use select placeholder correctly

thiggy1342 · web-flow · commit c5db11ee2eb0 · 2022-06-06T14:01:02.000Z
diff --git a/ruby/ql/src/experimental/decompression-api/DecompressionAPI.ql b/ruby/ql/src/experimental/decompression-api/DecompressionAPI.ql
@@ -54,4 +54,4 @@ class Configuration extends TaintTracking::Configuration {
 from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where
   config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source."
+select sink.getNode(), source, sink, "This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source.", sink.getNode().asExpr().getExpr().getParent().toString(), sink.getNode().asExpr().getExpr().getParent().toString()
diff --git a/ruby/ql/test/query-tests/security/decompression-api/DecompressionAPI.expected b/ruby/ql/test/query-tests/security/decompression-api/DecompressionAPI.expected
@@ -11,6 +11,6 @@ nodes
 | decompression_api.rb:17:24:17:37 | ...[...] | semmle.label | ...[...] |
 subpaths
 #select
-| decompression_api.rb:3:31:3:44 | ...[...] | decompression_api.rb:3:31:3:36 | call to params :  | decompression_api.rb:3:31:3:44 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. |
-| decompression_api.rb:13:44:13:57 | ...[...] | decompression_api.rb:13:44:13:49 | call to params :  | decompression_api.rb:13:44:13:57 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. |
-| decompression_api.rb:17:24:17:37 | ...[...] | decompression_api.rb:17:24:17:29 | call to params :  | decompression_api.rb:17:24:17:37 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. |
+| decompression_api.rb:3:31:3:44 | ...[...] | decompression_api.rb:3:31:3:36 | call to params :  | decompression_api.rb:3:31:3:44 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. | call to inflate | decompression_api.rb:3:9:3:45 | call to inflate |
+| decompression_api.rb:13:44:13:57 | ...[...] | decompression_api.rb:13:44:13:49 | call to params :  | decompression_api.rb:13:44:13:57 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. | call to inflate | decompression_api.rb:13:9:13:58 | call to inflate |
+| decompression_api.rb:17:24:17:37 | ...[...] | decompression_api.rb:17:24:17:29 | call to params :  | decompression_api.rb:17:24:17:37 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. | call to open | decompression_api.rb:17:9:21:11 | call to open |
