Merge pull request #10338 from hmac/hmac/ar-model-create

Ruby: Treat ActiveRecord::Base.create as a model instantiation

Author: hmac

ruby/ql/lib/change-notes/2022-09-27-activerecord-create.md

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* Calls to `ActiveRecord::Base.create` are now recognized as model
+  instantiations.

ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll

@@ -255,7 +255,7 @@ private string staticFinderMethodName() {
     result = baseName + ["", "!"]
   )
   or
-  result = "new"
+  result = ["new", "create"]
 }
 
 // Gets the "final" receiver in a chain of method calls.

ruby/ql/test/library-tests/frameworks/ActionController.expected

@@ -1,8 +1,8 @@
 actionControllerControllerClasses
 | active_record/ActiveRecord.rb:23:1:39:3 | FooController |
 | active_record/ActiveRecord.rb:41:1:64:3 | BarController |
-| active_record/ActiveRecord.rb:66:1:94:3 | BazController |
-| active_record/ActiveRecord.rb:96:1:104:3 | AnnotatedController |
+| active_record/ActiveRecord.rb:66:1:98:3 | BazController |
+| active_record/ActiveRecord.rb:100:1:108:3 | AnnotatedController |
 | active_storage/active_storage.rb:39:1:45:3 | PostsController |
 | app/controllers/comments_controller.rb:1:1:7:3 | CommentsController |
 | app/controllers/foo/bars_controller.rb:3:1:46:3 | BarsController |
@@ -17,11 +17,12 @@ actionControllerActionMethods
 | active_record/ActiveRecord.rb:71:3:73:5 | create1 |
 | active_record/ActiveRecord.rb:75:3:77:5 | create2 |
 | active_record/ActiveRecord.rb:79:3:81:5 | create3 |
-| active_record/ActiveRecord.rb:83:3:85:5 | update1 |
-| active_record/ActiveRecord.rb:87:3:89:5 | update2 |
-| active_record/ActiveRecord.rb:91:3:93:5 | update3 |
-| active_record/ActiveRecord.rb:97:3:99:5 | index |
-| active_record/ActiveRecord.rb:101:3:103:5 | unsafe_action |
+| active_record/ActiveRecord.rb:83:3:85:5 | create4 |
+| active_record/ActiveRecord.rb:87:3:89:5 | update1 |
+| active_record/ActiveRecord.rb:91:3:93:5 | update2 |
+| active_record/ActiveRecord.rb:95:3:97:5 | update3 |
+| active_record/ActiveRecord.rb:101:3:103:5 | index |
+| active_record/ActiveRecord.rb:105:3:107:5 | unsafe_action |
 | active_storage/active_storage.rb:40:3:44:5 | create |
 | app/controllers/comments_controller.rb:2:3:3:5 | index |
 | app/controllers/comments_controller.rb:5:3:6:5 | show |
@@ -55,12 +56,12 @@ paramsCalls
 | active_record/ActiveRecord.rb:76:49:76:54 | call to params |
 | active_record/ActiveRecord.rb:80:25:80:30 | call to params |
 | active_record/ActiveRecord.rb:80:50:80:55 | call to params |
-| active_record/ActiveRecord.rb:84:21:84:26 | call to params |
-| active_record/ActiveRecord.rb:88:27:88:32 | call to params |
-| active_record/ActiveRecord.rb:88:52:88:57 | call to params |
-| active_record/ActiveRecord.rb:92:28:92:33 | call to params |
-| active_record/ActiveRecord.rb:92:53:92:58 | call to params |
-| active_record/ActiveRecord.rb:102:59:102:64 | call to params |
+| active_record/ActiveRecord.rb:88:21:88:26 | call to params |
+| active_record/ActiveRecord.rb:92:27:92:32 | call to params |
+| active_record/ActiveRecord.rb:92:52:92:57 | call to params |
+| active_record/ActiveRecord.rb:96:28:96:33 | call to params |
+| active_record/ActiveRecord.rb:96:53:96:58 | call to params |
+| active_record/ActiveRecord.rb:106:59:106:64 | call to params |
 | active_storage/active_storage.rb:41:21:41:26 | call to params |
 | active_storage/active_storage.rb:42:24:42:29 | call to params |
 | app/controllers/foo/bars_controller.rb:13:21:13:26 | call to params |
@@ -87,12 +88,12 @@ paramsSources
 | active_record/ActiveRecord.rb:76:49:76:54 | call to params |
 | active_record/ActiveRecord.rb:80:25:80:30 | call to params |
 | active_record/ActiveRecord.rb:80:50:80:55 | call to params |
-| active_record/ActiveRecord.rb:84:21:84:26 | call to params |
-| active_record/ActiveRecord.rb:88:27:88:32 | call to params |
-| active_record/ActiveRecord.rb:88:52:88:57 | call to params |
-| active_record/ActiveRecord.rb:92:28:92:33 | call to params |
-| active_record/ActiveRecord.rb:92:53:92:58 | call to params |
-| active_record/ActiveRecord.rb:102:59:102:64 | call to params |
+| active_record/ActiveRecord.rb:88:21:88:26 | call to params |
+| active_record/ActiveRecord.rb:92:27:92:32 | call to params |
+| active_record/ActiveRecord.rb:92:52:92:57 | call to params |
+| active_record/ActiveRecord.rb:96:28:96:33 | call to params |
+| active_record/ActiveRecord.rb:96:53:96:58 | call to params |
+| active_record/ActiveRecord.rb:106:59:106:64 | call to params |
 | active_storage/active_storage.rb:41:21:41:26 | call to params |
 | active_storage/active_storage.rb:42:24:42:29 | call to params |
 | app/controllers/foo/bars_controller.rb:13:21:13:26 | call to params |

