Ruby: Fix identification IO.open args

Author: hmac

ruby/ql/lib/codeql/ruby/frameworks/core/IO.qll

@@ -122,7 +122,7 @@ module IO {
     override predicate isShellInterpreted(DataFlow::Node arg) { this.argument(arg, true) }
 
     /**
-     * A helper predicate that holds if `arg` is an argument to this call. `shell` is true if the argument is passed to a subshell.
+     * Holds if `arg` is an argument to this call. `shell` is true if the argument is passed to a subshell.
      */
     private predicate argument(DataFlow::Node arg, boolean shell) {
       exists(ExprCfgNode n | n = arg.asExpr() |
@@ -136,13 +136,15 @@ module IO {
           // This increases the sensitivity of the CommandInjection query at the risk of some FPs.
           if n.getConstantValue().getString() = "-" then shell = false else shell = true
           or
-          // IO.popen({var: "a"}, [{var: "b"}, "cmd", "arg1", "arg2", {some: :opt}])
+          // IO.popen([{var: "b"}, "cmd", "arg1", "arg2", {some: :opt}])
+          // IO.popen({var: "a"}, ["cmd", "arg1", "arg2", {some: :opt}])
           shell = false and
           exists(ExprNodes::ArrayLiteralCfgNode arr | this.getArgument([0, 1]).asExpr() = arr |
             n = arr.getAnArgument()
             or
-            // IO.popen({var: "a"}, [{var: "b"}, ["cmd", "argv0"], "arg1", "arg2", {some: :opt}])
-            n = arr.getArgument(0).(ExprNodes::ArrayLiteralCfgNode).getArgument(0)
+            // IO.popen([{var: "b"}, ["cmd", "argv0"], "arg1", "arg2", {some: :opt}])
+            // IO.popen([["cmd", "argv0"], "arg1", "arg2", {some: :opt}])
+            n = arr.getArgument([0, 1]).(ExprNodes::ArrayLiteralCfgNode).getArgument(0)
           )
         )
       )

