Merge branch 'main' into amammad-ruby-bombs

ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.expected

@@ -1,10 +1,10 @@
 edges
-| ImproperLdapAuth.rb:5:5:5:8 | pass | ImproperLdapAuth.rb:15:23:15:26 | pass |
-| ImproperLdapAuth.rb:5:12:5:17 | call to params | ImproperLdapAuth.rb:5:12:5:24 | ...[...] |
-| ImproperLdapAuth.rb:5:12:5:24 | ...[...] | ImproperLdapAuth.rb:5:5:5:8 | pass |
-| ImproperLdapAuth.rb:24:5:24:8 | pass | ImproperLdapAuth.rb:31:24:31:27 | pass |
-| ImproperLdapAuth.rb:24:12:24:17 | call to params | ImproperLdapAuth.rb:24:12:24:24 | ...[...] |
-| ImproperLdapAuth.rb:24:12:24:24 | ...[...] | ImproperLdapAuth.rb:24:5:24:8 | pass |
+| ImproperLdapAuth.rb:5:5:5:8 | pass | ImproperLdapAuth.rb:15:23:15:26 | pass | provenance |  |
+| ImproperLdapAuth.rb:5:12:5:17 | call to params | ImproperLdapAuth.rb:5:12:5:24 | ...[...] | provenance |  |
+| ImproperLdapAuth.rb:5:12:5:24 | ...[...] | ImproperLdapAuth.rb:5:5:5:8 | pass | provenance |  |
+| ImproperLdapAuth.rb:24:5:24:8 | pass | ImproperLdapAuth.rb:31:24:31:27 | pass | provenance |  |
+| ImproperLdapAuth.rb:24:12:24:17 | call to params | ImproperLdapAuth.rb:24:12:24:24 | ...[...] | provenance |  |
+| ImproperLdapAuth.rb:24:12:24:24 | ...[...] | ImproperLdapAuth.rb:24:5:24:8 | pass | provenance |  |
 nodes
 | ImproperLdapAuth.rb:5:5:5:8 | pass | semmle.label | pass |
 | ImproperLdapAuth.rb:5:12:5:17 | call to params | semmle.label | call to params |

ruby/ql/test/query-tests/experimental/InsecureRandomness/InsecureRandomness.expected

@@ -0,0 +1,6 @@
+edges
+nodes
+| InsecureRandomness.rb:6:42:6:57 | call to rand | semmle.label | call to rand |
+subpaths
+#select
+| InsecureRandomness.rb:6:42:6:57 | call to rand | InsecureRandomness.rb:6:42:6:57 | call to rand | InsecureRandomness.rb:6:42:6:57 | call to rand | This uses a cryptographically insecure random number generated at $@ in a security context. | InsecureRandomness.rb:6:42:6:57 | call to rand | call to rand |

ruby/ql/test/query-tests/experimental/InsecureRandomness/InsecureRandomness.qlref

@@ -0,0 +1 @@
+experimental/insecure-randomness/InsecureRandomness.ql

ruby/ql/test/query-tests/experimental/InsecureRandomness/InsecureRandomness.rb

@@ -0,0 +1,19 @@
+require 'securerandom'
+
+def generate_password_1(length)
+  chars = ('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a + ['!', '@', '#', '$', '%']
+  # BAD: rand is not cryptographically secure
+  password = (1..length).collect { chars[rand(chars.size)] }.join
+end
+
+def generate_password_2(length)
+  chars = ('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a + ['!', '@', '#', '$', '%']
+
+  # GOOD: SecureRandom is cryptographically secure
+  password = SecureRandom.random_bytes(length).each_byte.map do |byte|
+    chars[byte % chars.length]
+  end.join
+end
+
+password = generate_password_1(10)
+password = generate_password_2(10)

ruby/ql/test/query-tests/experimental/LdapInjection/Ldapinjection.expected

@@ -1,16 +1,18 @@
 edges
-| LdapInjection.rb:5:5:5:6 | dc | LdapInjection.rb:25:23:25:49 | "ou=people,dc=#{...},dc=com" |
-| LdapInjection.rb:5:10:5:15 | call to params | LdapInjection.rb:5:10:5:20 | ...[...] |
-| LdapInjection.rb:5:10:5:20 | ...[...] | LdapInjection.rb:5:5:5:6 | dc |
-| LdapInjection.rb:9:5:9:8 | name | LdapInjection.rb:29:62:29:73 | "cn=#{...}" |
-| LdapInjection.rb:9:5:9:8 | name | LdapInjection.rb:33:88:33:91 | name |
-| LdapInjection.rb:9:12:9:17 | call to params | LdapInjection.rb:9:12:9:29 | ...[...] |
-| LdapInjection.rb:9:12:9:29 | ...[...] | LdapInjection.rb:9:5:9:8 | name |
-| LdapInjection.rb:33:88:33:91 | name | LdapInjection.rb:33:87:33:92 | call to [] |
-| LdapInjection.rb:33:88:33:91 | name | LdapInjection.rb:37:41:37:44 | name |
-| LdapInjection.rb:37:5:37:10 | filter | LdapInjection.rb:38:62:38:67 | filter |
-| LdapInjection.rb:37:14:37:45 | call to eq | LdapInjection.rb:37:5:37:10 | filter |
-| LdapInjection.rb:37:41:37:44 | name | LdapInjection.rb:37:14:37:45 | call to eq |
+| LdapInjection.rb:5:5:5:6 | dc | LdapInjection.rb:25:23:25:49 | "ou=people,dc=#{...},dc=com" | provenance | AdditionalTaintStep |
+| LdapInjection.rb:5:10:5:15 | call to params | LdapInjection.rb:5:10:5:20 | ...[...] | provenance |  |
+| LdapInjection.rb:5:10:5:20 | ...[...] | LdapInjection.rb:5:5:5:6 | dc | provenance |  |
+| LdapInjection.rb:9:5:9:8 | name | LdapInjection.rb:29:62:29:73 | "cn=#{...}" | provenance | AdditionalTaintStep |
+| LdapInjection.rb:9:5:9:8 | name | LdapInjection.rb:33:88:33:91 | name | provenance |  |
+| LdapInjection.rb:9:12:9:17 | call to params | LdapInjection.rb:9:12:9:29 | ...[...] | provenance |  |
+| LdapInjection.rb:9:12:9:29 | ...[...] | LdapInjection.rb:9:5:9:8 | name | provenance |  |
+| LdapInjection.rb:33:87:33:92 | call to [] [element 0] | LdapInjection.rb:33:87:33:92 | call to [] | provenance |  |
+| LdapInjection.rb:33:88:33:91 | name | LdapInjection.rb:33:87:33:92 | call to [] | provenance |  |
+| LdapInjection.rb:33:88:33:91 | name | LdapInjection.rb:33:87:33:92 | call to [] [element 0] | provenance |  |
+| LdapInjection.rb:33:88:33:91 | name | LdapInjection.rb:37:41:37:44 | name | provenance |  |
+| LdapInjection.rb:37:5:37:10 | filter | LdapInjection.rb:38:62:38:67 | filter | provenance |  |
+| LdapInjection.rb:37:14:37:45 | call to eq | LdapInjection.rb:37:5:37:10 | filter | provenance |  |
+| LdapInjection.rb:37:41:37:44 | name | LdapInjection.rb:37:14:37:45 | call to eq | provenance |  |
 nodes
 | LdapInjection.rb:5:5:5:6 | dc | semmle.label | dc |
 | LdapInjection.rb:5:10:5:15 | call to params | semmle.label | call to params |
@@ -21,6 +23,7 @@ nodes
 | LdapInjection.rb:25:23:25:49 | "ou=people,dc=#{...},dc=com" | semmle.label | "ou=people,dc=#{...},dc=com" |
 | LdapInjection.rb:29:62:29:73 | "cn=#{...}" | semmle.label | "cn=#{...}" |
 | LdapInjection.rb:33:87:33:92 | call to [] | semmle.label | call to [] |
+| LdapInjection.rb:33:87:33:92 | call to [] [element 0] | semmle.label | call to [] [element 0] |
 | LdapInjection.rb:33:88:33:91 | name | semmle.label | name |
 | LdapInjection.rb:37:5:37:10 | filter | semmle.label | filter |
 | LdapInjection.rb:37:14:37:45 | call to eq | semmle.label | call to eq |

