Update tests

ruby/ql/test/query-tests/experimental/manually-check-http-verb/ExampleController.rb

@@ -1,48 +0,0 @@
-class ExampleController < ActionController::Base
-  # This function should have 6 vulnerable lines
-  def example_action
-    if request.get?
-      Example.find(params[:example_id])
-    end
-  end
-end
-
-class OtherController < ActionController::Base
-  def other_action
-    if env['REQUEST_METHOD'] == "GET"
-      Other.find(params[:id])
-    end
-  end
-end
-
-class ResourceController < ActionController::Base
-    # This method should have 1 vulnerable line, but is currently failing because it's not a comparison node
-    def resource_action
-      case env['REQUEST_METHOD']
-      when "GET"
-        Resource.find(params[:id])
-      when "POST"
-        Resource.new(params[:id], params[:details])
-      end
-    end
-end
-
-class SafeController < ActionController::Base
-  # this method should have no hits because controllers rely on conventional Rails routes
-  def index
-    Safe.find(params[:id])
-  end
-
-  def create
-    Safe.new(params[:id], params[:details])
-  end
-
-  def update
-    Safe.update(params[:id], params[:details])
-  end
-
-  def delete
-    s = Safe.find(params[:id])
-    s.delete
-  end
-end

ruby/ql/test/query-tests/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.rb

@@ -0,0 +1,96 @@
+class ExampleController < ActionController::Base
+  # Should find
+  def example_action
+    if request.get?
+      Resource.find(id: params[:example_id])
+    end
+  end
+
+  # Should find
+  def other_action
+    if request.env['REQUEST_METHOD'] == "GET"
+      Resource.find(id: params[:id])
+    end
+  end
+
+  # Should find
+  def foo
+    if request.request_method == "GET"
+      Resource.find(id: params[:id])
+    end
+  end
+
+  # Should find
+  def bar
+    if request.method == "GET"
+      Resource.find(id: params[:id])
+    end
+  end
+
+  # Should find
+  def baz
+    if request.raw_request_method == "GET"
+      Resource.find(id: params[:id])
+    end
+  end
+
+    # Should find
+    def foobarbaz
+      if request.request_method_symbol == :GET
+        Resource.find(id: params[:id])
+      end
+    end
+
+  # Should find
+  def resource_action
+    case request.env['REQUEST_METHOD']
+    when "GET"
+      Resource.find(id: params[:id])
+    when "POST"
+      Resource.new(id: params[:id], details: params[:details])
+    end
+  end
+
+
+end
+
+class SafeController < ActionController::Base
+  # this class should have no hits because controllers rely on conventional Rails routes
+  def index
+    Resource.find(id: params[:id])
+  end
+
+  def create
+    Resource.new(id: params[:id], details: params[:details])
+  end
+
+  def update
+    Resource.update(id: params[:id], details: params[:details])
+  end
+
+  def delete
+    s = Resource.find(id: params[:id])
+    s.delete
+  end
+end
+
+# There should be no hits from this class because it does not inherit from ActionController
+class NotAController
+  def example_action
+    if request.get?
+      Resource.find(params[:example_id])
+    end
+  end
+
+  def resource_action
+    case env['REQUEST_METHOD']
+    when "GET"
+      Resource.find(params[:id])
+    when "POST"
+      Resource.new(params[:id], params[:details])
+    end
+  end
+end
+
+class Resource < ActiveRecord::Base
+end

ruby/ql/test/query-tests/experimental/manually-check-http-verb/NotController.rb

@@ -1,17 +0,0 @@
-# There should be no hits from this class because it does not inherit from ActionController
-class NotAController
-  def example_action
-    if request.get?
-      Example.find(params[:example_id])
-    end
-  end
-
-  def resource_action
-    case env['REQUEST_METHOD']
-    when "GET"
-      Resource.find(params[:id])
-    when "POST"
-      Resource.new(params[:id], params[:details])
-    end
-  end
-end