Test that KernelMethodCall is specific enough

hmac · hmac · commit 739661eb10eb · 2021-09-17T17:02:17.000+01:00
Calls to `UnknownModule.system`, where `UnknownModule` is a module that
we know nothing about, should not be identified as instances of
`KernelMethodCall`.
diff --git a/ql/lib/codeql/ruby/security/CommandInjectionCustomizations.qll b/ql/lib/codeql/ruby/security/CommandInjectionCustomizations.qll
@@ -48,8 +48,7 @@ module CommandInjection {
    */
   class ShellwordsEscapeAsSanitizer extends Sanitizer {
     ShellwordsEscapeAsSanitizer() {
-      this = API::getTopLevelMember("Shellwords").getAMethodCall("escape") or
-      this = API::getTopLevelMember("Shellwords").getAMethodCall("shellescape")
+      this = API::getTopLevelMember("Shellwords").getAMethodCall(["escape", "shellescape"])
     }
   }
 }
diff --git a/ql/test/library-tests/frameworks/CommandExecution.rb b/ql/test/library-tests/frameworks/CommandExecution.rb
@@ -86,3 +86,5 @@ def run
     MockSystem.system("ls")
   end
 end
+
+UnknownModule.system("ls")
diff --git a/ql/test/query-tests/security/cwe-078/CommandInjection.expected b/ql/test/query-tests/security/cwe-078/CommandInjection.expected
@@ -4,29 +4,30 @@ edges
 | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:10:14:10:16 | cmd |
 | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:11:17:11:22 | #{...} |
 | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:13:9:13:14 | #{...} |
-| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:26:19:26:24 | #{...} |
-| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:30:24:30:36 | "echo #{...}" |
-| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:31:39:31:51 | "grep #{...}" |
-| CommandInjection.rb:43:15:43:20 | call to params :  | CommandInjection.rb:47:24:47:36 | "echo #{...}" |
+| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:29:19:29:24 | #{...} |
+| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:33:24:33:36 | "echo #{...}" |
+| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:34:39:34:51 | "grep #{...}" |
+| CommandInjection.rb:46:15:46:20 | call to params :  | CommandInjection.rb:50:24:50:36 | "echo #{...}" |
 nodes
 | CommandInjection.rb:6:15:6:20 | call to params :  | semmle.label | call to params :  |
 | CommandInjection.rb:7:10:7:15 | #{...} | semmle.label | #{...} |
 | CommandInjection.rb:8:16:8:18 | cmd | semmle.label | cmd |
 | CommandInjection.rb:10:14:10:16 | cmd | semmle.label | cmd |
 | CommandInjection.rb:11:17:11:22 | #{...} | semmle.label | #{...} |
 | CommandInjection.rb:13:9:13:14 | #{...} | semmle.label | #{...} |
-| CommandInjection.rb:26:19:26:24 | #{...} | semmle.label | #{...} |
-| CommandInjection.rb:30:24:30:36 | "echo #{...}" | semmle.label | "echo #{...}" |
-| CommandInjection.rb:31:39:31:51 | "grep #{...}" | semmle.label | "grep #{...}" |
-| CommandInjection.rb:43:15:43:20 | call to params :  | semmle.label | call to params :  |
-| CommandInjection.rb:47:24:47:36 | "echo #{...}" | semmle.label | "echo #{...}" |
+| CommandInjection.rb:29:19:29:24 | #{...} | semmle.label | #{...} |
+| CommandInjection.rb:33:24:33:36 | "echo #{...}" | semmle.label | "echo #{...}" |
+| CommandInjection.rb:34:39:34:51 | "grep #{...}" | semmle.label | "grep #{...}" |
+| CommandInjection.rb:46:15:46:20 | call to params :  | semmle.label | call to params :  |
+| CommandInjection.rb:50:24:50:36 | "echo #{...}" | semmle.label | "echo #{...}" |
+subpaths
 #select
 | CommandInjection.rb:7:10:7:15 | #{...} | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:7:10:7:15 | #{...} | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
 | CommandInjection.rb:8:16:8:18 | cmd | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:8:16:8:18 | cmd | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
 | CommandInjection.rb:10:14:10:16 | cmd | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:10:14:10:16 | cmd | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
 | CommandInjection.rb:11:17:11:22 | #{...} | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:11:17:11:22 | #{...} | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
 | CommandInjection.rb:13:9:13:14 | #{...} | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:13:9:13:14 | #{...} | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
-| CommandInjection.rb:26:19:26:24 | #{...} | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:26:19:26:24 | #{...} | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
-| CommandInjection.rb:30:24:30:36 | "echo #{...}" | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:30:24:30:36 | "echo #{...}" | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
-| CommandInjection.rb:31:39:31:51 | "grep #{...}" | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:31:39:31:51 | "grep #{...}" | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
-| CommandInjection.rb:47:24:47:36 | "echo #{...}" | CommandInjection.rb:43:15:43:20 | call to params :  | CommandInjection.rb:47:24:47:36 | "echo #{...}" | This command depends on $@. | CommandInjection.rb:43:15:43:20 | call to params | a user-provided value |
+| CommandInjection.rb:29:19:29:24 | #{...} | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:29:19:29:24 | #{...} | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
+| CommandInjection.rb:33:24:33:36 | "echo #{...}" | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:33:24:33:36 | "echo #{...}" | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
+| CommandInjection.rb:34:39:34:51 | "grep #{...}" | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:34:39:34:51 | "grep #{...}" | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
+| CommandInjection.rb:50:24:50:36 | "echo #{...}" | CommandInjection.rb:46:15:46:20 | call to params :  | CommandInjection.rb:50:24:50:36 | "echo #{...}" | This command depends on $@. | CommandInjection.rb:46:15:46:20 | call to params | a user-provided value |
diff --git a/ql/test/query-tests/security/cwe-078/CommandInjection.rb b/ql/test/query-tests/security/cwe-078/CommandInjection.rb
@@ -13,8 +13,11 @@ def create
         #{cmd}
 EOF
 
-        safe_cmd = Shellwords.escape(cmd)
-        `echo #{safe_cmd}`
+        safe_cmd_1 = Shellwords.escape(cmd)
+        `echo #{safe_cmd_1}`
+
+        safe_cmd_2 = Shellwords.shellescape(cmd)
+        `echo #{safe_cmd_2}`
 
         if cmd == "some constant"
             `echo #{cmd}`

Original file line number	Diff line number	Diff line change
`@@ -48,8 +48,7 @@ module CommandInjection {`
`48`	`48`	`*/`
`49`	`49`	`class ShellwordsEscapeAsSanitizer extends Sanitizer {`
`50`	`50`	`ShellwordsEscapeAsSanitizer() {`
`51`		`- this = API::getTopLevelMember("Shellwords").getAMethodCall("escape") or`
`52`		`- this = API::getTopLevelMember("Shellwords").getAMethodCall("shellescape")`
	`51`	`+ this = API::getTopLevelMember("Shellwords").getAMethodCall(["escape", "shellescape"])`
`53`	`52`	`}`
`54`	`53`	`}`
`55`	`54`	`}`