remove two more claseses of FPs in rb/non-constant-kernel-open

Author: erik-krogh

ruby/ql/src/queries/security/cwe-078/NonConstantKernelOpen.ql

@@ -16,15 +16,25 @@
  */
 
 import codeql.ruby.security.KernelOpenQuery
-import codeql.ruby.ast.Literal
+import codeql.ruby.AST
+import codeql.ruby.ApiGraphs
 
 from AmbiguousPathCall call
 where
-  // there is not a constant string argument
-  not exists(call.getPathArgument().getConstantValue()) and
-  // if it's a format string, then the first argument is not a constant string
-  not call.getPathArgument().getALocalSource().asExpr().getExpr().(StringLiteral).getComponent(0)
-    instanceof StringTextComponent
+  not hasConstantPrefix(call.getPathArgument().getALocalSource().asExpr().getExpr()) and
+  not call.getPathArgument().getALocalSource() =
+    API::getTopLevelMember("File").getAMethodCall("join")
 select call,
   "Call to " + call.getName() + " with a non-constant value. Consider replacing it with " +
     call.getReplacement() + "."
+
+predicate hasConstantPrefix(Expr e) {
+  // if it's a format string, then the first argument is not a constant string
+  e.(StringlikeLiteral).getComponent(0) instanceof StringTextComponent
+  or
+  // it is not a constant string argument
+  exists(e.getConstantValue())
+  or
+  // not a concatenation that starts with a constant string
+  hasConstantPrefix(e.(AddExpr).getLeftOperand())
+}

ruby/ql/test/query-tests/security/cwe-078/NonConstantKernelOpen/NonConstantKernelOpen.rb

@@ -25,5 +25,9 @@ def create
     Kernel.open("#{this_is} bad") # BAD
 
     open("| #{this_is_an_explicit_command} foo bar") # GOOD
+
+    IO.foreach("|" + EnvUtil.rubybin + " -e 'puts :foo; puts :bar; puts :baz'") {|x| a << x } # GOOD
+
+    IO.write(File.join("foo", "bar.txt"), "bar") # GOOD
   end
 end