Ruby

Author: hvitved

ruby/ql/lib/codeql/ruby/ast/Parameter.qll

@@ -134,7 +134,7 @@ class BlockParameter extends NamedParameter, TBlockParameter {
   final override string getName() { result = g.getName().getValue() }
 
   final override LocalVariable getVariable() {
-    result = TLocalVariableReal(_, _, g.getName()) or
+    result.(LocalVariableReal).getDefiningNode() = g.getName() or
     result = TLocalVariableSynth(this, 0)
   }
 
@@ -164,7 +164,7 @@ class HashSplatParameter extends NamedParameter, THashSplatParameter {
   final override string getAPrimaryQlClass() { result = "HashSplatParameter" }
 
   final override LocalVariable getVariable() {
-    result = TLocalVariableReal(_, _, g.getName()) or
+    result.(LocalVariableReal).getDefiningNode() = g.getName() or
     result = TLocalVariableSynth(this, 0)
   }
 
@@ -212,7 +212,9 @@ class KeywordParameter extends NamedParameter, TKeywordParameter {
 
   final override string getAPrimaryQlClass() { result = "KeywordParameter" }
 
-  final override LocalVariable getVariable() { result = TLocalVariableReal(_, _, g.getName()) }
+  final override LocalVariable getVariable() {
+    result.(LocalVariableReal).getDefiningNode() = g.getName()
+  }
 
   /**
    * Gets the default value, i.e. the value assigned to the parameter when one
@@ -262,7 +264,9 @@ class OptionalParameter extends NamedParameter, TOptionalParameter {
    */
   final Expr getDefaultValue() { toGenerated(result) = g.getValue() }
 
-  final override LocalVariable getVariable() { result = TLocalVariableReal(_, _, g.getName()) }
+  final override LocalVariable getVariable() {
+    result.(LocalVariableReal).getDefiningNode() = g.getName()
+  }
 
   final override string toString() { result = this.getName() }
 
@@ -293,7 +297,7 @@ class SplatParameter extends NamedParameter, TSplatParameter {
   final override string getAPrimaryQlClass() { result = "SplatParameter" }
 
   final override LocalVariable getVariable() {
-    result = TLocalVariableReal(_, _, g.getName()) or
+    result.(LocalVariableReal).getDefiningNode() = g.getName() or
     result = TLocalVariableSynth(this, 0)
   }
 

ruby/ql/lib/codeql/ruby/ast/internal/Parameter.qll

@@ -33,7 +33,7 @@ class SimpleParameterRealImpl extends SimpleParameterImpl, TSimpleParameterReal
 
   SimpleParameterRealImpl() { this = TSimpleParameterReal(g) }
 
-  override LocalVariable getVariableImpl() { result = TLocalVariableReal(_, _, g) }
+  override LocalVariable getVariableImpl() { result.(LocalVariableReal).getDefiningNode() = g }
 
   override string getNameImpl() { result = g.getValue() }
 }

ruby/ql/lib/codeql/ruby/ast/internal/Scope.qll

@@ -118,7 +118,7 @@ private Ruby::AstNode specialParentOf(Ruby::AstNode n) {
     ]
 }
 
-private Ruby::AstNode parentOf(Ruby::AstNode n) {
+Ruby::AstNode parentOf(Ruby::AstNode n) {
   n = getHereDocBody(result)
   or
   result = specialParentOf(n).getParent()

ruby/ql/lib/codeql/ruby/ast/internal/Synthesis.qll

@@ -296,9 +296,12 @@ private predicate hasLocation(AstNode n, Location l) {
 private module ImplicitSelfSynthesis {
   pragma[nomagic]
   private predicate identifierMethodCallSelfSynthesis(AstNode mc, int i, Child child) {
-    child = SynthChild(SelfKind(TSelfVariable(scopeOf(toGenerated(mc)).getEnclosingSelfScope()))) and
-    mc = TIdentifierMethodCall(_) and
-    i = 0
+    exists(SelfVariableImpl self |
+      self.getDeclaringScopeImpl() = scopeOf(toGenerated(mc)).getEnclosingSelfScope() and
+      child = SynthChild(SelfKind(self)) and
+      mc = TIdentifierMethodCall(_) and
+      i = 0
+    )
   }
 
