Ruby: Model Open4 library

Also remove duplicate modeling of Process.spawn.
2026-03-05 23:26:51 +01:00 · 2024-02-26 10:35:08 +00:00
parent a03c06802e
commit beef9965cc
5 changed files with 26 additions and 8 deletions
--- a/ruby/ql/lib/codeql/ruby/frameworks/core/Kernel.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/core/Kernel.qll
@@ -130,7 +130,6 @@ module Kernel {
   * `Kernel.spawn` takes the same argument forms as `Kernel.system`.
   * See `KernelSystemCall` for details.
   * Ruby documentation: https://docs.ruby-lang.org/en/3.0.0/Kernel.html#method-i-spawn
-   * Methods with the same effect exist in the `Process` and `PTY` classes, so they are also modeled here.
   * TODO: document and handle the env and option arguments.
   * ```
   * spawn([env,] command... [,options]) -> pid
@@ -140,8 +139,6 @@ module Kernel {
    KernelSpawnCall() {
      this.getMethodName() = "spawn" and
      this instanceof KernelMethodCall
-      or
-      this = DataFlow::getConstant(["Process", "PTY"]).getAMethodCall("spawn")
    }

    override DataFlow::Node getAnArgument() { result = super.getArgument(_) }
--- a/ruby/ql/lib/codeql/ruby/frameworks/stdlib/Open3.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/stdlib/Open3.qll
@@ -18,10 +18,8 @@ module Open3 {
  class Open3Call extends SystemCommandExecution::Range instanceof DataFlow::CallNode {
    Open3Call() {
      this =
-        API::getTopLevelMember(["Open3", "Open4"])
-            .getAMethodCall([
-                "popen3", "popen2", "popen2e", "capture3", "capture2", "capture2e", "popen4"
-              ])
+        API::getTopLevelMember("Open3")
+            .getAMethodCall(["popen3", "popen2", "popen2e", "capture3", "capture2", "capture2e"])
    }

    override DataFlow::Node getAnArgument() { result = super.getArgument(_) }
@@ -33,6 +31,19 @@ module Open3 {
    }
  }

+  class Open4Call extends SystemCommandExecution::Range instanceof DataFlow::CallNode {
+    Open4Call() {
+      this = API::getTopLevelMember("Open4").getAMethodCall(["open4", "popen4", "spawn"])
+    }
+
+    override DataFlow::Node getAnArgument() { result = super.getArgument(_) }
+
+    override predicate isShellInterpreted(DataFlow::Node arg) {
+      super.getNumberOfArguments() = 1 and
+      arg = this.getAnArgument()
+    }
+  }
+
  /**
   * A pipeline of system commands constructed via one of the `Open3` methods.
   * These methods accept a variable argument list of commands.