Commit 09f0820

Simple tests passing
1 parent 39baadb commit 09f0820

2 files changed

+23
-6
lines changed
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
edges
2+
| decompression_api.rb:3:31:3:36 | call to params : | decompression_api.rb:3:31:3:43 | ...[...] |
3+
| decompression_api.rb:12:35:12:40 | call to params : | decompression_api.rb:12:35:12:47 | ...[...] |
4+
nodes
5+
| decompression_api.rb:3:31:3:36 | call to params : | semmle.label | call to params : |
6+
| decompression_api.rb:3:31:3:43 | ...[...] | semmle.label | ...[...] |
7+
| decompression_api.rb:12:35:12:40 | call to params : | semmle.label | call to params : |
8+
| decompression_api.rb:12:35:12:47 | ...[...] | semmle.label | ...[...] |
9+
subpaths
10+
#select
11+
| decompression_api.rb:3:31:3:43 | ...[...] | decompression_api.rb:3:31:3:36 | call to params : | decompression_api.rb:3:31:3:43 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. |
12+
| decompression_api.rb:12:35:12:47 | ...[...] | decompression_api.rb:12:35:12:40 | call to params : | decompression_api.rb:12:35:12:47 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. |
Lines changed: 11 additions & 6 deletions
@@ -1,11 +1,16 @@
11
class TestController < ActionController::Base
2-
def unsafe_unzip
3-
TestModel::unzip(params[:path])
2+
def unsafe_zlib_unzip
3+
Zlib::Inflate.inflate(params[:path])
44
end
5-
end
65

7-
class TestModel
8-
def unzip(filename)
9-
Zlib::Inflate.inflate(filename)
6+
def safe_zlib_unzip
7+
Zlib::Inflate.inflate("testfile.gz")
108
end
9+
10+
def sanitized_zlib_unzip
11+
if params[:path].in ["safe_file1.gz", "safe_file2.gz"]
12+
Zlib::Inflate.inflate(params[:path])
13+
end
14+
end
15+
1116
end
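Review bot: line 11, `if params[:path].in ["safe_file1.gz", "safe_file2.gz"]`, calls a method named `in`, which exists neither in core Ruby nor in ActiveSupport; the ActiveSupport predicate is `in?`, so this should read `if params[:path].in?(["safe_file1.gz", "safe_file2.gz"])`. Writing the real call matters here because `sanitized_zlib_unzip` exists to exercise a guard, and a sanitizer model for `in?` would never match a call to `in`. Also, `Zlib::Inflate.inflate` takes the compressed bytes as its argument, not a file path: line 7's `Zlib::Inflate.inflate("testfile.gz")` inflates the literal string (and would raise Zlib::DataError if run), and `params[:path]` on lines 3 and 12 suggests a path is expected. This is harmless for a CodeQL test that is never executed, but naming the parameter `params[:data]`, or reading the file first with `File.binread`, would make the fixture read correctly.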
