Ruby: Update test

hmac · hmac · commit 8212f5de1bd7 · 2024-02-26T13:10:27.000Z
diff --git a/ruby/ql/test/query-tests/experimental/cwe-502/UnsafeYamlDeserialization.expected b/ruby/ql/test/query-tests/experimental/cwe-502/UnsafeYamlDeserialization.expected
@@ -1,75 +1,56 @@
 edges
-| unicode_normalization.rb:7:5:7:17 | unicode_input | unicode_normalization.rb:8:23:8:35 | unicode_input |
-| unicode_normalization.rb:7:5:7:17 | unicode_input | unicode_normalization.rb:9:22:9:34 | unicode_input |
-| unicode_normalization.rb:7:21:7:26 | call to params | unicode_normalization.rb:7:21:7:42 | ...[...] |
-| unicode_normalization.rb:7:21:7:42 | ...[...] | unicode_normalization.rb:7:5:7:17 | unicode_input |
-| unicode_normalization.rb:15:5:15:17 | unicode_input | unicode_normalization.rb:16:27:16:39 | unicode_input |
-| unicode_normalization.rb:15:5:15:17 | unicode_input | unicode_normalization.rb:16:27:16:39 | unicode_input |
-| unicode_normalization.rb:15:21:15:26 | call to params | unicode_normalization.rb:15:21:15:42 | ...[...] |
-| unicode_normalization.rb:15:21:15:26 | call to params | unicode_normalization.rb:15:21:15:42 | ...[...] |
-| unicode_normalization.rb:15:21:15:42 | ...[...] | unicode_normalization.rb:15:5:15:17 | unicode_input |
-| unicode_normalization.rb:15:21:15:42 | ...[...] | unicode_normalization.rb:15:5:15:17 | unicode_input |
-| unicode_normalization.rb:16:5:16:23 | unicode_input_manip | unicode_normalization.rb:17:23:17:41 | unicode_input_manip |
-| unicode_normalization.rb:16:5:16:23 | unicode_input_manip | unicode_normalization.rb:18:22:18:40 | unicode_input_manip |
-| unicode_normalization.rb:16:27:16:39 | unicode_input | unicode_normalization.rb:16:27:16:59 | call to sub |
-| unicode_normalization.rb:16:27:16:39 | unicode_input | unicode_normalization.rb:16:27:16:59 | call to sub |
-| unicode_normalization.rb:16:27:16:59 | call to sub | unicode_normalization.rb:16:5:16:23 | unicode_input_manip |
-| unicode_normalization.rb:24:5:24:17 | unicode_input | unicode_normalization.rb:25:37:25:49 | unicode_input |
-| unicode_normalization.rb:24:21:24:26 | call to params | unicode_normalization.rb:24:21:24:42 | ...[...] |
-| unicode_normalization.rb:24:21:24:42 | ...[...] | unicode_normalization.rb:24:5:24:17 | unicode_input |
-| unicode_normalization.rb:25:5:25:21 | unicode_html_safe | unicode_normalization.rb:26:23:26:39 | unicode_html_safe |
-| unicode_normalization.rb:25:5:25:21 | unicode_html_safe | unicode_normalization.rb:27:22:27:38 | unicode_html_safe |
-| unicode_normalization.rb:25:25:25:50 | call to html_escape | unicode_normalization.rb:25:5:25:21 | unicode_html_safe |
-| unicode_normalization.rb:25:37:25:49 | unicode_input | unicode_normalization.rb:25:25:25:50 | call to html_escape |
-| unicode_normalization.rb:33:5:33:17 | unicode_input | unicode_normalization.rb:34:40:34:52 | unicode_input |
-| unicode_normalization.rb:33:21:33:26 | call to params | unicode_normalization.rb:33:21:33:42 | ...[...] |
-| unicode_normalization.rb:33:21:33:42 | ...[...] | unicode_normalization.rb:33:5:33:17 | unicode_input |
-| unicode_normalization.rb:34:5:34:21 | unicode_html_safe | unicode_normalization.rb:35:23:35:39 | unicode_html_safe |
-| unicode_normalization.rb:34:5:34:21 | unicode_html_safe | unicode_normalization.rb:36:22:36:38 | unicode_html_safe |
-| unicode_normalization.rb:34:25:34:53 | call to escapeHTML | unicode_normalization.rb:34:25:34:63 | call to html_safe |
-| unicode_normalization.rb:34:25:34:63 | call to html_safe | unicode_normalization.rb:34:5:34:21 | unicode_html_safe |
