds if flow is allowed to pass from parameter `p` and back to itself as a
  * side-effect, resulting in a summary from `p` to itself.

ruby/ql/lib/codeql/ruby/dataflow/internal/TaintTrackingPrivate.qll

@@ -77,38 +77,41 @@ private module Cached {
    * in all global taint flow configurations.
    */
   cached
-  predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    // value of `case` expression into variables in patterns
-    exists(
-      CfgNodes::ExprNodes::CaseExprCfgNode case, CfgNodes::ExprCfgNode value,
-      CfgNodes::ExprNodes::InClauseCfgNode clause, Ssa::Definition def
-    |
-      nodeFrom.asExpr() = value and
-      value = case.getValue() and
-      clause = case.getBranch(_) and
-      def = nodeTo.(SsaDefinitionExtNode).getDefinitionExt() and
-      def.getControlFlowNode() = variablesInPattern(clause.getPattern()) and
-      not LocalFlow::ssaDefAssigns(def, value)
-    )
-    or
-    // operation involving `nodeFrom`
-    exists(CfgNodes::ExprNodes::OperationCfgNode op |
-      op = nodeTo.asExpr() and
-      op.getAnOperand() = nodeFrom.asExpr() and
-      not op.getExpr() =
-        any(Expr e |
-          // included in normal data-flow
-          e instanceof AssignExpr or
-          e instanceof BinaryLogicalOperation or
-          // has flow summary
-          e instanceof SplatExpr
-        )
-    )
+  predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo, string model) {
+    (
+      // value of `case` expression into variables in patterns
+      exists(
+        CfgNodes::ExprNodes::CaseExprCfgNode case, CfgNodes::ExprCfgNode value,
+        CfgNodes::ExprNodes::InClauseCfgNode clause, Ssa::Definition def
+      |
+        nodeFrom.asExpr() = value and
+        value = case.getValue() and
+        clause = case.getBranch(_) and
+        def = nodeTo.(SsaDefinitionExtNode).getDefinitionExt() and
+        def.getControlFlowNode() = variablesInPattern(clause.getPattern()) and
+        not LocalFlow::ssaDefAssigns(def, value)
+      )
+      or
+      // operation involving `nodeFrom`
+      exists(CfgNodes::ExprNodes::OperationCfgNode op |
+        op = nodeTo.asExpr() and
+        op.getAnOperand() = nodeFrom.asExpr() and
+        not op.getExpr() =
+          any(Expr e |
+            // included in normal data-flow
+            e instanceof AssignExpr or
+            e instanceof BinaryLogicalOperation or
+            // has flow summary
+            e instanceof SplatExpr
+          )
+      )
+    ) and
+    model = ""
     or
     FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom.(FlowSummaryNode).getSummaryNode(),
-      nodeTo.(FlowSummaryNode).getSummaryNode(), false)
+      nodeTo.(FlowSummaryNode).getSummaryNode(), false, model)
     or
-    any(FlowSteps::AdditionalTaintStep s).step(nodeFrom, nodeTo)
+    any(FlowSteps::AdditionalTaintStep s).step(nodeFrom, nodeTo) and model = "AdditionalTaintStep"
     or
     // Although flow through collections is modeled precisely using stores/reads, we still
     // allow flow out of a _tainted_ collection. This is needed in order to support taint-
@@ -119,7 +122,8 @@ private module Cached {
       c.isKnownOrUnknownElement(_)
       or
       c.isAnyElement()
-    )
+    ) and
+    model = ""
   }
 
   cached
@@ -136,7 +140,7 @@ private module Cached {
   cached
   predicate localTaintStepCached(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     DataFlow::localFlowStep(nodeFrom, nodeTo) or
-    defaultAdditionalTaintStep(nodeFrom, nodeTo) or
+    defaultAdditionalTaintStep(nodeFrom, nodeTo, _) or
     // Simple flow through library code is included in the exposed local
     // step relation, even though flow is technically inter-procedural
     summaryThroughStepTaint(nodeFrom, nodeTo, _)

ruby/ql/lib/codeql/ruby/frameworks/data/ModelsAsData.qll

@@ -37,7 +37,7 @@ private class SummarizedCallableFromModel extends SummarizedCallable {
   string path;
 
   SummarizedCallableFromModel() {
-    ModelOutput::relevantSummaryModel(type, path, _, _, _) and
+    ModelOutput::relevantSummaryModel(type, path, _, _, _, _) and
     this = type + ";" + path
   }
 
@@ -48,8 +48,10 @@ private class SummarizedCallableFromModel extends SummarizedCallable {
     )
   }
 
-  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
-    exists(string kind | ModelOutput::relevantSummaryModel(type, path, input, output, kind) |
+  override predicate propagatesFlow(
+    string input, string output, boolean preservesValue, string model
+  ) {
+    exists(string kind | ModelOutput::relevantSummaryModel(type, path, input, output, kind, model) |
       kind = "value" and
       preservesValue = true
       or