Whitelist ruby shell methods in the codebase
Problem to solve
This issue is created in the context of https://gitlab.com/gitlab-org/gitlab/issues/17848#note_227447811.
In our codebase, there are several places in which we call Ruby shell methods to perform operations on the local system. These calls can be made through backticks, spawn, Open3.popen, Gitlab::Popen.popen, system, and others.
After https://gitlab.com/gitlab-org/gitlab/issues/17848#note_227447811 I realized that some of these methods haven't been reviewed in a while and that we don't have a way to track and audit them. We should avoid them as much as possible, but sometimes we can't. Anyway, they should be audited by the security team when a new one is added or an existing one is changed, in order to avoid creating a vulnerability.
Further details
The feature I'm proposing could be either a SAST analyzer or a regular job in the pipeline, like Danger. It would basically create a whitelist of the current places in which we call Ruby shell methods. Then, every time one of these methods is added to the code or an existing one is changed, the SAST analyzer or the whitelist job could create a vulnerability report.
If any of the whitelisted methods is removed, the job should remove it from the whitelist.
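As an added sketch of what such a whitelist job could look like (this is example code written for this issue, not anything in the GitLab repository): it scans source files for the shell-invoking call sites named above, keys each one by file plus a hash of the call's source line, and diffs the result against a committed whitelist. The regex set, the file contents and the file paths are constructed for the example, and the "changed" classification is a heuristic, not an AST-level comparison.

```ruby
require 'digest'

# Call sites that hand a string to a shell or spawn a process. This is an
# illustrative set, not GitLab's list; each label is what ends up in the
# report and in the whitelist.
SHELL_METHOD_PATTERNS = {
  'backticks'           => /`[^`]*`/,
  '%x'                  => /%x[\(\[\{<]/,
  'Kernel#system'       => /\bsystem\s*\(/,
  'Kernel#spawn'        => /\bspawn\s*\(/,
  'Kernel#exec'         => /\bexec\s*\(/,
  'Open3'               => /\bOpen3\.(popen\w*|capture\w*)/,
  'Gitlab::Popen.popen' => /\bGitlab::Popen\.popen\b/
}.freeze

Finding = Struct.new(:file, :line, :api, :digest, keyword_init: true) do
  # Identity used for the whitelist: file plus a hash of the trimmed source
  # line, so an entry survives line-number shifts but not edits to the call.
  def key
    "#{file}|#{digest}"
  end
end

# Scan one file's source text and return every shell call site in it.
def scan_source(file, source)
  findings = []
  source.each_line.with_index(1) do |text, lineno|
    code = text.strip
    next if code.empty? || code.start_with?('#') # skip blank and comment lines
    SHELL_METHOD_PATTERNS.each do |api, pattern|
      next unless code.match?(pattern)
      findings << Finding.new(file: file, line: lineno, api: api,
                              digest: Digest::SHA256.hexdigest(code)[0, 16])
    end
  end
  findings
end

def scan_tree(sources)
  sources.flat_map { |file, src| scan_source(file, src) }
end

# Whitelist entries as a real job would commit them (e.g. as JSON in the repo).
def build_whitelist(findings)
  findings.map { |f| { key: f.key, file: f.file, api: f.api, line: f.line } }
end

# Compare the current scan with the committed whitelist. Anything not in the
# whitelist needs a security review; stale entries are reported for pruning.
def audit(findings, whitelist)
  current = findings.to_h { |f| [f.key, f] }
  known   = whitelist.to_h { |e| [e[:key], e] }

  added   = current.reject { |k, _| known.key?(k) }.values
  removed = known.reject { |k, _| current.key?(k) }.values

  # Heuristic: an added and a removed entry for the same file and API means an
  # existing call was edited rather than a brand-new one introduced.
  edited = ->(f, e) { e[:file] == f.file && e[:api] == f.api }
  changed = added.select { |f| removed.any? { |e| edited.call(f, e) } }

  {
    new:     (added - changed).map(&:to_h),
    changed: changed.map(&:to_h),
    removed: removed.reject { |e| changed.any? { |f| edited.call(f, e) } }
  }
end

# Constructed sample: the tree when the whitelist was last generated.
BASELINE_SOURCES = {
  'app/services/repo.rb' => "def head\n  Gitlab::Popen.popen(%w[git rev-parse HEAD])\nend\n",
  'lib/cleanup.rb'       => "system('rm', '-rf', tmpdir)\n"
}.freeze

# Constructed sample: the same tree in a merge request under review.
CURRENT_SOURCES = {
  'app/services/repo.rb' => "def head\n  Gitlab::Popen.popen(%w[git rev-parse HEAD], path)\nend\n\n" \
                            "def host\n  Open3.capture2('hostname')\nend\n",
  'lib/cleanup.rb'       => "FileUtils.rm_rf(tmpdir)\n"
}.freeze

def run_sample_audit
  whitelist = build_whitelist(scan_tree(BASELINE_SOURCES))
  audit(scan_tree(CURRENT_SOURCES), whitelist)
end

if $PROGRAM_NAME == __FILE__
  require 'json'
  report = run_sample_audit
  puts JSON.pretty_generate(report)
  # A CI job would fail here when report[:new] or report[:changed] is non-empty,
  # and commit build_whitelist(scan_tree(CURRENT_SOURCES)) once reviewed.
end
```

On the sample input the report lists the edited `Gitlab::Popen.popen` call under `changed`, the fresh `Open3.capture2` call under `new`, and the deleted `system` call under `removed`, which is the entry the job would drop from the whitelist. Keying on a line hash rather than a line number is what keeps unrelated edits elsewhere in the file from producing noise.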
This is not an easy task since we're talking about tracking a codebase that changes constantly, but maybe we can start the conversation to build something achievable.