remove constraint for Zip::File.open

thiggy1342 · web-flow · commit 62291124ff71 · 2022-06-06T21:20:44.000Z
diff --git a/ruby/ql/src/experimental/decompression-api/DecompressionApi.ql b/ruby/ql/src/experimental/decompression-api/DecompressionApi.ql
@@ -22,7 +22,6 @@ class DecompressionApiUse extends DataFlow::Node {
     // this should find the first argument of Zlib::Inflate.inflate or Zip::File.extract
     DecompressionApiUse() {
         this = API::getTopLevelMember("Zlib").getMember("Inflate").getAMethodCall("inflate").getArgument(0) or
-        this = API::getTopLevelMember("Zip").getMember("File").getAMethodCall("open").getArgument(0) or
         this = API::getTopLevelMember("Zip").getMember("Entry").getAMethodCall("extract").getArgument(0)
     }
 
diff --git a/ruby/ql/test/query-tests/security/decompression-api/DecompressionApi.expected b/ruby/ql/test/query-tests/security/decompression-api/DecompressionApi.expected
@@ -1,16 +1,12 @@
 edges
 | decompression_api.rb:3:31:3:36 | call to params :  | decompression_api.rb:3:31:3:44 | ...[...] |
 | decompression_api.rb:13:44:13:49 | call to params :  | decompression_api.rb:13:44:13:57 | ...[...] |
-| decompression_api.rb:17:24:17:29 | call to params :  | decompression_api.rb:17:24:17:37 | ...[...] |
 nodes
 | decompression_api.rb:3:31:3:36 | call to params :  | semmle.label | call to params :  |
 | decompression_api.rb:3:31:3:44 | ...[...] | semmle.label | ...[...] |
 | decompression_api.rb:13:44:13:49 | call to params :  | semmle.label | call to params :  |
 | decompression_api.rb:13:44:13:57 | ...[...] | semmle.label | ...[...] |
-| decompression_api.rb:17:24:17:29 | call to params :  | semmle.label | call to params :  |
-| decompression_api.rb:17:24:17:37 | ...[...] | semmle.label | ...[...] |
 subpaths
 #select
 | decompression_api.rb:3:31:3:44 | ...[...] | decompression_api.rb:3:31:3:36 | call to params :  | decompression_api.rb:3:31:3:44 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. | call to inflate | call to inflate |
 | decompression_api.rb:13:44:13:57 | ...[...] | decompression_api.rb:13:44:13:49 | call to params :  | decompression_api.rb:13:44:13:57 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. | call to inflate | call to inflate |
-| decompression_api.rb:17:24:17:37 | ...[...] | decompression_api.rb:17:24:17:29 | call to params :  | decompression_api.rb:17:24:17:37 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. | call to open | call to open |

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,6 @@ class DecompressionApiUse extends DataFlow::Node {`
`22`	`22`	`// this should find the first argument of Zlib::Inflate.inflate or Zip::File.extract`
`23`	`23`	`DecompressionApiUse() {`
`24`	`24`	`this = API::getTopLevelMember("Zlib").getMember("Inflate").getAMethodCall("inflate").getArgument(0) or`
`25`		`- this = API::getTopLevelMember("Zip").getMember("File").getAMethodCall("open").getArgument(0) or`
`26`	`25`	`this = API::getTopLevelMember("Zip").getMember("Entry").getAMethodCall("extract").getArgument(0)`
`27`	`26`	`}`
`28`	`27`