Merge pull request #16174 from erik-krogh/no-arr-ruby-shell

RB: don't mention arrays in the qhelp for rb/shell-command-constructed-from-input

Author: erik-krogh

ruby/ql/src/queries/security/cwe-078/UnsafeShellCommandConstruction.qhelp

@@ -20,10 +20,15 @@
 <recommendation>
 
 	<p>
-		If possible, provide the dynamic arguments to the shell as an array 
+		If possible, avoid concatenating shell strings
 		to APIs such as <code>system(..)</code> to avoid interpretation by the shell.
 	</p>
 
+    <p>
+        Instead, provide the arguments to the shell command as separate arguments to the
+        API, such as <code>system("echo", arg1, arg2)</code>.
+    </p>
+
 	<p>
 		Alternatively, if the shell command must be constructed
 		dynamically, then add code to ensure that special characters 

ruby/ql/src/queries/security/cwe-078/examples/unsafe-shell-command-construction_fixed.rb

@@ -1,6 +1,6 @@
 module Utils 
     def download(path)
-        # using an array to call `system` is safe
+        # using an API that doesn't interpret the path as a shell command
         system("wget", path) # OK
     end
 end