add tests

ruby/ql/test/query-tests/experimental/weak-params/WeakParams.expected

@@ -0,0 +1,20 @@
+edges
+| WeakParams.rb:5:28:5:53 | call to request_parameters :  | WeakParams.rb:5:28:5:59 | ...[...] |
+| WeakParams.rb:10:28:10:51 | call to query_parameters :  | WeakParams.rb:10:28:10:57 | ...[...] |
+| WeakParams.rb:15:28:15:39 | call to POST :  | WeakParams.rb:15:28:15:45 | ...[...] |
+| WeakParams.rb:20:28:20:38 | call to GET :  | WeakParams.rb:20:28:20:44 | ...[...] |
+nodes
+| WeakParams.rb:5:28:5:53 | call to request_parameters :  | semmle.label | call to request_parameters :  |
+| WeakParams.rb:5:28:5:59 | ...[...] | semmle.label | ...[...] |
+| WeakParams.rb:10:28:10:51 | call to query_parameters :  | semmle.label | call to query_parameters :  |
+| WeakParams.rb:10:28:10:57 | ...[...] | semmle.label | ...[...] |
+| WeakParams.rb:15:28:15:39 | call to POST :  | semmle.label | call to POST :  |
+| WeakParams.rb:15:28:15:45 | ...[...] | semmle.label | ...[...] |
+| WeakParams.rb:20:28:20:38 | call to GET :  | semmle.label | call to GET :  |
+| WeakParams.rb:20:28:20:44 | ...[...] | semmle.label | ...[...] |
+subpaths
+#select
+| WeakParams.rb:5:28:5:59 | ...[...] | WeakParams.rb:5:28:5:53 | call to request_parameters :  | WeakParams.rb:5:28:5:59 | ...[...] | By exposing all keys in request parameters or by blindy accessing them, unintended parameters could be used and lead to mass-assignment or have other unexpected side-effects. It is safer to follow the 'strong parameters' pattern in Rails, which is outlined here: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html |
+| WeakParams.rb:10:28:10:57 | ...[...] | WeakParams.rb:10:28:10:51 | call to query_parameters :  | WeakParams.rb:10:28:10:57 | ...[...] | By exposing all keys in request parameters or by blindy accessing them, unintended parameters could be used and lead to mass-assignment or have other unexpected side-effects. It is safer to follow the 'strong parameters' pattern in Rails, which is outlined here: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html |
+| WeakParams.rb:15:28:15:45 | ...[...] | WeakParams.rb:15:28:15:39 | call to POST :  | WeakParams.rb:15:28:15:45 | ...[...] | By exposing all keys in request parameters or by blindy accessing them, unintended parameters could be used and lead to mass-assignment or have other unexpected side-effects. It is safer to follow the 'strong parameters' pattern in Rails, which is outlined here: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html |
+| WeakParams.rb:20:28:20:44 | ...[...] | WeakParams.rb:20:28:20:38 | call to GET :  | WeakParams.rb:20:28:20:44 | ...[...] | By exposing all keys in request parameters or by blindy accessing them, unintended parameters could be used and lead to mass-assignment or have other unexpected side-effects. It is safer to follow the 'strong parameters' pattern in Rails, which is outlined here: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html |

ruby/ql/test/query-tests/experimental/weak-params/WeakParams.rb

@@ -1,18 +1,40 @@
 class TestController < ActionController::Base
+  
+  # Should catch
   def create
-    TestObject.new(request.request_parameters)
+    TestObject.create(foo: request.request_parameters[:foo])
   end
 
+  # Should catch
   def create_query
-    TestObject.new(request.query_parameters)
+    TestObject.create(foo: request.query_parameters[:foo])
   end
 
+  # Should catch
+  def update_unsafe
+    TestObject.update(foo: request.POST[:foo])
+  end
+
+  # Should catch
+  def update_unsafe_get
+    TestObject.update(foo: request.GET[:foo])
+  end
+
+  # Should not catch
   def update
     TestObject.update(object_params)
   end
 
-  # 
+  # strong params method
   def object_params
     params.require(:uuid).permit(:notes)
   end
+
+  # Should not catch
+  def test_non_sink
+    puts request.request_parameters
+  end
+end
+
+class TestObject < ActiveRecord::Base
 end