hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 02:05:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix test syntax for sanitizer tests

Browse Source
This commit is contained in:
thiggy1342
2022-06-04 16:31:54 +00:00
committed by GitHub
parent 5ada3b76ed
commit 6cb0717a07
2 changed files with 20 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
ruby/ql/test/query-tests/security/decompression-api/DecompressionAPI.expected
View File

@@ -1,20 +1,16 @@
edges
| decompression_api.rb:3:31:3:36 | call to params : | decompression_api.rb:3:31:3:43 | ...[...] |
| decompression_api.rb:12:35:12:40 | call to params : | decompression_api.rb:12:35:12:47 | ...[...] |
| decompression_api.rb:17:27:17:32 | call to params : | decompression_api.rb:17:27:17:39 | ...[...] |
| decompression_api.rb:26:31:26:36 | call to params : | decompression_api.rb:26:31:26:43 | ...[...] |
| decompression_api.rb:3:31:3:36 | call to params : | decompression_api.rb:3:31:3:44 | ...[...] |
| decompression_api.rb:13:44:13:49 | call to params : | decompression_api.rb:13:44:13:57 | ...[...] |
| decompression_api.rb:17:24:17:29 | call to params : | decompression_api.rb:17:24:17:37 | ...[...] |
nodes
| decompression_api.rb:3:31:3:36 | call to params : | semmle.label | call to params : |
| decompression_api.rb:3:31:3:43 | ...[...] | semmle.label | ...[...] |
| decompression_api.rb:12:35:12:40 | call to params : | semmle.label | call to params : |
| decompression_api.rb:12:35:12:47 | ...[...] | semmle.label | ...[...] |
| decompression_api.rb:17:27:17:32 | call to params : | semmle.label | call to params : |
| decompression_api.rb:17:27:17:39 | ...[...] | semmle.label | ...[...] |
| decompression_api.rb:26:31:26:36 | call to params : | semmle.label | call to params : |
| decompression_api.rb:26:31:26:43 | ...[...] | semmle.label | ...[...] |
| decompression_api.rb:3:31:3:44 | ...[...] | semmle.label | ...[...] |
| decompression_api.rb:13:44:13:49 | call to params : | semmle.label | call to params : |
| decompression_api.rb:13:44:13:57 | ...[...] | semmle.label | ...[...] |
| decompression_api.rb:17:24:17:29 | call to params : | semmle.label | call to params : |
| decompression_api.rb:17:24:17:37 | ...[...] | semmle.label | ...[...] |
subpaths
#select
| decompression_api.rb:3:31:3:43 | ...[...] | decompression_api.rb:3:31:3:36 | call to params : | decompression_api.rb:3:31:3:43 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. |
| decompression_api.rb:12:35:12:47 | ...[...] | decompression_api.rb:12:35:12:40 | call to params : | decompression_api.rb:12:35:12:47 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. |
| decompression_api.rb:17:27:17:39 | ...[...] | decompression_api.rb:17:27:17:32 | call to params : | decompression_api.rb:17:27:17:39 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. |
| decompression_api.rb:26:31:26:43 | ...[...] | decompression_api.rb:26:31:26:36 | call to params : | decompression_api.rb:26:31:26:43 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. |
| decompression_api.rb:3:31:3:44 | ...[...] | decompression_api.rb:3:31:3:36 | call to params : | decompression_api.rb:3:31:3:44 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. |
| decompression_api.rb:13:44:13:57 | ...[...] | decompression_api.rb:13:44:13:49 | call to params : | decompression_api.rb:13:44:13:57 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. |
| decompression_api.rb:17:24:17:37 | ...[...] | decompression_api.rb:17:24:17:29 | call to params : | decompression_api.rb:17:24:17:37 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. |

16
ruby/ql/test/query-tests/security/decompression-api/decompression_api.rb
View File

@@ -1,6 +1,6 @@
class TestController < ActionController::Base
def unsafe_zlib_unzip
Zlib::Inflate.inflate(params[:path])
Zlib::Inflate.inflate(params[:fname])
end
def safe_zlib_unzip
@@ -10,11 +10,11 @@ class TestController < ActionController::Base
DECOMPRESSION_LIB = Zlib
def unsafe_zlib_unzip_const
DECOMPRESSION_LIB::Inflate.inflate(params[:path])
DECOMPRESSION_LIB::Inflate.inflate(params[:fname])
end
def unsafe_zlib_unzip
Zip::File.open(params[:file]) do |zip_file|
Zip::File.open(params[:fname]) do |zip_file|
zip_file.each do |entry|
entry.extract(entry.name)
end
@@ -26,14 +26,16 @@ class TestController < ActionController::Base
end
def sanitized_zlib_unzip
if "safe_file.gz" == params[:path]
Zlib::Inflate.inflate(params[:path])
fname = params[:fname]
if fname == "safe_file.gz"
Zlib::Inflate.inflate(fname)
end
end
def sanitized_array_zlib_unzip
if ["safe_file1.gz", "safe_file2.gz"].include? params[:path]
Zlib::Inflate.inflate(params[:path])
fname = params[:fname]
if ["safe_file1.gz", "safe_file2.gz"].include? fname
Zlib::Inflate.inflate(fname)
end
end