ruby/ql/test/library-tests/frameworks/active_record/ActiveRecord.expected

@@ -16,6 +16,10 @@ activeRecordInstances
 | ActiveRecord.rb:56:7:56:40 | call to find_by |
 | ActiveRecord.rb:60:5:60:33 | call to find_by |
 | ActiveRecord.rb:62:5:62:34 | call to find |
+| ActiveRecord.rb:72:5:72:24 | call to create |
+| ActiveRecord.rb:76:5:76:66 | call to create |
+| ActiveRecord.rb:80:5:80:68 | call to create |
+| ActiveRecord.rb:84:5:84:16 | call to create |
 | associations.rb:19:1:19:20 | ... = ... |
 | associations.rb:19:1:19:20 | ... = ... |
 | associations.rb:19:11:19:20 | call to new |
@@ -109,7 +113,7 @@ activeRecordSqlExecutionRanges
 | ActiveRecord.rb:46:20:46:32 | ... + ... |
 | ActiveRecord.rb:52:16:52:28 | "name #{...}" |
 | ActiveRecord.rb:56:20:56:39 | "username = #{...}" |
-| ActiveRecord.rb:102:27:102:76 | "this is an unsafe annotation:..." |
+| ActiveRecord.rb:106:27:106:76 | "this is an unsafe annotation:..." |
 activeRecordModelClassMethodCalls
 | ActiveRecord.rb:2:3:2:17 | call to has_many |
 | ActiveRecord.rb:6:3:6:24 | call to belongs_to |
@@ -135,11 +139,12 @@ activeRecordModelClassMethodCalls
 | ActiveRecord.rb:72:5:72:24 | call to create |
 | ActiveRecord.rb:76:5:76:66 | call to create |
 | ActiveRecord.rb:80:5:80:68 | call to create |
-| ActiveRecord.rb:84:5:84:27 | call to update |
-| ActiveRecord.rb:88:5:88:69 | call to update |
-| ActiveRecord.rb:92:5:92:71 | call to update |
-| ActiveRecord.rb:98:13:98:54 | call to annotate |
-| ActiveRecord.rb:102:13:102:77 | call to annotate |
+| ActiveRecord.rb:84:5:84:16 | call to create |
+| ActiveRecord.rb:88:5:88:27 | call to update |
+| ActiveRecord.rb:92:5:92:69 | call to update |
+| ActiveRecord.rb:96:5:96:71 | call to update |
+| ActiveRecord.rb:102:13:102:54 | call to annotate |
+| ActiveRecord.rb:106:13:106:77 | call to annotate |
 | associations.rb:2:3:2:17 | call to has_many |
 | associations.rb:6:3:6:20 | call to belongs_to |
 | associations.rb:7:3:7:20 | call to has_many |
@@ -158,7 +163,7 @@ potentiallyUnsafeSqlExecutingMethodCall
 | ActiveRecord.rb:46:5:46:33 | call to delete_by |
 | ActiveRecord.rb:52:5:52:29 | call to order |
 | ActiveRecord.rb:56:7:56:40 | call to find_by |
-| ActiveRecord.rb:102:13:102:77 | call to annotate |
+| ActiveRecord.rb:106:13:106:77 | call to annotate |
 activeRecordModelInstantiations
 | ActiveRecord.rb:9:5:9:68 | call to find | ActiveRecord.rb:5:1:15:3 | User |