   private class IdentifierMethodCallSelfSynthesis extends Synthesis {
@@ -309,13 +312,14 @@ private module ImplicitSelfSynthesis {
 
   pragma[nomagic]
   private predicate regularMethodCallSelfSynthesis(TRegularMethodCall mc, int i, Child child) {
-    exists(Ruby::AstNode g |
+    exists(Ruby::AstNode g, SelfVariableImpl self |
       mc = TRegularMethodCall(g) and
       // If there's no explicit receiver, then the receiver is implicitly `self`.
-      not exists(g.(Ruby::Call).getReceiver())
-    ) and
-    child = SynthChild(SelfKind(TSelfVariable(scopeOf(toGenerated(mc)).getEnclosingSelfScope()))) and
-    i = 0
+      not exists(g.(Ruby::Call).getReceiver()) and
+      self.getDeclaringScopeImpl() = scopeOf(toGenerated(mc)).getEnclosingSelfScope() and
+      child = SynthChild(SelfKind(self)) and
+      i = 0
+    )
   }
 
   private class RegularMethodCallSelfSynthesis extends Synthesis {
@@ -338,9 +342,10 @@ private module ImplicitSelfSynthesis {
    */
   pragma[nomagic]
   private SelfKind getSelfKind(InstanceVariableAccess var) {
-    exists(Ruby::AstNode owner |
+    exists(Ruby::AstNode owner, SelfVariableImpl self |
+      self.getDeclaringScopeImpl() = scopeOf(owner).getEnclosingSelfScope() and
       owner = toGenerated(instanceVarAccessSynthParentStar(var)) and
-      result = SelfKind(TSelfVariable(scopeOf(owner).getEnclosingSelfScope()))
+      result = SelfKind(self)
     )
   }
 

ruby/ql/lib/codeql/ruby/ast/internal/Variable.qll

@@ -2,6 +2,7 @@ overlay[local]
 module;
 
 private import TreeSitter
+private import codeql.namebinding.LocalNameBinding
 private import codeql.ruby.AST
 private import codeql.ruby.CFG
 private import codeql.ruby.ast.internal.AST
@@ -137,11 +138,97 @@ private predicate scopeAssigns(Scope::Range scope, string name, Ruby::AstNode i)
   name = variableNameInScope(i, scope)
 }
 
