Ruby: fix defining every dataflow node as a command execution sink

nickrolfe · nickrolfe · commit 348ad95fc001 · 2022-07-11T15:06:27.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/Railties.qll b/ruby/ql/lib/codeql/ruby/frameworks/Railties.qll
@@ -43,7 +43,7 @@ module Railties {
 
     override DataFlow::Node getAnArgument() { result = this.getArgument([0, 1]) }
 
-    override predicate isShellInterpreted(DataFlow::Node arg) { any() }
+    override predicate isShellInterpreted(DataFlow::Node arg) { arg = this.getAnArgument() }
   }
 
   /**
@@ -57,6 +57,6 @@ module Railties {
 
     override DataFlow::Node getAnArgument() { result = this.getArgument(0) }
 
-    override predicate isShellInterpreted(DataFlow::Node arg) { any() }
+    override predicate isShellInterpreted(DataFlow::Node arg) { arg = this.getAnArgument() }
   }
 }
diff --git a/ruby/ql/test/library-tests/frameworks/railties/Railties.expected b/ruby/ql/test/library-tests/frameworks/railties/Railties.expected
@@ -1,5 +1,14 @@
+systemCommandExecutions
 | Railties.rb:5:5:5:34 | call to execute_command |
 | Railties.rb:6:5:6:37 | call to execute_command |
 | Railties.rb:8:5:8:16 | call to rake |
 | Railties.rb:10:5:10:27 | call to rails_command |
 | Railties.rb:12:5:12:17 | call to git |
+shellInterpretedArguments
+| Railties.rb:5:5:5:34 | call to execute_command | Railties.rb:5:21:5:25 | :rake |
+| Railties.rb:5:5:5:34 | call to execute_command | Railties.rb:5:28:5:33 | "test" |
+| Railties.rb:6:5:6:37 | call to execute_command | Railties.rb:6:21:6:26 | :rails |
+| Railties.rb:6:5:6:37 | call to execute_command | Railties.rb:6:29:6:36 | "server" |
+| Railties.rb:8:5:8:16 | call to rake | Railties.rb:8:10:8:15 | "test" |
+| Railties.rb:10:5:10:27 | call to rails_command | Railties.rb:10:19:10:26 | "server" |
+| Railties.rb:12:5:12:17 | call to git | Railties.rb:12:9:12:16 | "status" |
diff --git a/ruby/ql/test/library-tests/frameworks/railties/Railties.ql b/ruby/ql/test/library-tests/frameworks/railties/Railties.ql
@@ -1,5 +1,10 @@
 private import ruby
 private import codeql.ruby.Concepts
 private import codeql.ruby.frameworks.Railties
+private import codeql.ruby.DataFlow
 
 query predicate systemCommandExecutions(SystemCommandExecution e) { any() }
+
+query predicate shellInterpretedArguments(SystemCommandExecution e, DataFlow::Node arg) {
+  e.isShellInterpreted(arg)
+}

Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ module Railties {`
`43`	`43`
`44`	`44`	`override DataFlow::Node getAnArgument() { result = this.getArgument([0, 1]) }`
`45`	`45`
`46`		`- override predicate isShellInterpreted(DataFlow::Node arg) { any() }`
	`46`	`+ override predicate isShellInterpreted(DataFlow::Node arg) { arg = this.getAnArgument() }`
`47`	`47`	`}`
`48`	`48`
`49`	`49`	`/**`
`@@ -57,6 +57,6 @@ module Railties {`
`57`	`57`
`58`	`58`	`override DataFlow::Node getAnArgument() { result = this.getArgument(0) }`
`59`	`59`
`60`		`- override predicate isShellInterpreted(DataFlow::Node arg) { any() }`
	`60`	`+ override predicate isShellInterpreted(DataFlow::Node arg) { arg = this.getAnArgument() }`
`61`	`61`	`}`
`62`	`62`	`}`