ruby/ql/test/query-tests/experimental/TemplateInjection/TemplateInjection.expected

@@ -1,21 +1,21 @@
 edges
-| ErbInjection.rb:5:5:5:8 | name | ErbInjection.rb:8:5:8:12 | bad_text |
-| ErbInjection.rb:5:5:5:8 | name | ErbInjection.rb:11:11:11:14 | name |
-| ErbInjection.rb:5:12:5:17 | call to params | ErbInjection.rb:5:12:5:24 | ...[...] |
-| ErbInjection.rb:5:12:5:24 | ...[...] | ErbInjection.rb:5:5:5:8 | name |
-| ErbInjection.rb:8:5:8:12 | bad_text | ErbInjection.rb:15:24:15:31 | bad_text |
-| ErbInjection.rb:8:5:8:12 | bad_text | ErbInjection.rb:19:20:19:27 | bad_text |
-| ErbInjection.rb:8:16:11:14 | ... % ... | ErbInjection.rb:8:5:8:12 | bad_text |
-| ErbInjection.rb:11:11:11:14 | name | ErbInjection.rb:8:16:11:14 | ... % ... |
-| SlimInjection.rb:5:5:5:8 | name | SlimInjection.rb:11:11:11:14 | name |
-| SlimInjection.rb:5:5:5:8 | name | SlimInjection.rb:14:23:14:34 | { ... } [captured bad_text] |
-| SlimInjection.rb:5:5:5:8 | name | SlimInjection.rb:23:23:23:35 | { ... } [captured bad2_text] |
-| SlimInjection.rb:5:12:5:17 | call to params | SlimInjection.rb:5:12:5:24 | ...[...] |
-| SlimInjection.rb:5:12:5:24 | ...[...] | SlimInjection.rb:5:5:5:8 | name |
-| SlimInjection.rb:8:16:11:14 | ... % ... | SlimInjection.rb:14:23:14:34 | { ... } [captured bad_text] |
-| SlimInjection.rb:11:11:11:14 | name | SlimInjection.rb:8:16:11:14 | ... % ... |
-| SlimInjection.rb:14:23:14:34 | { ... } [captured bad_text] | SlimInjection.rb:14:25:14:32 | bad_text |
-| SlimInjection.rb:23:23:23:35 | { ... } [captured bad2_text] | SlimInjection.rb:23:25:23:33 | bad2_text |
+| ErbInjection.rb:5:5:5:8 | name | ErbInjection.rb:8:5:8:12 | bad_text | provenance |  |
+| ErbInjection.rb:5:5:5:8 | name | ErbInjection.rb:11:11:11:14 | name | provenance |  |
+| ErbInjection.rb:5:12:5:17 | call to params | ErbInjection.rb:5:12:5:24 | ...[...] | provenance |  |
+| ErbInjection.rb:5:12:5:24 | ...[...] | ErbInjection.rb:5:5:5:8 | name | provenance |  |
+| ErbInjection.rb:8:5:8:12 | bad_text | ErbInjection.rb:15:24:15:31 | bad_text | provenance |  |
+| ErbInjection.rb:8:5:8:12 | bad_text | ErbInjection.rb:19:20:19:27 | bad_text | provenance |  |
+| ErbInjection.rb:8:16:11:14 | ... % ... | ErbInjection.rb:8:5:8:12 | bad_text | provenance |  |
+| ErbInjection.rb:11:11:11:14 | name | ErbInjection.rb:8:16:11:14 | ... % ... | provenance |  |
+| SlimInjection.rb:5:5:5:8 | name | SlimInjection.rb:11:11:11:14 | name | provenance |  |
+| SlimInjection.rb:5:5:5:8 | name | SlimInjection.rb:14:23:14:34 | { ... } [captured bad_text] | provenance |  |
+| SlimInjection.rb:5:5:5:8 | name | SlimInjection.rb:23:23:23:35 | { ... } [captured bad2_text] | provenance | AdditionalTaintStep |
+| SlimInjection.rb:5:12:5:17 | call to params | SlimInjection.rb:5:12:5:24 | ...[...] | provenance |  |
+| SlimInjection.rb:5:12:5:24 | ...[...] | SlimInjection.rb:5:5:5:8 | name | provenance |  |
+| SlimInjection.rb:8:16:11:14 | ... % ... | SlimInjection.rb:14:23:14:34 | { ... } [captured bad_text] | provenance |  |
+| SlimInjection.rb:11:11:11:14 | name | SlimInjection.rb:8:16:11:14 | ... % ... | provenance |  |
+| SlimInjection.rb:14:23:14:34 | { ... } [captured bad_text] | SlimInjection.rb:14:25:14:32 | bad_text | provenance | heuristic-callback |
+| SlimInjection.rb:23:23:23:35 | { ... } [captured bad2_text] | SlimInjection.rb:23:25:23:33 | bad2_text | provenance | heuristic-callback |
 nodes
 | ErbInjection.rb:5:5:5:8 | name | semmle.label | name |
 | ErbInjection.rb:5:12:5:17 | call to params | semmle.label | call to params |

