Java: Change main ZipSlip location to the source.

aschackmull · aschackmull · commit c3f71c2d4294 · 2018-10-31T11:38:28.000+01:00
diff --git a/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql b/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
@@ -172,5 +172,5 @@ class ZipSlipConfiguration extends TaintTracking::Configuration {
 
 from Node source, Node sink
 where any(ZipSlipConfiguration c).hasFlow(source, sink)
-select sink, "Unsanitized $@, which may contain '..', is used in a file system operation.", source,
-  "archive entry"
+select source, "Unsanitized archive entry, which may contain '..', is used in a $@.", sink,
+  "file system operation"
diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipSlip.expected b/java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipSlip.expected
@@ -1,3 +1,3 @@
-| ZipTest.java:9:48:9:51 | file | Unsanitized $@, which may contain '..', is used in a file system operation. | ZipTest.java:7:19:7:33 | getName(...) | archive entry |
-| ZipTest.java:10:49:10:52 | file | Unsanitized $@, which may contain '..', is used in a file system operation. | ZipTest.java:7:19:7:33 | getName(...) | archive entry |
-| ZipTest.java:11:36:11:39 | file | Unsanitized $@, which may contain '..', is used in a file system operation. | ZipTest.java:7:19:7:33 | getName(...) | archive entry |
+| ZipTest.java:7:19:7:33 | getName(...) | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipTest.java:9:48:9:51 | file | file system operation |
+| ZipTest.java:7:19:7:33 | getName(...) | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipTest.java:10:49:10:52 | file | file system operation |
+| ZipTest.java:7:19:7:33 | getName(...) | Unsanitized archive entry, which may contain '..', is used in a $@. | ZipTest.java:11:36:11:39 | file | file system operation |
