Fix test syntax for sanitizer tests

thiggy1342 · web-flow · commit 6cb0717a072d · 2022-06-04T16:33:18.000Z
diff --git a/ruby/ql/test/query-tests/security/decompression-api/DecompressionAPI.expected b/ruby/ql/test/query-tests/security/decompression-api/DecompressionAPI.expected
@@ -1,20 +1,16 @@
 edges
-| decompression_api.rb:3:31:3:36 | call to params :  | decompression_api.rb:3:31:3:43 | ...[...] |
-| decompression_api.rb:12:35:12:40 | call to params :  | decompression_api.rb:12:35:12:47 | ...[...] |
-| decompression_api.rb:17:27:17:32 | call to params :  | decompression_api.rb:17:27:17:39 | ...[...] |
-| decompression_api.rb:26:31:26:36 | call to params :  | decompression_api.rb:26:31:26:43 | ...[...] |
+| decompression_api.rb:3:31:3:36 | call to params :  | decompression_api.rb:3:31:3:44 | ...[...] |
+| decompression_api.rb:13:44:13:49 | call to params :  | decompression_api.rb:13:44:13:57 | ...[...] |
+| decompression_api.rb:17:24:17:29 | call to params :  | decompression_api.rb:17:24:17:37 | ...[...] |
 nodes
 | decompression_api.rb:3:31:3:36 | call to params :  | semmle.label | call to params :  |
-| decompression_api.rb:3:31:3:43 | ...[...] | semmle.label | ...[...] |
-| decompression_api.rb:12:35:12:40 | call to params :  | semmle.label | call to params :  |
-| decompression_api.rb:12:35:12:47 | ...[...] | semmle.label | ...[...] |
-| decompression_api.rb:17:27:17:32 | call to params :  | semmle.label | call to params :  |
-| decompression_api.rb:17:27:17:39 | ...[...] | semmle.label | ...[...] |
-| decompression_api.rb:26:31:26:36 | call to params :  | semmle.label | call to params :  |
-| decompression_api.rb:26:31:26:43 | ...[...] | semmle.label | ...[...] |
+| decompression_api.rb:3:31:3:44 | ...[...] | semmle.label | ...[...] |
+| decompression_api.rb:13:44:13:49 | call to params :  | semmle.label | call to params :  |
+| decompression_api.rb:13:44:13:57 | ...[...] | semmle.label | ...[...] |
+| decompression_api.rb:17:24:17:29 | call to params :  | semmle.label | call to params :  |
+| decompression_api.rb:17:24:17:37 | ...[...] | semmle.label | ...[...] |
 subpaths
 #select
-| decompression_api.rb:3:31:3:43 | ...[...] | decompression_api.rb:3:31:3:36 | call to params :  | decompression_api.rb:3:31:3:43 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. |
-| decompression_api.rb:12:35:12:47 | ...[...] | decompression_api.rb:12:35:12:40 | call to params :  | decompression_api.rb:12:35:12:47 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. |
-| decompression_api.rb:17:27:17:39 | ...[...] | decompression_api.rb:17:27:17:32 | call to params :  | decompression_api.rb:17:27:17:39 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. |
-| decompression_api.rb:26:31:26:43 | ...[...] | decompression_api.rb:26:31:26:36 | call to params :  | decompression_api.rb:26:31:26:43 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. |
+| decompression_api.rb:3:31:3:44 | ...[...] | decompression_api.rb:3:31:3:36 | call to params :  | decompression_api.rb:3:31:3:44 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. |
+| decompression_api.rb:13:44:13:57 | ...[...] | decompression_api.rb:13:44:13:49 | call to params :  | decompression_api.rb:13:44:13:57 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. |
+| decompression_api.rb:17:24:17:37 | ...[...] | decompression_api.rb:17:24:17:29 | call to params :  | decompression_api.rb:17:24:17:37 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. |
diff --git a/ruby/ql/test/query-tests/security/decompression-api/decompression_api.rb b/ruby/ql/test/query-tests/security/decompression-api/decompression_api.rb
@@ -1,6 +1,6 @@
 class TestController < ActionController::Base
     def unsafe_zlib_unzip
-        Zlib::Inflate.inflate(params[:path])
+        Zlib::Inflate.inflate(params[:fname])
     end
 
     def safe_zlib_unzip
@@ -10,11 +10,11 @@ def safe_zlib_unzip
 
     DECOMPRESSION_LIB = Zlib
     def unsafe_zlib_unzip_const
-        DECOMPRESSION_LIB::Inflate.inflate(params[:path])
+        DECOMPRESSION_LIB::Inflate.inflate(params[:fname])
     end
 
     def unsafe_zlib_unzip
-        Zip::File.open(params[:file]) do |zip_file|
+        Zip::File.open(params[:fname]) do |zip_file|
             zip_file.each do |entry|
                 entry.extract(entry.name)
             end
@@ -26,14 +26,16 @@ def safe_zlib_unzip
     end
 
     def sanitized_zlib_unzip
-        if "safe_file.gz" == params[:path]
-            Zlib::Inflate.inflate(params[:path])
+        fname = params[:fname]
+        if fname == "safe_file.gz"
+            Zlib::Inflate.inflate(fname)
         end
     end
 
     def sanitized_array_zlib_unzip
-        if ["safe_file1.gz", "safe_file2.gz"].include? params[:path]
-            Zlib::Inflate.inflate(params[:path])
+        fname = params[:fname]
+        if ["safe_file1.gz", "safe_file2.gz"].include? fname
+            Zlib::Inflate.inflate(fname)
         end
     end
 
