Ruby: Simplify posix-spawn modeling

hmac · hmac · commit c80a06a6d8cb · 2022-05-26T14:29:04.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/PosixSpawn.qll b/ruby/ql/lib/codeql/ruby/frameworks/PosixSpawn.qll
@@ -41,14 +41,12 @@ module PosixSpawn {
    */
   class SystemCall extends SystemCommandExecution::Range, DataFlow::CallNode {
     SystemCall() {
-      exists(API::Node spawn | spawn = API::getTopLevelMember("POSIX").getMember("Spawn") |
-        this =
-          posixSpawnModule()
-              .getAMethodCall(["spawn", "fspawn", "popen4", "pspawn", "system", "_pspawn", "`"])
-      )
+      this =
+        posixSpawnModule()
+            .getAMethodCall(["spawn", "fspawn", "popen4", "pspawn", "system", "_pspawn", "`"])
     }
 
-    override DataFlow::Node getAnArgument() { this.argument(result, _) }
+    override DataFlow::Node getAnArgument() { this.argument(result) }
 
     // From the docs:
     // When only command is given and includes a space character, the command
@@ -64,15 +62,16 @@ module PosixSpawn {
     // is shell interpreted unless there is another argument with a string
     // constant value.
     override predicate isShellInterpreted(DataFlow::Node arg) {
-      exists(int n, int m, DataFlow::Node otherArg |
-        this.argument(arg, n) and
-        this.argument(otherArg, m) and
+      not exists(DataFlow::Node otherArg |
+        otherArg != arg and
+        this.argument(arg) and
+        this.argument(otherArg) and
         otherArg.asExpr().getConstantValue().isString(_)
       )
     }
 
