add Zip::File.new query to tests

thiggy1342 · web-flow · commit b078430faf91 · 2022-06-16T00:51:50.000Z
diff --git a/ruby/ql/test/query-tests/security/cwe-022/ArchiveApiPathTraversal.rb b/ruby/ql/test/query-tests/security/cwe-022/ArchiveApiPathTraversal.rb
@@ -10,6 +10,11 @@ def unpload_zip
     unzip params[:file]
   end
 
+  # this is vulnerable
+  def create_new_zip
+    zip params[:filename], files
+  end
+
   # these are not vulnerable because of the string compare sanitizer
   def safe_upload_string_compare
     filename = params[:filename]
@@ -66,4 +71,12 @@ def unzip(file)
       end
     end
   end
+
+  def zip(filename, files = [])
+    Zip::File.new(filename) do |zf|
+      files.each do |f|
+        zf.add f
+      end
+    end
+  end
 end
diff --git a/ruby/ql/test/query-tests/security/cwe-022/PathInjection.expected b/ruby/ql/test/query-tests/security/cwe-022/PathInjection.expected
@@ -1,12 +1,15 @@
 edges
 | ArchiveApiPathTraversal.rb:5:26:5:31 | call to params :  | ArchiveApiPathTraversal.rb:5:26:5:42 | ...[...] :  |
-| ArchiveApiPathTraversal.rb:5:26:5:42 | ...[...] :  | ArchiveApiPathTraversal.rb:44:17:44:27 | destination :  |
+| ArchiveApiPathTraversal.rb:5:26:5:42 | ...[...] :  | ArchiveApiPathTraversal.rb:49:17:49:27 | destination :  |
 | ArchiveApiPathTraversal.rb:10:11:10:16 | call to params :  | ArchiveApiPathTraversal.rb:10:11:10:23 | ...[...] :  |
-| ArchiveApiPathTraversal.rb:10:11:10:23 | ...[...] :  | ArchiveApiPathTraversal.rb:62:13:62:16 | file :  |
-| ArchiveApiPathTraversal.rb:44:17:44:27 | destination :  | ArchiveApiPathTraversal.rb:47:38:47:48 | destination :  |
-| ArchiveApiPathTraversal.rb:47:28:47:67 | call to join :  | ArchiveApiPathTraversal.rb:54:21:54:36 | destination_file |
-| ArchiveApiPathTraversal.rb:47:38:47:48 | destination :  | ArchiveApiPathTraversal.rb:47:28:47:67 | call to join :  |
-| ArchiveApiPathTraversal.rb:62:13:62:16 | file :  | ArchiveApiPathTraversal.rb:63:20:63:23 | file |
+| ArchiveApiPathTraversal.rb:10:11:10:23 | ...[...] :  | ArchiveApiPathTraversal.rb:67:13:67:16 | file :  |
+| ArchiveApiPathTraversal.rb:15:9:15:14 | call to params :  | ArchiveApiPathTraversal.rb:15:9:15:25 | ...[...] :  |
+| ArchiveApiPathTraversal.rb:15:9:15:25 | ...[...] :  | ArchiveApiPathTraversal.rb:75:11:75:18 | filename :  |
+| ArchiveApiPathTraversal.rb:49:17:49:27 | destination :  | ArchiveApiPathTraversal.rb:52:38:52:48 | destination :  |
+| ArchiveApiPathTraversal.rb:52:28:52:67 | call to join :  | ArchiveApiPathTraversal.rb:59:21:59:36 | destination_file |
+| ArchiveApiPathTraversal.rb:52:38:52:48 | destination :  | ArchiveApiPathTraversal.rb:52:28:52:67 | call to join :  |
+| ArchiveApiPathTraversal.rb:67:13:67:16 | file :  | ArchiveApiPathTraversal.rb:68:20:68:23 | file |
+| ArchiveApiPathTraversal.rb:75:11:75:18 | filename :  | ArchiveApiPathTraversal.rb:76:19:76:26 | filename |
 | tainted_path.rb:4:12:4:17 | call to params :  | tainted_path.rb:4:12:4:24 | ...[...] :  |
 | tainted_path.rb:4:12:4:24 | ...[...] :  | tainted_path.rb:5:26:5:29 | path |
 | tainted_path.rb:10:12:10:43 | call to absolute_path :  | tainted_path.rb:11:26:11:29 | path |
@@ -38,12 +41,16 @@ nodes
 | ArchiveApiPathTraversal.rb:5:26:5:42 | ...[...] :  | semmle.label | ...[...] :  |
 | ArchiveApiPathTraversal.rb:10:11:10:16 | call to params :  | semmle.label | call to params :  |
 | ArchiveApiPathTraversal.rb:10:11:10:23 | ...[...] :  | semmle.label | ...[...] :  |
-| ArchiveApiPathTraversal.rb:44:17:44:27 | destination :  | semmle.label | destination :  |
-| ArchiveApiPathTraversal.rb:47:28:47:67 | call to join :  | semmle.label | call to join :  |