+private module Input implements LocalNameBindingInputSig<Location> {
+  predicate cacheRevRef() { exists(TVariable v) implies any() }
+
+  class AstNode = Ruby::AstNode;
+
+  AstNode getChild(AstNode parent, int index) {
+    parent = parentOf(result) and
+    (
+      index = result.getParentIndex()
+      or
+      not exists(result.getParentIndex()) and
+      index = -1
+    )
+  }
+
+  class Conditional extends AstNode {
+    Conditional() { none() }
+
+    AstNode getCondition() { none() }
+
+    AstNode getThen() { none() }
+
+    AstNode getElse() { none() }
+  }
+
+  class ShadowingDecl extends AstNode {
+    ShadowingDecl() { none() }
+
+    AstNode getLhs() { none() }
+
+    AstNode getRhs() { none() }
+
+    AstNode getElse() { none() }
+  }
+
+  predicate declInScope(AstNode definingNode, string name, AstNode scope) {
+    scopeDefinesParameterVariable(scope, name, definingNode, _)
+    or
+    definingNode =
+      min(Ruby::AstNode other |
+        scopeAssigns(scope, name, other)
+      |
+        other order by other.getLocation().getStartLine(), other.getLocation().getStartColumn()
+      ) and
+    not scopeDefinesParameterVariable(scope, name, _, _) and
+    not inherits(scope, name, _)
+  }
+
+  predicate implicitDeclInScope(string name, AstNode scope) {
+    name = "self" and
+    scope instanceof SelfBase::Range
+  }
+
+  predicate isTopScope(AstNode scope) {
+    scope instanceof Scope::Range and
+    not (
+      scope instanceof Ruby::Block or
+      scope instanceof Ruby::DoBlock or
+      scope instanceof Ruby::Lambda
+    )
+  }
+
+  predicate accessCand(AstNode n, string name) {
+    name = variableNameInScope(n, _) and
+    (
+      explicitAssignmentNode(n, _)
+      or
+      implicitAssignmentNode(n)
+      or
+      scopeDefinesParameterVariable(_, _, n, _)
+      or
+      vcall(n)
+      // or
+      // n = any(Ruby::VariableReferencePattern vr).getName()
+    )
+    or
+    n instanceof Ruby::Self and
+    name = "self"
+  }
+}
+
+private import LocalNameBinding<Location, Input>
+
 cached
 private module Cached {
   cached
   newtype TVariable =
-    TGlobalVariable(string name) { name = any(Ruby::GlobalVariable var).getValue() } or
+    TGlobalVariable(string name) {
+      CachedStage::ref() and
+      name = any(Ruby::GlobalVariable var).getValue()
+    } or
     TClassVariable(Scope::Range scope, string name, Ruby::AstNode decl) {
       decl =
         min(Ruby::ClassVariable other |
@@ -158,19 +245,7 @@ private module Cached {
           other order by other.getLocation().getStartLine(), other.getLocation().getStartColumn()
         )
     } or
-    TLocalVariableReal(Scope::Range scope, string name, Ruby::AstNode i) {
-      scopeDefinesParameterVariable(scope, name, i, _)
-      or
-      i =
-        min(Ruby::AstNode other |
-          scopeAssigns(scope, name, other)
-        |
-          other order by other.getLocation().getStartLine(), other.getLocation().getStartColumn()
-        ) and
-      not scopeDefinesParameterVariable(scope, name, _, _) and
-      not inherits(scope, name, _)
-    } or
-    TSelfVariable(SelfBase::Range scope) or
+    TLocalVariableReal(Local l) or
     TLocalVariableSynth(AstNode n, int i) { any(Synthesis s).localVariable(n, i) }
 
   // Db types that can be vcalls
@@ -321,39 +396,20 @@ private module Cached {
     i = any(Ruby::ExpressionReferencePattern x).getValue()
   }
 
-  pragma[nomagic]
-  private predicate hasScopeAndName(VariableReal variable, Scope::Range scope, string name) {
-    variable.getNameImpl() = name and
-    scope = variable.getDeclaringScopeImpl()
-  }
-
   cached
   predicate access(Ruby::AstNode access, VariableReal variable) {
-    exists(string name, Scope::Range scope |
-      pragma[only_bind_into](name) = variableNameInScope(access, scope)
-    |
-      hasScopeAndName(variable, scope, name) and
-      not access.getLocation().strictlyBefore(variable.getLocationImpl()) and
-      // In case of overlapping parameter names, later parameters should not
-      // be considered accesses to the first parameter
-      if parameterAssignment(_, _, access, _)
-      then scopeDefinesParameterVariable(_, _, access, _)
-      else any()
-      or
-      exists(Scope::Range declScope |
-        hasScopeAndName(variable, declScope, pragma[only_bind_into](name)) and
-        inherits(scope, name, declScope)
-      )
+    exists(Local l | variable = TLocalVariableReal(l) |
+      access = l.getAnAccess() and
+      not access.getLocation().strictlyBefore(l.getDefiningNode().getLocation())
     )
   }
 
   private class Access extends Ruby::Token {
     Access() {
-      access(this.(Ruby::Identifier), _) or
+      access(this, _) or
       this instanceof Ruby::GlobalVariable or
       this instanceof Ruby::InstanceVariable or
-      this instanceof Ruby::ClassVariable or
-      this instanceof Ruby::Self
+      this instanceof Ruby::ClassVariable
     }
   }
 
@@ -429,10 +485,9 @@ abstract class VariableImpl extends TVariable {
   abstract Location getLocationImpl();
 }
 
