don't mention arrays in the qhelp for rb/shell-command-constructed-from-input, because there are no array

2026-04-26 17:25:19 +02:00 · 2024-04-10 14:26:00 +02:00
parent 0e67aa5baa
commit 4ae25c2d34
2 changed files with 7 additions and 2 deletions
--- a/ruby/ql/src/queries/security/cwe-078/UnsafeShellCommandConstruction.qhelp
+++ b/ruby/ql/src/queries/security/cwe-078/UnsafeShellCommandConstruction.qhelp
@@ -20,10 +20,15 @@
 <recommendation>

 	<p>
-		If possible, provide the dynamic arguments to the shell as an array 
+		If possible, avoid concatenating shell strings
 		to APIs such as <code>system(..)</code> to avoid interpretation by the shell.
 	</p>

+    <p>
+        Instead, provide the arguments to the shell command as separate arguments to the
+        API, such as <code>system("echo", arg1, arg2)</code>.
+    </p>
+
 	<p>
 		Alternatively, if the shell command must be constructed
 		dynamically, then add code to ensure that special characters 
--- a/ruby/ql/src/queries/security/cwe-078/examples/unsafe-shell-command-construction_fixed.rb
+++ b/ruby/ql/src/queries/security/cwe-078/examples/unsafe-shell-command-construction_fixed.rb
@@ -1,6 +1,6 @@
 module Utils 
    def download(path)
-        # using an array to call `system` is safe
+        # using an API that doesn't interpret the path as a shell command
        system("wget", path) # OK
    end
 end