Add test for interpolation in first argument

1c63c28d · Justin Collins · 65445789 · 1c63c28d · 1c63c28d
隐藏空白更改
内联并排

Showing with 14 addition and 1 deletion

test/apps/rails3.1/app/models/product.rb test/apps/rails3.1/app/models/product.rb +4 -0

test/tests/test_rails31.rb test/tests/test_rails31.rb +10 -1

未找到文件。
--- a/test/apps/rails3.1/app/models/product.rb
+++ b/test/apps/rails3.1/app/models/product.rb
@@ -169,4 +169,8 @@ class Product < ActiveRecord::Base
    #Should not warn
    Product.last("blah = '#{params[:id].to_f}'")
  end
+
+  def test_interpolation_in_first_arg
+    Product.where("x = #{params[:x]} AND y = ?", y)
+  end
 end
--- a/test/tests/test_rails31.rb
+++ b/test/tests/test_rails31.rb
@@ -15,7 +15,7 @@ class Rails31Tests < Test::Unit::TestCase
      :model => 0,
      :template => 4,
      :controller => 1,
-      :warning => 44 }
+      :warning => 45 }
  end

  def test_without_protection
@@ -411,6 +411,15 @@ class Rails31Tests < Test::Unit::TestCase
      :file => /product\.rb/
  end

+  def test_sql_injection_interpolation_in_first_arg
+    assert_warning :type => :warning,
+      :warning_type => "SQL Injection",
+      :line => 174,
+      :message => /^Possible\ SQL\ injection/,
+      :confidence => 0,
+      :file => /product\.rb/
+  end
+
  def test_select_vulnerability
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",