expand test coverage for sanitizers

2026-04-28 02:05:14 +02:00 · 2022-06-10 21:30:41 +00:00
parent 074583eab8
commit c7e67eb2e2
2 changed files with 52 additions and 20 deletions
--- a/ruby/ql/test/query-tests/security/archive-api-path-traversal/ArchiveApiPathTraversal.expected
+++ b/ruby/ql/test/query-tests/security/archive-api-path-traversal/ArchiveApiPathTraversal.expected
@@ -1,24 +1,24 @@
 edges
-| ArchiveApiPathTraversal.rb:4:26:4:31 | call to params :  | ArchiveApiPathTraversal.rb:4:26:4:42 | ...[...] :  |
-| ArchiveApiPathTraversal.rb:4:26:4:42 | ...[...] :  | ArchiveApiPathTraversal.rb:11:17:11:27 | destination :  |
-| ArchiveApiPathTraversal.rb:8:11:8:16 | call to params :  | ArchiveApiPathTraversal.rb:8:11:8:23 | ...[...] :  |
-| ArchiveApiPathTraversal.rb:8:11:8:23 | ...[...] :  | ArchiveApiPathTraversal.rb:29:13:29:16 | file :  |
-| ArchiveApiPathTraversal.rb:11:17:11:27 | destination :  | ArchiveApiPathTraversal.rb:14:38:14:48 | destination :  |
-| ArchiveApiPathTraversal.rb:14:28:14:67 | call to join :  | ArchiveApiPathTraversal.rb:21:21:21:36 | destination_file |
-| ArchiveApiPathTraversal.rb:14:38:14:48 | destination :  | ArchiveApiPathTraversal.rb:14:28:14:67 | call to join :  |
-| ArchiveApiPathTraversal.rb:29:13:29:16 | file :  | ArchiveApiPathTraversal.rb:30:20:30:23 | file |
+| ArchiveApiPathTraversal.rb:5:26:5:31 | call to params :  | ArchiveApiPathTraversal.rb:5:26:5:42 | ...[...] :  |
+| ArchiveApiPathTraversal.rb:5:26:5:42 | ...[...] :  | ArchiveApiPathTraversal.rb:43:17:43:27 | destination :  |
+| ArchiveApiPathTraversal.rb:10:11:10:16 | call to params :  | ArchiveApiPathTraversal.rb:10:11:10:23 | ...[...] :  |
+| ArchiveApiPathTraversal.rb:10:11:10:23 | ...[...] :  | ArchiveApiPathTraversal.rb:61:13:61:16 | file :  |
+| ArchiveApiPathTraversal.rb:43:17:43:27 | destination :  | ArchiveApiPathTraversal.rb:46:38:46:48 | destination :  |
+| ArchiveApiPathTraversal.rb:46:28:46:67 | call to join :  | ArchiveApiPathTraversal.rb:53:21:53:36 | destination_file |
+| ArchiveApiPathTraversal.rb:46:38:46:48 | destination :  | ArchiveApiPathTraversal.rb:46:28:46:67 | call to join :  |
+| ArchiveApiPathTraversal.rb:61:13:61:16 | file :  | ArchiveApiPathTraversal.rb:62:20:62:23 | file |
 nodes
-| ArchiveApiPathTraversal.rb:4:26:4:31 | call to params :  | semmle.label | call to params :  |
-| ArchiveApiPathTraversal.rb:4:26:4:42 | ...[...] :  | semmle.label | ...[...] :  |
-| ArchiveApiPathTraversal.rb:8:11:8:16 | call to params :  | semmle.label | call to params :  |
-| ArchiveApiPathTraversal.rb:8:11:8:23 | ...[...] :  | semmle.label | ...[...] :  |
-| ArchiveApiPathTraversal.rb:11:17:11:27 | destination :  | semmle.label | destination :  |
-| ArchiveApiPathTraversal.rb:14:28:14:67 | call to join :  | semmle.label | call to join :  |
-| ArchiveApiPathTraversal.rb:14:38:14:48 | destination :  | semmle.label | destination :  |
-| ArchiveApiPathTraversal.rb:21:21:21:36 | destination_file | semmle.label | destination_file |
-| ArchiveApiPathTraversal.rb:29:13:29:16 | file :  | semmle.label | file :  |
-| ArchiveApiPathTraversal.rb:30:20:30:23 | file | semmle.label | file |
+| ArchiveApiPathTraversal.rb:5:26:5:31 | call to params :  | semmle.label | call to params :  |
+| ArchiveApiPathTraversal.rb:5:26:5:42 | ...[...] :  | semmle.label | ...[...] :  |
+| ArchiveApiPathTraversal.rb:10:11:10:16 | call to params :  | semmle.label | call to params :  |
+| ArchiveApiPathTraversal.rb:10:11:10:23 | ...[...] :  | semmle.label | ...[...] :  |
+| ArchiveApiPathTraversal.rb:43:17:43:27 | destination :  | semmle.label | destination :  |
