github · Copilot · Jun 11, 2026 · Jun 11, 2026
@@ -1 +1,2 @@
-experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql
+query: experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
@@ -1,27 +1,27 @@
 require 'zlib'
 
 class TestController < ActionController::Base
-  gzip_path = params[:path]
+  gzip_path = params[:path] # $ Source
 
-  Zlib::GzipReader.open(gzip_path).read
+  Zlib::GzipReader.open(gzip_path).read # $ Alert
   Zlib::GzipReader.open(gzip_path) do |uncompressedfile|
     puts uncompressedfile.read
-  end
+  end # $ Alert
   Zlib::GzipReader.open(gzip_path) do |uncompressedfile|
     uncompressedfile.each do |entry|
       puts entry
     end
-  end
-  uncompressedfile = Zlib::GzipReader.open(gzip_path)
+  end # $ Alert
+  uncompressedfile = Zlib::GzipReader.open(gzip_path) # $ Alert
   uncompressedfile.each do |entry|
     puts entry
   end
 
-  Zlib::GzipReader.new(File.open(gzip_path, 'rb')).read
-  Zlib::GzipReader.new(File.open(gzip_path, 'rb')).each do |entry|
+  Zlib::GzipReader.new(File.open(gzip_path, 'rb')).read # $ Alert
+  Zlib::GzipReader.new(File.open(gzip_path, 'rb')).each do |entry| # $ Alert
     puts entry
   end
 
-  Zlib::GzipReader.zcat(open(gzip_path))
+  Zlib::GzipReader.zcat(open(gzip_path)) # $ Alert
 end
 
@@ -1,21 +1,21 @@
 require 'zip'
 
 class TestController < ActionController::Base
-  zipfile_path = params[:path]
+  zipfile_path = params[:path] # $ Source
 
   Zip::InputStream.open(zipfile_path) do |input|
     while (entry = input.get_next_entry)
       puts :file_name, entry.name
       input
     end
-  end
+  end # $ Alert
   Zip::InputStream.open(zipfile_path) do |input|
     input.read
-  end
-  input = Zip::InputStream.open(zipfile_path)
+  end # $ Alert
+  input = Zip::InputStream.open(zipfile_path) # $ Alert
 
-  Zip::File.open(zipfile_path).read "10GB"
-  Zip::File.open(zipfile_path).extract "10GB", "./"
+  Zip::File.open(zipfile_path).read "10GB" # $ Alert
+  Zip::File.open(zipfile_path).extract "10GB", "./" # $ Alert
 
   Zip::File.open(zipfile_path) do |zip_file|
     # Handle entries one by one
@@ -25,33 +25,33 @@ class TestController < ActionController::Base
       # Extract to file or directory based on name in the archive
       entry.extract
       # Read into memory
-      entry.get_input_stream.read
+      entry.get_input_stream.read # $ Alert
     end
   end
 
   zip_file = Zip::File.open(zipfile_path)
   zip_file.each do |entry|
-    entry.extract
-    entry.get_input_stream.read
+    entry.extract # $ Alert
+    entry.get_input_stream.read # $ Alert
   end
 
   # Find specific entry
   Zip::File.open(zipfile_path) do |zip_file|
     zip_file.glob('*.xml').each do |entry|
-      zip_file.read(entry.name)
-      entry.extract
+      zip_file.read(entry.name) # $ Alert
+      entry.extract # $ Alert
     end
     entry = zip_file.glob('*.csv').first
     raise 'File too large when extracted' if entry.size > MAX_SIZE
-    puts entry.get_input_stream.read
+    puts entry.get_input_stream.read # $ Alert
   end
 
   zip_file = Zip::File.open(zipfile_path)
   entry = zip_file.glob('*.csv')
-  puts entry.get_input_stream.read
+  puts entry.get_input_stream.read # $ Alert
 
   zip_file = Zip::File.open(zipfile_path)
   zip_file.glob('*') do |entry|
-    entry.get_input_stream.read
+    entry.get_input_stream.read # $ Alert
   end
 end
@@ -1 +1,2 @@
-experimental/ldap-improper-auth/ImproperLdapAuth.ql
+query: experimental/ldap-improper-auth/ImproperLdapAuth.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
@@ -2,7 +2,7 @@ class FooController < ActionController::Base
   def some_request_handler
     # A string tainted by user input is used directly as password
     # (i.e a remote flow source)
-    pass = params[:pass]
+    pass = params[:pass] # $ Source
 
