fix a comment

2026-02-17 15:33:45 +01:00 · 2023-10-11 12:50:00 +02:00
parent 8768eb64e6
commit 2e4e5ef480
1 changed files with 6 additions and 4 deletions
--- a/ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qll
+++ b/ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qll
@@ -81,16 +81,18 @@ module ZipInputStream {
  /**
   * Gets a node of `Zip::InputStream` member
   *
-   * Note that if you use the lower level Zip::InputStream interface, rubyzip does not check the entry sizes.
+   * Note that if you use the lower level Zip::InputStream interface, rubyZip does not check the entry sizes.
   */
  private API::Node zipInputStream() {
    result = API::getTopLevelMember("Zip").getMember("InputStream")
  }

  /**
-   * The return values of following methods
-   * `ZipIO.read`
-   * `ZipEntry.extract`
+   * The methods
+   * `Zip::InputStream.read`
+   * `Zip::InputStream.extract`
+   *
+   * as source of decompression bombs, they need an additional taint step for a dataflow or taint tracking query
   */
  class DecompressionBombSink extends DecompressionBomb::Range {
    DecompressionBombSink() { this = zipInputStream().getMethod(["open", "new"]) }