github
diff --git a/‎ruby/ql/lib/codeql/ruby/Concepts.qll
Lines changed: 14 additions & 0 deletions b/‎ruby/ql/lib/codeql/ruby/Concepts.qll
Lines changed: 14 additions & 0 deletions
diff --git a/‎ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll
Lines changed: 12 additions & 0 deletions b/‎ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll
Lines changed: 12 additions & 0 deletions
diff --git a/‎ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll
Lines changed: 9 additions & 1 deletion b/‎ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll
Lines changed: 9 additions & 1 deletion
diff --git a/‎ruby/ql/lib/codeql/ruby/frameworks/stdlib/Open3.qll
Lines changed: 12 additions & 1 deletion b/‎ruby/ql/lib/codeql/ruby/frameworks/stdlib/Open3.qll
Lines changed: 12 additions & 1 deletion
diff --git a/‎ruby/ql/lib/codeql/ruby/security/SecondOrderCommandInjectionCustomizations.qll
Lines changed: 183 additions & 0 deletions b/‎ruby/ql/lib/codeql/ruby/security/SecondOrderCommandInjectionCustomizations.qll
Lines changed: 183 additions & 0 deletions
diff --git a/‎ruby/ql/lib/codeql/ruby/security/SecondOrderCommandInjectionQuery.qll
Lines changed: 25 additions & 0 deletions b/‎ruby/ql/lib/codeql/ruby/security/SecondOrderCommandInjectionQuery.qll
Lines changed: 25 additions & 0 deletions
@@ -713,6 +713,14 @@ class SystemCommandExecution extends DataFlow::Node instanceof SystemCommandExec
   /** Holds if a shell interprets `arg`. */
   predicate isShellInterpreted(DataFlow::Node arg) { super.isShellInterpreted(arg) }
 
+  /**
+   * Gets an argument to this command execution that specifies the argument list
+   * to the command.
+   * TODO: Can also invlide the command.
+   * TODO: Look through all the `SystemCommandExecution` models. 
+   */
+  DataFlow::Node getArgumentList() { result = super.getArgumentList() }
+
   /** Gets an argument to this execution that specifies the command or an argument to it. */
   DataFlow::Node getAnArgument() { result = super.getAnArgument() }
 }
@@ -733,6 +741,12 @@ module SystemCommandExecution {
     /** Holds if a shell interprets `arg`. */
     predicate isShellInterpreted(DataFlow::Node arg) { none() }
 
+    /**
+     * Gets an argument to this command execution that specifies the argument list
+     * to the command.
+     */
+    DataFlow::Node getArgumentList() { none() }
+
     /** Gets an argument to this execution that specifies the command. */
     DataFlow::Node getACommandArgument() { none() }
   }
 
@@ -497,6 +497,7 @@ private module Cached {
       FlowSummaryImplSpecific::ParsePositions::isParsedKeywordParameterPosition(_, name)
     } or
     THashSplatArgumentPosition() or
+    TSplatAllArgumentPosition() or
     TAnyArgumentPosition() or
     TAnyKeywordArgumentPosition()
 
@@ -518,6 +519,7 @@ private module Cached {
       FlowSummaryImplSpecific::ParsePositions::isParsedKeywordArgumentPosition(_, name)
     } or
     THashSplatParameterPosition() or
+    TSplatAllParameterPosition() or
     TAnyParameterPosition() or
     TAnyKeywordParameterPosition()
 }
@@ -1149,6 +1151,8 @@ class ParameterPosition extends TParameterPosition {
   /** Holds if this position represents a hash-splat parameter. */
   predicate isHashSplat() { this = THashSplatParameterPosition() }
 
+  predicate isSplatAll() { this = TSplatAllParameterPosition() }
+
   /**
    * Holds if this position represents any parameter, except `self` parameters. This
    * includes both positional, named, and block parameters.
@@ -1172,6 +1176,8 @@ class ParameterPosition extends TParameterPosition {
     or
     this.isHashSplat() and result = "**"
     or
+    this.isSplatAll() and result = "*"
+    or
     this.isAny() and result = "any"
     or
     this.isAnyNamed() and result = "any-named"
@@ -1207,6 +1213,8 @@ class ArgumentPosition extends TArgumentPosition {
    */
   predicate isHashSplat() { this = THashSplatArgumentPosition() }
 
+  predicate isSplatAll() { this = TSplatAllArgumentPosition() }
+
   /** Gets a textual representation of this position. */
   string toString() {
     this.isSelf() and result = "self"
@@ -1222,6 +1230,8 @@ class ArgumentPosition extends TArgumentPosition {
     this.isAnyNamed() and result = "any-named"
     or
     this.isHashSplat() and result = "**"
+    or
+    this.isSplatAll() and result = "*"
   }
 }
 
@@ -1248,6 +1258,8 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) {
   or
   ppos.isHashSplat() and apos.isHashSplat()
   or
+  ppos.isSplatAll() and apos.isSplatAll()
+  or
   ppos.isAny() and argumentPositionIsNotSelf(apos)
   or
   apos.isAny() and parameterPositionIsNotSelf(ppos)
 
