Ruby: Model methods in Rails::Generators::Actions

These methods are sinks for command injection.

Author: hmac

ruby/ql/lib/codeql/ruby/Frameworks.qll

@@ -12,6 +12,7 @@ private import codeql.ruby.frameworks.ActiveSupport
 private import codeql.ruby.frameworks.Archive
 private import codeql.ruby.frameworks.GraphQL
 private import codeql.ruby.frameworks.Rails
+private import codeql.ruby.frameworks.Railties
 private import codeql.ruby.frameworks.Stdlib
 private import codeql.ruby.frameworks.Files
 private import codeql.ruby.frameworks.HttpClients

ruby/ql/lib/codeql/ruby/frameworks/Railties.qll

@@ -0,0 +1,62 @@
+/**
+ * Modeling for `railties`, which is a gem containing various internals and utilities for the Rails framework.
+ * https://rubygems.org/gems/railties
+ */
+
+private import ruby
+private import codeql.ruby.Concepts
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.DataFlow
+private import codeql.ruby.ast.internal.Module
+
+/**
+ * Modeling for `railties`.
+ */
+module Railties {
+  /**
+   * A class which `include`s `Rails::Generators::Actions`.
+   */
+  private class GeneratorsActionsContext extends ClassDeclaration {
+    GeneratorsActionsContext() {
+      exists(IncludeOrPrependCall i |
+        i.getEnclosingModule() = this and
+        i.getArgument(0) =
+          API::getTopLevelMember("Rails")
+              .getMember("Generators")
+              .getMember("Actions")
+              .getAUse()
+              .asExpr()
+              .getExpr()
+      )
+    }
+  }
+
+  /**
+   * A call to `Rails::Generators::Actions#execute_command`.
+   * This method concatenates its first and second arguments and executes the result as a shell command.
+   */
+  private class ExecuteCommandCall extends SystemCommandExecution::Range, DataFlow::CallNode {
+    ExecuteCommandCall() {
+      this.asExpr().getExpr().getEnclosingModule() instanceof GeneratorsActionsContext and
+      this.getMethodName() = "execute_command"
+    }
+
+    override DataFlow::Node getAnArgument() { result = this.getArgument([0, 1]) }
+
+    override predicate isShellInterpreted(DataFlow::Node arg) { any() }
+  }
+
+  /**
+   * A call to a method in `Rails::Generators::Actions` which delegates to `execute_command`.
+   */
+  private class ExecuteCommandWrapperCall extends SystemCommandExecution::Range, DataFlow::CallNode {
+    ExecuteCommandWrapperCall() {
+      this.asExpr().getExpr().getEnclosingModule() instanceof GeneratorsActionsContext and
+      this.getMethodName() = ["rake", "rails_command", "git"]
+    }
+
+    override DataFlow::Node getAnArgument() { result = this.getArgument(0) }
+
+    override predicate isShellInterpreted(DataFlow::Node arg) { any() }
+  }
+}

ruby/ql/test/library-tests/frameworks/railties/Railties.expected

@@ -0,0 +1,5 @@
+| Railties.rb:5:5:5:34 | call to execute_command |
+| Railties.rb:6:5:6:37 | call to execute_command |
+| Railties.rb:8:5:8:16 | call to rake |
+| Railties.rb:10:5:10:27 | call to rails_command |
+| Railties.rb:12:5:12:17 | call to git |

ruby/ql/test/library-tests/frameworks/railties/Railties.ql

@@ -0,0 +1,5 @@
+private import ruby
+private import codeql.ruby.Concepts
+private import codeql.ruby.frameworks.Railties
+
+query predicate systemCommandExecutions(SystemCommandExecution e) { any() }

ruby/ql/test/library-tests/frameworks/railties/Railties.rb

@@ -0,0 +1,14 @@
+class Foo
+  include Rails::Generators::Actions
+
+  def foo
+    execute_command(:rake, "test")
+    execute_command(:rails, "server")
+
+    rake("test")
+
+    rails_command("server")
+
+    git("status")
+  end
+end