Merge pull request #15524 from hmac/hmac-process-spawn

Ruby: Add some more command injection sinks

ruby/ql/test/library-tests/frameworks/stdlib/CommandExecution.expected

@@ -0,0 +1,32 @@
+| Open3.rb:1:1:1:24 | call to popen3 | Open3.rb:1:14:1:23 | "echo foo" | true |
+| Open3.rb:2:1:2:24 | call to popen2 | Open3.rb:2:14:2:23 | "echo foo" | true |
+| Open3.rb:3:1:3:25 | call to popen2e | Open3.rb:3:15:3:24 | "echo foo" | true |
+| Open3.rb:4:1:4:26 | call to capture3 | Open3.rb:4:16:4:25 | "echo foo" | true |
+| Open3.rb:5:1:5:26 | call to capture2 | Open3.rb:5:16:5:25 | "echo foo" | true |
+| Open3.rb:6:1:6:27 | call to capture2e | Open3.rb:6:17:6:26 | "echo foo" | true |
+| Open3.rb:7:1:7:41 | call to pipeline_rw | Open3.rb:7:19:7:28 | "echo foo" | true |
+| Open3.rb:7:1:7:41 | call to pipeline_rw | Open3.rb:7:31:7:40 | "grep bar" | true |
+| Open3.rb:8:1:8:40 | call to pipeline_r | Open3.rb:8:18:8:27 | "echo foo" | true |
+| Open3.rb:8:1:8:40 | call to pipeline_r | Open3.rb:8:30:8:39 | "grep bar" | true |
+| Open3.rb:9:1:9:40 | call to pipeline_w | Open3.rb:9:18:9:27 | "echo foo" | true |
+| Open3.rb:9:1:9:40 | call to pipeline_w | Open3.rb:9:30:9:39 | "grep bar" | true |
+| Open3.rb:10:1:10:44 | call to pipeline_start | Open3.rb:10:22:10:31 | "echo foo" | true |
+| Open3.rb:10:1:10:44 | call to pipeline_start | Open3.rb:10:34:10:43 | "grep bar" | true |
+| Open3.rb:11:1:11:38 | call to pipeline | Open3.rb:11:16:11:25 | "echo foo" | true |
+| Open3.rb:11:1:11:38 | call to pipeline | Open3.rb:11:28:11:37 | "grep bar" | true |
+| Open3.rb:13:1:13:24 | call to open4 | Open3.rb:13:14:13:23 | "echo foo" | true |
+| Open3.rb:14:1:14:25 | call to popen4 | Open3.rb:14:15:14:24 | "echo foo" | true |
+| Open3.rb:15:1:15:23 | call to spawn | Open3.rb:15:13:15:22 | "echo bar" | true |
+| Open3.rb:16:1:16:27 | call to popen4ext | Open3.rb:16:17:16:26 | "echo foo" | true |
+| Open3.rb:17:1:17:30 | call to popen4ext | Open3.rb:17:17:17:22 | "echo" | false |
+| Open3.rb:17:1:17:30 | call to popen4ext | Open3.rb:17:25:17:29 | "foo" | false |
+| Open3.rb:18:1:18:33 | call to popen4ext | Open3.rb:18:17:18:20 | true | false |
+| Open3.rb:18:1:18:33 | call to popen4ext | Open3.rb:18:23:18:32 | "echo foo" | true |
+| Open3.rb:19:1:19:36 | call to popen4ext | Open3.rb:19:17:19:20 | true | false |
+| Open3.rb:19:1:19:36 | call to popen4ext | Open3.rb:19:23:19:28 | "echo" | false |
+| Open3.rb:19:1:19:36 | call to popen4ext | Open3.rb:19:31:19:35 | "foo" | false |
+| process.rb:1:1:1:25 | call to spawn | process.rb:1:15:1:24 | "echo foo" | true |
+| process.rb:2:1:2:30 | call to spawn | process.rb:2:15:2:29 | call to [] | true |
+| process.rb:3:1:3:24 | call to exec | process.rb:3:14:3:23 | "echo foo" | true |
+| process.rb:4:1:4:29 | call to exec | process.rb:4:14:4:28 | call to [] | true |
+| process.rb:5:1:5:21 | call to spawn | process.rb:5:11:5:20 | "echo foo" | true |

ruby/ql/test/library-tests/frameworks/stdlib/CommandExecution.ql

@@ -0,0 +1,12 @@
+import codeql.ruby.Frameworks
+import codeql.ruby.Concepts
+import codeql.ruby.DataFlow
+
+query predicate commandExecutions(
+  SystemCommandExecution execution, DataFlow::Node arg, boolean isShellInterpreted
+) {
+  arg = execution.getAnArgument() and
+  if execution.isShellInterpreted(arg)
+  then isShellInterpreted = true
+  else isShellInterpreted = false
+}

ruby/ql/test/library-tests/frameworks/stdlib/Open3.expected

@@ -11,3 +11,11 @@ open3PipelineCallExecutions
 | Open3.rb:9:1:9:40 | call to pipeline_w |
 | Open3.rb:10:1:10:44 | call to pipeline_start |
 | Open3.rb:11:1:11:38 | call to pipeline |
+open4CallExecutions
+| Open3.rb:13:1:13:24 | call to open4 |
+| Open3.rb:14:1:14:25 | call to popen4 |
+| Open3.rb:15:1:15:23 | call to spawn |
+| Open3.rb:16:1:16:27 | call to popen4ext |
+| Open3.rb:17:1:17:30 | call to popen4ext |
+| Open3.rb:18:1:18:33 | call to popen4ext |
+| Open3.rb:19:1:19:36 | call to popen4ext |

ruby/ql/test/library-tests/frameworks/stdlib/Open3.ql

@@ -4,3 +4,5 @@ import codeql.ruby.DataFlow
 query predicate open3CallExecutions(Open3Call c) { any() }
 
 query predicate open3PipelineCallExecutions(Open3PipelineCall c) { any() }
+
+query predicate open4CallExecutions(Open4Call c) { any() }

ruby/ql/test/library-tests/frameworks/stdlib/Open3.rb

@@ -8,4 +8,12 @@ Open3.pipeline_rw("echo foo", "grep bar")
 Open3.pipeline_r("echo foo", "grep bar")
 Open3.pipeline_w("echo foo", "grep bar")
 Open3.pipeline_start("echo foo", "grep bar")
-Open3.pipeline("echo foo", "grep bar")
+Open3.pipeline("echo foo", "grep bar")
+
+Open4::open4("echo foo")
+Open4::popen4("echo foo")
+Open4.spawn("echo bar")
+Open4.popen4ext("echo foo")
+Open4.popen4ext("echo", "foo")
+Open4.popen4ext(true, "echo foo")
+Open4.popen4ext(true, "echo", "foo")

ruby/ql/test/library-tests/frameworks/stdlib/process.rb

@@ -0,0 +1,5 @@
+Process.spawn("echo foo")
+Process.spawn(["echo", "foo"])
+Process.exec("echo foo")
+Process.exec(["echo", "foo"])
+PTY.spawn("echo foo")