Ruby: switch to local dataflow when dealing with Kernel/IO

2023-06-19 12:02:39 +02:00 · 2023-06-19 12:02:39 +02:00 · 5b05e72d27
--- a/ruby/ql/lib/codeql/ruby/frameworks/core/Kernel.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/core/Kernel.qll
@ -19,7 +19,8 @@ module Kernel {
   */
  class KernelMethodCall extends DataFlow::CallNode {
    KernelMethodCall() {
-      this = API::getTopLevelMember("Kernel").getAMethodCall(_)
+      // Match Kernel calls using local flow, to avoid finding singleton calls on subclasses
+      this = DataFlow::getConstant("Kernel").getAMethodCall(_)
      or
      this.asExpr().getExpr() instanceof UnknownMethodCall and
      (
--- a/ruby/ql/lib/codeql/ruby/security/KernelOpenQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/KernelOpenQuery.qll
@ -55,7 +55,8 @@ class AmbiguousPathCall extends DataFlow::CallNode {
 }

 private predicate methodCallOnlyOnIO(DataFlow::CallNode node, string methodName) {
-  node = API::getTopLevelMember("IO").getAMethodCall(methodName) and
+  // Use local flow to find calls to 'IO' without subclasses
+  node = DataFlow::getConstant("IO").getAMethodCall(methodName) and
  not node = API::getTopLevelMember("File").getAMethodCall(methodName) // needed in e.g. opal/opal, where some calls have both paths (opal implements an own corelib)
 }