Ruby missing references to indirect call sites due to function wrapping
Problem
When parsing Ruby code, it's possible to wrap functions; in the case below, there's an indirect edge from `valid?` to `validate` (wrapped by `strong_memoize`).
The current callgraph does not capture this information, so there's no way to determine that `valid?` will end up calling the `validate` method of this class. What this means is we would be unable to determine that the `Open3.popen3` vulnerability is actually reachable.
This vulnerability comes from GitLab 15.1.0-ee.
It should also be noted that when working with Claude with it hooked up to KuzuDB as an MCP tool, it identified some other issues with the model. I've shared the full chat history: https://claude.ai/share/b2a086ab-3efa-4e3c-b8c1-d4cb1691b965 which you all may find interesting.
```ruby
module Gitlab
  module ImportExport
    class DecompressedArchiveSizeValidator
      include Gitlab::Utils::StrongMemoize

      DEFAULT_MAX_BYTES = 10.gigabytes.freeze
      TIMEOUT_LIMIT = 210.seconds

      def initialize(archive_path:, max_bytes: self.class.max_bytes)
        @archive_path = archive_path
        @max_bytes = max_bytes
      end

      def valid?
        strong_memoize(:valid) do
          validate
        end
      end

      def self.max_bytes
        DEFAULT_MAX_BYTES
      end

      private

      def validate
        pgrp = nil
        valid_archive = true

        Timeout.timeout(TIMEOUT_LIMIT) do
          stdin, stdout, stderr, wait_thr = Open3.popen3(command, pgroup: true)
          stdin.close
          # ... (rest of validate omitted in the issue)
```