Skip to content

Ruby: summarize unary splat operators and add local field step#10685

Merged
asgerf merged 5 commits intogithub:mainfrom
asgerf:rb/splat-and-local-field-step
Oct 11, 2022
Merged

Ruby: summarize unary splat operators and add local field step#10685
asgerf merged 5 commits intogithub:mainfrom
asgerf:rb/splat-and-local-field-step

Conversation

@asgerf
Copy link
Contributor

@asgerf asgerf commented Oct 4, 2022

Adds the local field step to type-tracking, such that any write to an instance variable can flow to a read.

class Foo
  def foo(x)
    @field = Bar.new
  end
  def bar
    @field # 'Bar.new' flows here
  end
end

For the time being it doesn't take inheritance into account.

This initially caused a regression in opal. Investigating it I noticed some dubious API graph edges, and concluded that we should not propagate use/def nodes through self-argument passing.

I wonder if we should remove self-argument passing from type-tracking altogether, since some parts of the call-graph construction also block this. But tracking of singleton methods still relies on self-argument passing so I didn't go that far in this PR, and just blocked it directly in API graphs instead.

Also marks the unary * operator as a simple callable.

Evaluation shows

  • 39k new call edges
  • Lost some taint sinks and sources inside the source code of libraries for which we have a model. AFAICT a model would find a use of a class which then flows into self in one of its methods, and then starts flagging up sinks inside the class. If we want to flag these sinks, the better solution is to directly treat self in the class as uses of it, and not rely on finding a call site. I don't believe we currently lose any sources/sinks in clients of these libraries.
  • Gained a few taint sinks and sources which seem legit.
  • Gained a new cleartext-storage alert due to the new call edges. It seems to be a FP due to HashLiteralPasswordSource treating an entire hash literal as a source, but where the value being read in the end isn't the key containing the password

@asgerf asgerf force-pushed the rb/splat-and-local-field-step branch from 029ee3a to d5c9d96 Compare October 5, 2022 17:39
@github-actions github-actions bot removed the Python label Oct 5, 2022
@asgerf asgerf force-pushed the rb/splat-and-local-field-step branch 3 times, most recently from 5f8ae4b to a583672 Compare October 10, 2022 12:49
@asgerf asgerf force-pushed the rb/splat-and-local-field-step branch from 1a52427 to b6e07c0 Compare October 11, 2022 07:04
@asgerf asgerf marked this pull request as ready for review October 11, 2022 07:49
@asgerf asgerf requested a review from a team as a code owner October 11, 2022 07:49
@asgerf asgerf added the no-change-note-required This PR does not need a change note label Oct 11, 2022
Copy link
Contributor

@hvitved hvitved left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@asgerf asgerf merged commit 02656b1 into github:main Oct 11, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

no-change-note-required This PR does not need a change note Ruby

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants