add .shellescape as a sanitizer for rb/command-injection

Author: erik-krogh

ruby/ql/lib/codeql/ruby/security/CommandInjectionCustomizations.qll

@@ -49,6 +49,9 @@ module CommandInjection {
   class ShellwordsEscapeAsSanitizer extends Sanitizer {
     ShellwordsEscapeAsSanitizer() {
       this = API::getTopLevelMember("Shellwords").getAMethodCall(["escape", "shellescape"])
+      or
+      // The method is also added as `String#shellescape`.
+      this.(DataFlow::CallNode).getMethodName() = "shellescape"
     }
   }
 }

ruby/ql/test/query-tests/security/cwe-078/CommandInjection/CommandInjection.expected

@@ -15,6 +15,8 @@ edges
 | CommandInjection.rb:81:20:81:25 | **args :  | CommandInjection.rb:82:22:82:25 | args :  |
 | CommandInjection.rb:82:22:82:25 | args :  | CommandInjection.rb:82:22:82:37 | ...[...] :  |
 | CommandInjection.rb:82:22:82:37 | ...[...] :  | CommandInjection.rb:82:14:82:39 | "echo #{...}" |
+| CommandInjection.rb:94:16:94:21 | call to params :  | CommandInjection.rb:94:16:94:28 | ...[...] :  |
+| CommandInjection.rb:94:16:94:28 | ...[...] :  | CommandInjection.rb:95:16:95:28 | "cat #{...}" |
 nodes
 | CommandInjection.rb:6:15:6:20 | call to params :  | semmle.label | call to params :  |
 | CommandInjection.rb:6:15:6:26 | ...[...] :  | semmle.label | ...[...] :  |
@@ -37,6 +39,9 @@ nodes
 | CommandInjection.rb:82:14:82:39 | "echo #{...}" | semmle.label | "echo #{...}" |
 | CommandInjection.rb:82:22:82:25 | args :  | semmle.label | args :  |
 | CommandInjection.rb:82:22:82:37 | ...[...] :  | semmle.label | ...[...] :  |
+| CommandInjection.rb:94:16:94:21 | call to params :  | semmle.label | call to params :  |
+| CommandInjection.rb:94:16:94:28 | ...[...] :  | semmle.label | ...[...] :  |
+| CommandInjection.rb:95:16:95:28 | "cat #{...}" | semmle.label | "cat #{...}" |
 subpaths
 #select
 | CommandInjection.rb:7:10:7:15 | #{...} | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:7:10:7:15 | #{...} | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
@@ -51,3 +56,4 @@ subpaths
 | CommandInjection.rb:65:14:65:29 | "echo #{...}" | CommandInjection.rb:64:18:64:23 | number :  | CommandInjection.rb:65:14:65:29 | "echo #{...}" | This command depends on a $@. | CommandInjection.rb:64:18:64:23 | number | user-provided value |
 | CommandInjection.rb:73:14:73:34 | "echo #{...}" | CommandInjection.rb:72:23:72:33 | blah_number :  | CommandInjection.rb:73:14:73:34 | "echo #{...}" | This command depends on a $@. | CommandInjection.rb:72:23:72:33 | blah_number | user-provided value |
 | CommandInjection.rb:82:14:82:39 | "echo #{...}" | CommandInjection.rb:81:20:81:25 | **args :  | CommandInjection.rb:82:14:82:39 | "echo #{...}" | This command depends on a $@. | CommandInjection.rb:81:20:81:25 | **args | user-provided value |
+| CommandInjection.rb:95:16:95:28 | "cat #{...}" | CommandInjection.rb:94:16:94:21 | call to params :  | CommandInjection.rb:95:16:95:28 | "cat #{...}" | This command depends on a $@. | CommandInjection.rb:94:16:94:21 | call to params | user-provided value |

ruby/ql/test/query-tests/security/cwe-078/CommandInjection/CommandInjection.rb

@@ -88,3 +88,13 @@ def foo(arg)
     end
   end
 end
+
+class Foo < ActionController::Base
+    def create
+        file = params[:file]
+        system("cat #{file}")
+        # .shellescape
+        system("cat #{file.shellescape}") # OK, because file is shell escaped
+        
+    end
+end