Update the CommandInjection query to only consider sinks where the
argument is interpreted by a shell. If the argument is passed directly
to a subprocess then it's not vulnerable to shell injection.
Test that calls to`system` on modules other than `Kernel` are excluded,
such as in this example:
module Foo
def self.system(*args); end
end
# This is not a call to Kernel.system
Foo.system("bar")
This means we treat != comparisons against strings as taint tracking guards:
if foo != "A"
foo # still tainted
else
foo # not tainted, because we know foo == "A"
end
We don't (yet) properly sanitize taint in cases like this
foo = "A" unless foo == "B"
So for now, use a simpler guard in the SQL injection test.
We can resurrect the old, more idiomatic guard when we can support it.
Following examples from the other libraries, this change introduces a
member predicate `checks(CfgNode expr, boolean branch)` to
`BarrierGuard`, which holds if the guard validates `expr` for a
particular value of `branch`, which represents the value of the
condition in the guard.
For example, in the following guard...
if foo == "foo"
do_something foo
else
do_something_else foo
end
...the variable `foo` is validated when the condition `foo == "foo"` is
true.
We also introduce the concept that a guard "controls" a code block based
on the value of `branch`. In the example above, the "then" branch of the
if statement is controlled when `branch` is true. The else branch is
not controlled because `foo` can take (almost) any value in that branch.
Based on these concepts, we define a guarded node to be a read of a
validated variable in a controlled block.
In the above example, the `foo` in `do_something foo` is guarded, but
the `foo` in `do_something_else foo` is not.
This query finds instances of CWE-601: Redirection to Untrusted Site.
The structure is copied from a query of the same name in the Python
library. We add customisations specific to `ActionController`.
