Add fialing test cases, whereby there is a call that validates and throws an exception prior to the sink

Author: ropwareJB

csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.cs

@@ -196,6 +196,22 @@ public static bool ContainsPath(string? fullPath, string? path, bool excludeSame
             }
         }
 
+        /* Test that the given `fullPath` exists within the given `path` directory.
+         * If it does not, throw an exception to terminate the request.
+        */
+        public static void ContainsPathValidationThrowing(string? fullPath, string? path)
+        {
+            fullPath = Path.GetFullPath(fullPath);
+            path = Path.GetFullPath(path);
+
+            fullPath = AddBackslashIfNotPresent(fullPath);
+            path = AddBackslashIfNotPresent(path);
+
+            if (!fullPath!.StartsWith(path, StringComparison.OrdinalIgnoreCase)) {
+                throw new Exception("Attempting path traversal");
+            }
+        }
+
         static void Main(string[] args)
         {
             string zipFileName;
@@ -231,5 +247,19 @@ static void fp_throw(ZipArchive archive, string root){
                 entry.ExtractToFile(destinationOnDisk, true);
             }
         }
+
+        /**
+        * Negative - dangerous path terminates early due to exception thrown by guarded condition in descendent call.
+        */
+        static void fp_throw_nested_exception(ZipArchive archive, string root){
+            foreach (var entry in archive.Entries){
+                string destinationOnDisk = Path.GetFullPath(Path.Combine(root, entry.FullName));
+                string fullRoot = Path.GetFullPath(root + Path.DirectorySeparatorChar);
+                ContainsPathValidationThrowing(destinationOnDisk, fullRoot);
+                // NEGATIVE, above exception short circuits by exception on invalid input by path traversal.
+                entry.ExtractToFile(destinationOnDisk, true);
+            }
+        }
+
     }
 }