Add qhelp for CLI Injection query

Author: hmac

ql/src/queries/security/cwe-078/CommandInjection.qhelp

@@ -0,0 +1,44 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Code that passes user input directly to
+<code>Kernel#system</code>, <code>Kernel#exec</code>, or some other library
+routine that executes a command, allows the user to execute malicious
+code.</p>
+
+</overview>
+<recommendation>
+
+<p>If possible, use hard-coded string literals to specify the command to run
+or library to load. Instead of passing the user input directly to the
+process or library function, examine the user input and then choose
+among hard-coded string literals.</p>
+
+<p>If the applicable libraries or commands cannot be determined at
+compile time, then add code to verify that the user input string is
+safe before using it.</p>
+
+</recommendation>
+<example>
+
+<p>The following example shows code that takes a shell script that can be changed
+maliciously by a user, and passes it straight to <code>Kernel#system</code>
+without examining it first.</p>
+
+<sample src="examples/command_injection.rb" />
+
+</example>
+<references>
+
+<li>
+OWASP:
+<a href="https://www.owasp.org/index.php/Command_Injection">Command Injection</a>.
+</li>
+
+<!--  LocalWords:  CWE untrusted unsanitized Runtime
+ -->
+
+</references>
+</qhelp>

ql/src/queries/security/cwe-078/examples/command_injection.rb

@@ -0,0 +1,6 @@
+class UsersController < ActionController::Base
+  def create
+    command = params[:command]
+    system(command) # BAD
+  end
+end