Ruby: fix another SystemCommandExecution::isShellInterpreted implementation

nickrolfe · nickrolfe · commit 6632dfaf88ea · 2022-07-11T16:53:30.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/PosixSpawn.qll b/ruby/ql/lib/codeql/ruby/frameworks/PosixSpawn.qll
@@ -62,9 +62,9 @@ module PosixSpawn {
     // is shell interpreted unless there is another argument with a string
     // constant value.
     override predicate isShellInterpreted(DataFlow::Node arg) {
+      this.argument(arg) and
       not exists(DataFlow::Node otherArg |
         otherArg != arg and
-        this.argument(arg) and
         this.argument(otherArg) and
         otherArg.asExpr().getConstantValue().isString(_)
       )
diff --git a/ruby/ql/test/library-tests/frameworks/PosixSpawn.ql b/ruby/ql/test/library-tests/frameworks/PosixSpawn.ql
@@ -5,11 +5,13 @@ import codeql.ruby.DataFlow
 query predicate systemCalls(
   PosixSpawn::SystemCall call, DataFlow::Node arg, boolean shellInterpreted
 ) {
-  arg = call.getAnArgument() and
-  if call.isShellInterpreted(arg) then shellInterpreted = true else shellInterpreted = false
+  call.isShellInterpreted(arg) and shellInterpreted = true
+  or
+  not call.isShellInterpreted(arg) and arg = call.getAnArgument() and shellInterpreted = false
 }
 
 query predicate childCalls(PosixSpawn::ChildCall call, DataFlow::Node arg, boolean shellInterpreted) {
-  arg = call.getAnArgument() and
-  if call.isShellInterpreted(arg) then shellInterpreted = true else shellInterpreted = false
+  call.isShellInterpreted(arg) and shellInterpreted = true
+  or
+  not call.isShellInterpreted(arg) and arg = call.getAnArgument() and shellInterpreted = false
 }
