diff --git a/test/apps/rails3.1/app/controllers/admin_controller.rb b/test/apps/rails3.1/app/controllers/admin_controller.rb
index 89e99bf94679074297b5dc7f1bb1cbc5fa50636a..49cb2eaa7c9b32997abc36360fd9568bd14f9e43 100644
--- a/test/apps/rails3.1/app/controllers/admin_controller.rb
+++ b/test/apps/rails3.1/app/controllers/admin_controller.rb
@@ -29,4 +29,23 @@ class AdminController < ApplicationController
 def show_detailed_exceptions?
 yeah_sure_they_are_an_admin_right? current_user
 end
+
+ def make_system_calls
+ `#{"blah #{why?}"}`
+
+ # Some command injection of literals
+ # which should not raise warnings
+ or_input = if admin
+ "rm -rf"
+ else
+ :symbol
+ end
+
+ system "cd / && #{or_input}"
+ `cd / && #{or_input}`
+
+ system "echo #{1}"
+ exec "nmap 192.168.#{1}.1"
+
+ end
 end
diff --git a/test/tests/rails31.rb b/test/tests/rails31.rb
index 6d97b632c302bb96a7b1279150277c14084c6f25..494be13481262487390377835757a69ce8f35745 100644
--- a/test/tests/rails31.rb
+++ b/test/tests/rails31.rb
@@ -15,7 +15,7 @@ class Rails31Tests < Test::Unit::TestCase
 :model => 3,
 :template => 23,
 :controller => 4,
- :generic => 73 }
+ :generic => 74 }
 end
 
 def test_without_protection
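Review bot: The new `make_system_calls` fixture gives no hint which call is the positive case, yet the companion tests pin exact line numbers (34 for the nested-interpolation backtick, 42, 43, 45 and 46 for the negative cases), so any line inserted above them silently breaks those tests. The existing comment only covers the literal cases; I would widen it to `# Line 34 must warn (user_input is the why? call); the literal/integer cases below must not — line numbers are pinned by test/tests/rails31.rb`. `or_input` depends on `admin`, which is not defined in this hunk, so the method appears to exist purely as scanner input; saying so in the comment spares the next reader from wondering whether it is reachable. The enclosing `AdminController` class begins above the hunk.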
@@ -1086,4 +1086,60 @@ class Rails31Tests < Test::Unit::TestCase
 :confidence => 1,
 :relative_path => "app/controllers/admin_controller.rb"
 end
+
+ def test_command_injection_interpolation_inside_interpolation
+ assert_warning :type => :warning,
+ :warning_code => 14,
+ :fingerprint => "5ef09b79bf1d08ccd42e376238f9a618227da4990ea7702a1d4da2e83f4820fe",
+ :warning_type => "Command Injection",
+ :line => 34,
+ :message => /^Possible\ command\ injection/,
+ :confidence => 1,
+ :relative_path => "app/controllers/admin_controller.rb",
+ :user_input => s(:call, nil, :why?)
+ end
+
+ def test_command_injection_or_literal_system
+ assert_no_warning :type => :warning,
+ :warning_code => 14,
+ :fingerprint => "7de48cc753c090a61ac49a6885bc87198b1a7a72e5629eb2a188b671b95c7f13",
+ :warning_type => "Command Injection",
+ :line => 42,
+ :message => /^Possible\ command\ injection/,
+ :confidence => 1,
+ :relative_path => "app/controllers/admin_controller.rb"
+ end
+
+ def test_command_injection_or_literal_backticks
+ assert_no_warning :type => :warning,
+ :warning_code => 14,
+ :fingerprint => "a9ec8db240351f05e084a6acc9f7980d97718eb4cb386d9ea8079d224dfecef9",
+ :warning_type => "Command Injection",
+ :line => 43,
+ :message => /^Possible\ command\ injection/,
+ :confidence => 1,
+ :relative_path => "app/controllers/admin_controller.rb"
+ end
+
+ def test_command_injection_integer_command
+ assert_no_warning :type => :warning,
+ :warning_code => 14,
+ :fingerprint => "44d7403b6d2dfe4b74c32b80d924fed3d034637f0e13b3c31193ef9279a674f3",
+ :warning_type => "Command Injection",
+ :line => 45,
+ :message => /^Possible\ command\ injection/,
+ :confidence => 1,
+ :relative_path => "app/controllers/admin_controller.rb"
+ end
+
+ def test_command_injection_integer_exec
+ assert_no_warning :type => :warning,
+ :warning_code => 14,
+ :fingerprint => "11ab37cedddb3b4c9cd1c29db6b6ab8cd8a6a0063862448075cc22e9cd8b0882",
+ :warning_type => "Command Injection",
+ :line => 46,
+ :message => /^Possible\ command\ injection/,
+ :confidence => 1,
+ :relative_path => "app/controllers/admin_controller.rb"
+ end
 end
diff --git a/test/to_test.rb b/test/to_test.rb
index 4f91f563666e0a1fa0ae7b29d285c0a7e59c9606..5b2e9f591b2e27e6886126364aa22015c7e53ad8 100644
--- a/test/to_test.rb
+++ b/test/to_test.rb
@@ -57,7 +57,8 @@ class #{name}Tests < Test::Unit::TestCase
 #{w.line ? ":line => " : "#noline"}#{w.line},
 :message => /^#{Regexp.escape w.message[0,40]}/,
 :confidence => #{w.confidence},
- :relative_path => #{w.relative_path.inspect}
+ :relative_path => #{w.relative_path.inspect},
+ :user_input => #{w.user_input}
 end
 RUBY
 end.join("\n")
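Review bot: The four `assert_no_warning` tests for lines 42, 43, 45 and 46 each pin a specific `:fingerprint` and `:message`; if `assert_no_warning` requires every listed field to match, as the positive `assert_warning` form does, a Command Injection warning at the same fixture line with any other fingerprint would go unnoticed and the negative test would still pass. I would drop `:fingerprint` (and likely `:message`) from these four so each asserts that no `:warning_code => 14` warning exists at that line of `app/controllers/admin_controller.rb` at all. The first test's `:user_input => s(:call, nil, :why?)` is a good addition, though like the others it depends on the fixture's `why?` call staying on line 34. The enclosing `Rails31Tests` class begins above the hunk.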
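Review bot: The generated `:user_input => #{w.user_input}` line emits an empty value for a warning whose user_input is nil, leaving `:user_input => ` directly before `end`, which is not valid Ruby in the generated test; the `:line` entry above already guards the same situation with `#noline`. Mirror that guard and move the entry ahead of `:relative_path` so no dangling trailing comma remains: `#{w.user_input ? ":user_input => " : "#nouser_input"}#{w.user_input},` followed by `:relative_path => #{w.relative_path.inspect}` as the final entry. Plain `#{...}` interpolation also relies on the user-input object's `to_s` producing the `s(...)` form the new rails31.rb test compares against; calling `inspect` explicitly would make that intent visible. The heredoc and the block it sits in begin above the hunk.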