Fix link_to logic messed up during refactoring

and add test for it so it won't happen again

Fix link_to logic messed up during refactoring
and add test for it so it won't happen again
f1ac8eea · Justin Collins · e62cf7e8 · f1ac8eea · f1ac8eea · f1ac8eea
3 changed file
--- a/lib/brakeman/checks/check_link_to.rb
+++ b/lib/brakeman/checks/check_link_to.rb
@@ -89,7 +89,7 @@ class Brakeman::CheckLinkTo < Brakeman::CheckCrossSiteScripting
  # Check if we should warn about the matched result
  def check_matched(result, matched = nil)
    return false unless matched
-    return false if matched.type == :model and not tracker.options[:ignore_model_output]
+    return false if matched.type == :model and tracker.options[:ignore_model_output]

    message = "Unescaped #{friendly_type_of matched} in link_to"


--- a/test/apps/rails2/app/views/home/test_link_to.html.erb
+++ b/test/apps/rails2/app/views/home/test_link_to.html.erb
@@ -5,3 +5,5 @@
 <% end %>

 <%= link_to params[:evil], "http://brakemanscanner.org" %>
+
+<%= link_to make_awesome(User.find(1).name), "http://google.com" %>
--- a/test/tests/test_rails2.rb
+++ b/test/tests/test_rails2.rb
@@ -11,13 +11,13 @@ class Rails2Tests < Test::Unit::TestCase
      @expected ||= {
        :controller => 1,
        :model => 3,
-        :template => 43,
+        :template => 44,
        :warning => 46 }
    else
      @expected ||= {
        :controller => 1,
        :model => 3,
-        :template => 43,
+        :template => 44,
        :warning => 47 }
    end
  end
@@ -427,6 +427,17 @@ class Rails2Tests < Test::Unit::TestCase
      :relative_path => "app/views/home/test_model.html.erb"
  end

+  def test_indirect_model_in_link_to
+    assert_warning :type => :template,
+      :warning_code => 3,
+      :fingerprint => "8941c902e7c71d0df4ebb1888c8ed9ac99affaf385be657838452ac3eefe563c",
+      :warning_type => "Cross Site Scripting",
+      :line => 9,
+      :message => /^Unescaped\ model\ attribute\ in\ l/,
+      :confidence => 1,
+      :relative_path => "app/views/home/test_link_to.html.erb"
+  end
+
  def test_escaped_parameter_in_link_to
    assert_no_warning :type => :template,
      :warning_type => "Cross Site Scripting",
@@ -1158,13 +1169,13 @@ class Rails2WithOptionsTests < Test::Unit::TestCase
      @expected ||= {
        :controller => 1,
        :model => 4,
-        :template => 43,
+        :template => 44,
        :warning => 46 }
    else
      @expected ||= {
        :controller => 1,
        :model => 4,
-        :template => 43,
+        :template => 44,
        :warning => 47 }
    end
  end