ruby/ql/test/query-tests/experimental/XPathInjection/XPathInjection.expected

@@ -1,20 +1,20 @@
 edges
-| LibxmlInjection.rb:5:5:5:8 | name | LibxmlInjection.rb:21:31:21:41 | "//#{...}" |
-| LibxmlInjection.rb:5:5:5:8 | name | LibxmlInjection.rb:27:25:27:35 | "//#{...}" |
-| LibxmlInjection.rb:5:12:5:17 | call to params | LibxmlInjection.rb:5:12:5:29 | ...[...] |
-| LibxmlInjection.rb:5:12:5:29 | ...[...] | LibxmlInjection.rb:5:5:5:8 | name |
-| NokogiriInjection.rb:5:5:5:8 | name | NokogiriInjection.rb:21:23:21:33 | "//#{...}" |
-| NokogiriInjection.rb:5:5:5:8 | name | NokogiriInjection.rb:27:26:27:36 | "//#{...}" |
-| NokogiriInjection.rb:5:5:5:8 | name | NokogiriInjection.rb:33:29:33:39 | "//#{...}" |
-| NokogiriInjection.rb:5:5:5:8 | name | NokogiriInjection.rb:41:15:41:25 | "//#{...}" |
-| NokogiriInjection.rb:5:5:5:8 | name | NokogiriInjection.rb:51:16:51:26 | "//#{...}" |
-| NokogiriInjection.rb:5:12:5:17 | call to params | NokogiriInjection.rb:5:12:5:29 | ...[...] |
-| NokogiriInjection.rb:5:12:5:29 | ...[...] | NokogiriInjection.rb:5:5:5:8 | name |
-| RexmlInjection.rb:5:5:5:8 | name | RexmlInjection.rb:21:40:21:50 | "//#{...}" |
-| RexmlInjection.rb:5:5:5:8 | name | RexmlInjection.rb:27:40:27:50 | "//#{...}" |
-| RexmlInjection.rb:5:5:5:8 | name | RexmlInjection.rb:35:28:35:38 | "//#{...}" |
-| RexmlInjection.rb:5:12:5:17 | call to params | RexmlInjection.rb:5:12:5:29 | ...[...] |
-| RexmlInjection.rb:5:12:5:29 | ...[...] | RexmlInjection.rb:5:5:5:8 | name |
+| LibxmlInjection.rb:5:5:5:8 | name | LibxmlInjection.rb:21:31:21:41 | "//#{...}" | provenance | AdditionalTaintStep |
+| LibxmlInjection.rb:5:5:5:8 | name | LibxmlInjection.rb:27:25:27:35 | "//#{...}" | provenance | AdditionalTaintStep |
+| LibxmlInjection.rb:5:12:5:17 | call to params | LibxmlInjection.rb:5:12:5:29 | ...[...] | provenance |  |
+| LibxmlInjection.rb:5:12:5:29 | ...[...] | LibxmlInjection.rb:5:5:5:8 | name | provenance |  |
+| NokogiriInjection.rb:5:5:5:8 | name | NokogiriInjection.rb:21:23:21:33 | "//#{...}" | provenance | AdditionalTaintStep |
+| NokogiriInjection.rb:5:5:5:8 | name | NokogiriInjection.rb:27:26:27:36 | "//#{...}" | provenance | AdditionalTaintStep |
+| NokogiriInjection.rb:5:5:5:8 | name | NokogiriInjection.rb:33:29:33:39 | "//#{...}" | provenance | AdditionalTaintStep |
+| NokogiriInjection.rb:5:5:5:8 | name | NokogiriInjection.rb:41:15:41:25 | "//#{...}" | provenance | AdditionalTaintStep |
+| NokogiriInjection.rb:5:5:5:8 | name | NokogiriInjection.rb:51:16:51:26 | "//#{...}" | provenance | AdditionalTaintStep |
+| NokogiriInjection.rb:5:12:5:17 | call to params | NokogiriInjection.rb:5:12:5:29 | ...[...] | provenance |  |
+| NokogiriInjection.rb:5:12:5:29 | ...[...] | NokogiriInjection.rb:5:5:5:8 | name | provenance |  |
+| RexmlInjection.rb:5:5:5:8 | name | RexmlInjection.rb:21:40:21:50 | "//#{...}" | provenance | AdditionalTaintStep |
+| RexmlInjection.rb:5:5:5:8 | name | RexmlInjection.rb:27:40:27:50 | "//#{...}" | provenance | AdditionalTaintStep |
+| RexmlInjection.rb:5:5:5:8 | name | RexmlInjection.rb:35:28:35:38 | "//#{...}" | provenance | AdditionalTaintStep |
+| RexmlInjection.rb:5:12:5:17 | call to params | RexmlInjection.rb:5:12:5:29 | ...[...] | provenance |  |
+| RexmlInjection.rb:5:12:5:29 | ...[...] | RexmlInjection.rb:5:5:5:8 | name | provenance |  |
 nodes
 | LibxmlInjection.rb:5:5:5:8 | name | semmle.label | name |
 | LibxmlInjection.rb:5:12:5:17 | call to params | semmle.label | call to params |