 | ActiveRecord.rb:13:5:13:40 | call to find_by | ActiveRecord.rb:1:1:3:3 | UserGroup |
@@ -167,6 +172,10 @@ activeRecordModelInstantiations
 | ActiveRecord.rb:56:7:56:40 | call to find_by | ActiveRecord.rb:5:1:15:3 | User |
 | ActiveRecord.rb:60:5:60:33 | call to find_by | ActiveRecord.rb:5:1:15:3 | User |
 | ActiveRecord.rb:62:5:62:34 | call to find | ActiveRecord.rb:5:1:15:3 | User |
+| ActiveRecord.rb:72:5:72:24 | call to create | ActiveRecord.rb:17:1:21:3 | Admin |
+| ActiveRecord.rb:76:5:76:66 | call to create | ActiveRecord.rb:17:1:21:3 | Admin |
+| ActiveRecord.rb:80:5:80:68 | call to create | ActiveRecord.rb:17:1:21:3 | Admin |
+| ActiveRecord.rb:84:5:84:16 | call to create | ActiveRecord.rb:17:1:21:3 | Admin |
 | associations.rb:19:11:19:20 | call to new | associations.rb:1:1:3:3 | Author |
 | associations.rb:21:9:21:21 | call to posts | associations.rb:5:1:9:3 | Post |
 | associations.rb:21:9:21:28 | call to create | associations.rb:5:1:9:3 | Post |
@@ -213,8 +222,8 @@ persistentWriteAccesses
 | ActiveRecord.rb:76:5:76:66 | call to create | ActiveRecord.rb:76:49:76:65 | ...[...] |
 | ActiveRecord.rb:80:5:80:68 | call to create | ActiveRecord.rb:80:25:80:37 | ...[...] |
 | ActiveRecord.rb:80:5:80:68 | call to create | ActiveRecord.rb:80:50:80:66 | ...[...] |
-| ActiveRecord.rb:84:5:84:27 | call to update | ActiveRecord.rb:84:21:84:26 | call to params |
-| ActiveRecord.rb:88:5:88:69 | call to update | ActiveRecord.rb:88:27:88:39 | ...[...] |
-| ActiveRecord.rb:88:5:88:69 | call to update | ActiveRecord.rb:88:52:88:68 | ...[...] |
-| ActiveRecord.rb:92:5:92:71 | call to update | ActiveRecord.rb:92:21:92:70 | call to [] |
+| ActiveRecord.rb:88:5:88:27 | call to update | ActiveRecord.rb:88:21:88:26 | call to params |
+| ActiveRecord.rb:92:5:92:69 | call to update | ActiveRecord.rb:92:27:92:39 | ...[...] |
+| ActiveRecord.rb:92:5:92:69 | call to update | ActiveRecord.rb:92:52:92:68 | ...[...] |
+| ActiveRecord.rb:96:5:96:71 | call to update | ActiveRecord.rb:96:21:96:70 | call to [] |
 | associations.rb:31:16:31:22 | ... = ... | associations.rb:31:16:31:22 | author2 |

ruby/ql/test/library-tests/frameworks/active_record/ActiveRecord.rb

@@ -80,6 +80,10 @@ def create3
     Admin.create({name: params[:name], password: params[:password]})
   end
 
+  def create4
+    Admin.create
+  end
+
   def update1
     Admin.update(1, params)
   end