-| unicode_normalization.rb:34:40:34:52 | unicode_input | unicode_normalization.rb:34:25:34:53 | call to escapeHTML |
+| UnsafeYamlDeserialization.rb:10:5:10:13 | yaml_data | UnsafeYamlDeserialization.rb:11:25:11:33 | yaml_data | provenance |  |
+| UnsafeYamlDeserialization.rb:10:17:10:22 | call to params | UnsafeYamlDeserialization.rb:10:17:10:28 | ...[...] | provenance |  |
+| UnsafeYamlDeserialization.rb:10:17:10:28 | ...[...] | UnsafeYamlDeserialization.rb:10:5:10:13 | yaml_data | provenance |  |
+| UnsafeYamlDeserialization.rb:17:5:17:13 | yaml_data | UnsafeYamlDeserialization.rb:18:25:18:33 | yaml_data | provenance |  |
+| UnsafeYamlDeserialization.rb:17:17:17:22 | call to params | UnsafeYamlDeserialization.rb:17:17:17:28 | ...[...] | provenance |  |
+| UnsafeYamlDeserialization.rb:17:17:17:28 | ...[...] | UnsafeYamlDeserialization.rb:17:5:17:13 | yaml_data | provenance |  |
+| UnsafeYamlDeserialization.rb:32:5:32:13 | yaml_data | UnsafeYamlDeserialization.rb:33:32:33:40 | yaml_data | provenance |  |
+| UnsafeYamlDeserialization.rb:32:5:32:13 | yaml_data | UnsafeYamlDeserialization.rb:34:37:34:45 | yaml_data | provenance |  |
+| UnsafeYamlDeserialization.rb:32:5:32:13 | yaml_data | UnsafeYamlDeserialization.rb:35:32:35:40 | yaml_data | provenance |  |
+| UnsafeYamlDeserialization.rb:32:5:32:13 | yaml_data | UnsafeYamlDeserialization.rb:37:14:37:33 | call to to_ruby | provenance |  |
+| UnsafeYamlDeserialization.rb:32:5:32:13 | yaml_data | UnsafeYamlDeserialization.rb:38:14:38:43 | call to to_ruby | provenance |  |
+| UnsafeYamlDeserialization.rb:32:5:32:13 | yaml_data | UnsafeYamlDeserialization.rb:39:14:39:48 | call to to_ruby | provenance |  |
+| UnsafeYamlDeserialization.rb:32:5:32:13 | yaml_data | UnsafeYamlDeserialization.rb:49:14:49:32 | call to to_ruby | provenance |  |
+| UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:32:17:32:28 | ...[...] | provenance |  |
+| UnsafeYamlDeserialization.rb:32:17:32:28 | ...[...] | UnsafeYamlDeserialization.rb:32:5:32:13 | yaml_data | provenance |  |
 nodes
-| unicode_normalization.rb:7:5:7:17 | unicode_input | semmle.label | unicode_input |
-| unicode_normalization.rb:7:21:7:26 | call to params | semmle.label | call to params |
-| unicode_normalization.rb:7:21:7:42 | ...[...] | semmle.label | ...[...] |
-| unicode_normalization.rb:8:23:8:35 | unicode_input | semmle.label | unicode_input |
-| unicode_normalization.rb:9:22:9:34 | unicode_input | semmle.label | unicode_input |
-| unicode_normalization.rb:15:5:15:17 | unicode_input | semmle.label | unicode_input |
-| unicode_normalization.rb:15:5:15:17 | unicode_input | semmle.label | unicode_input |
-| unicode_normalization.rb:15:21:15:26 | call to params | semmle.label | call to params |
-| unicode_normalization.rb:15:21:15:42 | ...[...] | semmle.label | ...[...] |
-| unicode_normalization.rb:15:21:15:42 | ...[...] | semmle.label | ...[...] |
-| unicode_normalization.rb:16:5:16:23 | unicode_input_manip | semmle.label | unicode_input_manip |
-| unicode_normalization.rb:16:27:16:39 | unicode_input | semmle.label | unicode_input |
-| unicode_normalization.rb:16:27:16:39 | unicode_input | semmle.label | unicode_input |
-| unicode_normalization.rb:16:27:16:59 | call to sub | semmle.label | call to sub |
-| unicode_normalization.rb:17:23:17:41 | unicode_input_manip | semmle.label | unicode_input_manip |
-| unicode_normalization.rb:18:22:18:40 | unicode_input_manip | semmle.label | unicode_input_manip |
-| unicode_normalization.rb:24:5:24:17 | unicode_input | semmle.label | unicode_input |
-| unicode_normalization.rb:24:21:24:26 | call to params | semmle.label | call to params |
