add qlhelp file and example

ruby/ql/src/experimental/decompression-api/DecompressionApi.qhelp

@@ -0,0 +1,28 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>
+      Decompression of user-controlled data without taking proper precaution can
+      result in uncontrolled and massive decompression on the server, resulting 
+      in a denial of service.
+    </p>
+  </overview>
+  <recommendation>
+    <p>
+      When decompressing files supplied by the user, make sure that you're checking
+      the size of the incoming data chunks before writing to an output.
+    </p>
+  </recommendation>
+  <example>
+    <p>
+      In this example, the size of the input buffer chunks and total size are checked before each chunk is written to the output.
+    </p>
+    <sample src="examples/decompress.rb" />
+  </example>
+  
+  <references>
+  <a href="https://cwe.mitre.org/data/definitions/409.html">https://cwe.mitre.org/data/definitions/409.html</a>
+  </references>
+</qhelp>

ruby/ql/src/experimental/decompression-api/examples/decompress.rb

@@ -0,0 +1,17 @@
+class UsersController < ActionController::Base
+  def example_zlib_inflate
+    MAX_ALLOWED_CHUNK_SIZE = 256
+    MAX_ALLOWED_TOTAL_SIZE = 1024
+
+    user_data = params[:data]
+    output = []
+    outsize = 0
+
+    Zlib::Inflate.inflate(user_data) { |chunk|
+      outsize += chunk.size
+      if chunk.size < MAX_ALLOWED_CHUNK_SIZE && outsize < MAX_ALLOWED_TOTAL_SIZE
+        output << chunk
+      end
+    }
+  end
+end