ruby/ql/test/query-tests/experimental/cwe-022-ZipSlip/ZipSlip.expected

@@ -1,36 +1,36 @@
 edges
-| zip_slip.rb:8:5:8:11 | tarfile | zip_slip.rb:9:5:9:11 | tarfile |
-| zip_slip.rb:8:15:8:54 | call to new | zip_slip.rb:8:5:8:11 | tarfile |
-| zip_slip.rb:9:5:9:11 | tarfile | zip_slip.rb:9:22:9:26 | entry |
-| zip_slip.rb:9:22:9:26 | entry | zip_slip.rb:10:19:10:23 | entry |
-| zip_slip.rb:10:19:10:23 | entry | zip_slip.rb:10:19:10:33 | call to full_name |
-| zip_slip.rb:20:50:20:56 | tarfile | zip_slip.rb:21:7:21:13 | tarfile |
-| zip_slip.rb:21:7:21:13 | tarfile | zip_slip.rb:21:30:21:34 | entry |
-| zip_slip.rb:21:30:21:34 | entry | zip_slip.rb:22:21:22:25 | entry |
-| zip_slip.rb:22:21:22:25 | entry | zip_slip.rb:22:21:22:35 | call to full_name |
-| zip_slip.rb:46:5:46:24 | call to open | zip_slip.rb:46:35:46:39 | entry |
-| zip_slip.rb:46:35:46:39 | entry | zip_slip.rb:47:17:47:21 | entry |
-| zip_slip.rb:47:17:47:21 | entry | zip_slip.rb:47:17:47:26 | call to name |
-| zip_slip.rb:56:30:56:37 | zip_file | zip_slip.rb:57:7:57:14 | zip_file |
-| zip_slip.rb:57:7:57:14 | zip_file | zip_slip.rb:57:25:57:29 | entry |
-| zip_slip.rb:57:25:57:29 | entry | zip_slip.rb:58:19:58:23 | entry |
-| zip_slip.rb:58:19:58:23 | entry | zip_slip.rb:58:19:58:28 | call to name |
-| zip_slip.rb:90:5:90:8 | gzip | zip_slip.rb:91:11:91:14 | gzip |
-| zip_slip.rb:90:12:90:54 | call to open | zip_slip.rb:90:5:90:8 | gzip |
-| zip_slip.rb:91:11:91:14 | gzip | zip_slip.rb:97:42:97:56 | compressed_file |
-| zip_slip.rb:97:42:97:56 | compressed_file | zip_slip.rb:98:7:98:21 | compressed_file |
-| zip_slip.rb:98:7:98:21 | compressed_file | zip_slip.rb:98:32:98:36 | entry |
-| zip_slip.rb:98:32:98:36 | entry | zip_slip.rb:99:22:99:26 | entry |
-| zip_slip.rb:99:9:99:18 | entry_path | zip_slip.rb:100:21:100:30 | entry_path |
-| zip_slip.rb:99:22:99:26 | entry | zip_slip.rb:99:22:99:36 | call to full_name |
-| zip_slip.rb:99:22:99:36 | call to full_name | zip_slip.rb:99:9:99:18 | entry_path |
-| zip_slip.rb:123:7:123:8 | gz | zip_slip.rb:124:7:124:8 | gz |
-| zip_slip.rb:123:12:123:34 | call to new | zip_slip.rb:123:7:123:8 | gz |
-| zip_slip.rb:124:7:124:8 | gz | zip_slip.rb:124:19:124:23 | entry |
-| zip_slip.rb:124:19:124:23 | entry | zip_slip.rb:125:22:125:26 | entry |
-| zip_slip.rb:125:9:125:18 | entry_path | zip_slip.rb:126:21:126:30 | entry_path |
-| zip_slip.rb:125:22:125:26 | entry | zip_slip.rb:125:22:125:36 | call to full_name |
-| zip_slip.rb:125:22:125:36 | call to full_name | zip_slip.rb:125:9:125:18 | entry_path |
+| zip_slip.rb:8:5:8:11 | tarfile | zip_slip.rb:9:5:9:11 | tarfile | provenance |  |
+| zip_slip.rb:8:15:8:54 | call to new | zip_slip.rb:8:5:8:11 | tarfile | provenance |  |
+| zip_slip.rb:9:5:9:11 | tarfile | zip_slip.rb:9:22:9:26 | entry | provenance |  |
+| zip_slip.rb:9:22:9:26 | entry | zip_slip.rb:10:19:10:23 | entry | provenance |  |
+| zip_slip.rb:10:19:10:23 | entry | zip_slip.rb:10:19:10:33 | call to full_name | provenance |  |
+| zip_slip.rb:20:50:20:56 | tarfile | zip_slip.rb:21:7:21:13 | tarfile | provenance |  |
+| zip_slip.rb:21:7:21:13 | tarfile | zip_slip.rb:21:30:21:34 | entry | provenance |  |
+| zip_slip.rb:21:30:21:34 | entry | zip_slip.rb:22:21:22:25 | entry | provenance |  |
+| zip_slip.rb:22:21:22:25 | entry | zip_slip.rb:22:21:22:35 | call to full_name | provenance |  |
+| zip_slip.rb:46:5:46:24 | call to open | zip_slip.rb:46:35:46:39 | entry | provenance |  |
+| zip_slip.rb:46:35:46:39 | entry | zip_slip.rb:47:17:47:21 | entry | provenance |  |
+| zip_slip.rb:47:17:47:21 | entry | zip_slip.rb:47:17:47:26 | call to name | provenance |  |
+| zip_slip.rb:56:30:56:37 | zip_file | zip_slip.rb:57:7:57:14 | zip_file | provenance |  |
+| zip_slip.rb:57:7:57:14 | zip_file | zip_slip.rb:57:25:57:29 | entry | provenance |  |
+| zip_slip.rb:57:25:57:29 | entry | zip_slip.rb:58:19:58:23 | entry | provenance |  |
+| zip_slip.rb:58:19:58:23 | entry | zip_slip.rb:58:19:58:28 | call to name | provenance |  |
+| zip_slip.rb:90:5:90:8 | gzip | zip_slip.rb:91:11:91:14 | gzip | provenance |  |
+| zip_slip.rb:90:12:90:54 | call to open | zip_slip.rb:90:5:90:8 | gzip | provenance |  |
+| zip_slip.rb:91:11:91:14 | gzip | zip_slip.rb:97:42:97:56 | compressed_file | provenance |  |
+| zip_slip.rb:97:42:97:56 | compressed_file | zip_slip.rb:98:7:98:21 | compressed_file | provenance |  |
+| zip_slip.rb:98:7:98:21 | compressed_file | zip_slip.rb:98:32:98:36 | entry | provenance |  |
+| zip_slip.rb:98:32:98:36 | entry | zip_slip.rb:99:22:99:26 | entry | provenance |  |
+| zip_slip.rb:99:9:99:18 | entry_path | zip_slip.rb:100:21:100:30 | entry_path | provenance |  |
+| zip_slip.rb:99:22:99:26 | entry | zip_slip.rb:99:22:99:36 | call to full_name | provenance |  |
+| zip_slip.rb:99:22:99:36 | call to full_name | zip_slip.rb:99:9:99:18 | entry_path | provenance |  |
+| zip_slip.rb:123:7:123:8 | gz | zip_slip.rb:124:7:124:8 | gz | provenance |  |
+| zip_slip.rb:123:12:123:34 | call to new | zip_slip.rb:123:7:123:8 | gz | provenance |  |
+| zip_slip.rb:124:7:124:8 | gz | zip_slip.rb:124:19:124:23 | entry | provenance |  |
+| zip_slip.rb:124:19:124:23 | entry | zip_slip.rb:125:22:125:26 | entry | provenance |  |
+| zip_slip.rb:125:9:125:18 | entry_path | zip_slip.rb:126:21:126:30 | entry_path | provenance |  |
+| zip_slip.rb:125:22:125:26 | entry | zip_slip.rb:125:22:125:36 | call to full_name | provenance |  |
+| zip_slip.rb:125:22:125:36 | call to full_name | zip_slip.rb:125:9:125:18 | entry_path | provenance |  |
 nodes
 | zip_slip.rb:8:5:8:11 | tarfile | semmle.label | tarfile |
 | zip_slip.rb:8:15:8:54 | call to new | semmle.label | call to new |

