add basic support for arrays

Author: erik-krogh

ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionCustomizations.qll

@@ -4,10 +4,9 @@
  * well as extension points for adding your own.
  */
 
-private import codeql.ruby.DataFlow
+private import ruby
 private import codeql.ruby.ApiGraphs
 private import codeql.ruby.frameworks.core.Gem::Gem as Gem
-private import codeql.ruby.AST as Ast
 private import codeql.ruby.Concepts as Concepts
 
 /**
@@ -58,6 +57,25 @@ module UnsafeCodeConstruction {
     )
   }
 
+  /**
+   * A string constructed using a `.join(...)` call, where the resulting string ends up being executed as code.
+   */
+  class ArrayJoin extends Sink {
+    Concepts::CodeExecution s;
+    DataFlow::CallNode call;
+
+    ArrayJoin() {
+      call.getMethodName() = "join" and
+      call.getNumberOfArguments() = 1 and // any string. E.g. ";" or "\n".
+      call = getANodeExecutedAsCode(s) and
+      this = call.getReceiver()
+    }
+
+    override DataFlow::Node getCodeSink() { result = s }
+
+    override string getSinkType() { result = "array" }
+  }
+
   /**
    * A string constructed from a string-literal (e.g. `"foo #{sink}"`),
    * where the resulting string ends up being executed as a code.

ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/UnsafeCodeConstruction.expected

@@ -2,15 +2,19 @@ edges
 | impl/unsafeCode.rb:2:12:2:17 | target :  | impl/unsafeCode.rb:3:17:3:25 | #{...} |
 | impl/unsafeCode.rb:7:12:7:12 | x :  | impl/unsafeCode.rb:8:30:8:30 | x |
 | impl/unsafeCode.rb:12:12:12:12 | x :  | impl/unsafeCode.rb:13:33:13:33 | x |
+| impl/unsafeCode.rb:28:17:28:22 | my_arr :  | impl/unsafeCode.rb:29:10:29:15 | my_arr |
 nodes
 | impl/unsafeCode.rb:2:12:2:17 | target :  | semmle.label | target :  |
 | impl/unsafeCode.rb:3:17:3:25 | #{...} | semmle.label | #{...} |
 | impl/unsafeCode.rb:7:12:7:12 | x :  | semmle.label | x :  |
 | impl/unsafeCode.rb:8:30:8:30 | x | semmle.label | x |
 | impl/unsafeCode.rb:12:12:12:12 | x :  | semmle.label | x :  |
 | impl/unsafeCode.rb:13:33:13:33 | x | semmle.label | x |
+| impl/unsafeCode.rb:28:17:28:22 | my_arr :  | semmle.label | my_arr :  |
+| impl/unsafeCode.rb:29:10:29:15 | my_arr | semmle.label | my_arr |
 subpaths
 #select
 | impl/unsafeCode.rb:3:17:3:25 | #{...} | impl/unsafeCode.rb:2:12:2:17 | target :  | impl/unsafeCode.rb:3:17:3:25 | #{...} | This string interpolation which depends on $@ is later $@. | impl/unsafeCode.rb:2:12:2:17 | target | library input | impl/unsafeCode.rb:3:5:3:27 | call to eval | interpreted as code |
 | impl/unsafeCode.rb:8:30:8:30 | x | impl/unsafeCode.rb:7:12:7:12 | x :  | impl/unsafeCode.rb:8:30:8:30 | x | This string format which depends on $@ is later $@. | impl/unsafeCode.rb:7:12:7:12 | x | library input | impl/unsafeCode.rb:8:5:8:32 | call to eval | interpreted as code |
 | impl/unsafeCode.rb:13:33:13:33 | x | impl/unsafeCode.rb:12:12:12:12 | x :  | impl/unsafeCode.rb:13:33:13:33 | x | This string format which depends on $@ is later $@. | impl/unsafeCode.rb:12:12:12:12 | x | library input | impl/unsafeCode.rb:13:5:13:35 | call to eval | interpreted as code |
+| impl/unsafeCode.rb:29:10:29:15 | my_arr | impl/unsafeCode.rb:28:17:28:22 | my_arr :  | impl/unsafeCode.rb:29:10:29:15 | my_arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:28:17:28:22 | my_arr | library input | impl/unsafeCode.rb:29:5:29:27 | call to eval | interpreted as code |

ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/impl/unsafeCode.rb

@@ -24,4 +24,11 @@ def send_stuff(x)
   def named_code(code)
     foo.send("def \n #{code} \n end") # OK - parameter is named code
   end
+
+  def joinStuff(my_arr)
+    eval(my_arr.join("\n")) # NOT OK
+  end
+
+  # TODO: [x, y].join("\n") is not yet supported
+  # TODO: list << element. 
 end