Ruby: model Open4.popen4ext

Author: hmac

ruby/ql/lib/codeql/ruby/frameworks/stdlib/Open3.qll

@@ -38,14 +38,26 @@ module Open3 {
    */
   class Open4Call extends SystemCommandExecution::Range instanceof DataFlow::CallNode {
     Open4Call() {
-      this = API::getTopLevelMember("Open4").getAMethodCall(["open4", "popen4", "spawn"])
+      this =
+        API::getTopLevelMember("Open4").getAMethodCall(["open4", "popen4", "spawn", "popen4ext"])
     }
 
-    override DataFlow::Node getAnArgument() { result = super.getArgument(_) }
+    override DataFlow::Node getAnArgument() {
+      // `popen4ext` takes an optional boolean as its first argument, but it is unlikely that we will be
+      // tracking flow into a boolean value so it doesn't seem worth modeling that special case here.
+      result = super.getArgument(_)
+    }
 
     override predicate isShellInterpreted(DataFlow::Node arg) {
       super.getNumberOfArguments() = 1 and
       arg = this.getAnArgument()
+      or
+      // ```rb
+      // Open4.popen4ext(true, "some cmd")
+      // ```
+      super.getNumberOfArguments() = 2 and
+      super.getArgument(0).getConstantValue().isBoolean(_) and
+      arg = super.getArgument(1)
     }
   }
 

ruby/ql/test/library-tests/frameworks/stdlib/Open3.expected

@@ -15,3 +15,7 @@ open4CallExecutions
 | Open3.rb:13:1:13:24 | call to open4 |
 | Open3.rb:14:1:14:25 | call to popen4 |
 | Open3.rb:15:1:15:23 | call to spawn |
+| Open3.rb:16:1:16:27 | call to popen4ext |
+| Open3.rb:17:1:17:30 | call to popen4ext |
+| Open3.rb:18:1:18:33 | call to popen4ext |
+| Open3.rb:19:1:19:36 | call to popen4ext |

ruby/ql/test/library-tests/frameworks/stdlib/Open3.rb

@@ -13,3 +13,7 @@
 Open4::open4("echo foo")
 Open4::popen4("echo foo")
 Open4.spawn("echo bar")
+Open4.popen4ext("echo foo")
+Open4.popen4ext("echo", "foo")
+Open4.popen4ext(true, "echo foo")
+Open4.popen4ext(true, "echo", "foo")