Add tests for improved CheckFileAccess

a618c0d1 · Justin Collins · 10751a9c · a618c0d1 · a618c0d1
隐藏空白更改
内联并排

Showing with 45 addition and 1 deletion

test/apps/rails3.1/app/controllers/users_controller.rb test/apps/rails3.1/app/controllers/users_controller.rb +7 -0

test/tests/test_rails31.rb test/tests/test_rails31.rb +38 -1

未找到文件。
--- a/test/apps/rails3.1/app/controllers/users_controller.rb
+++ b/test/apps/rails3.1/app/controllers/users_controller.rb
@@ -102,5 +102,12 @@ class UsersController < ApplicationController
    redirect_to User.find_by_name(params[:name])
  end

+  def test_file_access_params
+    File.unlink(blah(params[:file]))
+    Pathname.readlines("blah/#{cookies[:file]}")
+    File.delete(params[:file])
+    IO.read(User.find_by_name('bob').file_path)
+  end
+
  include UserMixin
 end
--- a/test/tests/test_rails31.rb
+++ b/test/tests/test_rails31.rb
@@ -15,7 +15,7 @@ class Rails31Tests < Test::Unit::TestCase
      :model => 0,
      :template => 4,
      :controller => 1,
-      :warning => 40 }
+      :warning => 44 }
  end

  def test_without_protection
@@ -454,4 +454,41 @@ class Rails31Tests < Test::Unit::TestCase
      :confidence => 0,
      :file => /users\/mixin_default\.html\.erb/
  end
+
+
+  def test_file_access_indirect_user_input
+    assert_warning :type => :warning,
+      :warning_type => "File Access",
+      :line => 106,
+      :message => /^Parameter\ value\ used\ in\ file\ name/,
+      :confidence => 2,
+      :file => /users_controller\.rb/
+  end
+
+  def test_file_access_in_string_interpolation
+    assert_warning :type => :warning,
+      :warning_type => "File Access",
+      :line => 107,
+      :message => /^Cookie\ value\ used\ in\ file\ name/,
+      :confidence => 0,
+      :file => /users_controller\.rb/
+  end
+
+  def test_file_access_direct_user_input
+    assert_warning :type => :warning,
+      :warning_type => "File Access",
+      :line => 108,
+      :message => /^Parameter\ value\ used\ in\ file\ name/,
+      :confidence => 0,
+      :file => /users_controller\.rb/
+  end
+
+  def test_file_access_model_attribute
+    assert_warning :type => :warning,
+      :warning_type => "File Access",
+      :line => 109,
+      :message => /^User\ input\ value\ used\ in\ file\ name/,
+      :confidence => 1,
+      :file => /users_controller\.rb/
+  end
 end