ruby/ql/test/library-tests/frameworks/core/IO.expected

@@ -8,19 +8,20 @@ ioPOpenCalls
 | IO.rb:9:1:9:39 | call to popen |
 | IO.rb:10:1:10:62 | call to popen |
 | IO.rb:11:1:11:76 | call to popen |
-| IO.rb:13:1:13:13 | call to popen |
-| IO.rb:14:1:14:36 | call to popen |
-| IO.rb:15:1:15:50 | call to popen |
-| IO.rb:18:1:18:13 | call to popen |
-| IO.rb:19:1:19:36 | call to popen |
-| IO.rb:20:1:20:50 | call to popen |
-| IO.rb:23:1:23:13 | call to popen |
-| IO.rb:24:1:24:36 | call to popen |
-| IO.rb:25:1:25:50 | call to popen |
-| IO.rb:28:1:28:13 | call to popen |
-| IO.rb:29:1:29:36 | call to popen |
-| IO.rb:30:1:30:50 | call to popen |
-| IO.rb:33:3:33:15 | call to popen |
+| IO.rb:12:1:12:76 | call to popen |
+| IO.rb:14:1:14:13 | call to popen |
+| IO.rb:15:1:15:36 | call to popen |
+| IO.rb:16:1:16:50 | call to popen |
+| IO.rb:19:1:19:13 | call to popen |
+| IO.rb:20:1:20:36 | call to popen |
+| IO.rb:21:1:21:50 | call to popen |
+| IO.rb:24:1:24:13 | call to popen |
+| IO.rb:25:1:25:36 | call to popen |
+| IO.rb:26:1:26:50 | call to popen |
+| IO.rb:29:1:29:13 | call to popen |
+| IO.rb:30:1:30:36 | call to popen |
+| IO.rb:31:1:31:50 | call to popen |
+| IO.rb:34:3:34:15 | call to popen |
 ioPOpenCallArguments
 | IO.rb:1:1:1:30 | call to popen | true | IO.rb:1:10:1:29 | "cat foo.txt \| tail" |
 | IO.rb:2:1:2:53 | call to popen | true | IO.rb:2:33:2:52 | "cat foo.txt \| tail" |
@@ -33,18 +34,22 @@ ioPOpenCallArguments
 | IO.rb:7:1:7:65 | call to popen | false | IO.rb:7:41:7:49 | "foo.txt" |
 | IO.rb:9:1:9:39 | call to popen | false | IO.rb:9:12:9:16 | "cat" |
 | IO.rb:9:1:9:39 | call to popen | false | IO.rb:9:29:9:37 | "foo.txt" |
+| IO.rb:10:1:10:62 | call to popen | false | IO.rb:10:35:10:39 | "cat" |
 | IO.rb:10:1:10:62 | call to popen | false | IO.rb:10:52:10:60 | "foo.txt" |
+| IO.rb:11:1:11:76 | call to popen | false | IO.rb:11:35:11:39 | "cat" |
 | IO.rb:11:1:11:76 | call to popen | false | IO.rb:11:52:11:60 | "foo.txt" |
-| IO.rb:13:1:13:13 | call to popen | false | IO.rb:13:10:13:12 | "-" |
-| IO.rb:14:1:14:36 | call to popen | false | IO.rb:14:33:14:35 | "-" |
-| IO.rb:15:1:15:50 | call to popen | false | IO.rb:15:33:15:35 | "-" |
-| IO.rb:18:1:18:13 | call to popen | true | IO.rb:18:10:18:12 | cmd |
-| IO.rb:19:1:19:36 | call to popen | true | IO.rb:19:33:19:35 | cmd |
-| IO.rb:20:1:20:50 | call to popen | true | IO.rb:20:33:20:35 | cmd |
-| IO.rb:23:1:23:13 | call to popen | true | IO.rb:23:10:23:12 | cmd |
-| IO.rb:24:1:24:36 | call to popen | true | IO.rb:24:33:24:35 | cmd |
-| IO.rb:25:1:25:50 | call to popen | true | IO.rb:25:33:25:35 | cmd |
-| IO.rb:28:1:28:13 | call to popen | true | IO.rb:28:10:28:12 | cmd |
-| IO.rb:29:1:29:36 | call to popen | true | IO.rb:29:33:29:35 | cmd |
-| IO.rb:30:1:30:50 | call to popen | true | IO.rb:30:33:30:35 | cmd |
-| IO.rb:33:3:33:15 | call to popen | true | IO.rb:33:12:33:14 | cmd |
+| IO.rb:12:1:12:76 | call to popen | false | IO.rb:12:35:12:39 | "cat" |
+| IO.rb:12:1:12:76 | call to popen | false | IO.rb:12:52:12:60 | "foo.txt" |
+| IO.rb:14:1:14:13 | call to popen | false | IO.rb:14:10:14:12 | "-" |
+| IO.rb:15:1:15:36 | call to popen | false | IO.rb:15:33:15:35 | "-" |
+| IO.rb:16:1:16:50 | call to popen | false | IO.rb:16:33:16:35 | "-" |
+| IO.rb:19:1:19:13 | call to popen | true | IO.rb:19:10:19:12 | cmd |
+| IO.rb:20:1:20:36 | call to popen | true | IO.rb:20:33:20:35 | cmd |
+| IO.rb:21:1:21:50 | call to popen | true | IO.rb:21:33:21:35 | cmd |
+| IO.rb:24:1:24:13 | call to popen | true | IO.rb:24:10:24:12 | cmd |
+| IO.rb:25:1:25:36 | call to popen | true | IO.rb:25:33:25:35 | cmd |
+| IO.rb:26:1:26:50 | call to popen | true | IO.rb:26:33:26:35 | cmd |
+| IO.rb:29:1:29:13 | call to popen | true | IO.rb:29:10:29:12 | cmd |
+| IO.rb:30:1:30:36 | call to popen | true | IO.rb:30:33:30:35 | cmd |
+| IO.rb:31:1:31:50 | call to popen | true | IO.rb:31:33:31:35 | cmd |
+| IO.rb:34:3:34:15 | call to popen | true | IO.rb:34:12:34:14 | cmd |

ruby/ql/test/library-tests/frameworks/core/IO.rb

@@ -9,6 +9,7 @@
 IO.popen([["cat", "argv0"], "foo.txt"])
 IO.popen([{some_env_var: "123"}, ["cat", "argv0"], "foo.txt"])
 IO.popen([{some_env_var: "123"}, ["cat", "argv0"], "foo.txt"], {some: :opt})
+IO.popen({some_env_var: "123"}, [["cat", "argv0"], "foo.txt"], {some: :opt})
 
 IO.popen("-")
 IO.popen({some_env_var: "123"}, "-")