
Add StaticMap for static dependency mapping#2

Closed
ngan wants to merge 1 commit into main from np-nesting-aware-constant-resolution

Conversation

@ngan
Collaborator

@ngan ngan commented Feb 9, 2026

Summary

  • add FastCov::StaticMap as a build-time API for static Ruby dependency mapping
  • add a Prism-based reference extractor that expands lexical constant candidates and resolves them to source files
  • support both direct-graph output with build and transitive closure output with build_transitive
  • document the new API and add focused specs for nesting, cycles, deep graphs, autoloads, and path filtering

Why

Static dependency analysis is useful, but it should live outside the runtime coverage hot path. StaticMap keeps that behavior available as an explicit build-time API without reintroducing constant_references into CoverageTracker.

Validation

  • bundle exec rspec --fail-fast spec/lib/fast_cov/static_map_spec.rb spec/lib/fast_cov/static_map/reference_extractor_spec.rb
  • bundle exec rspec --fail-fast

@ngan ngan force-pushed the np-nesting-aware-constant-resolution branch from ba818e2 to b1128a1 on February 10, 2026 04:30
@ngan ngan changed the title from "Add nesting-aware constant resolution mode" to "Use boolean constant_references with nesting-aware expansion" on Feb 19, 2026
@ngan ngan force-pushed the np-nesting-aware-constant-resolution branch from 43e1d06 to 5ac67a4 on February 19, 2026 04:12
@ngan ngan force-pushed the np-nesting-aware-constant-resolution branch from c34499b to d732f2f on March 11, 2026 17:05
@ngan ngan changed the title from "Use boolean constant_references with nesting-aware expansion" to "Remove constant_references and add StaticMap" on Mar 11, 2026
@dryrunsecurity

dryrunsecurity bot commented Mar 11, 2026

DryRun Security

This pull request introduces a vulnerability in FastCov's StaticMap: it resolves constants via Object.const_get on names parsed from untrusted Ruby files, which can trigger autoload and execute attacker-controlled code, enabling RCE in CI/test-impact scenarios. The risky code is in lib/fast_cov/static_map.rb (lines ~151–154) and should avoid loading constants from untrusted input.

Unsafe Reflection via Constant Loading in lib/fast_cov/static_map.rb (drs_7d6ba0b2)
Vulnerability: Unsafe Reflection via Constant Loading
Description: The StaticMap utility in FastCov resolves constants by calling Object.const_get on names extracted from Ruby source files using the Prism parser. This call triggers Ruby's autoload mechanism, which executes the file associated with the constant. When used to analyze untrusted code in a CI environment (e.g., for test impact analysis on Pull Requests), an attacker can achieve Arbitrary Code Execution (RCE) by providing a malicious file that is registered for autoloading and then referencing its constant in a parsed file.

```ruby
    Object.const_get(const_name)
  end

  def constant_loaded?(const_name)
```
All finding details can be found in the DryRun Security Dashboard.

Co-authored-by: Codex <codex@openai.com>
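The following is an added, self-contained example and is not FastCov's code. It illustrates two things from this thread: the lexical candidate expansion the PR description mentions (a reference `C` seen inside `module A; module B` becomes the candidates `A::B::C`, `A::C`, `C`), and the DryRun finding above, namely that `Object.const_get` on a name taken from parsed source triggers a pending `autoload` and executes the registered file, whereas a resolver that matches candidates against a map of definitions built from the parse never loads anything. The Prism extraction step is omitted; the example starts from an already extracted constant name. `StaticResolveDemo`, `run_demo`, the `definitions` hash and the `evil_payload.rb` fixture are all invented for the demonstration.

```ruby
require "tmpdir"

# Added example, not FastCov code. StaticResolveDemo, run_demo and the
# evil_payload.rb fixture are invented for this demonstration.
module StaticResolveDemo
  module_function

  # Lexical candidate expansion for a reference `name` seen inside the
  # module nesting `nesting`, innermost scope first, top level last.
  # expand_candidates(%w[A B], "C") => ["A::B::C", "A::C", "C"]
  def expand_candidates(nesting, name)
    return [name.delete_prefix("::")] if name.start_with?("::") # explicit top-level ref
    nesting.size.downto(0).map { |i| (nesting.first(i) + [name]).join("::") }
  end

  # Mirrors the flagged pattern: asking the VM for the constant. If the name is
  # registered with autoload, const_get loads (executes) the registered file.
  def unsafe_resolve(name)
    Object.const_get(name)
    true
  rescue NameError
    false
  end

  # Static alternative: match candidates against a map of fully qualified
  # constant path -> defining source file, which a parser pass would have built
  # from class/module definitions. No file is loaded.
  def safe_resolve(nesting, name, definitions)
    expand_candidates(nesting, name).each do |cand|
      return [cand, definitions[cand]] if definitions.key?(cand)
    end
    nil
  end

  # Non-loading check against the live VM: Module#autoload? reports a pending
  # autoload without triggering it.
  def pending_autoload?(name)
    !Object.autoload?(name.to_sym).nil?
  end
end

# Constructed scenario: a file registered for autoload that records when it
# runs, standing in for attacker-controlled code in a CI checkout.
def run_demo
  # Make the demo re-runnable in one process by discarding a previous load.
  Object.send(:remove_const, :EvilPayload) if Object.const_defined?(:EvilPayload)

  Dir.mktmpdir do |dir|
    payload = File.join(dir, "evil_payload.rb")
    File.write(payload, "$payload_ran = true\nmodule EvilPayload; end\n")
    $payload_ran = false
    Object.autoload(:EvilPayload, payload) # what an autoloader would register

    result = {}
    result[:pending_before] = StaticResolveDemo.pending_autoload?("EvilPayload")
    result[:safe] = StaticResolveDemo.safe_resolve(%w[FastCov], "EvilPayload",
                                                   { "EvilPayload" => payload })
    result[:ran_after_safe] = $payload_ran   # still false: nothing was loaded
    StaticResolveDemo.unsafe_resolve("EvilPayload")
    result[:ran_after_unsafe] = $payload_ran # true: const_get ran the payload
    result
  end
end

p run_demo if $PROGRAM_NAME == __FILE__
```

Running the file prints a hash in which `ran_after_safe` is false and `ran_after_unsafe` is true, with `pending_before` confirming the autoload was registered but not yet triggered before the unsafe call. The design point is that a build-time dependency mapper should resolve names only against data it produced itself from the parse (the `definitions` map here), and should treat the live VM as read-only at most through non-loading queries such as `autoload?`.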
@ngan ngan force-pushed the np-nesting-aware-constant-resolution branch from 590dc40 to 5c83a0c on March 12, 2026 06:08
@ngan ngan changed the title from "Remove constant_references and add StaticMap" to "Add StaticMap for static dependency mapping" on Mar 12, 2026
@ngan ngan closed this on Apr 4, 2026
@ngan ngan deleted the np-nesting-aware-constant-resolution branch on April 4, 2026 04:07