Merge branch 'user_input_in_or_is_immediate'

03be9d0b · Justin Collins · 6a5f9cb0 · 6ecdcef8 · 03be9d0b · 03be9d0b
4 changed file
--- a/lib/brakeman/checks/base_check.rb
+++ b/lib/brakeman/checks/base_check.rb
@@ -296,6 +296,9 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
      when :if
        (sexp? exp[2] and has_immediate_user_input? exp[2]) or 
        (sexp? exp[3] and has_immediate_user_input? exp[3])
+      when :or
+        has_immediate_user_input? exp[1] or
+        has_immediate_user_input? exp[2]
      else
        false
      end

--- a/test/apps/rails2/app/controllers/home_controller.rb
+++ b/test/apps/rails2/app/controllers/home_controller.rb
@@ -127,6 +127,18 @@ class HomeController < ApplicationController
    User.new(params[:still_bad])
  end

+  def test_xss_with_or
+    @params_or_something = params[:x] || something
+
+    if some_condition
+      @user_input = true
+    else
+      @user_input = params[:y]
+    end
+
+    @more_user_input = x || params[:z] || z
+  end
+
  private

  def filter_it

--- a/test/apps/rails2/app/views/home/test_xss_with_or.html.erb
+++ b/test/apps/rails2/app/views/home/test_xss_with_or.html.erb
+<%= params[:x] || nil %>
+
+<%= @params_or_something %>
+
+<%= @user_input %>
+
+<%= @more_user_input %>
--- a/test/tests/test_rails2.rb
+++ b/test/tests/test_rails2.rb
@@ -11,13 +11,13 @@ class Rails2Tests < Test::Unit::TestCase
      @expected ||= {
        :controller => 1,
        :model => 2,
-        :template => 27,
+        :template => 31,
        :warning => 29 }
    else
      @expected ||= {
        :controller => 1,
        :model => 2,
-        :template => 27,
+        :template => 31,
        :warning => 30 }
    end
  end
@@ -593,6 +593,42 @@ class Rails2Tests < Test::Unit::TestCase
      :file => /home\/test_render_template\.html\.haml/
  end

+  def test_xss_with_or_in_view
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 1,
+      :message => /^Unescaped\ parameter\ value/,
+      :confidence => 0,
+      :file => /test_xss_with_or\.html\.erb/
+  end
+
+  def test_xss_with_or_from_action
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 3,
+      :message => /^Unescaped\ parameter\ value/,
+      :confidence => 0,
+      :file => /test_xss_with_or\.html\.erb/
+  end
+
+  def test_xss_with_or_from_if_branches
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 5,
+      :message => /^Unescaped\ parameter\ value/,
+      :confidence => 0,
+      :file => /test_xss_with_or\.html\.erb/
+  end
+
+  def test_xss_with_nested_or
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 7,
+      :message => /^Unescaped\ parameter\ value/,
+      :confidence => 0,
+      :file => /test_xss_with_or\.html\.erb/
+  end
+
  def test_check_send
    assert_warning :type => :warning,
      :warning_type => "Dangerous Send",