Add Shellwords.escape as CLI injection sanitizer

ql/test/query-tests/security/cwe-078/CommandInjection.expected

@@ -1,16 +1,16 @@
 edges
-| CommandInjection.rb:3:15:3:20 | call to params :  | CommandInjection.rb:4:10:4:15 | #{...} |
-| CommandInjection.rb:3:15:3:20 | call to params :  | CommandInjection.rb:5:16:5:18 | cmd |
-| CommandInjection.rb:3:15:3:20 | call to params :  | CommandInjection.rb:6:14:6:16 | cmd |
-| CommandInjection.rb:3:15:3:20 | call to params :  | CommandInjection.rb:7:12:7:17 | #{...} |
+| CommandInjection.rb:5:15:5:20 | call to params :  | CommandInjection.rb:6:10:6:15 | #{...} |
+| CommandInjection.rb:5:15:5:20 | call to params :  | CommandInjection.rb:7:16:7:18 | cmd |
+| CommandInjection.rb:5:15:5:20 | call to params :  | CommandInjection.rb:8:14:8:16 | cmd |
+| CommandInjection.rb:5:15:5:20 | call to params :  | CommandInjection.rb:9:17:9:22 | #{...} |
 nodes
-| CommandInjection.rb:3:15:3:20 | call to params :  | semmle.label | call to params :  |
-| CommandInjection.rb:4:10:4:15 | #{...} | semmle.label | #{...} |
-| CommandInjection.rb:5:16:5:18 | cmd | semmle.label | cmd |
-| CommandInjection.rb:6:14:6:16 | cmd | semmle.label | cmd |
-| CommandInjection.rb:7:12:7:17 | #{...} | semmle.label | #{...} |
+| CommandInjection.rb:5:15:5:20 | call to params :  | semmle.label | call to params :  |
+| CommandInjection.rb:6:10:6:15 | #{...} | semmle.label | #{...} |
+| CommandInjection.rb:7:16:7:18 | cmd | semmle.label | cmd |
+| CommandInjection.rb:8:14:8:16 | cmd | semmle.label | cmd |
+| CommandInjection.rb:9:17:9:22 | #{...} | semmle.label | #{...} |
 #select
-| CommandInjection.rb:4:10:4:15 | #{...} | CommandInjection.rb:3:15:3:20 | call to params :  | CommandInjection.rb:4:10:4:15 | #{...} | This command depends on $@. | CommandInjection.rb:3:15:3:20 | call to params | a user-provided value |
-| CommandInjection.rb:5:16:5:18 | cmd | CommandInjection.rb:3:15:3:20 | call to params :  | CommandInjection.rb:5:16:5:18 | cmd | This command depends on $@. | CommandInjection.rb:3:15:3:20 | call to params | a user-provided value |
-| CommandInjection.rb:6:14:6:16 | cmd | CommandInjection.rb:3:15:3:20 | call to params :  | CommandInjection.rb:6:14:6:16 | cmd | This command depends on $@. | CommandInjection.rb:3:15:3:20 | call to params | a user-provided value |
-| CommandInjection.rb:7:12:7:17 | #{...} | CommandInjection.rb:3:15:3:20 | call to params :  | CommandInjection.rb:7:12:7:17 | #{...} | This command depends on $@. | CommandInjection.rb:3:15:3:20 | call to params | a user-provided value |
+| CommandInjection.rb:6:10:6:15 | #{...} | CommandInjection.rb:5:15:5:20 | call to params :  | CommandInjection.rb:6:10:6:15 | #{...} | This command depends on $@. | CommandInjection.rb:5:15:5:20 | call to params | a user-provided value |
+| CommandInjection.rb:7:16:7:18 | cmd | CommandInjection.rb:5:15:5:20 | call to params :  | CommandInjection.rb:7:16:7:18 | cmd | This command depends on $@. | CommandInjection.rb:5:15:5:20 | call to params | a user-provided value |
+| CommandInjection.rb:8:14:8:16 | cmd | CommandInjection.rb:5:15:5:20 | call to params :  | CommandInjection.rb:8:14:8:16 | cmd | This command depends on $@. | CommandInjection.rb:5:15:5:20 | call to params | a user-provided value |
+| CommandInjection.rb:9:17:9:22 | #{...} | CommandInjection.rb:5:15:5:20 | call to params :  | CommandInjection.rb:9:17:9:22 | #{...} | This command depends on $@. | CommandInjection.rb:5:15:5:20 | call to params | a user-provided value |

ql/test/query-tests/security/cwe-078/CommandInjection.rb

@@ -1,10 +1,14 @@
+require "shellwords"
+
 class UsersController < ActionController::Base
     def create
         cmd = params[:cmd]
         `#{cmd}`
         system(cmd)
         exec(cmd)
-        %x(#{cmd})
+        %x(echo #{cmd})
+        safe_cmd = Shellwords.escape(cmd)
+        `echo #{safe_cmd}`
     end
 
     def show