+| ArchiveApiPathTraversal.rb:46:28:46:67 | call to join :  | semmle.label | call to join :  |
+| ArchiveApiPathTraversal.rb:46:38:46:48 | destination :  | semmle.label | destination :  |
+| ArchiveApiPathTraversal.rb:53:21:53:36 | destination_file | semmle.label | destination_file |
+| ArchiveApiPathTraversal.rb:61:13:61:16 | file :  | semmle.label | file :  |
+| ArchiveApiPathTraversal.rb:62:20:62:23 | file | semmle.label | file |
 subpaths
 #select
-| ArchiveApiPathTraversal.rb:21:21:21:36 | destination_file | ArchiveApiPathTraversal.rb:4:26:4:31 | call to params :  | ArchiveApiPathTraversal.rb:21:21:21:36 | destination_file | This call to $@ appears to extract an archive using user-controlled data $@ to set the filename. If the filename is not properly handled, they could end up writing to unintended places in the filesystem. | call to open | call to open | call to params :  | call to params :  |
-| ArchiveApiPathTraversal.rb:30:20:30:23 | file | ArchiveApiPathTraversal.rb:8:11:8:16 | call to params :  | ArchiveApiPathTraversal.rb:30:20:30:23 | file | This call to $@ appears to extract an archive using user-controlled data $@ to set the filename. If the filename is not properly handled, they could end up writing to unintended places in the filesystem. | call to open | call to open | call to params :  | call to params :  |
+| ArchiveApiPathTraversal.rb:53:21:53:36 | destination_file | ArchiveApiPathTraversal.rb:5:26:5:31 | call to params :  | ArchiveApiPathTraversal.rb:53:21:53:36 | destination_file | This call to $@ appears to extract an archive using user-controlled data $@ to set the filename. If the filename is not properly handled, they could end up writing to unintended places in the filesystem. | call to open | call to open | call to params :  | call to params :  |
+| ArchiveApiPathTraversal.rb:62:20:62:23 | file | ArchiveApiPathTraversal.rb:10:11:10:16 | call to params :  | ArchiveApiPathTraversal.rb:62:20:62:23 | file | This call to $@ appears to extract an archive using user-controlled data $@ to set the filename. If the filename is not properly handled, they could end up writing to unintended places in the filesystem. | call to open | call to open | call to params :  | call to params :  |
--- a/ruby/ql/test/query-tests/security/archive-api-path-traversal/ArchiveApiPathTraversal.rb
+++ b/ruby/ql/test/query-tests/security/archive-api-path-traversal/ArchiveApiPathTraversal.rb
@@ -1,13 +1,45 @@
 class TestContoller < ActionController::Base
  
+  # this is vulnerable
  def upload
    untar params[:file], params[:filename]
  end

+  # this is vulnerable
  def unpload_zip
    unzip params[:file]
  end

+  # these are not vulnerable because of the string compare sanitizer
+  def safe_upload_string_compare
+    filename = params[:filename]
+    if filename == "safefile.tar"
+      untar params[:file], filename
+    end
+  end
+
+  def safe_upload_zip_string_compare
+    filename = params[:filename]
+    if filename == "safefile.zip"
+      unzip filename
+    end
+  end
+
+  # these are not vulnerable beacuse of the string array compare sanitizer
+  def safe_upload_string_array_compare
+    filename = params[:filename]
+    if ["safefile1.tar", "safefile2.tar"].include? filename
+      untar params[:file], filename
+    end
+  end
+
+  def safe_upload_zip_string_array_compare
+    filename = params[:filename]
+    if ["safefile1.zip", "safefile2.zip"].include? filename
+      unzip filename
+    end
+  end
+
  def untar(io, destination)
    Gem::Package::TarReader.new io do |tar|
      tar.each do |tarfile|