add getACommandArgument predicate to the SystemCommandExecution concept

erik-krogh · erik-krogh · commit e971d720f672 · 2022-11-28T09:34:22.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/Concepts.qll b/ruby/ql/lib/codeql/ruby/Concepts.qll
@@ -707,6 +707,9 @@ deprecated module HTTP = Http;
  * for instance by spawning a new process.
  */
 class SystemCommandExecution extends DataFlow::Node instanceof SystemCommandExecution::Range {
+  /** Gets an argument to this execution that specifies the command. */
+  DataFlow::Node getACommandArgument() { result = super.getACommandArgument() }
+
   /** Holds if a shell interprets `arg`. */
   predicate isShellInterpreted(DataFlow::Node arg) { super.isShellInterpreted(arg) }
 
@@ -729,6 +732,9 @@ module SystemCommandExecution {
 
     /** Holds if a shell interprets `arg`. */
     predicate isShellInterpreted(DataFlow::Node arg) { none() }
+
+    /** Gets an argument to this execution that specifies the command. */
+    DataFlow::Node getACommandArgument() { none() }
   }
 }
 
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/PosixSpawn.qll b/ruby/ql/lib/codeql/ruby/frameworks/PosixSpawn.qll
@@ -33,6 +33,8 @@ module PosixSpawn {
       result = super.getArgument(_) and not result.asExpr() instanceof ExprNodes::PairCfgNode
     }
 
+    override DataFlow::Node getACommandArgument() { result = super.getArgument(0) }
+
     override predicate isShellInterpreted(DataFlow::Node arg) { none() }
   }
 
@@ -48,6 +50,10 @@ module PosixSpawn {
 
     override DataFlow::Node getAnArgument() { this.argument(result) }
 
+    override DataFlow::Node getACommandArgument() {
+      result = super.getArgument(0) and this.argument(result)
+    }
+
     // From the docs:
     // When only command is given and includes a space character, the command
     // text is executed by the system shell interpreter.
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/core/IO.qll b/ruby/ql/lib/codeql/ruby/frameworks/core/IO.qll
@@ -7,6 +7,7 @@ private import codeql.ruby.Concepts
 private import codeql.ruby.DataFlow
 private import codeql.ruby.controlflow.CfgNodes
 private import codeql.ruby.frameworks.Files as Files
+private import codeql.ruby.frameworks.core.Kernel
 private import internal.IOOrFile
 
 /** Provides modeling for the `IO` class. */
@@ -121,6 +122,10 @@ module IO {
 
     override predicate isShellInterpreted(DataFlow::Node arg) { this.argument(arg, true) }
 
+    override DataFlow::Node getACommandArgument() {
+      result = Kernel::getACommandArgumentFromShellCall(this)
+    }
+
     /**
      * Holds if `arg` is an argument to this call. `shell` is true if the argument is passed to a subshell.
      */
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/core/Kernel.qll b/ruby/ql/lib/codeql/ruby/frameworks/core/Kernel.qll
@@ -31,6 +31,25 @@ module Kernel {
     }
   }
 
+  /**
+   * Gets an argument to `call` that specifies the command to execute,
+   * assuming that `call` has the same API as `Kernel.system`.
+   */
+  bindingset[call]
+  DataFlow::Node getACommandArgumentFromShellCall(DataFlow::CallNode call) {
+    (
+      // Kernel.system invokes a subprocess if you provide a command and one or more arguments
+      call.getNumberOfArguments() > 1 and
+      result = call.getArgument([0, 1])
+      or
+      // Kernel.system invokes a subprocess if you provide an array containing the command name and argv[0]
+      call.getNumberOfArguments() > 1 and
+      result.asExpr() =
+        call.getArgument([0, 1]).asExpr().(CfgNodes::ExprNodes::ArrayLiteralCfgNode).getArgument(0)
+    ) and
+    not result.asExpr() instanceof CfgNodes::ExprNodes::HashLiteralCfgNode // not the environment hash
+  }
+
   /**
    * Public methods in the `Kernel` module. These can be invoked on any object via the usual dot syntax.
    * ```ruby
@@ -101,6 +120,10 @@ module Kernel {
       // Kernel.system invokes a subshell if you provide a single string as argument
       this.getNumberOfArguments() = 1 and arg = this.getAnArgument()
     }
+
+    override DataFlow::Node getACommandArgument() {
+      result = getACommandArgumentFromShellCall(this)
+    }
   }
 
   /**
@@ -117,6 +140,10 @@ module Kernel {
       // Kernel.exec invokes a subshell if you provide a single string as argument
       this.getNumberOfArguments() = 1 and arg = this.getAnArgument()
     }
+
+    override DataFlow::Node getACommandArgument() {
+      result = getACommandArgumentFromShellCall(this)
+    }
   }
 
   /**
@@ -138,6 +165,10 @@ module Kernel {
       // Kernel.spawn invokes a subshell if you provide a single string as argument
       this.getNumberOfArguments() = 1 and arg = this.getAnArgument()
     }
+
+    override DataFlow::Node getACommandArgument() {
+      result = getACommandArgumentFromShellCall(this)
+    }
   }
 
   /**
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/stdlib/Open3.qll b/ruby/ql/lib/codeql/ruby/frameworks/stdlib/Open3.qll
@@ -5,6 +5,7 @@
 private import ruby
 private import codeql.ruby.ApiGraphs
 private import codeql.ruby.Concepts
+private import codeql.ruby.frameworks.core.Kernel
 
 /**
  * Provides modeling for the `Open3` library.
@@ -29,6 +30,10 @@ module Open3 {
       super.getNumberOfArguments() = 1 and
       arg = this.getAnArgument()
     }
+
+    override DataFlow::Node getACommandArgument() {
+      result = Kernel::getACommandArgumentFromShellCall(this)
+    }
   }
 
   /**
@@ -57,5 +62,9 @@ module Open3 {
       arg.asExpr().getExpr() instanceof Ast::StringlikeLiteral and
       arg = this.getAnArgument()
     }
+
+    override DataFlow::Node getACommandArgument() {
+      result = Kernel::getACommandArgumentFromShellCall(this)
+    }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@`
`5`	`5`	`private import ruby`
`6`	`6`	`private import codeql.ruby.ApiGraphs`
`7`	`7`	`private import codeql.ruby.Concepts`
	`8`	`+private import codeql.ruby.frameworks.core.Kernel`
`8`	`9`
`9`	`10`	`/**`
`10`	`11`	* Provides modeling for the `Open3` library.
`@@ -29,6 +30,10 @@ module Open3 {`
`29`	`30`	`super.getNumberOfArguments() = 1 and`
`30`	`31`	`arg = this.getAnArgument()`
`31`	`32`	`}`
	`33`	`+`
	`34`	`+ override DataFlow::Node getACommandArgument() {`
	`35`	`+ result = Kernel::getACommandArgumentFromShellCall(this)`
	`36`	`+ }`
`32`	`37`	`}`
`33`	`38`
`34`	`39`	`/**`
`@@ -57,5 +62,9 @@ module Open3 {`
`57`	`62`	`arg.asExpr().getExpr() instanceof Ast::StringlikeLiteral and`
`58`	`63`	`arg = this.getAnArgument()`
`59`	`64`	`}`
	`65`	`+`
	`66`	`+ override DataFlow::Node getACommandArgument() {`
	`67`	`+ result = Kernel::getACommandArgumentFromShellCall(this)`
	`68`	`+ }`
`60`	`69`	`}`
`61`	`70`	`}`