ruby/ql/test/query-tests/experimental/cwe-176/UnicodeBypassValidation.expected

@@ -1,34 +1,34 @@
 edges
-| unicode_normalization.rb:7:5:7:17 | unicode_input | unicode_normalization.rb:8:23:8:35 | unicode_input |
-| unicode_normalization.rb:7:5:7:17 | unicode_input | unicode_normalization.rb:9:22:9:34 | unicode_input |
-| unicode_normalization.rb:7:21:7:26 | call to params | unicode_normalization.rb:7:21:7:42 | ...[...] |
-| unicode_normalization.rb:7:21:7:42 | ...[...] | unicode_normalization.rb:7:5:7:17 | unicode_input |
-| unicode_normalization.rb:15:5:15:17 | unicode_input | unicode_normalization.rb:16:27:16:39 | unicode_input |
-| unicode_normalization.rb:15:5:15:17 | unicode_input | unicode_normalization.rb:16:27:16:39 | unicode_input |
-| unicode_normalization.rb:15:21:15:26 | call to params | unicode_normalization.rb:15:21:15:42 | ...[...] |
-| unicode_normalization.rb:15:21:15:26 | call to params | unicode_normalization.rb:15:21:15:42 | ...[...] |
-| unicode_normalization.rb:15:21:15:42 | ...[...] | unicode_normalization.rb:15:5:15:17 | unicode_input |
-| unicode_normalization.rb:15:21:15:42 | ...[...] | unicode_normalization.rb:15:5:15:17 | unicode_input |
-| unicode_normalization.rb:16:5:16:23 | unicode_input_manip | unicode_normalization.rb:17:23:17:41 | unicode_input_manip |
-| unicode_normalization.rb:16:5:16:23 | unicode_input_manip | unicode_normalization.rb:18:22:18:40 | unicode_input_manip |
-| unicode_normalization.rb:16:27:16:39 | unicode_input | unicode_normalization.rb:16:27:16:59 | call to sub |
-| unicode_normalization.rb:16:27:16:39 | unicode_input | unicode_normalization.rb:16:27:16:59 | call to sub |
-| unicode_normalization.rb:16:27:16:59 | call to sub | unicode_normalization.rb:16:5:16:23 | unicode_input_manip |
-| unicode_normalization.rb:24:5:24:17 | unicode_input | unicode_normalization.rb:25:37:25:49 | unicode_input |
-| unicode_normalization.rb:24:21:24:26 | call to params | unicode_normalization.rb:24:21:24:42 | ...[...] |
-| unicode_normalization.rb:24:21:24:42 | ...[...] | unicode_normalization.rb:24:5:24:17 | unicode_input |
-| unicode_normalization.rb:25:5:25:21 | unicode_html_safe | unicode_normalization.rb:26:23:26:39 | unicode_html_safe |
-| unicode_normalization.rb:25:5:25:21 | unicode_html_safe | unicode_normalization.rb:27:22:27:38 | unicode_html_safe |
-| unicode_normalization.rb:25:25:25:50 | call to html_escape | unicode_normalization.rb:25:5:25:21 | unicode_html_safe |
-| unicode_normalization.rb:25:37:25:49 | unicode_input | unicode_normalization.rb:25:25:25:50 | call to html_escape |
-| unicode_normalization.rb:33:5:33:17 | unicode_input | unicode_normalization.rb:34:40:34:52 | unicode_input |
-| unicode_normalization.rb:33:21:33:26 | call to params | unicode_normalization.rb:33:21:33:42 | ...[...] |
-| unicode_normalization.rb:33:21:33:42 | ...[...] | unicode_normalization.rb:33:5:33:17 | unicode_input |
-| unicode_normalization.rb:34:5:34:21 | unicode_html_safe | unicode_normalization.rb:35:23:35:39 | unicode_html_safe |
-| unicode_normalization.rb:34:5:34:21 | unicode_html_safe | unicode_normalization.rb:36:22:36:38 | unicode_html_safe |
-| unicode_normalization.rb:34:25:34:53 | call to escapeHTML | unicode_normalization.rb:34:25:34:63 | call to html_safe |
-| unicode_normalization.rb:34:25:34:63 | call to html_safe | unicode_normalization.rb:34:5:34:21 | unicode_html_safe |
-| unicode_normalization.rb:34:40:34:52 | unicode_input | unicode_normalization.rb:34:25:34:53 | call to escapeHTML |
+| unicode_normalization.rb:7:5:7:17 | unicode_input | unicode_normalization.rb:8:23:8:35 | unicode_input | provenance |  |
+| unicode_normalization.rb:7:5:7:17 | unicode_input | unicode_normalization.rb:9:22:9:34 | unicode_input | provenance |  |
+| unicode_normalization.rb:7:21:7:26 | call to params | unicode_normalization.rb:7:21:7:42 | ...[...] | provenance |  |
+| unicode_normalization.rb:7:21:7:42 | ...[...] | unicode_normalization.rb:7:5:7:17 | unicode_input | provenance |  |
+| unicode_normalization.rb:15:5:15:17 | unicode_input | unicode_normalization.rb:16:27:16:39 | unicode_input | provenance |  |
+| unicode_normalization.rb:15:5:15:17 | unicode_input | unicode_normalization.rb:16:27:16:39 | unicode_input | provenance |  |
+| unicode_normalization.rb:15:21:15:26 | call to params | unicode_normalization.rb:15:21:15:42 | ...[...] | provenance |  |
+| unicode_normalization.rb:15:21:15:26 | call to params | unicode_normalization.rb:15:21:15:42 | ...[...] | provenance |  |
+| unicode_normalization.rb:15:21:15:42 | ...[...] | unicode_normalization.rb:15:5:15:17 | unicode_input | provenance |  |
+| unicode_normalization.rb:15:21:15:42 | ...[...] | unicode_normalization.rb:15:5:15:17 | unicode_input | provenance |  |
+| unicode_normalization.rb:16:5:16:23 | unicode_input_manip | unicode_normalization.rb:17:23:17:41 | unicode_input_manip | provenance |  |
+| unicode_normalization.rb:16:5:16:23 | unicode_input_manip | unicode_normalization.rb:18:22:18:40 | unicode_input_manip | provenance |  |
+| unicode_normalization.rb:16:27:16:39 | unicode_input | unicode_normalization.rb:16:27:16:59 | call to sub | provenance |  |
+| unicode_normalization.rb:16:27:16:39 | unicode_input | unicode_normalization.rb:16:27:16:59 | call to sub | provenance |  |
+| unicode_normalization.rb:16:27:16:59 | call to sub | unicode_normalization.rb:16:5:16:23 | unicode_input_manip | provenance |  |
+| unicode_normalization.rb:24:5:24:17 | unicode_input | unicode_normalization.rb:25:37:25:49 | unicode_input | provenance |  |
+| unicode_normalization.rb:24:21:24:26 | call to params | unicode_normalization.rb:24:21:24:42 | ...[...] | provenance |  |
+| unicode_normalization.rb:24:21:24:42 | ...[...] | unicode_normalization.rb:24:5:24:17 | unicode_input | provenance |  |
+| unicode_normalization.rb:25:5:25:21 | unicode_html_safe | unicode_normalization.rb:26:23:26:39 | unicode_html_safe | provenance |  |
+| unicode_normalization.rb:25:5:25:21 | unicode_html_safe | unicode_normalization.rb:27:22:27:38 | unicode_html_safe | provenance |  |
+| unicode_normalization.rb:25:25:25:50 | call to html_escape | unicode_normalization.rb:25:5:25:21 | unicode_html_safe | provenance |  |
+| unicode_normalization.rb:25:37:25:49 | unicode_input | unicode_normalization.rb:25:25:25:50 | call to html_escape | provenance |  |
+| unicode_normalization.rb:33:5:33:17 | unicode_input | unicode_normalization.rb:34:40:34:52 | unicode_input | provenance |  |
+| unicode_normalization.rb:33:21:33:26 | call to params | unicode_normalization.rb:33:21:33:42 | ...[...] | provenance |  |
+| unicode_normalization.rb:33:21:33:42 | ...[...] | unicode_normalization.rb:33:5:33:17 | unicode_input | provenance |  |
+| unicode_normalization.rb:34:5:34:21 | unicode_html_safe | unicode_normalization.rb:35:23:35:39 | unicode_html_safe | provenance |  |
+| unicode_normalization.rb:34:5:34:21 | unicode_html_safe | unicode_normalization.rb:36:22:36:38 | unicode_html_safe | provenance |  |
+| unicode_normalization.rb:34:25:34:53 | call to escapeHTML | unicode_normalization.rb:34:25:34:63 | call to html_safe | provenance |  |
+| unicode_normalization.rb:34:25:34:63 | call to html_safe | unicode_normalization.rb:34:5:34:21 | unicode_html_safe | provenance |  |
+| unicode_normalization.rb:34:40:34:52 | unicode_input | unicode_normalization.rb:34:25:34:53 | call to escapeHTML | provenance |  |
 nodes
 | unicode_normalization.rb:7:5:7:17 | unicode_input | semmle.label | unicode_input |
 | unicode_normalization.rb:7:21:7:26 | call to params | semmle.label | call to params |

