move archive api path traversal tests to cwe-022

Author: thiggy1342

ruby/ql/test/query-tests/security/cwe-022/ArchiveApiPathTraversal.rb

@@ -0,0 +1,69 @@
+class TestContoller < ActionController::Base
+  
+  # this is vulnerable
+  def upload
+    untar params[:file], params[:filename]
+  end
+
+  # this is vulnerable
+  def unpload_zip
+    unzip params[:file]
+  end
+
+  # these are not vulnerable because of the string compare sanitizer
+  def safe_upload_string_compare
+    filename = params[:filename]
+    if filename == "safefile.tar"
+      untar params[:file], filename
+    end
+  end
+
+  def safe_upload_zip_string_compare
+    filename = params[:filename]
+    if filename == "safefile.zip"
+      unzip filename
+    end
+  end
+
+  # these are not vulnerable beacuse of the string array compare sanitizer
+  def safe_upload_string_array_compare
+    filename = params[:filename]
+    if ["safefile1.tar", "safefile2.tar"].include? filename
+      untar params[:file], filename
+    end
+  end
+
+  def safe_upload_zip_string_array_compare
+    filename = params[:filename]
+    if ["safefile1.zip", "safefile2.zip"].include? filename
+      unzip filename
+    end
+  end
+
+  # these are our two sinks
+  def untar(io, destination)
+    Gem::Package::TarReader.new io do |tar|
+      tar.each do |tarfile|
+        destination_file = File.join destination, tarfile.full_name
+        
+        if tarfile.directory?
+          FileUtils.mkdir_p destination_file
+        else
+          destination_directory = File.dirname(destination_file)
+          FileUtils.mkdir_p destination_directory unless File.directory?(destination_directory)
+          File.open destination_file, "wb" do |f|
+            f.print tarfile.read
+          end
+        end
+      end
+    end
+  end
+
+  def unzip(file)
+    Zip::File.open(file) do |zip_file|
+      zip_file.each do |entry|
+        entry.extract
+      end
+    end
+  end
+end

ruby/ql/test/query-tests/security/cwe-022/PathInjection.expected

@@ -1,4 +1,12 @@
 edges
+| ArchiveApiPathTraversal.rb:5:26:5:31 | call to params :  | ArchiveApiPathTraversal.rb:5:26:5:42 | ...[...] :  |
+| ArchiveApiPathTraversal.rb:5:26:5:42 | ...[...] :  | ArchiveApiPathTraversal.rb:44:17:44:27 | destination :  |
+| ArchiveApiPathTraversal.rb:10:11:10:16 | call to params :  | ArchiveApiPathTraversal.rb:10:11:10:23 | ...[...] :  |
+| ArchiveApiPathTraversal.rb:10:11:10:23 | ...[...] :  | ArchiveApiPathTraversal.rb:62:13:62:16 | file :  |
+| ArchiveApiPathTraversal.rb:44:17:44:27 | destination :  | ArchiveApiPathTraversal.rb:47:38:47:48 | destination :  |
+| ArchiveApiPathTraversal.rb:47:28:47:67 | call to join :  | ArchiveApiPathTraversal.rb:54:21:54:36 | destination_file |
+| ArchiveApiPathTraversal.rb:47:38:47:48 | destination :  | ArchiveApiPathTraversal.rb:47:28:47:67 | call to join :  |
+| ArchiveApiPathTraversal.rb:62:13:62:16 | file :  | ArchiveApiPathTraversal.rb:63:20:63:23 | file |
 | tainted_path.rb:4:12:4:17 | call to params :  | tainted_path.rb:4:12:4:24 | ...[...] :  |
 | tainted_path.rb:4:12:4:24 | ...[...] :  | tainted_path.rb:5:26:5:29 | path |
 | tainted_path.rb:10:12:10:43 | call to absolute_path :  | tainted_path.rb:11:26:11:29 | path |
@@ -26,6 +34,16 @@ edges
 | tainted_path.rb:59:40:59:45 | call to params :  | tainted_path.rb:59:40:59:52 | ...[...] :  |
 | tainted_path.rb:59:40:59:52 | ...[...] :  | tainted_path.rb:59:12:59:53 | call to new :  |
 nodes
+| ArchiveApiPathTraversal.rb:5:26:5:31 | call to params :  | semmle.label | call to params :  |
+| ArchiveApiPathTraversal.rb:5:26:5:42 | ...[...] :  | semmle.label | ...[...] :  |
+| ArchiveApiPathTraversal.rb:10:11:10:16 | call to params :  | semmle.label | call to params :  |
+| ArchiveApiPathTraversal.rb:10:11:10:23 | ...[...] :  | semmle.label | ...[...] :  |
+| ArchiveApiPathTraversal.rb:44:17:44:27 | destination :  | semmle.label | destination :  |
+| ArchiveApiPathTraversal.rb:47:28:47:67 | call to join :  | semmle.label | call to join :  |
+| ArchiveApiPathTraversal.rb:47:38:47:48 | destination :  | semmle.label | destination :  |
+| ArchiveApiPathTraversal.rb:54:21:54:36 | destination_file | semmle.label | destination_file |
+| ArchiveApiPathTraversal.rb:62:13:62:16 | file :  | semmle.label | file :  |
+| ArchiveApiPathTraversal.rb:63:20:63:23 | file | semmle.label | file |
 | tainted_path.rb:4:12:4:17 | call to params :  | semmle.label | call to params :  |
 | tainted_path.rb:4:12:4:24 | ...[...] :  | semmle.label | ...[...] :  |
 | tainted_path.rb:5:26:5:29 | path | semmle.label | path |
@@ -63,6 +81,8 @@ nodes
 | tainted_path.rb:60:26:60:29 | path | semmle.label | path |
 subpaths
 #select
+| ArchiveApiPathTraversal.rb:54:21:54:36 | destination_file | ArchiveApiPathTraversal.rb:5:26:5:31 | call to params :  | ArchiveApiPathTraversal.rb:54:21:54:36 | destination_file | This path depends on $@. | ArchiveApiPathTraversal.rb:5:26:5:31 | call to params | a user-provided value |
+| ArchiveApiPathTraversal.rb:63:20:63:23 | file | ArchiveApiPathTraversal.rb:10:11:10:16 | call to params :  | ArchiveApiPathTraversal.rb:63:20:63:23 | file | This path depends on $@. | ArchiveApiPathTraversal.rb:10:11:10:16 | call to params | a user-provided value |
 | tainted_path.rb:5:26:5:29 | path | tainted_path.rb:4:12:4:17 | call to params :  | tainted_path.rb:5:26:5:29 | path | This path depends on $@. | tainted_path.rb:4:12:4:17 | call to params | a user-provided value |
 | tainted_path.rb:11:26:11:29 | path | tainted_path.rb:10:31:10:36 | call to params :  | tainted_path.rb:11:26:11:29 | path | This path depends on $@. | tainted_path.rb:10:31:10:36 | call to params | a user-provided value |
 | tainted_path.rb:17:26:17:29 | path | tainted_path.rb:16:28:16:33 | call to params :  | tainted_path.rb:17:26:17:29 | path | This path depends on $@. | tainted_path.rb:16:28:16:33 | call to params | a user-provided value |