Ruby: Add Improper Memoization query

[hmac]

This query finds cases where a method memoizes its result but fails to
include one or more of its parameters in the memoization key (or doesn't
use memoization keys at all). This can lead to the method returning
incorrect results when subsequently called with different arguments.

I've added it to experimental initally, as it can flag methods which aren't security vulnerabilities.

[github-actions]

QHelp previews:

ruby/ql/src/experimental/improper-memoization/ImproperMemoization.qhelp

errors/warnings:

./ruby/ql/src/experimental/improper-memoization/ImproperMemoization.qhelp:39:14: element "example" not allowed here; expected the element end-tag or element "blockquote", "img", "include", "ol", "p", "pre", "sample", "table", "ul" or "warning"
./ruby/ql/src/experimental/improper-memoization/ImproperMemoization.qhelp:54:58: element "cpde" not allowed anywhere; expected the element end-tag, text or element "a", "b", "code", "em", "i", "img", "strong", "sub", "sup" or "tt"
./ruby/ql/src/experimental/improper-memoization/ImproperMemoization.qhelp:54:76: The element type "cpde" must be terminated by the matching end-tag "</cpde>".
A fatal error occurred: 1 qhelp files could not be processed.

[github-actions]

QHelp previews:

ruby/ql/src/experimental/improper-memoization/ImproperMemoization.qhelp

errors/warnings:

./ruby/ql/src/experimental/improper-memoization/ImproperMemoization.qhelp:39:14: element "example" not allowed here; expected the element end-tag or element "blockquote", "img", "include", "ol", "p", "pre", "sample", "table", "ul" or "warning"
./ruby/ql/src/experimental/improper-memoization/ImproperMemoization.qhelp:83:3: The end-tag for element type "example" must end with a '>' delimiter.
A fatal error occurred: 1 qhelp files could not be processed.

[github-actions]

QHelp previews:

ruby/ql/src/experimental/improper-memoization/ImproperMemoization.qhelp

Improper Memoization

A common pattern in Ruby is to memoize the result of a method by storing it in an instance variable. If the method has no parameters, it can simply be stored directly in a variable.

      def answer
        @answer ||= calculate_answer
      end
    

If the method takes parameters, then there are multiple results to store (one for each combination of parameter value). In this case the values should be stored in a hash, keyed by the parameter values.

      def answer(x, y)
        @answer ||= {}
        @answer[x] ||= {}
        @answer[x][y] ||= calculate_answer
      end
    

If a memoization method takes parameters but does not include them in the memoization key, subsequent calls to the method with different parameter values may incorrectly return the same result. This can lead to the method returning stale data, or leaking sensitive information.

Example

In this example, the method does not include its parameters in the memoization key. The first call to this method will cache the result, and subsequent calls will return the same result regardless of what arguments are given.

      def answer(x, y)
        @answer ||= calculate_answer(x, y)
      end
    

This can be fixed by storing the result of calculate_answer in a hash, keyed by the parameter values.

      def answer(x, y)
        @answer ||= {}
        @answer[x] ||= {}
        @answer[x][y] ||= calculate_answer(x, y)
      end
    

Note that if the result of calculate_answer is false or nil, then it will not be cached. To cache these values you can use a different pattern:

      def answer(x, y)
        @answer ||= Hash.new do |h1, x|
          h1[x] = Hash.new do |h2, y|
            h2[y] = calculate_answer(x, y)
          end
        end
        @answer[x][y]
      end
    

[nickrolfe]

Looks like a nice query! I have just a few questions and nitpicks.

[nickrolfe]

👍🚀