Add test for to_s in SQL

ec9d604c · Justin Collins · 87fe19d6 · ec9d604c · ec9d604c · ec9d604c
Showing with 17 addition and 6 deletion

test/apps/rails4/app/models/account.rb test/apps/rails4/app/models/account.rb +5 -0

test/apps/rails4/app/models/user.rb test/apps/rails4/app/models/user.rb +0 -5

test/tests/rails4.rb test/tests/rails4.rb +12 -1

未找到文件。
--- a/test/apps/rails4/app/models/account.rb
+++ b/test/apps/rails4/app/models/account.rb
@@ -33,4 +33,9 @@ class Account < ActiveRecord::Base
    sql += "GROUP BY title, id "
    Account.connection.select_all(sql)
  end
+
+  def self.get_all_countries(locale)
+    q = "country_#{locale} ASC".to_s
+    c = User.order(q)
+  end
 end
--- a/test/apps/rails4/app/models/user.rb
+++ b/test/apps/rails4/app/models/user.rb
@@ -12,9 +12,4 @@ class User < ActiveRecord::Base
  def symbol_stuff
    self.where(User.table_name.to_sym)
  end
-
-  def self.get_all_countries(locale)
-    q = "country_#{locale} ASC".to_s
-    c = User.order(q)
-  end
 end
--- a/test/tests/rails4.rb
+++ b/test/tests/rails4.rb
@@ -16,7 +16,7 @@ class Rails4Tests < Test::Unit::TestCase
      :controller => 0,
      :model => 2,
      :template => 3,
-      :generic => 51
+      :generic => 52
    }
  end

@@ -631,7 +631,18 @@ class Rails4Tests < Test::Unit::TestCase
      :confidence => 1,
      :relative_path => "app/models/email.rb",
      :user_input => s(:lvar, :task_table)
+  end

+  def test_sql_injection_with_to_s_on_string_interp
+    assert_warning :type => :warning,
+      :warning_code => 0,
+      :fingerprint => "4617dc460e895a734ac500b963bae96ee133e272611464519e7dcf52810075aa",
+      :warning_type => "SQL Injection",
+      :line => 39,
+      :message => /^Possible\ SQL\ injection/,
+      :confidence => 1,
+      :relative_path => "app/models/account.rb",
+      :user_input => s(:lvar, :locale)
  end

  def test_format_validation_model_alias_processing