ruby/ql/test/query-tests/experimental/cwe-347/EmptyJWTSecret.expected

@@ -0,0 +1,3 @@
+| EmptyJWTSecret.rb:9:21:9:34 | call to [] | This JWT encoding uses an empty key or none algorithm. |
+| EmptyJWTSecret.rb:12:21:12:34 | call to [] | This JWT encoding uses an empty key or none algorithm. |
+| MissingJWTVerification.rb:6:38:6:44 | payload | This JWT encoding uses an empty key or none algorithm. |

ruby/ql/test/query-tests/experimental/cwe-347/EmptyJWTSecret.qlref

@@ -0,0 +1 @@
+experimental/cwe-347/EmptyJWTSecret.ql

ruby/ql/test/query-tests/experimental/cwe-347/EmptyJWTSecret.rb

@@ -0,0 +1,15 @@
+require 'jwt'
+
+payload = { foo: 'bar' }
+
+# BAD: the token is not signed
+token1 = JWT.encode({ foo: 'bar' }, "secret", 'none')
+
+# BAD: the secret used is empty
+token2 = JWT.encode({ foo: 'bar' }, nil, 'HS256')
+
+# BAD: the secret used is empty
+token3 = JWT.encode({ foo: 'bar' }, "", 'HS256')
+
+# GOOD: the token is signed
+token4 = JWT.encode({ foo: 'bar' }, "secret", 'HS256')

ruby/ql/test/query-tests/experimental/cwe-347/MissingJWTVerification.expected

@@ -0,0 +1,3 @@
+| MissingJWTVerification.rb:12:29:12:51 | token_without_signature | is not verified with a cryptographic secret or public key. |
+| MissingJWTVerification.rb:15:29:15:51 | token_without_signature | is not verified with a cryptographic secret or public key. |
+| MissingJWTVerification.rb:18:29:18:51 | token_without_signature | is not verified with a cryptographic secret or public key. |

ruby/ql/test/query-tests/experimental/cwe-347/MissingJWTVerification.qlref

@@ -0,0 +1 @@
+experimental/cwe-347/MissingJWTVerification.ql

ruby/ql/test/query-tests/experimental/cwe-347/MissingJWTVerification.rb

@@ -0,0 +1,24 @@
+require 'jwt'
+
+payload = { foo: 'bar' }
+
+# Unsecure token
+token_without_signature = JWT.encode(payload, nil, 'none')
+
+# Secure token
+token = JWT.encode(payload, "secret", 'HS256')
+
+# BAD: it does not verify
+decoded_token1 = JWT.decode(token_without_signature, nil, false, algorithm: 'HS256')
+
+# BAD: it's using none
+decoded_token3 = JWT.decode(token_without_signature, secret, true, algorithm: 'none')
+
+# BAD: it's using none
+decoded_token4 = JWT.decode(token_without_signature, secret, true, { algorithm: 'none' })
+
+# GOOD: it does verify
+decoded_token5 = JWT.decode(token, secret, 'HS256')
+
+# GOOD: it does verify
+decoded_token2 = JWT.decode(token,secret)

