Separate open3 pipeline methods

These have a slightly different structure than the other open3 methods.

Author: hmac

ql/lib/codeql/ruby/frameworks/StandardLibrary.qll

@@ -165,17 +165,19 @@ class KernelSpawnCall extends SystemCommandExecution::Range {
   }
 }
 
+/**
+ * A system command executed via one of the `Open3` methods.
+ * These methods take the same argument forms as `Kernel.system`.
+ * See `KernelSystemCall` for details.
+ */
 class Open3Call extends SystemCommandExecution::Range {
   MethodCall methodCall;
 
   Open3Call() {
     this.asExpr().getExpr() = methodCall and
     this =
       API::getTopLevelMember("Open3")
-          .getAMethodCall([
-              "popen3", "popen2", "popen2e", "capture3", "capture2", "capture2e", "pipeline_rw",
-              "pipeline_r", "pipeline_w", "pipeline_start", "pipeline"
-            ])
+          .getAMethodCall(["popen3", "popen2", "popen2e", "capture3", "capture2", "capture2e"])
   }
 
   override DataFlow::Node getAnArgument() { result.asExpr().getExpr() = methodCall.getAnArgument() }
@@ -185,3 +187,32 @@ class Open3Call extends SystemCommandExecution::Range {
     methodCall.getNumberOfArguments() = 1 and arg.asExpr().getExpr() = methodCall.getAnArgument()
   }
 }
+
+/**
+ * A pipeline of system commands constructed via one of the `Open3` methods.
+ * These methods accept a variable argument list of commands.
+ * Commands can be in any form supported by `Kernel.system`. See `KernelSystemCall` for details.
+ * ```ruby
+ * Open3.pipeline("cat foo.txt", "tail")
+ * Open3.pipeline(["cat", "foo.txt"], "tail")
+ * Open3.pipeline([{}, "cat", "foo.txt"], "tail")
+ * Open3.pipeline([["cat", "cat"], "foo.txt"], "tail")
+ */
+class Open3PipelineCall extends SystemCommandExecution::Range {
+  MethodCall methodCall;
+
+  Open3PipelineCall() {
+    this.asExpr().getExpr() = methodCall and
+    this =
+      API::getTopLevelMember("Open3")
+          .getAMethodCall(["pipeline_rw", "pipeline_r", "pipeline_w", "pipeline_start", "pipeline"])
+  }
+
+  override DataFlow::Node getAnArgument() { result.asExpr().getExpr() = methodCall.getAnArgument() }
+
+  override predicate isShellInterpreted(DataFlow::Node arg) {
+    // A command in the pipeline is executed in a subshell if it is given as a single string argument.
+    arg.asExpr().getExpr() instanceof StringlikeLiteral and
+    arg.asExpr().getExpr() = methodCall.getAnArgument()
+  }
+}

ql/test/library-tests/frameworks/CommandExecution.rb

@@ -58,11 +58,11 @@
 Open3.capture3("echo foo")
 Open3.capture2("echo foo")
 Open3.capture2e("echo foo")
-Open3.pipeline_rw("echo foo")
-Open3.pipeline_r("echo foo")
-Open3.pipeline_w("echo foo")
-Open3.pipeline_start("echo foo")
-Open3.pipeline("echo foo")
+Open3.pipeline_rw("echo foo", "grep bar")
+Open3.pipeline_r("echo foo", "grep bar")
+Open3.pipeline_w("echo foo", "grep bar")
+Open3.pipeline_start("echo foo", "grep bar")
+Open3.pipeline("echo foo", "grep bar")
 
 <<`EOF`
 echo foo

ql/test/library-tests/frameworks/StandardLibrary.expected

@@ -52,8 +52,9 @@ open3CallExecutions
 | CommandExecution.rb:58:1:58:26 | call to capture3 |
 | CommandExecution.rb:59:1:59:26 | call to capture2 |
 | CommandExecution.rb:60:1:60:27 | call to capture2e |
-| CommandExecution.rb:61:1:61:29 | call to pipeline_rw |
-| CommandExecution.rb:62:1:62:28 | call to pipeline_r |
-| CommandExecution.rb:63:1:63:28 | call to pipeline_w |
-| CommandExecution.rb:64:1:64:32 | call to pipeline_start |
-| CommandExecution.rb:65:1:65:26 | call to pipeline |
+open3PipelineCallExecutions
+| CommandExecution.rb:61:1:61:41 | call to pipeline_rw |
+| CommandExecution.rb:62:1:62:40 | call to pipeline_r |
+| CommandExecution.rb:63:1:63:40 | call to pipeline_w |
+| CommandExecution.rb:64:1:64:44 | call to pipeline_start |
+| CommandExecution.rb:65:1:65:38 | call to pipeline |

ql/test/library-tests/frameworks/StandardLibrary.ql

@@ -11,3 +11,5 @@ query predicate kernelExecCallExecutions(KernelExecCall c) { any() }
 query predicate kernelSpawnCallExecutions(KernelSpawnCall c) { any() }
 
 query predicate open3CallExecutions(Open3Call c) { any() }
+
+query predicate open3PipelineCallExecutions(Open3PipelineCall c) { any() }