Merge pull request #7061 from github/hmac/actiondispatch

Ruby: Rails route resolution

Author: hmac

ruby/ql/lib/codeql/ruby/Frameworks.qll

@@ -13,3 +13,4 @@ private import codeql.ruby.frameworks.StandardLibrary
 private import codeql.ruby.frameworks.Files
 private import codeql.ruby.frameworks.HttpClients
 private import codeql.ruby.frameworks.XmlParsing
+private import codeql.ruby.frameworks.ActionDispatch

ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll

@@ -6,6 +6,7 @@ private import codeql.ruby.dataflow.RemoteFlowSources
 private import codeql.ruby.ast.internal.Module
 private import codeql.ruby.ApiGraphs
 private import ActionView
+private import codeql.ruby.frameworks.ActionDispatch
 
 /**
  * A `ClassDeclaration` for a class that extends `ActionController::Base`.
@@ -69,6 +70,26 @@ class ActionControllerActionMethod extends Method, HTTP::Server::RequestHandler:
   // not end at an explicit render or redirect
   /** Gets the controller class containing this method. */
   ActionControllerControllerClass getControllerClass() { result = controllerClass }
+
+  /**
+   * Gets a route to this handler, if one exists.
+   * May return multiple results.
+   */
+  ActionDispatch::Route getARoute() {
+    exists(string name |
+      isRoute(result, name, controllerClass) and
+      isActionControllerMethod(this, name, controllerClass)
+    )
+  }
+}
+
+pragma[nomagic]
+private predicate isRoute(
+  ActionDispatch::Route route, string name, ActionControllerControllerClass controllerClass
+) {
+  route.getController() + "_controller" =
+    ActionDispatch::underscore(namespaceDeclaration(controllerClass)) and
+  name = route.getAction()
 }
 
 // A method call with a `self` receiver from within a controller class