@@ -241,6 +241,10 @@ private class Argument extends CfgNodes::ExprCfgNode {
     this = call.getAnArgument() and
     this.getExpr() instanceof HashSplatExpr and
     arg.isHashSplat()
+    or
+    this = call.getArgument(0) and
+    this.getExpr() instanceof SplatExpr and
+    arg.isSplatAll()
   }
 
   /** Holds if this expression is the `i`th argument of `c`. */
@@ -276,7 +280,8 @@ private module Cached {
       p instanceof SimpleParameter or
       p instanceof OptionalParameter or
       p instanceof KeywordParameter or
-      p instanceof HashSplatParameter
+      p instanceof HashSplatParameter or
+      p instanceof SplatParameter
     } or
     TSelfParameterNode(MethodBase m) or
     TBlockParameterNode(MethodBase m) or
@@ -616,6 +621,9 @@ private module ParameterNodes {
         or
         parameter = callable.getAParameter().(HashSplatParameter) and
         pos.isHashSplat()
+        or
+        parameter = callable.getParameter(0).(SplatParameter) and
+        pos.isSplatAll()
       )
     }
 
 
@@ -20,7 +20,9 @@ module Open3 {
     Open3Call() {
       this =
         API::getTopLevelMember("Open3")
-            .getAMethodCall(["popen3", "popen2", "popen2e", "capture3", "capture2", "capture2e"])
+            .getAMethodCall(["popen3", "popen2", "popen2e", "capture3", "capture2", "capture2e"]) and
+      super.getMethodName() = "capture3" and // TODO: Debugging.
+      this.getLocation().getStartLine() = 236 // TODO: Debugging.
     }
 
     override DataFlow::Node getAnArgument() { result = super.getArgument(_) }
@@ -34,6 +36,15 @@ module Open3 {
     override DataFlow::Node getACommandArgument() {
       result = Kernel::getACommandArgumentFromShellCall(this)
     }
+
+    override DataFlow::Node getArgumentList() {
+      // TODO: This is incomplete
+      exists(Cfg::CfgNodes::ExprNodes::UnaryOperationCfgNode un|
+        un = super.getArgument(_).asExpr() and // TODO: Specific arg?
+        un.getOperator()= "*" and
+        result.asExpr() = un.getOperand()
+      )
+    }
   }
 
