add block test cases and update tests

gregxsunday · gregxsunday · commit 5a85fa12c7a9 · 2023-02-23T12:09:22.000Z
diff --git a/ruby/ql/test/query-tests/security/cwe-022-ZipSlip/ZipSlip.expected b/ruby/ql/test/query-tests/security/cwe-022-ZipSlip/ZipSlip.expected
@@ -2,29 +2,53 @@ edges
 | zip_slip.rb:8:15:8:54 | call to new :  | zip_slip.rb:9:5:9:11 | tarfile :  |
 | zip_slip.rb:9:5:9:11 | tarfile :  | zip_slip.rb:9:22:9:26 | entry :  |
 | zip_slip.rb:9:22:9:26 | entry :  | zip_slip.rb:10:19:10:33 | call to full_name |
-| zip_slip.rb:33:5:33:24 | call to open :  | zip_slip.rb:33:35:33:39 | entry :  |
-| zip_slip.rb:33:35:33:39 | entry :  | zip_slip.rb:34:17:34:26 | call to name |
-| zip_slip.rb:53:12:53:54 | call to open :  | zip_slip.rb:54:11:54:14 | gzip :  |
-| zip_slip.rb:54:11:54:14 | gzip :  | zip_slip.rb:60:42:60:56 | compressed_file :  |
-| zip_slip.rb:60:42:60:56 | compressed_file :  | zip_slip.rb:61:7:61:21 | compressed_file :  |
-| zip_slip.rb:61:7:61:21 | compressed_file :  | zip_slip.rb:61:32:61:36 | entry :  |
-| zip_slip.rb:61:32:61:36 | entry :  | zip_slip.rb:63:21:63:30 | entry_path |
+| zip_slip.rb:20:50:20:56 | tarfile :  | zip_slip.rb:21:7:21:13 | tarfile :  |
+| zip_slip.rb:21:7:21:13 | tarfile :  | zip_slip.rb:21:30:21:34 | entry :  |
+| zip_slip.rb:21:30:21:34 | entry :  | zip_slip.rb:22:21:22:35 | call to full_name |
+| zip_slip.rb:46:5:46:24 | call to open :  | zip_slip.rb:46:35:46:39 | entry :  |
+| zip_slip.rb:46:35:46:39 | entry :  | zip_slip.rb:47:17:47:26 | call to name |
+| zip_slip.rb:56:30:56:37 | zip_file :  | zip_slip.rb:57:7:57:14 | zip_file :  |
+| zip_slip.rb:57:7:57:14 | zip_file :  | zip_slip.rb:57:25:57:29 | entry :  |
+| zip_slip.rb:57:25:57:29 | entry :  | zip_slip.rb:58:19:58:28 | call to name |
+| zip_slip.rb:90:12:90:54 | call to open :  | zip_slip.rb:91:11:91:14 | gzip :  |
+| zip_slip.rb:91:11:91:14 | gzip :  | zip_slip.rb:97:42:97:56 | compressed_file :  |
+| zip_slip.rb:97:42:97:56 | compressed_file :  | zip_slip.rb:98:7:98:21 | compressed_file :  |
+| zip_slip.rb:98:7:98:21 | compressed_file :  | zip_slip.rb:98:32:98:36 | entry :  |
+| zip_slip.rb:98:32:98:36 | entry :  | zip_slip.rb:100:21:100:30 | entry_path |
+| zip_slip.rb:123:12:123:34 | call to new :  | zip_slip.rb:124:7:124:8 | gz :  |
+| zip_slip.rb:124:7:124:8 | gz :  | zip_slip.rb:124:19:124:23 | entry :  |
+| zip_slip.rb:124:19:124:23 | entry :  | zip_slip.rb:126:21:126:30 | entry_path |
 nodes
 | zip_slip.rb:8:15:8:54 | call to new :  | semmle.label | call to new :  |
 | zip_slip.rb:9:5:9:11 | tarfile :  | semmle.label | tarfile :  |
 | zip_slip.rb:9:22:9:26 | entry :  | semmle.label | entry :  |
 | zip_slip.rb:10:19:10:33 | call to full_name | semmle.label | call to full_name |
-| zip_slip.rb:33:5:33:24 | call to open :  | semmle.label | call to open :  |
-| zip_slip.rb:33:35:33:39 | entry :  | semmle.label | entry :  |
-| zip_slip.rb:34:17:34:26 | call to name | semmle.label | call to name |
-| zip_slip.rb:53:12:53:54 | call to open :  | semmle.label | call to open :  |
-| zip_slip.rb:54:11:54:14 | gzip :  | semmle.label | gzip :  |
-| zip_slip.rb:60:42:60:56 | compressed_file :  | semmle.label | compressed_file :  |
-| zip_slip.rb:61:7:61:21 | compressed_file :  | semmle.label | compressed_file :  |
-| zip_slip.rb:61:32:61:36 | entry :  | semmle.label | entry :  |
-| zip_slip.rb:63:21:63:30 | entry_path | semmle.label | entry_path |
+| zip_slip.rb:20:50:20:56 | tarfile :  | semmle.label | tarfile :  |
+| zip_slip.rb:21:7:21:13 | tarfile :  | semmle.label | tarfile :  |
+| zip_slip.rb:21:30:21:34 | entry :  | semmle.label | entry :  |
+| zip_slip.rb:22:21:22:35 | call to full_name | semmle.label | call to full_name |
+| zip_slip.rb:46:5:46:24 | call to open :  | semmle.label | call to open :  |
+| zip_slip.rb:46:35:46:39 | entry :  | semmle.label | entry :  |
+| zip_slip.rb:47:17:47:26 | call to name | semmle.label | call to name |
+| zip_slip.rb:56:30:56:37 | zip_file :  | semmle.label | zip_file :  |
+| zip_slip.rb:57:7:57:14 | zip_file :  | semmle.label | zip_file :  |
+| zip_slip.rb:57:25:57:29 | entry :  | semmle.label | entry :  |
+| zip_slip.rb:58:19:58:28 | call to name | semmle.label | call to name |
+| zip_slip.rb:90:12:90:54 | call to open :  | semmle.label | call to open :  |
+| zip_slip.rb:91:11:91:14 | gzip :  | semmle.label | gzip :  |
+| zip_slip.rb:97:42:97:56 | compressed_file :  | semmle.label | compressed_file :  |
+| zip_slip.rb:98:7:98:21 | compressed_file :  | semmle.label | compressed_file :  |
+| zip_slip.rb:98:32:98:36 | entry :  | semmle.label | entry :  |
+| zip_slip.rb:100:21:100:30 | entry_path | semmle.label | entry_path |
+| zip_slip.rb:123:12:123:34 | call to new :  | semmle.label | call to new :  |
+| zip_slip.rb:124:7:124:8 | gz :  | semmle.label | gz :  |
+| zip_slip.rb:124:19:124:23 | entry :  | semmle.label | entry :  |
+| zip_slip.rb:126:21:126:30 | entry_path | semmle.label | entry_path |
 subpaths
 #select
 | zip_slip.rb:10:19:10:33 | call to full_name | zip_slip.rb:8:15:8:54 | call to new :  | zip_slip.rb:10:19:10:33 | call to full_name | This file extraction depends on a $@. | zip_slip.rb:8:15:8:54 | call to new | potentially untrusted source |
-| zip_slip.rb:34:17:34:26 | call to name | zip_slip.rb:33:5:33:24 | call to open :  | zip_slip.rb:34:17:34:26 | call to name | This file extraction depends on a $@. | zip_slip.rb:33:5:33:24 | call to open | potentially untrusted source |
-| zip_slip.rb:63:21:63:30 | entry_path | zip_slip.rb:53:12:53:54 | call to open :  | zip_slip.rb:63:21:63:30 | entry_path | This file extraction depends on a $@. | zip_slip.rb:53:12:53:54 | call to open | potentially untrusted source |
+| zip_slip.rb:22:21:22:35 | call to full_name | zip_slip.rb:20:50:20:56 | tarfile :  | zip_slip.rb:22:21:22:35 | call to full_name | This file extraction depends on a $@. | zip_slip.rb:20:50:20:56 | tarfile | potentially untrusted source |
+| zip_slip.rb:47:17:47:26 | call to name | zip_slip.rb:46:5:46:24 | call to open :  | zip_slip.rb:47:17:47:26 | call to name | This file extraction depends on a $@. | zip_slip.rb:46:5:46:24 | call to open | potentially untrusted source |
+| zip_slip.rb:58:19:58:28 | call to name | zip_slip.rb:56:30:56:37 | zip_file :  | zip_slip.rb:58:19:58:28 | call to name | This file extraction depends on a $@. | zip_slip.rb:56:30:56:37 | zip_file | potentially untrusted source |
+| zip_slip.rb:100:21:100:30 | entry_path | zip_slip.rb:90:12:90:54 | call to open :  | zip_slip.rb:100:21:100:30 | entry_path | This file extraction depends on a $@. | zip_slip.rb:90:12:90:54 | call to open | potentially untrusted source |
+| zip_slip.rb:126:21:126:30 | entry_path | zip_slip.rb:123:12:123:34 | call to new :  | zip_slip.rb:126:21:126:30 | entry_path | This file extraction depends on a $@. | zip_slip.rb:123:12:123:34 | call to new | potentially untrusted source |
diff --git a/ruby/ql/test/query-tests/security/cwe-022-ZipSlip/zip_slip.rb b/ruby/ql/test/query-tests/security/cwe-022-ZipSlip/zip_slip.rb
@@ -12,6 +12,19 @@ def tarReaderUnsafe
       end
     end
   end
+
+  # BAD
+  def tarReaderBlockUnsafe
+    path = params[:path]
+    file_stream = IO.new(IO.sysopen(path))
+    Gem::Package::TarReader.new(file_stream) do |tarfile|
+      tarfile.each_entry do |entry|
+        ::File.open(entry.full_name, "wb") do |os|
+          entry.read
+        end
+      end
+    end
+  end
   
