Merge pull request #16174 from erik-krogh/no-arr-ruby-shell

RB: don't mention arrays in the qhelp for rb/shell-command-constructed-from-input
github · Apr 10, 2024 · d33e8ad · d33e8ad
2 parents 1c0ef90 + 4ae25c2
commit d33e8ad
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/ruby/ql/src/queries/security/cwe-078/UnsafeShellCommandConstruction.qhelp b/ruby/ql/src/queries/security/cwe-078/UnsafeShellCommandConstruction.qhelp
@@ -20,10 +20,15 @@
 <recommendation>
 
 	<p>
-		If possible, provide the dynamic arguments to the shell as an array 
+		If possible, avoid concatenating shell strings
 		to APIs such as <code>system(..)</code> to avoid interpretation by the shell.
 	</p>
 
+    <p>
+        Instead, provide the arguments to the shell command as separate arguments to the
+        API, such as <code>system("echo", arg1, arg2)</code>.
+    </p>
+
 	<p>
 		Alternatively, if the shell command must be constructed
 		dynamically, then add code to ensure that special characters 

diff --git a/ruby/ql/src/queries/security/cwe-078/examples/unsafe-shell-command-construction_fixed.rb b/ruby/ql/src/queries/security/cwe-078/examples/unsafe-shell-command-construction_fixed.rb
@@ -1,6 +1,6 @@
 module Utils 
     def download(path)
-        # using an array to call `system` is safe
+        # using an API that doesn't interpret the path as a shell command
         system("wget", path) # OK
     end
 end