     # BAD: user input is not sanitized
     ldap = Net::LDAP.new(
@@ -12,7 +12,7 @@ def some_request_handler
         auth: {
             method: :simple,
             username: 'uid=admin,dc=example,dc=com',
-            password: pass
+            password: pass # $ Alert
         }
     )
     ldap.bind
@@ -21,14 +21,14 @@ def some_request_handler
   def some_request_handler
     # A string tainted by user input is used directly as password
     # (i.e a remote flow source)
-    pass = params[:pass]
+    pass = params[:pass] # $ Source
 
     # BAD: user input is not sanitized
     ldap = Net::LDAP.new
     ldap.host = your_server_ip_address
     ldap.encryption(:method => :simple_tls)
     ldap.port = 639
-    ldap.auth "admin", pass
+    ldap.auth "admin", pass # $ Alert
     ldap.bind
   end
 end
@@ -56,4 +56,4 @@ def safe_paths
         }
     )
   end
-end
+end
@@ -1 +1,2 @@
-experimental/insecure-randomness/InsecureRandomness.ql
+query: experimental/insecure-randomness/InsecureRandomness.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
@@ -3,7 +3,7 @@
 def generate_password_1(length)
   chars = ('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a + ['!', '@', '#', '$', '%']
   # BAD: rand is not cryptographically secure
-  password = (1..length).collect { chars[rand(chars.size)] }.join
+  password = (1..length).collect { chars[rand(chars.size)] }.join # $ Alert
 end
 
 def generate_password_2(length)
@@ -16,4 +16,4 @@ def generate_password_2(length)
 end
 
 password = generate_password_1(10)
-password = generate_password_2(10)
+password = generate_password_2(10)
@@ -2,11 +2,11 @@ class FooController < ActionController::Base
   def some_request_handler
     # A string tainted by user input is used directly as DN
     # (i.e a remote flow source)
-    dc = params[:dc]
+    dc = params[:dc] # $ Source
 
     # A string tainted by user input is used directly as search filter or attribute
     # (i.e a remote flow source)
-    name = params[:user_name]
+    name = params[:user_name] # $ Source
 
     # LDAP Connection
     ldap = Net::LDAP.new(
@@ -22,20 +22,20 @@ def some_request_handler
 
     # BAD: user input is used as DN 
     # where dc is unsanitized
-    ldap.search(base: "ou=people,dc=#{dc},dc=com", filter: "cn=George", attributes: [""])
+    ldap.search(base: "ou=people,dc=#{dc},dc=com", filter: "cn=George", attributes: [""]) # $ Alert
 
     # BAD: user input is used as search filter
     # where name is unsanitized
-    ldap.search(base: "ou=people,dc=example,dc=com", filter: "cn=#{name}", attributes: [""])
+    ldap.search(base: "ou=people,dc=example,dc=com", filter: "cn=#{name}", attributes: [""]) # $ Alert
 
     # BAD: user input is used as attribute
     # where name is unsanitized
-    ldap.search(base: "ou=people,dc=example,dc=com", filter: "cn=George", attributes: [name])
+    ldap.search(base: "ou=people,dc=example,dc=com", filter: "cn=George", attributes: [name]) # $ Alert
 
     # BAD: user input is used as search filter
     # where name is unsanitized
     filter = Net::LDAP::Filter.eq('cn', name)
-    ldap.search(base: "ou=people,dc=example,dc=com", filter: filter, attributes: [""])
+    ldap.search(base: "ou=people,dc=example,dc=com", filter: filter, attributes: [""]) # $ Alert
 
     # GOOD: user input is not used in the LDAP query
     result = ldap.search(base: "ou=people,dc=example,dc=com", filter: "cn=George", attributes: [""])
@@ -63,4 +63,4 @@ def safe_paths
     end
     result = ldap.search(base: "ou=people,dc=example,dc=com", filter: "cn=#{name}", attributes: [""])
   end
-end
+end
@@ -1 +1,2 @@
-experimental/ldap-injection/LdapInjection.ql
+query: experimental/ldap-injection/LdapInjection.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
@@ -2,7 +2,7 @@ class FooController < ActionController::Base
   def some_request_handler
     # A string tainted by user input is inserted into a template 
     # (i.e a remote flow source)
-    name = params[:name]
+    name = params[:name] # $ Source
 
