Skip to content

Ruby: overhaul API graphs #13496

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
asgerf merged 28 commits into from
Jun 28, 2023
Merged

Ruby: overhaul API graphs #13496

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
28 commits
Select commit Hold shift + click to select a range
0110610
Ruby: overhaul API graphs
asgerf Jun 19, 2023
5b05e72
Ruby: switch to local dataflow when dealing with Kernel/IO
asgerf Jun 19, 2023
61cda97
Ruby: rename some call sites
asgerf Jun 19, 2023
2ef010f
Ruby: update GraphQL model
asgerf Jun 19, 2023
b305c13
Ruby: update SQLite3 model
asgerf Jun 19, 2023
f8ae530
Ruby: update Twirp
asgerf Jun 19, 2023
1ae4148
Ruby: Use new features in ActionMailbox model
asgerf Jun 19, 2023
fbfa319
Ruby: use new features in ActionMailer
asgerf Jun 19, 2023
bb3b973
Ruby: use new features in ActionController
asgerf Jun 19, 2023
8bc4193
Ruby: minor overhaul of ActiveRecord model
asgerf Jun 19, 2023
e3a0449
Ruby: minor overhaul of ActiveResource model
asgerf Jun 19, 2023
ce0073b
Ruby: update StoredXSS test results
asgerf Jun 19, 2023
f392af2
Ruby: benign changes to SQLi tests (fixed FNs)
asgerf Jun 19, 2023
8539db0
Ruby: Update ActiveDispatch due to change in toString
asgerf Jun 19, 2023
0039cb1
Merge branch 'main' into rb/tracking-on-demand
asgerf Jun 23, 2023
ef9d910
Update ruby/ql/lib/codeql/ruby/ApiGraphs.qll
asgerf Jun 26, 2023
b61e823
Ruby: clarify qldoc for getADescendentModule
asgerf Jun 26, 2023
f6e2449
Update ruby/ql/lib/codeql/ruby/ApiGraphs.qll
asgerf Jun 26, 2023
174ab25
Ruby: address some review comments
asgerf Jun 28, 2023
67032b5
Ruby: add test for self.class call
asgerf Jun 28, 2023
f171c21
Ruby: remove forwarder for getADescendentModule
asgerf Jun 28, 2023
6feda75
Ruby: preserve comment in SQLite3
asgerf Jun 28, 2023
dd86843
Ruby: add asCallable()
asgerf Jun 28, 2023
423da55
Ruby: use asCallable() in Twirp model
asgerf Jun 28, 2023
129e634
Ruby: expand Twirp test
asgerf Jun 28, 2023
7af3d22
Ruby: simplify Twirp model
asgerf Jun 28, 2023
2f12234
Ruby: add change note
asgerf Jun 28, 2023
39789d4
Ruby: use a valid change note category
asgerf Jun 28, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 41 additions & 4 deletions python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,10 +55,9 @@ private module Cached {
)
}

pragma[nomagic]
private TypeTracker noContentTypeTracker(boolean hasCall) {
result = MkTypeTracker(hasCall, noContent())
}
/** Gets a type tracker with no content and the call bit set to the given value. */
cached
TypeTracker noContentTypeTracker(boolean hasCall) { result = MkTypeTracker(hasCall, noContent()) }

/** Gets the summary resulting from appending `step` to type-tracking summary `tt`. */
cached
Expand Down Expand Up @@ -340,6 +339,8 @@ class StepSummary extends TStepSummary {

/** Provides predicates for updating step summaries (`StepSummary`s). */
module StepSummary {
predicate append = Cached::append/2;

/**
* Gets the summary that corresponds to having taken a forwards
* inter-procedural step from `nodeFrom` to `nodeTo`.
Expand Down Expand Up @@ -400,6 +401,35 @@ module StepSummary {
}

deprecated predicate localSourceStoreStep = flowsToStoreStep/3;

/** Gets the step summary for a level step. */
StepSummary levelStep() { result = LevelStep() }

/** Gets the step summary for a call step. */
StepSummary callStep() { result = CallStep() }

/** Gets the step summary for a return step. */
StepSummary returnStep() { result = ReturnStep() }

/** Gets the step summary for storing into `content`. */
StepSummary storeStep(TypeTrackerContent content) { result = StoreStep(content) }

/** Gets the step summary for loading from `content`. */
StepSummary loadStep(TypeTrackerContent content) { result = LoadStep(content) }

/** Gets the step summary for loading from `load` and then storing into `store`. */
StepSummary loadStoreStep(TypeTrackerContent load, TypeTrackerContent store) {
result = LoadStoreStep(load, store)
}

/** Gets the step summary for a step that only permits contents matched by `filter`. */
StepSummary withContent(ContentFilter filter) { result = WithContent(filter) }

/** Gets the step summary for a step that blocks contents matched by `filter`. */
StepSummary withoutContent(ContentFilter filter) { result = WithoutContent(filter) }

/** Gets the step summary for a jump step. */
StepSummary jumpStep() { result = JumpStep() }
}

/**
Expand Down Expand Up @@ -545,6 +575,13 @@ module TypeTracker {
* Gets a valid end point of type tracking.
*/
TypeTracker end() { result.end() }

/**
* INTERNAL USE ONLY.
*
* Gets a valid end point of type tracking with the call bit set to the given value.
*/
predicate end = Cached::noContentTypeTracker/1;
}

pragma[nomagic]
Expand Down
7 changes: 7 additions & 0 deletions ruby/ql/lib/change-notes/2023-06-28-tracking-on-demand.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
---
category: majorAnalysis
---
* The API graph library (`codeql.ruby.ApiGraphs`) has been significantly improved, with better support for inheritance,
and data-flow nodes can now be converted to API nodes by calling `.track()` or `.backtrack()` on the node.
API graphs allow for efficient modelling of how a given value is used by the code base, or how values produced by the code base
are consumed by a library. See the documentation for `API::Node` for details and examples.
Loading