Deny rubygems-update injection

`rubygems-update` `setup.rb` re-execs itself when `RUBYOPT` is detected,
which causes endless looping because injection adds it back immediately.

See: https://github.com/rubygems/rubygems/blob/90c90addee4bda3130cf44f1321eebf162367d1b/setup.rb#L13-L20

Coverage is twofold:

- Deny on `--disable-gems`: gems are required for ruby injector
- Deny on `setup.rb`: This may be wide-catching but we don't want to
  instrument any of them anyway.

lib-injection/requirements.json

@@ -47,6 +47,196 @@
       ],
       "envars": null
     },
+    {
+      "id": "ruby_disable_gems",
+      "description": "Rubygems is required for injection to function",
+      "os": null,
+      "cmds": [
+        "**/ruby"
+      ],
+      "args": [
+        {
+          "args": [
+            "--disable-gems"
+          ],
+          "position": 1
+        }
+      ],
+      "envars": null
+    },
+    {
+      "id": "ruby_disable_gems",
+      "description": "Rubygems is required for injection to function",
+      "os": null,
+      "cmds": [
+        "**/ruby"
+      ],
+      "args": [
+        {
+          "args": [
+            "*",
+            "--disable-gems"
+          ],
+          "position": 1
+        }
+      ],
+      "envars": null
+    },
+    {
+      "id": "ruby_disable_gems",
+      "description": "Rubygems is required for injection to function",
+      "os": null,
+      "cmds": [
+        "**/ruby"
+      ],
+      "args": [
+        {
+          "args": [
+            "*",
+            "*",
+            "--disable-gems"
+          ],
+          "position": 1
+        }
+      ],
+      "envars": null
+    },
+    {
+      "id": "ruby_disable_gems",
+      "description": "Rubygems is required for injection to function",
+      "os": null,
+      "cmds": [
+        "**/ruby"
+      ],
+      "args": [
+        {
+          "args": [
+            "*",
+            "*",
+            "*",
+            "--disable-gems"
+          ],
+          "position": 1
+        }
+      ],
+      "envars": null
+    },
+    {
+      "id": "ruby_disable_gems",
+      "description": "Rubygems is required for injection to function",
+      "os": null,
+      "cmds": [
+        "**/ruby"
+      ],
+      "args": [
+        {
+          "args": [
+            "*",
+            "*",
+            "*",
+            "*",
+            "--disable-gems"
+          ],
+          "position": 1
+        }
+      ],
+      "envars": null
+    },
+    {
+      "id": "gem_update_system",
+      "description": "Ignore the rubygems update setup.rb",
+      "os": null,
+      "cmds": [
+        "**/ruby"
+      ],
+      "args": [
+        {
+          "args": [
+            "setup.rb"
+          ],
+          "position": 1
+        }
+      ],
+      "envars": null
+    },
+    {
+      "id": "gem_update_system",
+      "description": "Ignore the rubygems update setup.rb",
+      "os": null,
+      "cmds": [
+        "**/ruby"
+      ],
+      "args": [
+        {
+          "args": [
+            "*",
+            "setup.rb"
+          ],
+          "position": 1
+        }
+      ],
+      "envars": null
+    },
+    {
+      "id": "gem_update_system",
+      "description": "Ignore the rubygems update setup.rb",
+      "os": null,
+      "cmds": [
+        "**/ruby"
+      ],
+      "args": [
+        {
+          "args": [
+            "*",
+            "*",
+            "setup.rb"
+          ],
+          "position": 1
+        }
+      ],
+      "envars": null
+    },
+    {
+      "id": "gem_update_system",
+      "description": "Ignore the rubygems update setup.rb",
+      "os": null,
+      "cmds": [
+        "**/ruby"
+      ],
+      "args": [
+        {
+          "args": [
+            "*",
+            "*",
+            "*",
+            "setup.rb"
+          ],
+          "position": 1
+        }
+      ],
+      "envars": null
+    },
+    {
+      "id": "gem_update_system",
+      "description": "Ignore the rubygems update setup.rb",
+      "os": null,
+      "cmds": [
+        "**/ruby"
+      ],
+      "args": [
+        {
+          "args": [
+            "*",
+            "*",
+            "*",
+            "*",
+            "setup.rb"
+          ],
+          "position": 1
+        }
+      ],
+      "envars": null
+    },
     {
       "id": "bundle_install",
       "description": "Ignore bundle install",

