Add Shellwords.escape as CLI injection sanitizer

hmac · hmac · commit 8f65d78cb520 · 2021-09-17T17:02:17.000+01:00
diff --git a/ql/lib/codeql/ruby/security/CommandInjectionCustomizations.qll b/ql/lib/codeql/ruby/security/CommandInjectionCustomizations.qll
@@ -8,6 +8,7 @@ private import codeql.ruby.DataFlow
 private import codeql.ruby.dataflow.RemoteFlowSources
 private import codeql.ruby.Concepts
 private import codeql.ruby.Frameworks
+private import codeql.ruby.ApiGraphs
 
 module CommandInjection {
   /**
@@ -38,7 +39,17 @@ module CommandInjection {
   /**
    * A command argument to a function that initiates an operating system command.
    */
-  class SystemCommandExecutionSink extends Sink, DataFlow::Node {
+  class SystemCommandExecutionSink extends Sink {
     SystemCommandExecutionSink() { this = any(SystemCommandExecution c).getAnArgument() }
   }
+
+  /**
+   * A call to `Shellwords.escape` or `Shellwords.shellescape` sanitizes its input.
+   */
+  class ShellwordsEscapeAsSanitizer extends Sanitizer {
+    ShellwordsEscapeAsSanitizer() {
+      this = API::getTopLevelMember("Shellwords").getAMethodCall("escape") or
+      this = API::getTopLevelMember("Shellwords").getAMethodCall("shellescape")
+    }
+  }
 }
diff --git a/ql/test/query-tests/security/cwe-078/CommandInjection.expected b/ql/test/query-tests/security/cwe-078/CommandInjection.expected
@@ -1,16 +1,16 @@
 edges
-| CommandInjection.rb:3:15:3:20 | call to params :  | CommandInjection.rb:4:10:4:15 | #{...} |
-| CommandInjection.rb:3:15:3:20 | call to params :  | CommandInjection.rb:5:16:5:18 | cmd |
-| CommandInjection.rb:3:15:3:20 | call to params :  | CommandInjection.rb:6:14:6:16 | cmd |
-| CommandInjection.rb:3:15:3:20 | call to params :  | CommandInjection.rb:7:12:7:17 | #{...} |
+| CommandInjection.rb:5:15:5:20 | call to params :  | CommandInjection.rb:6:10:6:15 | #{...} |
+| CommandInjection.rb:5:15:5:20 | call to params :  | CommandInjection.rb:7:16:7:18 | cmd |
+| CommandInjection.rb:5:15:5:20 | call to params :  | CommandInjection.rb:8:14:8:16 | cmd |
+| CommandInjection.rb:5:15:5:20 | call to params :  | CommandInjection.rb:9:17:9:22 | #{...} |
 nodes
-| CommandInjection.rb:3:15:3:20 | call to params :  | semmle.label | call to params :  |
-| CommandInjection.rb:4:10:4:15 | #{...} | semmle.label | #{...} |
-| CommandInjection.rb:5:16:5:18 | cmd | semmle.label | cmd |
-| CommandInjection.rb:6:14:6:16 | cmd | semmle.label | cmd |
-| CommandInjection.rb:7:12:7:17 | #{...} | semmle.label | #{...} |
+| CommandInjection.rb:5:15:5:20 | call to params :  | semmle.label | call to params :  |
+| CommandInjection.rb:6:10:6:15 | #{...} | semmle.label | #{...} |
+| CommandInjection.rb:7:16:7:18 | cmd | semmle.label | cmd |
+| CommandInjection.rb:8:14:8:16 | cmd | semmle.label | cmd |
+| CommandInjection.rb:9:17:9:22 | #{...} | semmle.label | #{...} |
 #select
-| CommandInjection.rb:4:10:4:15 | #{...} | CommandInjection.rb:3:15:3:20 | call to params :  | CommandInjection.rb:4:10:4:15 | #{...} | This command depends on $@. | CommandInjection.rb:3:15:3:20 | call to params | a user-provided value |
-| CommandInjection.rb:5:16:5:18 | cmd | CommandInjection.rb:3:15:3:20 | call to params :  | CommandInjection.rb:5:16:5:18 | cmd | This command depends on $@. | CommandInjection.rb:3:15:3:20 | call to params | a user-provided value |
-| CommandInjection.rb:6:14:6:16 | cmd | CommandInjection.rb:3:15:3:20 | call to params :  | CommandInjection.rb:6:14:6:16 | cmd | This command depends on $@. | CommandInjection.rb:3:15:3:20 | call to params | a user-provided value |
-| CommandInjection.rb:7:12:7:17 | #{...} | CommandInjection.rb:3:15:3:20 | call to params :  | CommandInjection.rb:7:12:7:17 | #{...} | This command depends on $@. | CommandInjection.rb:3:15:3:20 | call to params | a user-provided value |
+| CommandInjection.rb:6:10:6:15 | #{...} | CommandInjection.rb:5:15:5:20 | call to params :  | CommandInjection.rb:6:10:6:15 | #{...} | This command depends on $@. | CommandInjection.rb:5:15:5:20 | call to params | a user-provided value |
+| CommandInjection.rb:7:16:7:18 | cmd | CommandInjection.rb:5:15:5:20 | call to params :  | CommandInjection.rb:7:16:7:18 | cmd | This command depends on $@. | CommandInjection.rb:5:15:5:20 | call to params | a user-provided value |
+| CommandInjection.rb:8:14:8:16 | cmd | CommandInjection.rb:5:15:5:20 | call to params :  | CommandInjection.rb:8:14:8:16 | cmd | This command depends on $@. | CommandInjection.rb:5:15:5:20 | call to params | a user-provided value |
+| CommandInjection.rb:9:17:9:22 | #{...} | CommandInjection.rb:5:15:5:20 | call to params :  | CommandInjection.rb:9:17:9:22 | #{...} | This command depends on $@. | CommandInjection.rb:5:15:5:20 | call to params | a user-provided value |
diff --git a/ql/test/query-tests/security/cwe-078/CommandInjection.rb b/ql/test/query-tests/security/cwe-078/CommandInjection.rb
@@ -1,10 +1,14 @@
+require "shellwords"
+
 class UsersController < ActionController::Base
     def create
         cmd = params[:cmd]
         `#{cmd}`
         system(cmd)
         exec(cmd)
-        %x(#{cmd})
+        %x(echo #{cmd})
+        safe_cmd = Shellwords.escape(cmd)
+        `echo #{safe_cmd}`
     end
 
     def show