-class TVariableReal =
-  TGlobalVariable or TClassVariable or TInstanceVariable or TLocalVariableReal or TSelfVariable;
+class TVariableReal = TGlobalVariable or TClassVariable or TInstanceVariable or TLocalVariableReal;
 
-class TLocalVariable = TLocalVariableReal or TLocalVariableSynth or TSelfVariable;
+class TLocalVariable = TLocalVariableReal or TLocalVariableSynth;
 
 /**
  * A "real" (i.e. non-synthesized) variable. This class only exists to
@@ -458,19 +513,19 @@ private class VariableRealAdapter extends VariableImpl, TVariableReal instanceof
 }
 
 class LocalVariableReal extends VariableReal, TLocalVariableReal {
-  private Scope::Range scope;
-  private string name;
-  private Ruby::AstNode i;
+  private Local l;
 
-  LocalVariableReal() { this = TLocalVariableReal(scope, name, i) }
+  LocalVariableReal() { this = TLocalVariableReal(l) }
 
-  final override string getNameImpl() { result = name }
+  Ruby::AstNode getDefiningNode() { result = l.getDefiningNode() }
 
-  final override Location getLocationImpl() { result = i.getLocation() }
+  final override string getNameImpl() { result = l.getName() }
 
-  final override Scope::Range getDeclaringScopeImpl() { result = scope }
+  final override Location getLocationImpl() { result = l.getLocation() }
+
+  final override Scope::Range getDeclaringScopeImpl() { result = l.getScope() }
 
-  final VariableAccess getDefiningAccessImpl() { toGenerated(result) = i }
+  final VariableAccess getDefiningAccessImpl() { toGenerated(result) = l.getDefiningNode() }
 }
 
 class LocalVariableSynth extends VariableImpl, TLocalVariableSynth {
@@ -531,32 +586,18 @@ class ClassVariableImpl extends VariableReal, TClassVariable {
   final override Scope::Range getDeclaringScopeImpl() { result = scope }
 }
 
-class SelfVariableImpl extends VariableReal, TSelfVariable {
-  private SelfBase::Range scope;
-
-  SelfVariableImpl() { this = TSelfVariable(scope) }
+class SelfVariableImpl extends LocalVariableReal {
+  private ImplicitLocal l;
 
-  final override string getNameImpl() { result = "self" }
-
-  final override Location getLocationImpl() { result = scope.getLocation() }
-
-  final override Scope::Range getDeclaringScopeImpl() { result = scope }
+  SelfVariableImpl() { this = TLocalVariableReal(l) }
 }
 
 abstract class VariableAccessImpl extends Expr, TVariableAccess {
   abstract VariableImpl getVariableImpl();
 }
 
 module LocalVariableAccess {
-  predicate range(Ruby::Identifier id, TLocalVariableReal v) {
-    access(id, v) and
-    (
-      explicitWriteAccess(id, _) or
-      implicitWriteAccess(id) or
-      vcall(id) or
-      id = any(Ruby::VariableReferencePattern vr).getName()
-    )
-  }
+  predicate range(Ruby::AstNode n, TLocalVariableReal v) { access(n, v) }
 }
 
 class TVariableAccessReal =
@@ -681,7 +722,8 @@ private class SelfVariableAccessReal extends SelfVariableAccessImpl, TSelfReal {
 
   SelfVariableAccessReal() {
     exists(Ruby::Self self |
-      this = TSelfReal(self) and var = TSelfVariable(scopeOf(self).getEnclosingSelfScope())
+      this = TSelfReal(self) and
+      LocalVariableAccess::range(self, var)
     )
   }
 

ruby/ql/lib/qlpack.yml

@@ -14,6 +14,7 @@ dependencies:
   codeql/ssa: ${workspace}
   codeql/tutorial: ${workspace}
   codeql/util: ${workspace}
+  codeql/namebinding: ${workspace}
 dataExtensions:
   - codeql/ruby/frameworks/**/model.yml
   - codeql/ruby/frameworks/**/*.model.yml