lib-injection/requirements.rb

@@ -50,6 +50,35 @@ def requirements
     'envars' => nil,
   }
 
+  [[], ['*'], ['*', '*'], ['*', '*', '*'], ['*', '*', '*', '*']].each do |varargs|
+    reqs['deny'] << {
+      'id' => 'ruby_disable_gems',
+      'description' => 'Rubygems is required for injection to function',
+      'os' => nil,
+      'cmds' => [
+        '**/ruby'
+      ],
+      'args' => [{ 'args' => [*varargs, '--disable-gems'], 'position' => 1 }],
+      'envars' => nil,
+    }
+  end
+
+  # Prevent endless reexecution when RUBYOPTS is forcefully set
+  # Command: {"Path":"/usr/local/bin/ruby","Args":["/usr/local/bin/ruby","--disable-gems","setup.rb","--no-document","--previous-version","3.3.26"]}
+  # See: https://github.com/rubygems/rubygems/blob/90c90addee4bda3130cf44f1321eebf162367d1b/setup.rb#L13-L20
+  [[], ['*'], ['*', '*'], ['*', '*', '*'], ['*', '*', '*', '*']].each do |varargs|
+    reqs['deny'] << {
+      'id' => 'gem_update_system',
+      'description' => 'Ignore the rubygems update setup.rb',
+      'os' => nil,
+      'cmds' => [
+        '**/ruby'
+      ],
+      'args' => [{ 'args' => [*varargs, 'setup.rb'], 'position' => 1 }],
+      'envars' => nil,
+    }
+  end
+
   # `bundle exec` is the only command we want to inject into.
   # there is no `allow` overriding `deny` so we're left to exclude all of the
   # possible others.

lib-injection/test_block.json

@@ -13,6 +13,14 @@
   {"name": "❌ gem",          "filepath": "/path/to/ruby", "args": ["/path/to/ruby", "/path/to/gem"             ], "envars": [], "host": {"os": "linux", "arch": "x64", "libc": "glibc:2.40"}},
   {"name": "❌ gem install",  "filepath": "/path/to/ruby", "args": ["/path/to/ruby", "/path/to/gem", "install"  ], "envars": [], "host": {"os": "linux", "arch": "x64", "libc": "glibc:2.40"}},
 
+  {"name": "❌ ruby disable gems",  "filepath": "/path/to/ruby", "args": ["/path/to/ruby", "--disable-gems"], "envars": [], "host": {"os": "linux", "arch": "x64", "libc": "glibc:2.40"}},
+  {"name": "❌ ruby disable gems",  "filepath": "/path/to/ruby", "args": ["/path/to/ruby", "-w", "--disable-gems"], "envars": [], "host": {"os": "linux", "arch": "x64", "libc": "glibc:2.40"}},
+  {"name": "❌ ruby disable gems",  "filepath": "/path/to/ruby", "args": ["/path/to/ruby", "-w", "-w", "--disable-gems"], "envars": [], "host": {"os": "linux", "arch": "x64", "libc": "glibc:2.40"}},
+  {"name": "❌ ruby disable gems",  "filepath": "/path/to/ruby", "args": ["/path/to/ruby", "-w", "-w", "-w", "--disable-gems"], "envars": [], "host": {"os": "linux", "arch": "x64", "libc": "glibc:2.40"}},
+  {"name": "❌ ruby disable gems",  "filepath": "/path/to/ruby", "args": ["/path/to/ruby", "-w", "-w", "-w", "-w", "--disable-gems"], "envars": [], "host": {"os": "linux", "arch": "x64", "libc": "glibc:2.40"}},
+
+  {"name": "❌ ruby rubygems-update setup.rb",  "filepath": "/path/to/ruby", "args": ["/path/to/ruby", "--disable-gems", "setup.rb", "--no-document", "--previous-version", "3.3.26"], "envars": [], "host": {"os": "linux", "arch": "x64", "libc": "glibc:2.40"}},
+
   {"name": "❌ bundle" , "filepath": "/path/to/ruby", "args": ["/path/to/ruby", "/path/to/bundle",  "install"   ], "envars": [], "host": {"os": "linux", "arch": "x64", "libc": "glibc:2.40"}},
   {"name": "❌ bundle" , "filepath": "/path/to/ruby", "args": ["/path/to/ruby", "/path/to/bundle",  "_2.4.0_", "install"   ], "envars": [], "host": {"os": "linux", "arch": "x64", "libc": "glibc:2.40"}},
   {"name": "❌ bundle" , "filepath": "/path/to/ruby", "args": ["/path/to/ruby", "/path/to/bundle",  "--verbose", "install"   ], "envars": [], "host": {"os": "linux", "arch": "x64", "libc": "glibc:2.40"}},