-| ArchiveApiPathTraversal.rb:47:38:47:48 | destination :  | semmle.label | destination :  |
-| ArchiveApiPathTraversal.rb:54:21:54:36 | destination_file | semmle.label | destination_file |
-| ArchiveApiPathTraversal.rb:62:13:62:16 | file :  | semmle.label | file :  |
-| ArchiveApiPathTraversal.rb:63:20:63:23 | file | semmle.label | file |
+| ArchiveApiPathTraversal.rb:15:9:15:14 | call to params :  | semmle.label | call to params :  |
+| ArchiveApiPathTraversal.rb:15:9:15:25 | ...[...] :  | semmle.label | ...[...] :  |
+| ArchiveApiPathTraversal.rb:49:17:49:27 | destination :  | semmle.label | destination :  |
+| ArchiveApiPathTraversal.rb:52:28:52:67 | call to join :  | semmle.label | call to join :  |
+| ArchiveApiPathTraversal.rb:52:38:52:48 | destination :  | semmle.label | destination :  |
+| ArchiveApiPathTraversal.rb:59:21:59:36 | destination_file | semmle.label | destination_file |
+| ArchiveApiPathTraversal.rb:67:13:67:16 | file :  | semmle.label | file :  |
+| ArchiveApiPathTraversal.rb:68:20:68:23 | file | semmle.label | file |
+| ArchiveApiPathTraversal.rb:75:11:75:18 | filename :  | semmle.label | filename :  |
+| ArchiveApiPathTraversal.rb:76:19:76:26 | filename | semmle.label | filename |
 | tainted_path.rb:4:12:4:17 | call to params :  | semmle.label | call to params :  |
 | tainted_path.rb:4:12:4:24 | ...[...] :  | semmle.label | ...[...] :  |
 | tainted_path.rb:5:26:5:29 | path | semmle.label | path |
@@ -81,8 +88,9 @@ nodes
 | tainted_path.rb:60:26:60:29 | path | semmle.label | path |
 subpaths
 #select
-| ArchiveApiPathTraversal.rb:54:21:54:36 | destination_file | ArchiveApiPathTraversal.rb:5:26:5:31 | call to params :  | ArchiveApiPathTraversal.rb:54:21:54:36 | destination_file | This path depends on $@. | ArchiveApiPathTraversal.rb:5:26:5:31 | call to params | a user-provided value |
-| ArchiveApiPathTraversal.rb:63:20:63:23 | file | ArchiveApiPathTraversal.rb:10:11:10:16 | call to params :  | ArchiveApiPathTraversal.rb:63:20:63:23 | file | This path depends on $@. | ArchiveApiPathTraversal.rb:10:11:10:16 | call to params | a user-provided value |
+| ArchiveApiPathTraversal.rb:59:21:59:36 | destination_file | ArchiveApiPathTraversal.rb:5:26:5:31 | call to params :  | ArchiveApiPathTraversal.rb:59:21:59:36 | destination_file | This path depends on $@. | ArchiveApiPathTraversal.rb:5:26:5:31 | call to params | a user-provided value |
+| ArchiveApiPathTraversal.rb:68:20:68:23 | file | ArchiveApiPathTraversal.rb:10:11:10:16 | call to params :  | ArchiveApiPathTraversal.rb:68:20:68:23 | file | This path depends on $@. | ArchiveApiPathTraversal.rb:10:11:10:16 | call to params | a user-provided value |
+| ArchiveApiPathTraversal.rb:76:19:76:26 | filename | ArchiveApiPathTraversal.rb:15:9:15:14 | call to params :  | ArchiveApiPathTraversal.rb:76:19:76:26 | filename | This path depends on $@. | ArchiveApiPathTraversal.rb:15:9:15:14 | call to params | a user-provided value |
 | tainted_path.rb:5:26:5:29 | path | tainted_path.rb:4:12:4:17 | call to params :  | tainted_path.rb:5:26:5:29 | path | This path depends on $@. | tainted_path.rb:4:12:4:17 | call to params | a user-provided value |
 | tainted_path.rb:11:26:11:29 | path | tainted_path.rb:10:31:10:36 | call to params :  | tainted_path.rb:11:26:11:29 | path | This path depends on $@. | tainted_path.rb:10:31:10:36 | call to params | a user-provided value |
 | tainted_path.rb:17:26:17:29 | path | tainted_path.rb:16:28:16:33 | call to params :  | tainted_path.rb:17:26:17:29 | path | This path depends on $@. | tainted_path.rb:16:28:16:33 | call to params | a user-provided value |
