From fc1dd990ef28212b0ae6993d10babbe01a34de1e Mon Sep 17 00:00:00 2001
From: Justin Collins
Date: Wed, 9 May 2018 10:57:15 -0700
Subject: [PATCH] Check exec-type calls if they are targets

fixes #1199
---
 lib/brakeman/checks/check_execute.rb | 2 +-
 test/apps/rails5.2/lib/shell.rb | 4 ++++
 test/tests/rails52.rb | 17 +++++++++++++++--
 3 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/lib/brakeman/checks/check_execute.rb b/lib/brakeman/checks/check_execute.rb
index 9b43941d56..88eb4f8752 100644
--- a/lib/brakeman/checks/check_execute.rb
+++ b/lib/brakeman/checks/check_execute.rb
@@ -33,7 +33,7 @@ def run_check
 calls = tracker.find_call :targets => [:IO, :Open3, :Kernel, :'POSIX::Spawn', :Process, nil], :methods => [:capture2, :capture2e, :capture3, :exec, :pipeline, :pipeline_r, :pipeline_rw, :pipeline_start, :pipeline_w, :popen, :popen2, :popen2e,
- :popen3, :spawn, :syscall, :system]
+ :popen3, :spawn, :syscall, :system], :nested => true
 Brakeman.debug "Processing system calls"
 calls.each do |result|
diff --git a/test/apps/rails5.2/lib/shell.rb b/test/apps/rails5.2/lib/shell.rb
index 918ba64440..23a3796eaf 100644
--- a/test/apps/rails5.2/lib/shell.rb
+++ b/test/apps/rails5.2/lib/shell.rb
@@ -27,4 +27,8 @@ def system_array_join
 command = ["ruby", method_that_returns_user_input, "--some-flag"].join(" ")
 system(command)
 end
+
+ def system_as_target
+ !system("echo #{foo}")
+ end
 end
diff --git a/test/tests/rails52.rb b/test/tests/rails52.rb
index 0f763df2aa..16865049b6 100644
--- a/test/tests/rails52.rb
+++ b/test/tests/rails52.rb
@@ -13,7 +13,7 @@ def expected
 :controller => 0,
 :model => 0,
 :template => 0,
- :generic => 6
+ :generic => 7
 }
 end
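Review bot: The new `:nested => true` option on the `find_call` line carries no explanation of why it is needed, and the case that motivates it (an exec-type call used as the receiver of another call, such as the `!system(...)` fixture added to test/apps/rails5.2/lib/shell.rb) is only recoverable from the commit title. A one-line comment above the call would preserve the intent: `# :nested => true so exec-type calls that are themselves the target of another call (e.g. !system(...), fixes #1199) are still reported`. If `:nested` also returns a call both at top level and where it sits inside another call, the check may process the same `system` invocation twice; presumably warning fingerprinting collapses such duplicates, but that is worth confirming against find_call. run_check begins and ends outside this hunk.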
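Review bot: The new fixture method `system_as_target` has no comment tying it to the behaviour it exercises, so a later cleanup of lib/shell.rb could drop or move it without noticing that test_command_injection_as_target in test/tests/rails52.rb depends on it and on the `!system(...)` call sitting at line 32. A comment above the `def`, such as `# exec-type call used as the receiver of another call (here !); regression fixture for #1199`, would make that dependency visible. The enclosing class starts outside this hunk.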
@@ -105,7 +105,7 @@ def test_command_injection_nested_shellwords
 :user_input => s(:call, nil, :file_prefix)
 end
- def test_command_injection_as_target
+ def test_command_injection_backticks_as_target
 assert_warning :type => :warning,
 :warning_code => 14,
 :fingerprint => "9af991a12b23b815013ce0c69727b7a14cfb08e62f4e66a8851513af7cc6a757",
@@ -131,6 +131,19 @@ def test_command_injection_array_join
 :user_input => s(:call, nil, :method_that_returns_user_input)
 end
+ def test_command_injection_as_target
+ assert_warning :type => :warning,
+ :warning_code => 14,
+ :fingerprint => "18e51f5a40dc0e63a90908e88ec5f2ed585fa3a645622f997026ada323cf7552",
+ :warning_type => "Command Injection",
+ :line => 32,
+ :message => /^Possible\ command\ injection/,
+ :confidence => 1,
+ :relative_path => "lib/shell.rb",
+ :code => s(:call, nil, :system, s(:dstr, "echo ", s(:evstr, s(:call, nil, :foo)))),
+ :user_input => s(:call, nil, :foo)
+ end
+
 def test_cross_site_scripting_loofah_CVE_2018_8048
 assert_warning :type => :warning,
 :warning_code => 106,
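Review bot: The new test `test_command_injection_as_target` in the second hunk is named less specifically than its sibling `test_command_injection_backticks_as_target` renamed in the first hunk, even though it covers one specific form (`system` with an interpolated string as the receiver of `!`); `test_command_injection_system_as_target` would keep the pair parallel and leave room for other exec-type methods later. A short comment stating what the test pins would also help, e.g. `# Regression for #1199: an exec-type call that is the target of another call (!system(...) in lib/shell.rb) must still be flagged`. The `:line => 32` and `:code` expectations match the fixture added to lib/shell.rb in this commit; the `:confidence => 1` value is presumably what the check assigns when the interpolated value is an unresolved method call (`foo`), though that is not visible here.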