From 5c2bfbcbf64658dcd92336e6b4ffb940d337828c Mon Sep 17 00:00:00 2001
From: aastha
Date: Wed, 15 May 2024 16:53:49 +0530
Subject: [PATCH 1/2] Added missing samples of Ruby
---
.../sendfile-injection/sendfile-injection.rb | 32 +++++++++++++++++++
1 file changed, 32 insertions(+)
create mode 100644 ruby/src/detectors/sendfile-injection/sendfile-injection.rb
diff --git a/ruby/src/detectors/sendfile-injection/sendfile-injection.rb b/ruby/src/detectors/sendfile-injection/sendfile-injection.rb
new file mode 100644
index 0000000..f9a55d2
--- /dev/null
+++ b/ruby/src/detectors/sendfile-injection/sendfile-injection.rb
@@ -0,0 +1,32 @@
+=begin
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: Apache-2.0
+=end
+
+# {fact rule=sendfile-injection@v1.0 defects=1}
+def download
+ begin
+ path = "/opt/wwwdata/assets/" + params[:asset_name].to_s
+ # Noncompliant: 'path' is unsanitized.
+ send_file path, disposition: "attachment"
+ rescue
+ redirect_to "/home"
+ end
+ end
+ # {/fact}
+
+ # {fact rule=sendfile-injection@v1.0 defects=0}
+ def download
+ begin
+ path = File.expand_path("/opt/wwwdata/assets/" + params[:asset_name].to_s)
+ if path.start_with?("/opt/wwwdata/assets/")
+ # Compliant: 'path' is sanitized before passing in send_file.
+ send_file path, disposition: "attachment"
+ else
+ head 403
+ end
+ rescue
+ redirect_to "/home"
+ end
+ end
+ # {/fact}
\ No newline at end of file
From 266bbe62588cf5ec83ee07ba31d7d3142c95761e Mon Sep 17 00:00:00 2001
From: aastha
Date: Tue, 28 May 2024 10:49:36 +0530
Subject: [PATCH 2/2] Addressed cosmetic comments
---
ruby/src/detectors/sendfile-injection/sendfile-injection.rb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ruby/src/detectors/sendfile-injection/sendfile-injection.rb b/ruby/src/detectors/sendfile-injection/sendfile-injection.rb
index f9a55d2..3d69a2f 100644
--- a/ruby/src/detectors/sendfile-injection/sendfile-injection.rb
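Review bot: The containment check in the compliant sample is the only thing separating it from the noncompliant one, yet the directory literal `"/opt/wwwdata/assets/"` is written twice (in the `File.expand_path` call and in the `start_with?` test) and nothing records that the trailing slash is load-bearing — it is what stops a sibling directory sharing the same name prefix from matching. I would hoist it, `ASSETS_DIR = "/opt/wwwdata/assets/"`, `path = File.expand_path(ASSETS_DIR + params[:asset_name].to_s)`, `if path.start_with?(ASSETS_DIR)`, and add a comment that `expand_path` collapses `..` segments but does not resolve symlinks, so `File.realpath` is the stricter choice where the asset directory may contain links. The bare `rescue` in both samples catches every StandardError, a missing file included, and turns it into a redirect; as a point of style the samples read cleaner with a method-level `rescue` than with the whole body wrapped in `begin`/`end`.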
+++ b/ruby/src/detectors/sendfile-injection/sendfile-injection.rb
@@ -4,7 +4,7 @@
 =end

 # {fact rule=sendfile-injection@v1.0 defects=1}
-def download
+def send_file_injection_noncompliant
 begin
 path = "/opt/wwwdata/assets/" + params[:asset_name].to_s
 # Noncompliant: 'path' is unsanitized.
@@ -16,7 +16,7 @@ def download
 # {/fact}

 # {fact rule=sendfile-injection@v1.0 defects=0}
- def download
+ def send_file_injection_compliant
 begin
 path = File.expand_path("/opt/wwwdata/assets/" + params[:asset_name].to_s)
 if path.start_with?("/opt/wwwdata/assets/")