Ruby: Fix Hash#keys flow summary

github · Mar 19, 2024 · 7e479e3 · 7e479e3
1 parent dde148e
commit 7e479e3
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 40 deletions.
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/core/Hash.qll b/ruby/ql/lib/codeql/ruby/frameworks/core/Hash.qll
@@ -530,8 +530,8 @@ private class KeysSummary extends SimpleSummarizedCallable {
   KeysSummary() { this = "keys" }
 
   override predicate propagatesFlow(string input, string output, boolean preservesValue) {
-    input = "Argument[self].Element[any]" and
+    input = "Argument[self]" and
     output = "ReturnValue.Element[?]" and
-    preservesValue = true
+    preservesValue = false
   }
 }
diff --git a/ruby/ql/test/library-tests/dataflow/hash-flow/hash-flow.expected b/ruby/ql/test/library-tests/dataflow/hash-flow/hash-flow.expected
@@ -1089,19 +1089,13 @@ edges
 | hash_flow.rb:994:30:994:40 | call to taint | hash_flow.rb:994:14:994:47 | ...[...] [element :b] | provenance |  |
 | hash_flow.rb:996:14:996:15 | h2 [element :b] | hash_flow.rb:996:14:996:19 | ...[...] | provenance |  |
 | hash_flow.rb:998:14:998:15 | h2 [element :b] | hash_flow.rb:998:14:998:18 | ...[...] | provenance |  |
-| hash_flow.rb:1006:5:1006:5 | [post] h [element] | hash_flow.rb:1007:12:1007:12 | h [element] | provenance |  |
-| hash_flow.rb:1006:14:1006:24 | call to taint | hash_flow.rb:1006:5:1006:5 | [post] h [element] | provenance |  |
-| hash_flow.rb:1007:5:1007:8 | keys [element] | hash_flow.rb:1008:10:1008:13 | keys [element] | provenance |  |
-| hash_flow.rb:1007:12:1007:12 | h [element] | hash_flow.rb:1007:12:1007:17 | call to keys [element] | provenance |  |
-| hash_flow.rb:1007:12:1007:17 | call to keys [element] | hash_flow.rb:1007:5:1007:8 | keys [element] | provenance |  |
-| hash_flow.rb:1008:10:1008:13 | keys [element] | hash_flow.rb:1008:10:1008:17 | ...[...] | provenance |  |
-| hash_flow.rb:1012:5:1012:5 | h [element :a] | hash_flow.rb:1013:5:1013:5 | h [element :a] | provenance |  |
-| hash_flow.rb:1012:9:1012:45 | call to [] [element :a] | hash_flow.rb:1012:5:1012:5 | h [element :a] | provenance |  |
-| hash_flow.rb:1012:14:1012:24 | call to taint | hash_flow.rb:1012:9:1012:45 | call to [] [element :a] | provenance |  |
-| hash_flow.rb:1013:5:1013:5 | h [element :a] | hash_flow.rb:1013:15:1013:15 | k | provenance |  |
-| hash_flow.rb:1013:5:1013:5 | h [element :a] | hash_flow.rb:1013:18:1013:18 | v | provenance |  |
-| hash_flow.rb:1013:15:1013:15 | k | hash_flow.rb:1015:14:1015:14 | k | provenance |  |
-| hash_flow.rb:1013:18:1013:18 | v | hash_flow.rb:1014:14:1014:14 | v | provenance |  |
+| hash_flow.rb:1011:5:1011:5 | h [element :a] | hash_flow.rb:1012:5:1012:5 | h [element :a] | provenance |  |
+| hash_flow.rb:1011:9:1011:45 | call to [] [element :a] | hash_flow.rb:1011:5:1011:5 | h [element :a] | provenance |  |
+| hash_flow.rb:1011:14:1011:24 | call to taint | hash_flow.rb:1011:9:1011:45 | call to [] [element :a] | provenance |  |
+| hash_flow.rb:1012:5:1012:5 | h [element :a] | hash_flow.rb:1012:15:1012:15 | k | provenance |  |
+| hash_flow.rb:1012:5:1012:5 | h [element :a] | hash_flow.rb:1012:18:1012:18 | v | provenance |  |
+| hash_flow.rb:1012:15:1012:15 | k | hash_flow.rb:1014:14:1014:14 | k | provenance |  |
+| hash_flow.rb:1012:18:1012:18 | v | hash_flow.rb:1013:14:1013:14 | v | provenance |  |
 nodes
 | hash_flow.rb:10:5:10:8 | hash [element 0] | semmle.label | hash [element 0] |
 | hash_flow.rb:10:5:10:8 | hash [element :a] | semmle.label | hash [element :a] |
@@ -2264,21 +2258,14 @@ nodes
 | hash_flow.rb:996:14:996:19 | ...[...] | semmle.label | ...[...] |
 | hash_flow.rb:998:14:998:15 | h2 [element :b] | semmle.label | h2 [element :b] |
 | hash_flow.rb:998:14:998:18 | ...[...] | semmle.label | ...[...] |
-| hash_flow.rb:1006:5:1006:5 | [post] h [element] | semmle.label | [post] h [element] |
-| hash_flow.rb:1006:14:1006:24 | call to taint | semmle.label | call to taint |
-| hash_flow.rb:1007:5:1007:8 | keys [element] | semmle.label | keys [element] |
