github · hvitved · Aug 18, 2022 · Aug 17, 2022
@@ -207,6 +207,7 @@ private class Argument extends CfgNodes::ExprCfgNode {
 cached
 private module Cached {
   private import TaintTrackingPrivate as TaintTrackingPrivate
+  private import codeql.ruby.typetracking.TypeTrackerSpecific as TypeTrackerSpecific
 
   cached
   newtype TNode =
@@ -332,21 +333,22 @@ private module Cached {
 
   cached
   predicate isLocalSourceNode(Node n) {
-    not n instanceof SynthHashSplatParameterNode and
-    (
-      n instanceof ParameterNode
-      or
-      n instanceof PostUpdateNodes::ExprPostUpdateNode
-      or
-      // Nodes that can't be reached from another entry definition or expression.
-      not reachedFromExprOrEntrySsaDef(n)
-      or
-      // Ensure all entry SSA definitions are local sources -- for parameters, this
-      // is needed by type tracking. Note that when the parameter has a default value,
-      // it will be reachable from an expression (the default value) and therefore
-      // won't be caught by the rule above.
-      entrySsaDefinition(n)
-    )
+    n instanceof ParameterNode and
+    not n instanceof SynthHashSplatParameterNode
+    or
+    // Expressions that can't be reached from another entry definition or expression
+    n instanceof ExprNode and
+    not reachedFromExprOrEntrySsaDef(n)
+    or
+    // Ensure all entry SSA definitions are local sources -- for parameters, this
+    // is needed by type tracking
+    entrySsaDefinition(n)
+    or
+    // Needed for flow out in type tracking
+    n instanceof SynthReturnNode
+    or
+    // Needed for stores in type tracking
+    TypeTrackerSpecific::basicStoreStep(_, n, _)
   }
 
   cached

@@ -104,11 +104,10 @@ predicate allBackslashesEscaped(DataFlow::Node node) {
   allBackslashesEscaped(node.getAPredecessor())
   or
   // general data flow from a (destructive) [g]sub!
-  exists(DataFlow::PostUpdateNode post, StringSubstitutionCall sub |
+  exists(StringSubstitutionCall sub |
     sub.isDestructive() and
     allBackslashesEscaped(sub) and
-    post.getPreUpdateNode() = sub.getReceiver() and
-    post.getASuccessor() = node
+    node.(DataFlow::PostUpdateNode).getPreUpdateNode() = sub.getReceiver()
   )
 }
 
@@ -125,19 +124,18 @@ predicate removesFirstOccurrence(StringSubstitutionCall sub, string str) {
  * call.
  */
 DataFlow::CallNode getAMethodCall(StringSubstitutionCall call) {
-  exists(DataFlow::Node receiver |
-    receiver = result.getReceiver() and
-    (
-      // for a non-destructive string substitution, is there flow from it to the
-      // receiver of another method call?
-      not call.isDestructive() and call.(DataFlow::LocalSourceNode).flowsTo(receiver)
-      or
-      // for a destructive string substitution, is there flow from its
-      // post-update receiver to the receiver of another method call?
-      call.isDestructive() and
-      exists(DataFlow::PostUpdateNode post | post.getPreUpdateNode() = call.getReceiver() |
-        post.(DataFlow::LocalSourceNode).flowsTo(receiver)
-      )
+  exists(DataFlow::Node receiver | receiver = result.getReceiver() |
+    // for a non-destructive string substitution, is there flow from it to the
+    // receiver of another method call?
+    not call.isDestructive() and
+    DataFlow::localFlow(call, receiver)
+    or
+    // for a destructive string substitution, is there flow from its
+    // post-update receiver to the receiver of another method call?
+    call.isDestructive() and
+    exists(DataFlow::PostUpdateNode post |
+      post.getPreUpdateNode() = call.getReceiver() and
+      DataFlow::localFlowStep+(post, receiver)
     )
   )
 }