Convert Ruby qlref tests to inline expectations

Author: Copilot

ruby/ql/test/query-tests/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qlref

@@ -1 +1,2 @@
-experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql
+query: experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

ruby/ql/test/query-tests/experimental/CWE-522-DecompressionBombs/gzipBombs.rb

@@ -1,27 +1,27 @@
 require 'zlib'
 
 class TestController < ActionController::Base
-  gzip_path = params[:path]
+  gzip_path = params[:path] # $ Source
 
-  Zlib::GzipReader.open(gzip_path).read
+  Zlib::GzipReader.open(gzip_path).read # $ Alert
   Zlib::GzipReader.open(gzip_path) do |uncompressedfile|
     puts uncompressedfile.read
-  end
+  end # $ Alert
   Zlib::GzipReader.open(gzip_path) do |uncompressedfile|
     uncompressedfile.each do |entry|
       puts entry
     end
-  end
-  uncompressedfile = Zlib::GzipReader.open(gzip_path)
+  end # $ Alert
+  uncompressedfile = Zlib::GzipReader.open(gzip_path) # $ Alert
   uncompressedfile.each do |entry|
     puts entry
   end
 
-  Zlib::GzipReader.new(File.open(gzip_path, 'rb')).read
-  Zlib::GzipReader.new(File.open(gzip_path, 'rb')).each do |entry|
+  Zlib::GzipReader.new(File.open(gzip_path, 'rb')).read # $ Alert
+  Zlib::GzipReader.new(File.open(gzip_path, 'rb')).each do |entry| # $ Alert
     puts entry
   end
 
-  Zlib::GzipReader.zcat(open(gzip_path))
+  Zlib::GzipReader.zcat(open(gzip_path)) # $ Alert
 end
 

ruby/ql/test/query-tests/experimental/CWE-522-DecompressionBombs/zipBombs.rb

@@ -1,21 +1,21 @@
 require 'zip'
 
 class TestController < ActionController::Base
-  zipfile_path = params[:path]
+  zipfile_path = params[:path] # $ Source
 
   Zip::InputStream.open(zipfile_path) do |input|
     while (entry = input.get_next_entry)
       puts :file_name, entry.name
       input
     end
-  end
+  end # $ Alert
   Zip::InputStream.open(zipfile_path) do |input|
     input.read
-  end
-  input = Zip::InputStream.open(zipfile_path)
+  end # $ Alert
+  input = Zip::InputStream.open(zipfile_path) # $ Alert
 
-  Zip::File.open(zipfile_path).read "10GB"
-  Zip::File.open(zipfile_path).extract "10GB", "./"
+  Zip::File.open(zipfile_path).read "10GB" # $ Alert
+  Zip::File.open(zipfile_path).extract "10GB", "./" # $ Alert
 
   Zip::File.open(zipfile_path) do |zip_file|
     # Handle entries one by one
@@ -25,33 +25,33 @@ class TestController < ActionController::Base
       # Extract to file or directory based on name in the archive
       entry.extract
       # Read into memory
-      entry.get_input_stream.read
+      entry.get_input_stream.read # $ Alert
     end
   end
 
   zip_file = Zip::File.open(zipfile_path)
   zip_file.each do |entry|
-    entry.extract
-    entry.get_input_stream.read
+    entry.extract # $ Alert
+    entry.get_input_stream.read # $ Alert
   end
 
   # Find specific entry
   Zip::File.open(zipfile_path) do |zip_file|
     zip_file.glob('*.xml').each do |entry|
-      zip_file.read(entry.name)
-      entry.extract
+      zip_file.read(entry.name) # $ Alert
+      entry.extract # $ Alert
     end
     entry = zip_file.glob('*.csv').first
     raise 'File too large when extracted' if entry.size > MAX_SIZE
-    puts entry.get_input_stream.read
+    puts entry.get_input_stream.read # $ Alert
   end
 
   zip_file = Zip::File.open(zipfile_path)
   entry = zip_file.glob('*.csv')
-  puts entry.get_input_stream.read
+  puts entry.get_input_stream.read # $ Alert
 
   zip_file = Zip::File.open(zipfile_path)
   zip_file.glob('*') do |entry|
-    entry.get_input_stream.read
+    entry.get_input_stream.read # $ Alert
   end
 end

ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.qlref

@@ -1 +1,2 @@
-experimental/ldap-improper-auth/ImproperLdapAuth.ql
+query: experimental/ldap-improper-auth/ImproperLdapAuth.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

ruby/ql/test/query-tests/experimental/ImproperLdapAuth/ImproperLdapAuth.rb

@@ -2,7 +2,7 @@ class FooController < ActionController::Base
   def some_request_handler
     # A string tainted by user input is used directly as password
     # (i.e a remote flow source)
-    pass = params[:pass]
+    pass = params[:pass] # $ Source
 
