lib/brakeman/checks/check_execute.rb in brakeman-lib-4.1.1 vs lib/brakeman/checks/check_execute.rb in brakeman-lib-4.2.0
- old
+ new
@@ -15,10 +15,14 @@
SAFE_VALUES = [s(:const, :RAILS_ROOT),
s(:call, s(:const, :Rails), :root),
s(:call, s(:const, :Rails), :env)]
+ SHELL_ESCAPES = [:escape, :shellescape, :join]
+
+ SHELLWORDS = s(:const, :Shellwords)
+
#Check models, controllers, and views for command injection.
def run_check
Brakeman.debug "Finding system calls using ``"
check_for_backticks tracker
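Review bot: The two new constants are mutable — `SHELL_ESCAPES` is a plain array and `SHELLWORDS` a Sexp that any caller could alter in place, which would silently change what the check treats as escaped; freeze them: `SHELL_ESCAPES = [:escape, :shellescape, :join].freeze` and `SHELLWORDS = s(:const, :Shellwords).freeze` (the pre-existing `SAFE_VALUES` has the same issue, so freezing all three keeps the block consistent). A one-line comment above them would also help, since `:join` only makes sense together with the `Shellwords` receiver check done elsewhere: `# Shellwords methods whose return value is treated as shell-safe`.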
@@ -125,19 +129,21 @@
:code => exp,
:user_input => input,
:confidence => confidence
end
+ # This method expects a :dstr or :evstr node
def dangerous? exp
exp.each_sexp do |e|
- next if node_type? e, :lit, :str
- next if SAFE_VALUES.include? e
-
if call? e and e.method == :to_s
e = e.target
end
+ next if node_type? e, :lit, :str
+ next if SAFE_VALUES.include? e
+ next if shell_escape? e
+
if node_type? e, :or, :evstr, :dstr
if res = dangerous?(e)
return res
end
else
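Review bot: The added comment on `dangerous?` says it expects a `:dstr` or `:evstr` node, but the method also recurses on `:or` nodes (`if node_type? e, :or, :evstr, :dstr` followed by `dangerous?(e)`), so `:or` is a valid input as well; the comment should read `# Expects a :dstr, :evstr, or :or node (the last arrives via recursion)`. It would also be worth stating the new ordering in a comment, because moving the `to_s` unwrapping above the `lit`/`str` and `SAFE_VALUES` checks is what now lets `Rails.root.to_s` and friends pass — e.g. `# Strip .to_s first so SAFE_VALUES/shell_escape? see the underlying call`. The body of `dangerous?` continues past the end of this hunk.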
@@ -158,7 +164,19 @@
return Match.new(:interp, res)
end
end
false
+ end
+
+ def shell_escape? exp
+ return false unless call? exp
+
+ if exp.target == SHELLWORDS and SHELL_ESCAPES.include? exp.method
+ true
+ elsif exp.method == :shelljoin
+ true
+ else
+ false
+ end
end
end
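Review bot: The `if`/`elsif`/`else` in `shell_escape?` returns literal `true`/`true`/`false`, which reads better as a guard plus a boolean expression: `return true if exp.method == :shelljoin` followed by `exp.target == SHELLWORDS and SHELL_ESCAPES.include? exp.method` as the final line. The two branches are also asymmetric — the `Shellwords` branch checks the receiver, while `:shelljoin` is matched by method name on any receiver — so that asymmetry deserves a comment such as `# shelljoin is an Array extension, so the receiver is not checked`, otherwise a reader may assume the receiver-less match is an oversight. A short YARD line (`# @return [Boolean] true if exp is a call whose result is already shell-escaped`) would document the predicate's contract.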