Add ZipSlip/TarSlip query for ruby

ruby/ql/test/query-tests/security/cwe-022-ZipSlip/ZipSlip.expected

@@ -0,0 +1,30 @@
+edges
+| zip_slip.rb:8:15:8:54 | call to new :  | zip_slip.rb:9:5:9:11 | tarfile :  |
+| zip_slip.rb:9:5:9:11 | tarfile :  | zip_slip.rb:9:22:9:26 | entry :  |
+| zip_slip.rb:9:22:9:26 | entry :  | zip_slip.rb:10:19:10:33 | call to full_name |
+| zip_slip.rb:33:5:33:24 | call to open :  | zip_slip.rb:33:35:33:39 | entry :  |
+| zip_slip.rb:33:35:33:39 | entry :  | zip_slip.rb:34:17:34:26 | call to name |
+| zip_slip.rb:53:12:53:54 | call to open :  | zip_slip.rb:54:11:54:14 | gzip :  |
+| zip_slip.rb:54:11:54:14 | gzip :  | zip_slip.rb:60:42:60:56 | compressed_file :  |
+| zip_slip.rb:60:42:60:56 | compressed_file :  | zip_slip.rb:61:7:61:21 | compressed_file :  |
+| zip_slip.rb:61:7:61:21 | compressed_file :  | zip_slip.rb:61:32:61:36 | entry :  |
+| zip_slip.rb:61:32:61:36 | entry :  | zip_slip.rb:63:21:63:30 | entry_path |
+nodes
+| zip_slip.rb:8:15:8:54 | call to new :  | semmle.label | call to new :  |
+| zip_slip.rb:9:5:9:11 | tarfile :  | semmle.label | tarfile :  |
+| zip_slip.rb:9:22:9:26 | entry :  | semmle.label | entry :  |
+| zip_slip.rb:10:19:10:33 | call to full_name | semmle.label | call to full_name |
+| zip_slip.rb:33:5:33:24 | call to open :  | semmle.label | call to open :  |
+| zip_slip.rb:33:35:33:39 | entry :  | semmle.label | entry :  |
+| zip_slip.rb:34:17:34:26 | call to name | semmle.label | call to name |
+| zip_slip.rb:53:12:53:54 | call to open :  | semmle.label | call to open :  |
+| zip_slip.rb:54:11:54:14 | gzip :  | semmle.label | gzip :  |
+| zip_slip.rb:60:42:60:56 | compressed_file :  | semmle.label | compressed_file :  |
+| zip_slip.rb:61:7:61:21 | compressed_file :  | semmle.label | compressed_file :  |
+| zip_slip.rb:61:32:61:36 | entry :  | semmle.label | entry :  |
+| zip_slip.rb:63:21:63:30 | entry_path | semmle.label | entry_path |
+subpaths
+#select
+| zip_slip.rb:10:19:10:33 | call to full_name | zip_slip.rb:8:15:8:54 | call to new :  | zip_slip.rb:10:19:10:33 | call to full_name | This file extraction depends on a $@. | zip_slip.rb:8:15:8:54 | call to new | potentially untrusted source |
+| zip_slip.rb:34:17:34:26 | call to name | zip_slip.rb:33:5:33:24 | call to open :  | zip_slip.rb:34:17:34:26 | call to name | This file extraction depends on a $@. | zip_slip.rb:33:5:33:24 | call to open | potentially untrusted source |
+| zip_slip.rb:63:21:63:30 | entry_path | zip_slip.rb:53:12:53:54 | call to open :  | zip_slip.rb:63:21:63:30 | entry_path | This file extraction depends on a $@. | zip_slip.rb:53:12:53:54 | call to open | potentially untrusted source |

ruby/ql/test/query-tests/security/cwe-022-ZipSlip/ZipSlip.qlref

@@ -0,0 +1 @@
+queries/security/cwe-022/ZipSlip.ql

ruby/ql/test/query-tests/security/cwe-022-ZipSlip/zip_slip.rb

@@ -0,0 +1,99 @@
+require 'zip'
+
+class TestController < ActionController::Base
+  # BAD
+  def tarReaderUnsafe
+    path = params[:path]
+    file_stream = IO.new(IO.sysopen(path))
+    tarfile = Gem::Package::TarReader.new(file_stream)
+    tarfile.each do |entry|
+      ::File.open(entry.full_name, "wb") do |os|
+        entry.read
+      end
+    end
+  end
+  
+  # GOOD
+  def tarReadeSanitizedExpandPath
+    path = params[:path]
+    file_stream = IO.new(IO.sysopen(path))
+    tarfile = Gem::Package::TarReader.new(file_stream)
+    tarfile.each do |entry|
+      entry_path = entry.full_name
+      next if !File.expand_path(entry_path).start_with?("/safepath/")
+      ::File.open(entry_path, "wb") do |os|
+        entry.read
+      end
+    end
+  end
+  
+  # BAD
+  def zipFileUnsafe
+    path = params[:path]
+    Zip::File.open(path).each do |entry|
+      File.open(entry.name, "wb") do |os|
+        entry.read
+      end
+    end
+  end
+  
+  # GOOD
+  def zipFileSanitizedConstCompare
+    path = params[:path]
+    Zip::File.open(path).each do |entry|
+      entry_path = entry.name
+      raise ExtractFailed if entry_path != "/safepath"
+      File.open(entry_path, "wb") do |os|
+        entry.read
+      end
+    end
+  end
+  
+  def get_compressed_file_stream(compressed_file_path)
+    gzip = Zlib::GzipReader.open(compressed_file_path)
+    yield(gzip)
+  end
+  
+  # BAD
+  def gzipReaderUnsafe
+    path = params[:path]
+    get_compressed_file_stream(path) do |compressed_file|
+      compressed_file.each do |entry|
+        entry_path = entry.full_name
+        ::File.open(entry_path, 'wb') do |os|
+          entry.read
+        end
+      end
+    end
+  end
+
+  # GOOD
+  def gzipReaderSafeConstPath
+    path = "/safe.zip"
+    zlib = Zlib::GzipReader.open(path)
+    zlib.each do |entry|
+      entry_path = entry.full_name
+      ::File.open(entry_path, 'wb') do |os|
+        entry.read
+      end
+    end
+  end
+
+  # BAD
+  def gzipReaderUnsafeNewInstance
+    path = params[:path]
+    File.open(path, 'rb') do |f|
+      gz = Zlib::GzipReader.new(f)
+      uncompressed_data = gz.read
+      puts uncompressed_data
+      gz.close
+    end
+    zlib.each do |entry|
+      entry_path = entry.full_name
+      ::File.open(entry_path, 'wb') do |os|
+        entry.read
+      end
+    end
+  end
+
+end