ruby/ql/test/query-tests/experimental/cwe-502/UnsafeYamlDeserialization.expected

@@ -0,0 +1,56 @@
+edges
+| UnsafeYamlDeserialization.rb:10:5:10:13 | yaml_data | UnsafeYamlDeserialization.rb:11:25:11:33 | yaml_data | provenance |  |
+| UnsafeYamlDeserialization.rb:10:17:10:22 | call to params | UnsafeYamlDeserialization.rb:10:17:10:28 | ...[...] | provenance |  |
+| UnsafeYamlDeserialization.rb:10:17:10:28 | ...[...] | UnsafeYamlDeserialization.rb:10:5:10:13 | yaml_data | provenance |  |
+| UnsafeYamlDeserialization.rb:17:5:17:13 | yaml_data | UnsafeYamlDeserialization.rb:18:25:18:33 | yaml_data | provenance |  |
+| UnsafeYamlDeserialization.rb:17:17:17:22 | call to params | UnsafeYamlDeserialization.rb:17:17:17:28 | ...[...] | provenance |  |
+| UnsafeYamlDeserialization.rb:17:17:17:28 | ...[...] | UnsafeYamlDeserialization.rb:17:5:17:13 | yaml_data | provenance |  |
+| UnsafeYamlDeserialization.rb:32:5:32:13 | yaml_data | UnsafeYamlDeserialization.rb:33:32:33:40 | yaml_data | provenance |  |
+| UnsafeYamlDeserialization.rb:32:5:32:13 | yaml_data | UnsafeYamlDeserialization.rb:34:37:34:45 | yaml_data | provenance |  |
+| UnsafeYamlDeserialization.rb:32:5:32:13 | yaml_data | UnsafeYamlDeserialization.rb:35:32:35:40 | yaml_data | provenance |  |
+| UnsafeYamlDeserialization.rb:32:5:32:13 | yaml_data | UnsafeYamlDeserialization.rb:37:14:37:33 | call to to_ruby | provenance | AdditionalTaintStep |
+| UnsafeYamlDeserialization.rb:32:5:32:13 | yaml_data | UnsafeYamlDeserialization.rb:38:14:38:43 | call to to_ruby | provenance | AdditionalTaintStep |
+| UnsafeYamlDeserialization.rb:32:5:32:13 | yaml_data | UnsafeYamlDeserialization.rb:39:14:39:48 | call to to_ruby | provenance | AdditionalTaintStep |
+| UnsafeYamlDeserialization.rb:32:5:32:13 | yaml_data | UnsafeYamlDeserialization.rb:49:14:49:32 | call to to_ruby | provenance | AdditionalTaintStep |
+| UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:32:17:32:28 | ...[...] | provenance |  |
+| UnsafeYamlDeserialization.rb:32:17:32:28 | ...[...] | UnsafeYamlDeserialization.rb:32:5:32:13 | yaml_data | provenance |  |
+nodes
+| UnsafeYamlDeserialization.rb:10:5:10:13 | yaml_data | semmle.label | yaml_data |
+| UnsafeYamlDeserialization.rb:10:17:10:22 | call to params | semmle.label | call to params |
+| UnsafeYamlDeserialization.rb:10:17:10:28 | ...[...] | semmle.label | ...[...] |
+| UnsafeYamlDeserialization.rb:11:25:11:33 | yaml_data | semmle.label | yaml_data |
+| UnsafeYamlDeserialization.rb:17:5:17:13 | yaml_data | semmle.label | yaml_data |
+| UnsafeYamlDeserialization.rb:17:17:17:22 | call to params | semmle.label | call to params |
+| UnsafeYamlDeserialization.rb:17:17:17:28 | ...[...] | semmle.label | ...[...] |
+| UnsafeYamlDeserialization.rb:18:25:18:33 | yaml_data | semmle.label | yaml_data |
+| UnsafeYamlDeserialization.rb:32:5:32:13 | yaml_data | semmle.label | yaml_data |
+| UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | semmle.label | call to params |
+| UnsafeYamlDeserialization.rb:32:17:32:28 | ...[...] | semmle.label | ...[...] |
+| UnsafeYamlDeserialization.rb:33:32:33:40 | yaml_data | semmle.label | yaml_data |
+| UnsafeYamlDeserialization.rb:34:37:34:45 | yaml_data | semmle.label | yaml_data |
+| UnsafeYamlDeserialization.rb:35:32:35:40 | yaml_data | semmle.label | yaml_data |
+| UnsafeYamlDeserialization.rb:37:14:37:33 | call to to_ruby | semmle.label | call to to_ruby |
+| UnsafeYamlDeserialization.rb:38:14:38:43 | call to to_ruby | semmle.label | call to to_ruby |
+| UnsafeYamlDeserialization.rb:39:14:39:48 | call to to_ruby | semmle.label | call to to_ruby |
+| UnsafeYamlDeserialization.rb:49:14:49:32 | call to to_ruby | semmle.label | call to to_ruby |
+| UnsafeYamlDeserialization.rb:61:24:61:34 | call to read | semmle.label | call to read |
+| UnsafeYamlDeserialization.rb:64:24:64:33 | call to gets | semmle.label | call to gets |
+| UnsafeYamlDeserialization.rb:67:24:67:32 | call to read | semmle.label | call to read |
+| UnsafeYamlDeserialization.rb:70:24:70:27 | call to gets | semmle.label | call to gets |
+| UnsafeYamlDeserialization.rb:73:24:73:32 | call to readlines | semmle.label | call to readlines |
+subpaths
+#select
+| UnsafeYamlDeserialization.rb:11:25:11:33 | yaml_data | UnsafeYamlDeserialization.rb:10:17:10:22 | call to params | UnsafeYamlDeserialization.rb:11:25:11:33 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:10:17:10:22 | call to params | user-provided value |
+| UnsafeYamlDeserialization.rb:18:25:18:33 | yaml_data | UnsafeYamlDeserialization.rb:17:17:17:22 | call to params | UnsafeYamlDeserialization.rb:18:25:18:33 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:17:17:17:22 | call to params | user-provided value |
+| UnsafeYamlDeserialization.rb:33:32:33:40 | yaml_data | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:33:32:33:40 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value |
+| UnsafeYamlDeserialization.rb:34:37:34:45 | yaml_data | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:34:37:34:45 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value |
+| UnsafeYamlDeserialization.rb:35:32:35:40 | yaml_data | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:35:32:35:40 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value |
+| UnsafeYamlDeserialization.rb:37:14:37:33 | call to to_ruby | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:37:14:37:33 | call to to_ruby | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value |
+| UnsafeYamlDeserialization.rb:38:14:38:43 | call to to_ruby | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:38:14:38:43 | call to to_ruby | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value |
+| UnsafeYamlDeserialization.rb:39:14:39:48 | call to to_ruby | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:39:14:39:48 | call to to_ruby | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value |
+| UnsafeYamlDeserialization.rb:49:14:49:32 | call to to_ruby | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | UnsafeYamlDeserialization.rb:49:14:49:32 | call to to_ruby | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:32:17:32:22 | call to params | user-provided value |
+| UnsafeYamlDeserialization.rb:61:24:61:34 | call to read | UnsafeYamlDeserialization.rb:61:24:61:34 | call to read | UnsafeYamlDeserialization.rb:61:24:61:34 | call to read | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:61:24:61:34 | call to read | value from stdin |
+| UnsafeYamlDeserialization.rb:64:24:64:33 | call to gets | UnsafeYamlDeserialization.rb:64:24:64:33 | call to gets | UnsafeYamlDeserialization.rb:64:24:64:33 | call to gets | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:64:24:64:33 | call to gets | value from stdin |
+| UnsafeYamlDeserialization.rb:67:24:67:32 | call to read | UnsafeYamlDeserialization.rb:67:24:67:32 | call to read | UnsafeYamlDeserialization.rb:67:24:67:32 | call to read | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:67:24:67:32 | call to read | value from stdin |
+| UnsafeYamlDeserialization.rb:70:24:70:27 | call to gets | UnsafeYamlDeserialization.rb:70:24:70:27 | call to gets | UnsafeYamlDeserialization.rb:70:24:70:27 | call to gets | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:70:24:70:27 | call to gets | value from stdin |
+| UnsafeYamlDeserialization.rb:73:24:73:32 | call to readlines | UnsafeYamlDeserialization.rb:73:24:73:32 | call to readlines | UnsafeYamlDeserialization.rb:73:24:73:32 | call to readlines | Unsafe deserialization depends on a $@. | UnsafeYamlDeserialization.rb:73:24:73:32 | call to readlines | value from stdin |