   /**
 
@@ -0,0 +1,183 @@
+/**
+ * Provides default sources, sinks and sanitizers for reasoning about
+ * second order command injection, as well as
+ * extension points for adding your own.
+ */
+
+private import ruby
+private import codeql.ruby.frameworks.core.Gem::Gem as Gem
+private import codeql.ruby.dataflow.RemoteFlowSources
+private import codeql.ruby.Concepts as Concepts
+
+/** Classes and predicates for reasoning about second order command injection. */
+module SecondOrderCommandInjection {
+  /** A shell command that allows for second order command injection. */
+  private class VulnerableCommand extends string {
+    VulnerableCommand() { this = ["git", "hg"] }
+
+    /**
+     * Gets a vulnerable subcommand of this command.
+     * E.g. `git` has `clone` and `pull` as vulnerable subcommands.
+     * And every command of `hg` is vulnerable due to `--config=alias.<alias>=<command>`.
+     */
+    bindingset[result]
+    string getAVulnerableSubCommand() {
+      this = "git" and result = ["clone", "ls-remote", "fetch", "pull"]
+      or
+      this = "hg" and exists(result)
+    }
+
+    /** Gets an example argument that can cause this command to execute arbitrary code. */
+    string getVulnerableArgumentExample() {
+      this = "git" and result = "--upload-pack"
+      or
+      this = "hg" and result = "--config=alias.<alias>=<command>"
+    }
+  }
+
+  /** A source for second order command injection vulnerabilities. */
+  abstract class Source extends DataFlow::Node {
+    /** Gets a string that describes the source. For use in the alert message. */
+    abstract string describe();
+  }
+
+  /** A parameter of an exported function, seen as a source for second order command injection. */
+  class ExternalInputSource extends Source {
+    ExternalInputSource() { this = Gem::getALibraryInput() }
+
+    override string describe() { result = "library input" }
+  }
+
+  /** A source of remote flow, seen as a source for second order command injection. */
+  class RemoteFlowAsSource extends Source instanceof RemoteFlowSource {
+    override string describe() { result = "a user-provided value" }
+  }
+
+  /** A sink for second order command injection vulnerabilities. */
+  abstract class Sink extends DataFlow::Node {
+    /** Gets the command getting invoked. I.e. `git` or `hg`. */
+    abstract string getCommand();
+
+    /**
+     * Gets an example argument for the comand that allows for second order command injection.
+     * E.g. `--upload-pack` for `git`.
+     */
+    abstract string getVulnerableArgumentExample();
+  }
+
+  /**
+   * A sink that invokes a command described by the `VulnerableCommand` class.
+   */
+  abstract class VulnerableCommandSink extends Sink {
+    VulnerableCommand cmd;
+
+    override string getCommand() { result = cmd }
+
+    override string getVulnerableArgumentExample() { result = cmd.getVulnerableArgumentExample() }
+  }
+
+  private import codeql.ruby.typetracking.TypeTracker
+
+  /** A sanitizer for second order command injection vulnerabilities. */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  import codeql.ruby.typetracking.TypeTracker
+
+  private DataFlow::LocalSourceNode usedAsArgList(
+    TypeBackTracker t, Concepts::SystemCommandExecution exec
+  ) {
+    t.start() and
+    result = exec.getArgumentList().getALocalSource()
+    or
+    exists(TypeBackTracker t2 |
+      result = usedAsArgList(t2, exec).backtrack(t2, t)
+      or
+      // step through splat expressions
+      t2 = t.continue() and
+      result.asExpr().getExpr() =
+        // TODO: flows-to.
+        usedAsArgList(t2, exec).asExpr().getExpr().(Ast::SplatExpr).getOperand()
+    )
+  }
+
+  /** Gets a dataflow node that ends up being used as an argument list to an invocation of `git` or `hg`. */
+  private DataFlow::LocalSourceNode usedAsVersionControlArgs(
+    TypeBackTracker t, DataFlow::Node argList, VulnerableCommand cmd
+  ) {
+    t.start() and
+    // TODO: untested.
+    exists(Concepts::SystemCommandExecution exec |
+      exec.getACommandArgument().getConstantValue().getStringlikeValue() = cmd
+    |
+      exec.getArgumentList() = argList and
+      result = argList.getALocalSource()
+    )
+    or
+    t.start() and
+    exists(
+      Concepts::SystemCommandExecution exec, Cfg::CfgNodes::ExprNodes::ArrayLiteralCfgNode arr
+    |
+      argList = usedAsArgList(TypeBackTracker::end(), exec) and
+      arr = argList.asExpr() and
+      arr.getArgument(0).getConstantValue().getStringlikeValue() = cmd
+    |
+      result = argList.getALocalSource()
+      or
+      result
+          .flowsTo(any(DataFlow::Node n |
+              n.asExpr().getExpr() = arr.getArgument(_).getExpr().(Ast::SplatExpr).getOperand()
+            ))
+    )
+    or
+    exists(TypeBackTracker t2 |
+      result = usedAsVersionControlArgs(t2, argList, cmd).backtrack(t2, t)
+      or
+      // step through splat expressions
+      t2 = t.continue() and
+      result
+          .flowsTo(any(DataFlow::Node n |
+              n.asExpr().getExpr() =
+                usedAsVersionControlArgs(t2, argList, cmd)
+                    .asExpr()
+                    .getExpr()
+                    .(Ast::SplatExpr)
+                    .getOperand()
+            ))
+    )
+  }
+
+  private import codeql.ruby.dataflow.internal.DataFlowDispatch as Dispatch
+
+  private class IndirectVcsCall extends DataFlow::CallNode {
+    VulnerableCommand cmd;
+
+    IndirectVcsCall() {
+      exists(Dispatch::DataFlowCallable calleeDis, Ast::Callable callee, DataFlow::Node list |
+        calleeDis =
+          Dispatch::viableCallable(any(Dispatch::DataFlowCall c | c.asCall() = this.asExpr())) and
+        calleeDis.asCallable() = callee and
+        list.asExpr().getExpr() = callee.getParameter(0).(Ast::SplatParameter).getDefiningAccess() and
+        // TODO: multiple nodes in the same position, i need to figure that out if this makes production.
+        usedAsVersionControlArgs(TypeBackTracker::end(), _, cmd).getLocation() = list.getLocation()
+      )
+    }
+
+    VulnerableCommand getCommand() { result = cmd }
+  }
+
+  class IndirectCallSink extends Sink {
+    VulnerableCommand cmd;
+
+    IndirectCallSink() {
+      exists(IndirectVcsCall call, int i |
+        call.getCommand() = cmd and
+        call.getArgument(i).getConstantValue().getStringlikeValue() = cmd.getAVulnerableSubCommand() and
+        this = call.getArgument(any(int j | j > i))
+      )
+    }
+
+    override string getCommand() { result = cmd }
+
+    override string getVulnerableArgumentExample() { result = cmd.getVulnerableArgumentExample() }
+  }
+}
@@ -0,0 +1,25 @@
+/**
+ * Provides a taint tracking configuration for reasoning about
+ * second order command-injection vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `SecondOrderCommandInjection::Configuration` is needed, otherwise
+ * `SecondOrderCommandInjectionCustomizations` should be imported instead.
+ */
+
+import ruby
+import SecondOrderCommandInjectionCustomizations::SecondOrderCommandInjection
+import codeql.ruby.TaintTracking
+
+/**
+ * A taint-tracking configuration for reasoning about second order command-injection vulnerabilities.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "SecondOrderCommandInjection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+}