-| unicode_normalization.rb:24:21:24:42 | ...[...] | semmle.label | ...[...] |
-| unicode_normalization.rb:25:5:25:21 | unicode_html_safe | semmle.label | unicode_html_safe |
-| unicode_normalization.rb:25:25:25:50 | call to html_escape | semmle.label | call to html_escape |
-| unicode_normalization.rb:25:37:25:49 | unicode_input | semmle.label | unicode_input |
-| unicode_normalization.rb:26:23:26:39 | unicode_html_safe | semmle.label | unicode_html_safe |
-| unicode_normalization.rb:27:22:27:38 | unicode_html_safe | semmle.label | unicode_html_safe |
-| unicode_normalization.rb:33:5:33:17 | unicode_input | semmle.label | unicode_input |
-| unicode_normalization.rb:33:21:33:26 | call to params | semmle.label | call to params |
-| unicode_normalization.rb:33:21:33:42 | ...[...] | semmle.label | ...[...] |
-| unicode_normalization.rb:34:5:34:21 | unicode_html_safe | semmle.label | unicode_html_safe |
-| unicode_normalization.rb:34:25:34:53 | call to escapeHTML | semmle.label | call to escapeHTML |
-| unicode_normalization.rb:34:25:34:63 | call to html_safe | semmle.label | call to html_safe |
-| unicode_normalization.rb:34:40:34:52 | unicode_input | semmle.label | unicode_input |
-| unicode_normalization.rb:35:23:35:39 | unicode_html_safe | semmle.label | unicode_html_safe |
-| unicode_normalization.rb:36:22:36:38 | unicode_html_safe | semmle.label | unicode_html_safe |
+| UnsafeYamlDeserialization.rb:10:5:10:13 | yaml_data | semmle.label | yaml_data |
+| UnsafeYamlDeserialization.rb:10:17:10:22 | call to params | semmle.label | call to params |
+| UnsafeYamlDeserialization.rb:10:17:10:28 | ...[...] | semmle.label | ...[...] |
+| UnsafeYamlDeserialization.rb:11:25:11:33 | yaml_data | semmle.label | yaml_data |
+| UnsafeYamlDeserialization.rb:17:5:17:13 | yaml_data | semmle.label | yaml_data |
+| UnsafeYamlDeserialization.rb:17:17:17:22 | call to params | semmle.label | call to params |
+| UnsafeYamlDeserialization.rb:17:17:17:28 | ...[...] | semmle.label | ...[...] |
+| UnsafeYamlDeserialization.rb:18:25:18:33 | yaml_data | semmle.label | yaml_data |
+| UnsafeYamlDeserialization.rb:32:5:32:13 | yaml_data | semmle.label | yaml_data |
+| UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | semmle.label | call to params |
+| UnsafeYamlDeserialization.rb:32:17:32:28 | ...[...] | semmle.label | ...[...] |
+| UnsafeYamlDeserialization.rb:33:32:33:40 | yaml_data | semmle.label | yaml_data |
+| UnsafeYamlDeserialization.rb:34:37:34:45 | yaml_data | semmle.label | yaml_data |
+| UnsafeYamlDeserialization.rb:35:32:35:40 | yaml_data | semmle.label | yaml_data |
+| UnsafeYamlDeserialization.rb:37:14:37:33 | call to to_ruby | semmle.label | call to to_ruby |
+| UnsafeYamlDeserialization.rb:38:14:38:43 | call to to_ruby | semmle.label | call to to_ruby |
+| UnsafeYamlDeserialization.rb:39:14:39:48 | call to to_ruby | semmle.label | call to to_ruby |
+| UnsafeYamlDeserialization.rb:49:14:49:32 | call to to_ruby | semmle.label | call to to_ruby |
+| UnsafeYamlDeserialization.rb:61:24:61:34 | call to read | semmle.label | call to read |
+| UnsafeYamlDeserialization.rb:64:24:64:33 | call to gets | semmle.label | call to gets |
+| UnsafeYamlDeserialization.rb:67:24:67:32 | call to read | semmle.label | call to read |
+| UnsafeYamlDeserialization.rb:70:24:70:27 | call to gets | semmle.label | call to gets |
+| UnsafeYamlDeserialization.rb:73:24:73:32 | call to readlines | semmle.label | call to readlines |
 subpaths
 #select
