fix casing of Api

thiggy1342 · web-flow · commit 3c62271dbaa4 · 2022-06-06T21:18:08.000Z
diff --git a/ruby/ql/src/experimental/decompression-api/DecompressionApi.ql b/ruby/ql/src/experimental/decompression-api/DecompressionApi.ql
@@ -17,10 +17,10 @@ import codeql.ruby.dataflow.BarrierGuards
 import codeql.ruby.TaintTracking
 import DataFlow::PathGraph
 
-class DecompressionAPIUse extends DataFlow::Node {
+class DecompressionApiUse extends DataFlow::Node {
 
     // this should find the first argument of Zlib::Inflate.inflate or Zip::File.extract
-    DecompressionAPIUse() {
+    DecompressionApiUse() {
         this = API::getTopLevelMember("Zlib").getMember("Inflate").getAMethodCall("inflate").getArgument(0) or
         this = API::getTopLevelMember("Zip").getMember("File").getAMethodCall("open").getArgument(0) or
         this = API::getTopLevelMember("Zip").getMember("Entry").getAMethodCall("extract").getArgument(0)
@@ -29,7 +29,7 @@ class DecompressionAPIUse extends DataFlow::Node {
 }
 
 class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "DecompressionAPIUse" }
+    Configuration() { this = "DecompressionApiUse" }
   
     // this predicate will be used to contstrain our query to find instances where only remote user-controlled data flows to the sink
     override predicate isSource(DataFlow::Node source) {
@@ -38,7 +38,7 @@ class Configuration extends TaintTracking::Configuration {
 
     // our Decompression APIs defined above will the the sinks we use for this query
     override predicate isSink(DataFlow::Node sink) {
-        sink instanceof DecompressionAPIUse
+        sink instanceof DecompressionApiUse
     }
 
     // I think it would also be helpful to reduce false positives by adding a simple sanitizer config in the event
diff --git a/ruby/ql/test/query-tests/security/decompression-api/DecompressionAPI.qlref b/ruby/ql/test/query-tests/security/decompression-api/DecompressionAPI.qlref
diff --git a/ruby/ql/test/query-tests/security/decompression-api/DecompressionApi.expected b/ruby/ql/test/query-tests/security/decompression-api/DecompressionApi.expected
@@ -11,6 +11,6 @@ nodes
 | decompression_api.rb:17:24:17:37 | ...[...] | semmle.label | ...[...] |
 subpaths
 #select
-| decompression_api.rb:3:31:3:44 | ...[...] | decompression_api.rb:3:31:3:36 | call to params :  | decompression_api.rb:3:31:3:44 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. | call to inflate | decompression_api.rb:3:9:3:45 | call to inflate |
-| decompression_api.rb:13:44:13:57 | ...[...] | decompression_api.rb:13:44:13:49 | call to params :  | decompression_api.rb:13:44:13:57 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. | call to inflate | decompression_api.rb:13:9:13:58 | call to inflate |
-| decompression_api.rb:17:24:17:37 | ...[...] | decompression_api.rb:17:24:17:29 | call to params :  | decompression_api.rb:17:24:17:37 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. | call to open | decompression_api.rb:17:9:21:11 | call to open |
+| decompression_api.rb:3:31:3:44 | ...[...] | decompression_api.rb:3:31:3:36 | call to params :  | decompression_api.rb:3:31:3:44 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. | call to inflate | call to inflate |
+| decompression_api.rb:13:44:13:57 | ...[...] | decompression_api.rb:13:44:13:49 | call to params :  | decompression_api.rb:13:44:13:57 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. | call to inflate | call to inflate |
+| decompression_api.rb:17:24:17:37 | ...[...] | decompression_api.rb:17:24:17:29 | call to params :  | decompression_api.rb:17:24:17:37 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. | call to open | call to open |
diff --git a/ruby/ql/test/query-tests/security/decompression-api/DecompressionApi.qlref b/ruby/ql/test/query-tests/security/decompression-api/DecompressionApi.qlref
@@ -0,0 +1 @@
+experimental/decompression-api/DecompressionApi.ql

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+experimental/decompression-api/DecompressionApi.ql`