     # Template with the source
     bad_text = "
@@ -12,11 +12,11 @@ def some_request_handler
 
     # BAD: user input is evaluated
     # where name is unsanitized
-    template = ERB.new(bad_text).result(binding) 
+    template = ERB.new(bad_text).result(binding)  # $ Alert
 
     # BAD: user input is evaluated
     # where name is unsanitized
-    render inline: bad_text
+    render inline: bad_text # $ Alert
 
     # Template with the source 
     good_text = "

@@ -2,7 +2,7 @@ class FooController < ActionController::Base
   def some_request_handler
     # A string tainted by user input is inserted into a template 
     # (i.e a remote flow source)
-    name = params[:name]
+    name = params[:name] # $ Source
 
     # Template with the source (no sanitizer)
     bad_text = "
@@ -11,7 +11,7 @@ def some_request_handler
       " % name
     # BAD: renders user input
     # where text is unsanitized
-    Slim::Template.new{ bad_text }.render 
+    Slim::Template.new{ bad_text }.render  # $ Alert
 
     # Template with the source (no sanitizer)
     bad2_text = "
@@ -20,7 +20,7 @@ def some_request_handler
       " 
     # BAD: renders user input
     # where text is unsanitized
-    Slim::Template.new{ bad2_text }.render 
+    Slim::Template.new{ bad2_text }.render  # $ Alert
 
     # Template with the source (no render)
     good_text = "
@@ -64,4 +64,4 @@ def safe_paths
       " % name2
     template_bar1 = Slim::Template.new{ text_bar2 }.render 
   end
-end
+end
@@ -1 +1,2 @@
-experimental/template-injection/TemplateInjection.ql
+query: experimental/template-injection/TemplateInjection.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
@@ -2,7 +2,7 @@
 
 class FooController < ActionController::Base
   def libxml_handler(event:, context:)
-    name = params[:user_name]
+    name = params[:user_name] # $ Source
 
     xml = <<-XML
       <root>
@@ -18,13 +18,13 @@ def libxml_handler(event:, context:)
     results1 = doc.find_first('//foo')
 
     # BAD: XPath query is constructed from user input
-    results2 = doc.find_first("//#{name}")
+    results2 = doc.find_first("//#{name}") # $ Alert
 
     # GOOD: XPath query is not constructed from user input
     results3 = doc.find('//foo')
 
     # BAD: XPath query is constructed from user input
-    results4 = doc.find("//#{name}")
+    results4 = doc.find("//#{name}") # $ Alert
   end
 end
 

@@ -2,7 +2,7 @@
 
 class FooController < ActionController::Base
   def nokogiri_handler(event:, context:)
-    name = params[:user_name]
+    name = params[:user_name] # $ Source
 
     xml = <<-XML
       <root>
@@ -18,27 +18,27 @@ def nokogiri_handler(event:, context:)
     results1 = doc.at('//foo')
 
     # BAD: XPath query is constructed from user input
-    results2 = doc.at("//#{name}")
+    results2 = doc.at("//#{name}") # $ Alert
 
     # GOOD: XPath query is not constructed from user input
     results3 = doc.xpath('//foo')
 
     # BAD: XPath query is constructed from user input
-    results4 = doc.xpath("//#{name}")
+    results4 = doc.xpath("//#{name}") # $ Alert
 
     # GOOD: XPath query is not constructed from user input
     results5 = doc.at_xpath('//foo')
 
     # BAD: XPath query is constructed from user input
-    results6 = doc.at_xpath("//#{name}")
+    results6 = doc.at_xpath("//#{name}") # $ Alert
 
     # GOOD: XPath query is not constructed from user input
     doc.xpath('//foo').each do |element|
         puts element.text
     end
 
     # BAD: XPath query constructed from user input
-    doc.xpath("//#{name}").each do |element|
+    doc.xpath("//#{name}").each do |element| # $ Alert
         puts element.text
     end
 
@@ -48,7 +48,7 @@ def nokogiri_handler(event:, context:)
     end
 
     # BAD: XPath query constructed from user input
-    doc.search("//#{name}").each do |element|
+    doc.search("//#{name}").each do |element| # $ Alert
         puts element.text
     end
   end
@@ -85,4 +85,4 @@ def nokogiri_safe_handler(event:, context:)
     results9 = doc.at_xpath("//#{safe_name}")
 
   end
-end
+end