Oh no, you have to do an internal audit on hundreds of Ruby projects for system command executions. You decide to write a CodeQL query to ease auditing.
Find ALL the system command executions marked with BAD and submit the query on the submission site to get the flag.
Note: The BAD comments will be stripped on the query verification page.
Note: The submission site expects the select clause to look like this:
select [THE_COMMAND_EXECUTION_ELEMENT], "OPTIONAL_MESSAGE"
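A starting point for such a query, added here as an example and not the challenge's reference solution. It combines three sources of hits: the sinks that CodeQL's Ruby library already models as command execution (the SystemCommandExecution class from codeql.ruby.Concepts), a name-based over-approximation for process-spawning methods (the SpawnLikeCall class and its method-name list are assumptions of this example, not a library model), and backtick / %x subshell literals, which run a command without any method call. The query id and name are placeholders.

```ql
/**
 * @name System command execution (audit starting point)
 * @description Flags Ruby calls and literals that execute an OS command.
 * @kind problem
 * @problem.severity warning
 * @id rb/ctf/system-command-execution
 */

import codeql.ruby.AST
import codeql.ruby.DataFlow
import codeql.ruby.Concepts

/**
 * A call whose method name is one of the process-spawning methods of
 * Kernel, Process, IO and Open3. Matching on the name alone is a deliberate
 * over-approximation for an audit: the receiver is not checked, so
 * Open3.capture3 and a user-defined foo.spawn both match. The name list is
 * an assumption of this example, not a CodeQL library model.
 */
class SpawnLikeCall extends MethodCall {
  SpawnLikeCall() {
    this.getMethodName() in
      [
        "system", "exec", "spawn", "popen", "popen2", "popen2e", "popen3",
        "capture2", "capture2e", "capture3", "pipeline", "pipeline_r", "pipeline_w"
      ]
  }
}

from Expr exec
where
  // Whatever the standard Ruby models already treat as command execution
  // (Kernel#system, backticks, IO.popen, Open3, ...).
  exec = any(SystemCommandExecution e).asExpr().getExpr()
  or
  // Name-based over-approximation for calls the models might not cover.
  exec instanceof SpawnLikeCall
  or
  // `cmd` and %x(cmd) literals spawn a subshell on their own.
  exec instanceof SubshellLiteral
select exec, "System command execution."
```

The select clause already has the two-column shape the submission site expects. When running it against the verification page, compare the number of results with the number of BAD-marked sites: the library models are the conservative part and the name list is the noisy part, so a missing result usually means a spawning method that is neither modeled nor in the list (or is reached indirectly, for example through send), while a spurious result usually means a same-named method on an unrelated receiver that the over-approximation swept up.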