Add barrier guards for CLI injection

Author: hmac

ql/lib/codeql/ruby/security/CommandInjectionQuery.qll

@@ -11,6 +11,7 @@ import ruby
 import codeql.ruby.TaintTracking
 import CommandInjectionCustomizations::CommandInjection
 import codeql.ruby.DataFlow
+import codeql.ruby.dataflow.BarrierGuards
 
 /**
  * A taint-tracking configuration for reasoning about command-injection vulnerabilities.
@@ -23,4 +24,9 @@ class Configuration extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof StringConstCompare or
+    guard instanceof StringConstArrayInclusionCall
+  }
 }

ql/test/library-tests/frameworks/CommandExecution.rb

@@ -62,4 +62,4 @@
 Open3.pipeline_r("echo foo")
 Open3.pipeline_w("echo foo")
 Open3.pipeline_start("echo foo")
-Open3.pipeline("echo foo")
+Open3.pipeline("echo foo")

ql/test/query-tests/security/cwe-078/CommandInjection.qlref

@@ -1 +1 @@
-queries/security/cwe-078/CommandInjection.ql
+queries/security/cwe-078/CommandInjection.ql

ql/test/query-tests/security/cwe-078/CommandInjection.rb

@@ -7,8 +7,17 @@ def create
         system(cmd)
         exec(cmd)
         %x(echo #{cmd})
+
         safe_cmd = Shellwords.escape(cmd)
         `echo #{safe_cmd}`
+
+        if cmd == "some constant"
+            `echo #{cmd}`
+        end
+
+        if %w(foo bar).include? cmd
+            `echo #{cmd}`
+        end
     end
 
     def show
@@ -17,4 +26,4 @@ def show
         exec("ls")
         %x(ls)
     end
-end
+end