ruby/ql/src/experimental/CWE-522-DecompressionBombs
@@ -81,16 +81,18 @@ module ZipInputStream {
8181 /**
8282 * Gets a node of `Zip::InputStream` member
8383 *
84- * Note that if you use the lower level Zip::InputStream interface, rubyzip does not check the entry sizes.
84+ * Note that if you use the lower level Zip::InputStream interface, rubyZip does not check the entry sizes.
8585 */
8686 private API:: Node zipInputStream ( ) {
8787 result = API:: getTopLevelMember ( "Zip" ) .getMember ( "InputStream" )
8888 }
8989
9090 /**
91- * The return values of following methods
92- * `ZipIO.read`
93- * `ZipEntry.extract`
91+ * The methods
92+ * `Zip::InputStream.read`
93+ * `Zip::InputStream.extract`
94+ *
95+ * as source of decompression bombs, they need an additional taint step for a dataflow or taint tracking query
9496 */
9597 class DecompressionBombSink extends DecompressionBomb:: Range {
9698 DecompressionBombSink ( ) { this = zipInputStream ( ) .getMethod ( [ "open" , "new" ] ) }
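Review bot: the change from `rubyzip` to `rubyZip` in the `zipInputStream()` doc comment is a regression, since the gem's name is all lowercase (`rubyzip`); the original spelling should be kept. The reworded doc comment on `DecompressionBombSink` also reads awkwardly and does not line up with the class it documents: it says `Zip::InputStream.read` and `Zip::InputStream.extract` are sources of decompression bombs that need an additional taint step, while the characteristic predicate below binds `open` and `new` on `Zip::InputStream` and the class is named Sink. Suggest a grammatical sentence that separates the two roles, e.g. "The methods `Zip::InputStream.read` and `Zip::InputStream.extract` are sources of decompression bombs; they need an additional taint step in a dataflow or taint-tracking query." followed by a line stating that this class matches the `open`/`new` calls that create the stream.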