-| unicode_normalization.rb:8:23:8:35 | unicode_input | unicode_normalization.rb:7:21:7:26 | call to params | unicode_normalization.rb:8:23:8:35 | unicode_input | This $@ processes unsafely $@ and any logical validation in-between could be bypassed using special Unicode characters. | unicode_normalization.rb:8:23:8:35 | unicode_input | Unicode transformation (Unicode normalization) | unicode_normalization.rb:7:21:7:26 | call to params | remote user-controlled data |
-| unicode_normalization.rb:9:22:9:34 | unicode_input | unicode_normalization.rb:7:21:7:26 | call to params | unicode_normalization.rb:9:22:9:34 | unicode_input | This $@ processes unsafely $@ and any logical validation in-between could be bypassed using special Unicode characters. | unicode_normalization.rb:9:22:9:34 | unicode_input | Unicode transformation (Unicode normalization) | unicode_normalization.rb:7:21:7:26 | call to params | remote user-controlled data |
-| unicode_normalization.rb:17:23:17:41 | unicode_input_manip | unicode_normalization.rb:15:21:15:26 | call to params | unicode_normalization.rb:17:23:17:41 | unicode_input_manip | This $@ processes unsafely $@ and any logical validation in-between could be bypassed using special Unicode characters. | unicode_normalization.rb:17:23:17:41 | unicode_input_manip | Unicode transformation (Unicode normalization) | unicode_normalization.rb:15:21:15:26 | call to params | remote user-controlled data |
-| unicode_normalization.rb:18:22:18:40 | unicode_input_manip | unicode_normalization.rb:15:21:15:26 | call to params | unicode_normalization.rb:18:22:18:40 | unicode_input_manip | This $@ processes unsafely $@ and any logical validation in-between could be bypassed using special Unicode characters. | unicode_normalization.rb:18:22:18:40 | unicode_input_manip | Unicode transformation (Unicode normalization) | unicode_normalization.rb:15:21:15:26 | call to params | remote user-controlled data |
-| unicode_normalization.rb:26:23:26:39 | unicode_html_safe | unicode_normalization.rb:24:21:24:26 | call to params | unicode_normalization.rb:26:23:26:39 | unicode_html_safe | This $@ processes unsafely $@ and any logical validation in-between could be bypassed using special Unicode characters. | unicode_normalization.rb:26:23:26:39 | unicode_html_safe | Unicode transformation (Unicode normalization) | unicode_normalization.rb:24:21:24:26 | call to params | remote user-controlled data |
-| unicode_normalization.rb:27:22:27:38 | unicode_html_safe | unicode_normalization.rb:24:21:24:26 | call to params | unicode_normalization.rb:27:22:27:38 | unicode_html_safe | This $@ processes unsafely $@ and any logical validation in-between could be bypassed using special Unicode characters. | unicode_normalization.rb:27:22:27:38 | unicode_html_safe | Unicode transformation (Unicode normalization) | unicode_normalization.rb:24:21:24:26 | call to params | remote user-controlled data |
-| unicode_normalization.rb:35:23:35:39 | unicode_html_safe | unicode_normalization.rb:33:21:33:26 | call to params | unicode_normalization.rb:35:23:35:39 | unicode_html_safe | This $@ processes unsafely $@ and any logical validation in-between could be bypassed using special Unicode characters. | unicode_normalization.rb:35:23:35:39 | unicode_html_safe | Unicode transformation (Unicode normalization) | unicode_normalization.rb:33:21:33:26 | call to params | remote user-controlled data |
