Simple tests passing

ruby/ql/test/query-tests/security/decompression-api/DecompressionAPI.expected

@@ -0,0 +1,12 @@
+edges
+| decompression_api.rb:3:31:3:36 | call to params :  | decompression_api.rb:3:31:3:43 | ...[...] |
+| decompression_api.rb:12:35:12:40 | call to params :  | decompression_api.rb:12:35:12:47 | ...[...] |
+nodes
+| decompression_api.rb:3:31:3:36 | call to params :  | semmle.label | call to params :  |
+| decompression_api.rb:3:31:3:43 | ...[...] | semmle.label | ...[...] |
+| decompression_api.rb:12:35:12:40 | call to params :  | semmle.label | call to params :  |
+| decompression_api.rb:12:35:12:47 | ...[...] | semmle.label | ...[...] |
+subpaths
+#select
+| decompression_api.rb:3:31:3:43 | ...[...] | decompression_api.rb:3:31:3:36 | call to params :  | decompression_api.rb:3:31:3:43 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. |
+| decompression_api.rb:12:35:12:47 | ...[...] | decompression_api.rb:12:35:12:40 | call to params :  | decompression_api.rb:12:35:12:47 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. |

ruby/ql/test/query-tests/security/decompression-api/decompression_api.rb

@@ -1,11 +1,16 @@
 class TestController < ActionController::Base
-    def unsafe_unzip
-        TestModel::unzip(params[:path])
+    def unsafe_zlib_unzip
+        Zlib::Inflate.inflate(params[:path])
     end
-end
 
-class TestModel
-    def unzip(filename)
-        Zlib::Inflate.inflate(filename)
+    def safe_zlib_unzip
+        Zlib::Inflate.inflate("testfile.gz")
     end
+
+    def sanitized_zlib_unzip
+        if params[:path].in ["safe_file1.gz", "safe_file2.gz"]
+            Zlib::Inflate.inflate(params[:path])
+        end
+    end
+
 end