     # BAD: user input is not sanitized
     ldap = Net::LDAP.new(
@@ -12,7 +12,7 @@ def some_request_handler
         auth: {
             method: :simple,
             username: 'uid=admin,dc=example,dc=com',
-            password: pass
+            password: pass # $ Alert
         }
     )
     ldap.bind
@@ -21,14 +21,14 @@ def some_request_handler
   def some_request_handler
     # A string tainted by user input is used directly as password
     # (i.e a remote flow source)
-    pass = params[:pass]
+    pass = params[:pass] # $ Source
 
     # BAD: user input is not sanitized
     ldap = Net::LDAP.new
     ldap.host = your_server_ip_address
     ldap.encryption(:method => :simple_tls)
     ldap.port = 639
-    ldap.auth "admin", pass
+    ldap.auth "admin", pass # $ Alert
     ldap.bind
   end
 end
@@ -56,4 +56,4 @@ def safe_paths
         }
     )
   end
-end
+end

ruby/ql/test/query-tests/experimental/InsecureRandomness/InsecureRandomness.qlref

@@ -1 +1,2 @@
-experimental/insecure-randomness/InsecureRandomness.ql
+query: experimental/insecure-randomness/InsecureRandomness.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

ruby/ql/test/query-tests/experimental/InsecureRandomness/InsecureRandomness.rb

@@ -3,7 +3,7 @@
 def generate_password_1(length)
   chars = ('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a + ['!', '@', '#', '$', '%']
   # BAD: rand is not cryptographically secure
-  password = (1..length).collect { chars[rand(chars.size)] }.join
+  password = (1..length).collect { chars[rand(chars.size)] }.join # $ Alert
 end
 
 def generate_password_2(length)
@@ -16,4 +16,4 @@ def generate_password_2(length)
 end
 
 password = generate_password_1(10)
-password = generate_password_2(10)
+password = generate_password_2(10)

ruby/ql/test/query-tests/experimental/LdapInjection/LdapInjection.rb

@@ -2,11 +2,11 @@ class FooController < ActionController::Base
   def some_request_handler
     # A string tainted by user input is used directly as DN
     # (i.e a remote flow source)
-    dc = params[:dc]
+    dc = params[:dc] # $ Source
 
     # A string tainted by user input is used directly as search filter or attribute
     # (i.e a remote flow source)
-    name = params[:user_name]
+    name = params[:user_name] # $ Source
 
     # LDAP Connection
     ldap = Net::LDAP.new(
@@ -22,20 +22,20 @@ def some_request_handler
 
     # BAD: user input is used as DN 
     # where dc is unsanitized
-    ldap.search(base: "ou=people,dc=#{dc},dc=com", filter: "cn=George", attributes: [""])
+    ldap.search(base: "ou=people,dc=#{dc},dc=com", filter: "cn=George", attributes: [""]) # $ Alert
 
     # BAD: user input is used as search filter
     # where name is unsanitized
-    ldap.search(base: "ou=people,dc=example,dc=com", filter: "cn=#{name}", attributes: [""])
+    ldap.search(base: "ou=people,dc=example,dc=com", filter: "cn=#{name}", attributes: [""]) # $ Alert
 
     # BAD: user input is used as attribute
     # where name is unsanitized
-    ldap.search(base: "ou=people,dc=example,dc=com", filter: "cn=George", attributes: [name])
+    ldap.search(base: "ou=people,dc=example,dc=com", filter: "cn=George", attributes: [name]) # $ Alert
 
     # BAD: user input is used as search filter
     # where name is unsanitized
     filter = Net::LDAP::Filter.eq('cn', name)
-    ldap.search(base: "ou=people,dc=example,dc=com", filter: filter, attributes: [""])
+    ldap.search(base: "ou=people,dc=example,dc=com", filter: filter, attributes: [""]) # $ Alert
 
     # GOOD: user input is not used in the LDAP query
     result = ldap.search(base: "ou=people,dc=example,dc=com", filter: "cn=George", attributes: [""])
@@ -63,4 +63,4 @@ def safe_paths
     end
     result = ldap.search(base: "ou=people,dc=example,dc=com", filter: "cn=#{name}", attributes: [""])
   end
-end
+end

ruby/ql/test/query-tests/experimental/LdapInjection/Ldapinjection.qlref

@@ -1 +1,2 @@
-experimental/ldap-injection/LdapInjection.ql
+query: experimental/ldap-injection/LdapInjection.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

ruby/ql/test/query-tests/experimental/TemplateInjection/ErbInjection.rb

@@ -2,7 +2,7 @@ class FooController < ActionController::Base
   def some_request_handler
     # A string tainted by user input is inserted into a template 
     # (i.e a remote flow source)
-    name = params[:name]
+    name = params[:name] # $ Source
 
     # Template with the source
     bad_text = "
@@ -12,11 +12,11 @@ def some_request_handler
 
     # BAD: user input is evaluated
     # where name is unsanitized
-    template = ERB.new(bad_text).result(binding) 
+    template = ERB.new(bad_text).result(binding)  # $ Alert
 
     # BAD: user input is evaluated
     # where name is unsanitized
-    render inline: bad_text
+    render inline: bad_text # $ Alert
 
     # Template with the source 
     good_text = "