Exclude non-shell interpreted args

Update the CommandInjection query to only consider sinks where the
argument is interpreted by a shell. If the argument is passed directly
to a subprocess then it's not vulnerable to shell injection.

Author: hmac

ql/lib/codeql/ruby/security/CommandInjectionCustomizations.qll

@@ -40,7 +40,7 @@ module CommandInjection {
    * A command argument to a function that initiates an operating system command.
    */
   class SystemCommandExecutionSink extends Sink {
-    SystemCommandExecutionSink() { this = any(SystemCommandExecution c).getAnArgument() }
+    SystemCommandExecutionSink() { exists(SystemCommandExecution c | c.isShellInterpreted(this)) }
   }
 
   /**

ql/test/query-tests/security/cwe-078/CommandInjection.expected

@@ -1,32 +1,32 @@
 edges
 | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:7:10:7:15 | #{...} |
 | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:8:16:8:18 | cmd |
-| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:9:14:9:16 | cmd |
-| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:10:17:10:22 | #{...} |
-| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:12:9:12:14 | #{...} |
-| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:25:19:25:24 | #{...} |
-| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:29:24:29:36 | "echo #{...}" |
-| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:30:39:30:51 | "grep #{...}" |
-| CommandInjection.rb:41:15:41:20 | call to params :  | CommandInjection.rb:45:24:45:36 | "echo #{...}" |
+| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:10:14:10:16 | cmd |
+| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:11:17:11:22 | #{...} |
+| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:13:9:13:14 | #{...} |
+| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:26:19:26:24 | #{...} |
+| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:30:24:30:36 | "echo #{...}" |
+| CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:31:39:31:51 | "grep #{...}" |
+| CommandInjection.rb:42:15:42:20 | call to params :  | CommandInjection.rb:46:24:46:36 | "echo #{...}" |
 nodes
 | CommandInjection.rb:6:15:6:20 | call to params :  | semmle.label | call to params :  |
 | CommandInjection.rb:7:10:7:15 | #{...} | semmle.label | #{...} |
 | CommandInjection.rb:8:16:8:18 | cmd | semmle.label | cmd |
-| CommandInjection.rb:9:14:9:16 | cmd | semmle.label | cmd |
-| CommandInjection.rb:10:17:10:22 | #{...} | semmle.label | #{...} |
-| CommandInjection.rb:12:9:12:14 | #{...} | semmle.label | #{...} |
-| CommandInjection.rb:25:19:25:24 | #{...} | semmle.label | #{...} |
-| CommandInjection.rb:29:24:29:36 | "echo #{...}" | semmle.label | "echo #{...}" |
-| CommandInjection.rb:30:39:30:51 | "grep #{...}" | semmle.label | "grep #{...}" |
-| CommandInjection.rb:41:15:41:20 | call to params :  | semmle.label | call to params :  |
-| CommandInjection.rb:45:24:45:36 | "echo #{...}" | semmle.label | "echo #{...}" |
+| CommandInjection.rb:10:14:10:16 | cmd | semmle.label | cmd |
+| CommandInjection.rb:11:17:11:22 | #{...} | semmle.label | #{...} |
+| CommandInjection.rb:13:9:13:14 | #{...} | semmle.label | #{...} |
+| CommandInjection.rb:26:19:26:24 | #{...} | semmle.label | #{...} |
+| CommandInjection.rb:30:24:30:36 | "echo #{...}" | semmle.label | "echo #{...}" |
+| CommandInjection.rb:31:39:31:51 | "grep #{...}" | semmle.label | "grep #{...}" |
+| CommandInjection.rb:42:15:42:20 | call to params :  | semmle.label | call to params :  |
+| CommandInjection.rb:46:24:46:36 | "echo #{...}" | semmle.label | "echo #{...}" |
 #select
 | CommandInjection.rb:7:10:7:15 | #{...} | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:7:10:7:15 | #{...} | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
 | CommandInjection.rb:8:16:8:18 | cmd | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:8:16:8:18 | cmd | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
-| CommandInjection.rb:9:14:9:16 | cmd | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:9:14:9:16 | cmd | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
-| CommandInjection.rb:10:17:10:22 | #{...} | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:10:17:10:22 | #{...} | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
-| CommandInjection.rb:12:9:12:14 | #{...} | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:12:9:12:14 | #{...} | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
-| CommandInjection.rb:25:19:25:24 | #{...} | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:25:19:25:24 | #{...} | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
-| CommandInjection.rb:29:24:29:36 | "echo #{...}" | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:29:24:29:36 | "echo #{...}" | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
-| CommandInjection.rb:30:39:30:51 | "grep #{...}" | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:30:39:30:51 | "grep #{...}" | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
-| CommandInjection.rb:45:24:45:36 | "echo #{...}" | CommandInjection.rb:41:15:41:20 | call to params :  | CommandInjection.rb:45:24:45:36 | "echo #{...}" | This command depends on $@. | CommandInjection.rb:41:15:41:20 | call to params | a user-provided value |
+| CommandInjection.rb:10:14:10:16 | cmd | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:10:14:10:16 | cmd | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
+| CommandInjection.rb:11:17:11:22 | #{...} | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:11:17:11:22 | #{...} | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
+| CommandInjection.rb:13:9:13:14 | #{...} | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:13:9:13:14 | #{...} | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
+| CommandInjection.rb:26:19:26:24 | #{...} | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:26:19:26:24 | #{...} | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
+| CommandInjection.rb:30:24:30:36 | "echo #{...}" | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:30:24:30:36 | "echo #{...}" | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
+| CommandInjection.rb:31:39:31:51 | "grep #{...}" | CommandInjection.rb:6:15:6:20 | call to params :  | CommandInjection.rb:31:39:31:51 | "grep #{...}" | This command depends on $@. | CommandInjection.rb:6:15:6:20 | call to params | a user-provided value |
+| CommandInjection.rb:46:24:46:36 | "echo #{...}" | CommandInjection.rb:42:15:42:20 | call to params :  | CommandInjection.rb:46:24:46:36 | "echo #{...}" | This command depends on $@. | CommandInjection.rb:42:15:42:20 | call to params | a user-provided value |

ql/test/query-tests/security/cwe-078/CommandInjection.rb

@@ -6,6 +6,7 @@ def create
         cmd = params[:cmd]
         `#{cmd}`
         system(cmd)
+        system("echo", cmd)
         exec(cmd)
         %x(echo #{cmd})
         result = <<`EOF`