-| hash_flow.rb:1007:12:1007:12 | h [element] | semmle.label | h [element] |
-| hash_flow.rb:1007:12:1007:17 | call to keys [element] | semmle.label | call to keys [element] |
-| hash_flow.rb:1008:10:1008:13 | keys [element] | semmle.label | keys [element] |
-| hash_flow.rb:1008:10:1008:17 | ...[...] | semmle.label | ...[...] |
+| hash_flow.rb:1011:5:1011:5 | h [element :a] | semmle.label | h [element :a] |
+| hash_flow.rb:1011:9:1011:45 | call to [] [element :a] | semmle.label | call to [] [element :a] |
+| hash_flow.rb:1011:14:1011:24 | call to taint | semmle.label | call to taint |
 | hash_flow.rb:1012:5:1012:5 | h [element :a] | semmle.label | h [element :a] |
-| hash_flow.rb:1012:9:1012:45 | call to [] [element :a] | semmle.label | call to [] [element :a] |
-| hash_flow.rb:1012:14:1012:24 | call to taint | semmle.label | call to taint |
-| hash_flow.rb:1013:5:1013:5 | h [element :a] | semmle.label | h [element :a] |
-| hash_flow.rb:1013:15:1013:15 | k | semmle.label | k |
-| hash_flow.rb:1013:18:1013:18 | v | semmle.label | v |
-| hash_flow.rb:1014:14:1014:14 | v | semmle.label | v |
-| hash_flow.rb:1015:14:1015:14 | k | semmle.label | k |
+| hash_flow.rb:1012:15:1012:15 | k | semmle.label | k |
+| hash_flow.rb:1012:18:1012:18 | v | semmle.label | v |
+| hash_flow.rb:1013:14:1013:14 | v | semmle.label | v |
+| hash_flow.rb:1014:14:1014:14 | k | semmle.label | k |
 subpaths
 hashLiteral
 | hash_flow.rb:10:12:21:5 | call to [] |
@@ -2352,8 +2339,7 @@ hashLiteral
 | hash_flow.rb:946:13:950:5 | call to [] |
 | hash_flow.rb:971:9:971:38 | ...[...] |
 | hash_flow.rb:994:14:994:47 | ...[...] |
-| hash_flow.rb:1005:9:1005:10 | call to [] |
-| hash_flow.rb:1012:9:1012:45 | call to [] |
+| hash_flow.rb:1011:9:1011:45 | call to [] |
 #select
 | hash_flow.rb:22:10:22:17 | ...[...] | hash_flow.rb:11:15:11:24 | call to taint | hash_flow.rb:22:10:22:17 | ...[...] | $@ | hash_flow.rb:11:15:11:24 | call to taint | call to taint |
 | hash_flow.rb:24:10:24:17 | ...[...] | hash_flow.rb:13:12:13:21 | call to taint | hash_flow.rb:24:10:24:17 | ...[...] | $@ | hash_flow.rb:13:12:13:21 | call to taint | call to taint |
@@ -2599,6 +2585,5 @@ hashLiteral
 | hash_flow.rb:975:10:975:13 | ...[...] | hash_flow.rb:971:23:971:31 | call to taint | hash_flow.rb:975:10:975:13 | ...[...] | $@ | hash_flow.rb:971:23:971:31 | call to taint | call to taint |
 | hash_flow.rb:996:14:996:19 | ...[...] | hash_flow.rb:994:30:994:40 | call to taint | hash_flow.rb:996:14:996:19 | ...[...] | $@ | hash_flow.rb:994:30:994:40 | call to taint | call to taint |
 | hash_flow.rb:998:14:998:18 | ...[...] | hash_flow.rb:994:30:994:40 | call to taint | hash_flow.rb:998:14:998:18 | ...[...] | $@ | hash_flow.rb:994:30:994:40 | call to taint | call to taint |
-| hash_flow.rb:1008:10:1008:17 | ...[...] | hash_flow.rb:1006:14:1006:24 | call to taint | hash_flow.rb:1008:10:1008:17 | ...[...] | $@ | hash_flow.rb:1006:14:1006:24 | call to taint | call to taint |
-| hash_flow.rb:1014:14:1014:14 | v | hash_flow.rb:1012:14:1012:24 | call to taint | hash_flow.rb:1014:14:1014:14 | v | $@ | hash_flow.rb:1012:14:1012:24 | call to taint | call to taint |
-| hash_flow.rb:1015:14:1015:14 | k | hash_flow.rb:1012:14:1012:24 | call to taint | hash_flow.rb:1015:14:1015:14 | k | $@ | hash_flow.rb:1012:14:1012:24 | call to taint | call to taint |
+| hash_flow.rb:1013:14:1013:14 | v | hash_flow.rb:1011:14:1011:24 | call to taint | hash_flow.rb:1013:14:1013:14 | v | $@ | hash_flow.rb:1011:14:1011:24 | call to taint | call to taint |
+| hash_flow.rb:1014:14:1014:14 | k | hash_flow.rb:1011:14:1011:24 | call to taint | hash_flow.rb:1014:14:1014:14 | k | $@ | hash_flow.rb:1011:14:1011:24 | call to taint | call to taint |
diff --git a/ruby/ql/test/library-tests/dataflow/hash-flow/hash-flow.ql b/ruby/ql/test/library-tests/dataflow/hash-flow/hash-flow.ql
@@ -5,7 +5,7 @@
 import codeql.ruby.AST
 import codeql.ruby.CFG
 import TestUtilities.InlineFlowTest
-import ValueFlowTest<DefaultFlowConfig>
+import DefaultFlowTest
 import ValueFlow::PathGraph
 