-    private predicate argument(DataFlow::Node arg, int n) {
-      arg = this.getArgument(n) and
+    private predicate argument(DataFlow::Node arg) {
+      arg = this.getArgument(_) and
       not arg.asExpr() instanceof ExprNodes::HashLiteralCfgNode and
       not arg.asExpr() instanceof ExprNodes::ArrayLiteralCfgNode and
       not arg.asExpr() instanceof ExprNodes::PairCfgNode
diff --git a/ruby/ql/test/library-tests/frameworks/PosixSpawn.expected b/ruby/ql/test/library-tests/frameworks/PosixSpawn.expected
@@ -1,26 +1,29 @@
 systemCalls
-| PosixSpawn.rb:1:1:1:32 | call to popen4 | PosixSpawn.rb:1:22:1:25 | "ls" |
-| PosixSpawn.rb:1:1:1:32 | call to popen4 | PosixSpawn.rb:1:28:1:31 | "-l" |
-| PosixSpawn.rb:2:1:2:31 | call to popen4 | PosixSpawn.rb:2:21:2:24 | "ls" |
-| PosixSpawn.rb:2:1:2:31 | call to popen4 | PosixSpawn.rb:2:27:2:30 | "-l" |
-| PosixSpawn.rb:7:1:7:40 | call to spawn | PosixSpawn.rb:7:20:7:39 | * ... |
-| PosixSpawn.rb:8:1:8:30 | call to spawn | PosixSpawn.rb:8:21:8:29 | "sleep 5" |
-| PosixSpawn.rb:13:1:13:60 | call to system | PosixSpawn.rb:13:21:13:25 | "foo" |
-| PosixSpawn.rb:13:1:13:60 | call to system | PosixSpawn.rb:13:28:13:32 | "bar" |
-| PosixSpawn.rb:13:1:13:60 | call to system | PosixSpawn.rb:13:35:13:44 | "--a-flag" |
-| PosixSpawn.rb:13:1:13:60 | call to system | PosixSpawn.rb:13:47:13:52 | call to before |
-| PosixSpawn.rb:13:1:13:60 | call to system | PosixSpawn.rb:13:55:13:59 | call to after |
-| PosixSpawn.rb:15:1:15:28 | call to fspawn | PosixSpawn.rb:15:21:15:27 | call to command |
-| PosixSpawn.rb:16:1:16:28 | call to pspawn | PosixSpawn.rb:16:21:16:27 | call to command |
-| PosixSpawn.rb:17:1:17:28 | call to popen4 | PosixSpawn.rb:17:21:17:27 | call to command |
-| PosixSpawn.rb:19:1:19:28 | call to ` | PosixSpawn.rb:19:16:19:20 | "foo" |
-| PosixSpawn.rb:19:1:19:28 | call to ` | PosixSpawn.rb:19:23:19:27 | "bar" |
+| PosixSpawn.rb:1:1:1:32 | call to popen4 | PosixSpawn.rb:1:22:1:25 | "ls" | false |
+| PosixSpawn.rb:1:1:1:32 | call to popen4 | PosixSpawn.rb:1:28:1:31 | "-l" | false |
+| PosixSpawn.rb:2:1:2:31 | call to popen4 | PosixSpawn.rb:2:21:2:24 | "ls" | false |
+| PosixSpawn.rb:2:1:2:31 | call to popen4 | PosixSpawn.rb:2:27:2:30 | "-l" | false |
+| PosixSpawn.rb:7:1:7:40 | call to spawn | PosixSpawn.rb:7:20:7:39 | * ... | true |
+| PosixSpawn.rb:8:1:8:30 | call to spawn | PosixSpawn.rb:8:21:8:29 | "sleep 5" | true |
+| PosixSpawn.rb:9:1:9:23 | call to spawn | PosixSpawn.rb:9:20:9:22 | call to cmd | true |
+| PosixSpawn.rb:10:1:10:29 | call to spawn | PosixSpawn.rb:10:20:10:22 | call to env | false |
+| PosixSpawn.rb:10:1:10:29 | call to spawn | PosixSpawn.rb:10:25:10:28 | "ls" | true |
+| PosixSpawn.rb:15:1:15:60 | call to system | PosixSpawn.rb:15:21:15:25 | "foo" | false |
+| PosixSpawn.rb:15:1:15:60 | call to system | PosixSpawn.rb:15:28:15:32 | "bar" | false |
+| PosixSpawn.rb:15:1:15:60 | call to system | PosixSpawn.rb:15:35:15:44 | "--a-flag" | false |
+| PosixSpawn.rb:15:1:15:60 | call to system | PosixSpawn.rb:15:47:15:52 | call to before | false |
+| PosixSpawn.rb:15:1:15:60 | call to system | PosixSpawn.rb:15:55:15:59 | call to after | false |
+| PosixSpawn.rb:17:1:17:28 | call to fspawn | PosixSpawn.rb:17:21:17:27 | call to command | true |
+| PosixSpawn.rb:18:1:18:28 | call to pspawn | PosixSpawn.rb:18:21:18:27 | call to command | true |
+| PosixSpawn.rb:19:1:19:28 | call to popen4 | PosixSpawn.rb:19:21:19:27 | call to command | true |
+| PosixSpawn.rb:21:1:21:28 | call to ` | PosixSpawn.rb:21:16:21:20 | "foo" | false |
+| PosixSpawn.rb:21:1:21:28 | call to ` | PosixSpawn.rb:21:23:21:27 | "bar" | false |
 childCalls
-| PosixSpawn.rb:4:1:4:77 | call to new | PosixSpawn.rb:4:25:4:39 | call to [] |
-| PosixSpawn.rb:4:1:4:77 | call to new | PosixSpawn.rb:4:42:4:51 | ... + ... |
-| PosixSpawn.rb:4:1:4:77 | call to new | PosixSpawn.rb:4:54:4:58 | * ... |
-| PosixSpawn.rb:5:1:5:80 | call to new | PosixSpawn.rb:5:25:5:32 | * ... |
-| PosixSpawn.rb:10:1:10:35 | call to new | PosixSpawn.rb:10:25:10:28 | "ls" |
-| PosixSpawn.rb:10:1:10:35 | call to new | PosixSpawn.rb:10:31:10:34 | "-l" |
-| PosixSpawn.rb:11:1:11:38 | call to build | PosixSpawn.rb:11:27:11:32 | "echo" |
-| PosixSpawn.rb:11:1:11:38 | call to build | PosixSpawn.rb:11:35:11:37 | call to msg |
+| PosixSpawn.rb:4:1:4:77 | call to new | PosixSpawn.rb:4:25:4:39 | call to [] | false |
+| PosixSpawn.rb:4:1:4:77 | call to new | PosixSpawn.rb:4:42:4:51 | ... + ... | false |
+| PosixSpawn.rb:4:1:4:77 | call to new | PosixSpawn.rb:4:54:4:58 | * ... | false |
+| PosixSpawn.rb:5:1:5:80 | call to new | PosixSpawn.rb:5:25:5:32 | * ... | false |
+| PosixSpawn.rb:12:1:12:35 | call to new | PosixSpawn.rb:12:25:12:28 | "ls" | false |
+| PosixSpawn.rb:12:1:12:35 | call to new | PosixSpawn.rb:12:31:12:34 | "-l" | false |
+| PosixSpawn.rb:13:1:13:38 | call to build | PosixSpawn.rb:13:27:13:32 | "echo" | false |
+| PosixSpawn.rb:13:1:13:38 | call to build | PosixSpawn.rb:13:35:13:37 | call to msg | false |
diff --git a/ruby/ql/test/library-tests/frameworks/PosixSpawn.ql b/ruby/ql/test/library-tests/frameworks/PosixSpawn.ql
@@ -2,10 +2,14 @@ import ruby
 import codeql.ruby.frameworks.PosixSpawn
 import codeql.ruby.DataFlow
 
-query predicate systemCalls(PosixSpawn::SystemCall call, DataFlow::Node arg) {
-  arg = call.getAnArgument()
+query predicate systemCalls(
+  PosixSpawn::SystemCall call, DataFlow::Node arg, boolean shellInterpreted
+) {
+  arg = call.getAnArgument() and
+  if call.isShellInterpreted(arg) then shellInterpreted = true else shellInterpreted = false
 }
 
-query predicate childCalls(PosixSpawn::ChildCall call, DataFlow::Node arg) {
-  arg = call.getAnArgument()
+query predicate childCalls(PosixSpawn::ChildCall call, DataFlow::Node arg, boolean shellInterpreted) {
+  arg = call.getAnArgument() and
+  if call.isShellInterpreted(arg) then shellInterpreted = true else shellInterpreted = false
 }
diff --git a/ruby/ql/test/library-tests/frameworks/PosixSpawn.rb b/ruby/ql/test/library-tests/frameworks/PosixSpawn.rb
@@ -6,6 +6,8 @@
 
 POSIX::Spawn.spawn(*(argv+[{:in => f}]))
 POSIX::Spawn::spawn('sleep 5')
+POSIX::Spawn.spawn(cmd)
+POSIX::Spawn.spawn(env, "ls")
 
 POSIX::Spawn::Child.new("ls", "-l")
 POSIX::Spawn::Child.build("echo", msg)