   # GOOD
   def tarReadeSanitizedExpandPath
@@ -36,6 +49,30 @@ def zipFileUnsafe
       end
     end
   end
+
+  # BAD
+  def zipFileBlockUnsafe
+    path = params[:path]
+    Zip::File.open(path) do |zip_file|
+      zip_file.each do |entry|
+        File.open(entry.name, "wb") do |os|
+          entry.read
+        end
+      end
+    end
+  end
+
+  # GOOD
+  def zipFileBlockSafeHardcodedPath
+    path = '/safepath.zip'
+    Zip::File.open(path) do |zip_file|
+      zip_file.each do |entry|
+        File.open(entry.name, "wb") do |os|
+          entry.read
+        end
+      end
+    end
+  end
   
   # GOOD
   def zipFileSanitizedConstCompare
@@ -84,14 +121,11 @@ def gzipReaderUnsafeNewInstance
     path = params[:path]
     File.open(path, 'rb') do |f|
       gz = Zlib::GzipReader.new(f)
-      uncompressed_data = gz.read
-      puts uncompressed_data
-      gz.close
-    end
-    zlib.each do |entry|
-      entry_path = entry.full_name
-      ::File.open(entry_path, 'wb') do |os|
-        entry.read
+      gz.each do |entry|
+        entry_path = entry.full_name
+        ::File.open(entry_path, 'wb') do |os|
+          entry.read
+        end
       end
     end
   end