-| unicode_normalization.rb:36:22:36:38 | unicode_html_safe | unicode_normalization.rb:33:21:33:26 | call to params | unicode_normalization.rb:36:22:36:38 | unicode_html_safe | This $@ processes unsafely $@ and any logical validation in-between could be bypassed using special Unicode characters. | unicode_normalization.rb:36:22:36:38 | unicode_html_safe | Unicode transformation (Unicode normalization) | unicode_normalization.rb:33:21:33:26 | call to params | remote user-controlled data |
+| UnsafeYamlDeserialization.rb:11:25:11:33 | yaml_data | UnsafeYamlDeserialization.rb:10:17:10:22 | call to params | UnsafeYamlDeserialization.rb:11:25:11:33 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:10:17:10:22 | call to params | user-provided value |
+| UnsafeYamlDeserialization.rb:18:25:18:33 | yaml_data | UnsafeYamlDeserialization.rb:17:17:17:22 | call to params | UnsafeYamlDeserialization.rb:18:25:18:33 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:17:17:17:22 | call to params | user-provided value |
+| UnsafeYamlDeserialization.rb:33:32:33:40 | yaml_data | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:33:32:33:40 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value |
+| UnsafeYamlDeserialization.rb:34:37:34:45 | yaml_data | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:34:37:34:45 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value |
+| UnsafeYamlDeserialization.rb:35:32:35:40 | yaml_data | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:35:32:35:40 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value |
+| UnsafeYamlDeserialization.rb:37:14:37:33 | call to to_ruby | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:37:14:37:33 | call to to_ruby | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value |
+| UnsafeYamlDeserialization.rb:38:14:38:43 | call to to_ruby | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:38:14:38:43 | call to to_ruby | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value |
+| UnsafeYamlDeserialization.rb:39:14:39:48 | call to to_ruby | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:39:14:39:48 | call to to_ruby | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value |
+| UnsafeYamlDeserialization.rb:49:14:49:32 | call to to_ruby | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:49:14:49:32 | call to to_ruby | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value |
+| UnsafeYamlDeserialization.rb:61:24:61:34 | call to read | UnsafeYamlDeserialization.rb:61:24:61:34 | call to read | UnsafeYamlDeserialization.rb:61:24:61:34 | call to read | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:61:24:61:34 | call to read | value from stdin |
+| UnsafeYamlDeserialization.rb:64:24:64:33 | call to gets | UnsafeYamlDeserialization.rb:64:24:64:33 | call to gets | UnsafeYamlDeserialization.rb:64:24:64:33 | call to gets | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:64:24:64:33 | call to gets | value from stdin |
+| UnsafeYamlDeserialization.rb:67:24:67:32 | call to read | UnsafeYamlDeserialization.rb:67:24:67:32 | call to read | UnsafeYamlDeserialization.rb:67:24:67:32 | call to read | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:67:24:67:32 | call to read | value from stdin |
+| UnsafeYamlDeserialization.rb:70:24:70:27 | call to gets | UnsafeYamlDeserialization.rb:70:24:70:27 | call to gets | UnsafeYamlDeserialization.rb:70:24:70:27 | call to gets | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:70:24:70:27 | call to gets | value from stdin |
+| UnsafeYamlDeserialization.rb:73:24:73:32 | call to readlines | UnsafeYamlDeserialization.rb:73:24:73:32 | call to readlines | UnsafeYamlDeserialization.rb:73:24:73:32 | call to readlines | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:73:24:73:32 | call to readlines | value from stdin |
