Ruby: SimpleParameter is not an Expr

aibaars · aibaars · commit cdbd8b27d347 · 2021-12-16T15:38:40.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/ast/Erb.qll b/ruby/ql/lib/codeql/ruby/ast/Erb.qll
@@ -159,7 +159,7 @@ class ErbDirective extends TDirectiveNode, ErbAstNode {
    */
   Stmt getAChildStmt() {
     this.containsStmtStart(result) and
-    not this.containsStmtStart(result.getParent())
+    not this.containsStmtStart(parent*(result).getParent())
   }
 
   /**
@@ -183,6 +183,11 @@ class ErbDirective extends TDirectiveNode, ErbAstNode {
   override string getAPrimaryQlClass() { result = "ErbDirective" }
 }
 
+private AstNode parent(AstNode n) {
+  result = n.getParent() and
+  not result instanceof Stmt
+}
+
 /**
  * A comment directive in an ERB template.
  * ```erb
diff --git a/ruby/ql/lib/codeql/ruby/ast/Pattern.qll b/ruby/ql/lib/codeql/ruby/ast/Pattern.qll
@@ -28,14 +28,12 @@ deprecated class Pattern extends AstNode {
   Variable getAVariable() { none() }
 }
 
-deprecated private class TVariablePattern = TVariableAccess or TSimpleParameter;
-
 /**
  * DEPRECATED
  *
  * A simple variable pattern.
  */
-deprecated class VariablePattern extends Pattern, LhsExpr, TVariablePattern {
+deprecated class VariablePattern extends Pattern, LhsExpr, TVariableAccess {
   override Variable getAVariable() { result = this.(VariableAccess).getVariable() }
 }
 
diff --git a/ruby/ql/lib/codeql/ruby/ast/internal/AST.qll b/ruby/ql/lib/codeql/ruby/ast/internal/AST.qll
@@ -660,7 +660,7 @@ class TExpr =
   TSelf or TArgumentList or TInClause or TRescueClause or TRescueModifierExpr or TPair or
       TStringConcatenation or TCall or TBlockArgument or TConstantAccess or TControlExpr or
       TWhenExpr or TLiteral or TCallable or TVariableAccess or TStmtSequence or TOperation or
-      TSimpleParameter or TForwardArgument or TDestructuredLhsExpr;
+      TForwardArgument or TDestructuredLhsExpr;
 
 class TSplatExpr = TSplatExprReal or TSplatExprSynth;
 
diff --git a/ruby/ql/lib/codeql/ruby/security/XSS.qll b/ruby/ql/lib/codeql/ruby/security/XSS.qll
@@ -227,7 +227,7 @@ private module Shared {
       isHelperMethod(helperMethod, name, template) and
       isMethodCall(helperMethodCall.getExpr(), name, template) and
       helperMethodCall.getArgument(pragma[only_bind_into](argIdx)) = node1.asExpr() and
-      helperMethod.getParameter(pragma[only_bind_into](argIdx)) = node2.asExpr().getExpr()
+      helperMethod.getParameter(pragma[only_bind_into](argIdx)) = node2.asParameter()
     )
   }
 

Original file line number	Diff line number	Diff line change
`@@ -28,14 +28,12 @@ deprecated class Pattern extends AstNode {`
`28`	`28`	`Variable getAVariable() { none() }`
`29`	`29`	`}`
`30`	`30`
`31`		`-deprecated private class TVariablePattern = TVariableAccess or TSimpleParameter;`
`32`		`-`
`33`	`31`	`/**`
`34`	`32`	`* DEPRECATED`
`35`	`33`	`*`
`36`	`34`	`* A simple variable pattern.`
`37`	`35`	`*/`
`38`		`-deprecated class VariablePattern extends Pattern, LhsExpr, TVariablePattern {`
	`36`	`+deprecated class VariablePattern extends Pattern, LhsExpr, TVariableAccess {`
`39`	`37`	`override Variable getAVariable() { result = this.(VariableAccess).getVariable() }`
`40`	`38`	`}`
`41`	`39`
Original file line number	Diff line number	Diff line change
`@@ -227,7 +227,7 @@ private module Shared {`
`227`	`227`	`isHelperMethod(helperMethod, name, template) and`
`228`	`228`	`isMethodCall(helperMethodCall.getExpr(), name, template) and`
`229`	`229`	`helperMethodCall.getArgument(pragma[only_bind_into](argIdx)) = node1.asExpr() and`
`230`		`- helperMethod.getParameter(pragma[only_bind_into](argIdx)) = node2.asExpr().getExpr()`
	`230`	`+ helperMethod.getParameter(pragma[only_bind_into](argIdx)) = node2.asParameter()`
`231`	`231`	`)`
`232`	`232`	`}`
`233`	`233`