ruby/ql/test/query-tests/experimental/cwe-502/UnsafeYamlDeserialization.qlref

@@ -0,0 +1 @@
+experimental/cwe-502/UnsafeYamlDeserialization.ql

ruby/ql/test/query-tests/experimental/cwe-502/UnsafeYamlDeserialization.rb

@@ -0,0 +1,75 @@
+require "active_job"
+require "base64"
+require "json"
+require "oj"
+require "yaml"
+
+class UsersController < ActionController::Base
+  # BAD before psych version 4.0.0 and 
+  def route1
+    yaml_data = params[:key]
+    object = Psych.load yaml_data
+    object = Psych.load_file yaml_data
+  end
+
+  # GOOD In psych version 4.0.0 and above
+  def route2
+    yaml_data = params[:key]
+    object = Psych.load yaml_data
+    object = Psych.load_file yaml_data
+  end
+
+  # GOOD
+  def route3
+    yaml_data = params[:key]
+    object = Psych.parse_stream(yaml_data) 
+    object = Psych.parse(yaml_data)
+    object = Psych.parse_file(yaml_data)
+  end
+
+  # BAD
+  def route4
+    yaml_data = params[:key]
+    object = Psych.unsafe_load(yaml_data)
+    object = Psych.unsafe_load_file(yaml_data)
+    object = Psych.load_stream(yaml_data)
+    parse_output = Psych.parse_stream(yaml_data)
+    object = parse_output.to_ruby
+    object = Psych.parse(yaml_data).to_ruby
+    object = Psych.parse_file(yaml_data).to_ruby
+    parsed_yaml = Psych.parse_stream(yaml_data)
+    parsed_yaml.children.each do |child|
+      object = child.to_ruby
+    end
+    Psych.parse_stream(yaml_data)  do |document|
+      object = document.to_ruby
+    end
+    object = parsed_yaml.children.first.to_ruby
+    content = parsed_yaml.children[0].children[0].children
+    object = parsed_yaml.to_ruby[0]
+    object = content.to_ruby[0]
+    object = Psych.parse(yaml_data).children[0].to_ruby
+  end
+
+  # GOOD
+  def route5
+    plist_data = params[:key]
+    result = Plist.parse_xml(plist_data, marshal: false)
+  end
+
+  def stdin
+    object = YAML.load $stdin.read
+
+    # STDIN
+    object = YAML.load STDIN.gets
+
+    # ARGF
+    object = YAML.load ARGF.read
+
+    # Kernel.gets
+    object = YAML.load gets
+
+    # Kernel.readlines
+    object = YAML.load readlines
+  end
+end

ruby/ql/test/query-tests/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.expected

@@ -1,16 +1,16 @@
 edges
-| ManuallyCheckHttpVerb.rb:11:5:11:10 | method | ManuallyCheckHttpVerb.rb:12:8:12:22 | ... == ... |
-| ManuallyCheckHttpVerb.rb:11:14:11:24 | call to env | ManuallyCheckHttpVerb.rb:11:14:11:42 | ...[...] |
-| ManuallyCheckHttpVerb.rb:11:14:11:42 | ...[...] | ManuallyCheckHttpVerb.rb:11:5:11:10 | method |
-| ManuallyCheckHttpVerb.rb:19:5:19:10 | method | ManuallyCheckHttpVerb.rb:20:8:20:22 | ... == ... |
-| ManuallyCheckHttpVerb.rb:19:14:19:35 | call to request_method | ManuallyCheckHttpVerb.rb:19:5:19:10 | method |
-| ManuallyCheckHttpVerb.rb:27:5:27:10 | method | ManuallyCheckHttpVerb.rb:28:8:28:22 | ... == ... |
-| ManuallyCheckHttpVerb.rb:27:14:27:27 | call to method | ManuallyCheckHttpVerb.rb:27:5:27:10 | method |
-| ManuallyCheckHttpVerb.rb:35:5:35:10 | method | ManuallyCheckHttpVerb.rb:36:8:36:22 | ... == ... |
-| ManuallyCheckHttpVerb.rb:35:14:35:39 | call to raw_request_method | ManuallyCheckHttpVerb.rb:35:5:35:10 | method |
-| ManuallyCheckHttpVerb.rb:51:7:51:12 | method | ManuallyCheckHttpVerb.rb:52:10:52:23 | ... == ... |
-| ManuallyCheckHttpVerb.rb:51:16:51:44 | call to request_method_symbol | ManuallyCheckHttpVerb.rb:51:7:51:12 | method |
-| ManuallyCheckHttpVerb.rb:59:10:59:20 | call to env | ManuallyCheckHttpVerb.rb:59:10:59:38 | ...[...] |
+| ManuallyCheckHttpVerb.rb:11:5:11:10 | method | ManuallyCheckHttpVerb.rb:12:8:12:22 | ... == ... | provenance |  |
+| ManuallyCheckHttpVerb.rb:11:14:11:24 | call to env | ManuallyCheckHttpVerb.rb:11:14:11:42 | ...[...] | provenance |  |
+| ManuallyCheckHttpVerb.rb:11:14:11:42 | ...[...] | ManuallyCheckHttpVerb.rb:11:5:11:10 | method | provenance |  |
+| ManuallyCheckHttpVerb.rb:19:5:19:10 | method | ManuallyCheckHttpVerb.rb:20:8:20:22 | ... == ... | provenance |  |
+| ManuallyCheckHttpVerb.rb:19:14:19:35 | call to request_method | ManuallyCheckHttpVerb.rb:19:5:19:10 | method | provenance |  |
+| ManuallyCheckHttpVerb.rb:27:5:27:10 | method | ManuallyCheckHttpVerb.rb:28:8:28:22 | ... == ... | provenance |  |
+| ManuallyCheckHttpVerb.rb:27:14:27:27 | call to method | ManuallyCheckHttpVerb.rb:27:5:27:10 | method | provenance |  |
+| ManuallyCheckHttpVerb.rb:35:5:35:10 | method | ManuallyCheckHttpVerb.rb:36:8:36:22 | ... == ... | provenance |  |
+| ManuallyCheckHttpVerb.rb:35:14:35:39 | call to raw_request_method | ManuallyCheckHttpVerb.rb:35:5:35:10 | method | provenance |  |
+| ManuallyCheckHttpVerb.rb:51:7:51:12 | method | ManuallyCheckHttpVerb.rb:52:10:52:23 | ... == ... | provenance |  |
+| ManuallyCheckHttpVerb.rb:51:16:51:44 | call to request_method_symbol | ManuallyCheckHttpVerb.rb:51:7:51:12 | method | provenance |  |
+| ManuallyCheckHttpVerb.rb:59:10:59:20 | call to env | ManuallyCheckHttpVerb.rb:59:10:59:38 | ...[...] | provenance |  |
 nodes
 | ManuallyCheckHttpVerb.rb:4:8:4:19 | call to get? | semmle.label | call to get? |
 | ManuallyCheckHttpVerb.rb:11:5:11:10 | method | semmle.label | method |

ruby/ql/test/query-tests/experimental/weak-params/WeakParams.expected

@@ -1,8 +1,8 @@
 edges
-| WeakParams.rb:5:28:5:53 | call to request_parameters | WeakParams.rb:5:28:5:59 | ...[...] |
-| WeakParams.rb:10:28:10:51 | call to query_parameters | WeakParams.rb:10:28:10:57 | ...[...] |
-| WeakParams.rb:15:28:15:39 | call to POST | WeakParams.rb:15:28:15:45 | ...[...] |
-| WeakParams.rb:20:28:20:38 | call to GET | WeakParams.rb:20:28:20:44 | ...[...] |
+| WeakParams.rb:5:28:5:53 | call to request_parameters | WeakParams.rb:5:28:5:59 | ...[...] | provenance |  |
+| WeakParams.rb:10:28:10:51 | call to query_parameters | WeakParams.rb:10:28:10:57 | ...[...] | provenance |  |
+| WeakParams.rb:15:28:15:39 | call to POST | WeakParams.rb:15:28:15:45 | ...[...] | provenance |  |
+| WeakParams.rb:20:28:20:38 | call to GET | WeakParams.rb:20:28:20:44 | ...[...] | provenance |  |
 nodes
 | WeakParams.rb:5:28:5:53 | call to request_parameters | semmle.label | call to request_parameters |
 | WeakParams.rb:5:28:5:59 | ...[...] | semmle.label | ...[...] |