Add top-level CLI injection query and tests

Author: hmac

ql/lib/codeql/ruby/security/CommandInjectionCustomizations.qll

@@ -39,6 +39,6 @@ module CommandInjection {
    * A command argument to a function that initiates an operating system command.
    */
   class SystemCommandExecutionSink extends Sink, DataFlow::Node {
-    SystemCommandExecutionSink() { this instanceof SystemCommandExecution }
+    SystemCommandExecutionSink() { this = any(SystemCommandExecution c).getAnArgument() }
   }
 }

ql/lib/codeql/ruby/security/CommandInjectionQuery.qll

@@ -8,7 +8,6 @@
  */
 
 import ruby
-// import IndirectCommandArgument
 import codeql.ruby.TaintTracking
 import CommandInjectionCustomizations::CommandInjection
 import codeql.ruby.DataFlow

ql/src/queries/security/cwe-078/CommandInjection.ql

@@ -0,0 +1,25 @@
+/**
+ * @name Uncontrolled command line
+ * @description Using externally controlled strings in a command line may allow a malicious
+ *              user to change the meaning of the command.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9.8
+ * @precision high
+ * @id rb/command-line-injection
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-078
+ *       external/cwe/cwe-088
+ */
+
+import ruby
+import codeql.ruby.security.CommandInjectionQuery
+import DataFlow::PathGraph
+
+from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, Source sourceNode
+where
+  config.hasFlowPath(source, sink) and
+  sourceNode = source.getNode()
+select sink.getNode(), source, sink, "This command depends on $@.", sourceNode,
+  sourceNode.getSourceType()

ql/test/query-tests/security/cwe-078/CommandInjection.expected

@@ -0,0 +1,16 @@
+edges
+| CommandInjection.rb:3:15:3:20 | call to params :  | CommandInjection.rb:4:10:4:15 | #{...} |
+| CommandInjection.rb:3:15:3:20 | call to params :  | CommandInjection.rb:5:16:5:18 | cmd |
+| CommandInjection.rb:3:15:3:20 | call to params :  | CommandInjection.rb:6:14:6:16 | cmd |
+| CommandInjection.rb:3:15:3:20 | call to params :  | CommandInjection.rb:7:12:7:17 | #{...} |
+nodes
+| CommandInjection.rb:3:15:3:20 | call to params :  | semmle.label | call to params :  |
+| CommandInjection.rb:4:10:4:15 | #{...} | semmle.label | #{...} |
+| CommandInjection.rb:5:16:5:18 | cmd | semmle.label | cmd |
+| CommandInjection.rb:6:14:6:16 | cmd | semmle.label | cmd |
+| CommandInjection.rb:7:12:7:17 | #{...} | semmle.label | #{...} |
+#select
+| CommandInjection.rb:4:10:4:15 | #{...} | CommandInjection.rb:3:15:3:20 | call to params :  | CommandInjection.rb:4:10:4:15 | #{...} | This command depends on $@. | CommandInjection.rb:3:15:3:20 | call to params | a user-provided value |
+| CommandInjection.rb:5:16:5:18 | cmd | CommandInjection.rb:3:15:3:20 | call to params :  | CommandInjection.rb:5:16:5:18 | cmd | This command depends on $@. | CommandInjection.rb:3:15:3:20 | call to params | a user-provided value |
+| CommandInjection.rb:6:14:6:16 | cmd | CommandInjection.rb:3:15:3:20 | call to params :  | CommandInjection.rb:6:14:6:16 | cmd | This command depends on $@. | CommandInjection.rb:3:15:3:20 | call to params | a user-provided value |
+| CommandInjection.rb:7:12:7:17 | #{...} | CommandInjection.rb:3:15:3:20 | call to params :  | CommandInjection.rb:7:12:7:17 | #{...} | This command depends on $@. | CommandInjection.rb:3:15:3:20 | call to params | a user-provided value |

ql/test/query-tests/security/cwe-078/CommandInjection.qlref

@@ -0,0 +1 @@
+queries/security/cwe-078/CommandInjection.ql

ql/test/query-tests/security/cwe-078/CommandInjection.rb

@@ -0,0 +1,16 @@
+class UsersController < ActionController::Base
+    def create
+        cmd = params[:cmd]
+        `#{cmd}`
+        system(cmd)
+        exec(cmd)
+        %x(#{cmd})
+    end
+
+    def show
+        `ls`
+        system("ls")
+        exec("ls")
+        %x(ls)
+    end
+end