 query predicate hashLiteral(CfgNodes::ExprNodes::HashLiteralCfgNode n) { any() }

diff --git a/ruby/ql/test/library-tests/dataflow/hash-flow/hash_flow.rb b/ruby/ql/test/library-tests/dataflow/hash-flow/hash_flow.rb
@@ -59,7 +59,7 @@ def m3()
     x = {a: taint(3.2), b: 1}
     hash2 = Hash[x]
     sink(hash2[:a]) # $ hasValueFlow=3.2
-    sink(hash2[:b])
+    sink(hash2[:b]) # $ hasTaintFlow=3.2
 
     hash3 = Hash[[[:a, taint(3.3)], [:b, 1]]]
     sink(hash3[:a]) # $ hasValueFlow=3.3
@@ -75,7 +75,7 @@ def m3()
 
     hash6 = Hash[{"a" => taint(3.6), "b" => 1}]
     sink(hash6["a"]) # $ hasValueFlow=3.6
-    sink(hash6["b"])
+    sink(hash6["b"]) # $ hasTaintFlow=3.6
 end
 
 m3()
@@ -1002,10 +1002,9 @@ def m54(i)
 M54.new.m54(:b)
 
 def m55
-    h = {}
-    h[f()] = taint(55.1)
+    h = taint(55.1)
     keys = h.keys
-    sink(keys[:a]) # $ hasValueFlow=55.1
+    sink(keys[f()]) # $ hasTaintFlow=55.1
 end
 
 def m56