From 1c63c28dad0eee528ee3f5eb75548df00555090a Mon Sep 17 00:00:00 2001
From: Justin Collins
Date: Thu, 19 Jul 2012 22:16:16 -0700
Subject: [PATCH] Add test for interpolation in first argument

---
 test/apps/rails3.1/app/models/product.rb | 4 ++++
 test/tests/test_rails31.rb | 11 ++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/test/apps/rails3.1/app/models/product.rb b/test/apps/rails3.1/app/models/product.rb
index c879ee1e..e8755435 100644
--- a/test/apps/rails3.1/app/models/product.rb
+++ b/test/apps/rails3.1/app/models/product.rb
@@ -169,4 +169,8 @@ class Product < ActiveRecord::Base
 #Should not warn
 Product.last("blah = '#{params[:id].to_f}'")
 end
+
+ def test_interpolation_in_first_arg
+ Product.where("x = #{params[:x]} AND y = ?", y)
+ end
 end
diff --git a/test/tests/test_rails31.rb b/test/tests/test_rails31.rb
index c3deaea2..3ea95faf 100644
--- a/test/tests/test_rails31.rb
+++ b/test/tests/test_rails31.rb
@@ -15,7 +15,7 @@ class Rails31Tests < Test::Unit::TestCase
 :model => 0,
 :template => 4,
 :controller => 1,
- :warning => 44 }
+ :warning => 45 }
 end
 
 def test_without_protection
@@ -411,6 +411,15 @@ class Rails31Tests < Test::Unit::TestCase
 :file => /product\.rb/
 end
 
+ def test_sql_injection_interpolation_in_first_arg
+ assert_warning :type => :warning,
+ :warning_type => "SQL Injection",
+ :line => 174,
+ :message => /^Possible\ SQL\ injection/,
+ :confidence => 0,
+ :file => /product\.rb/
+ end
+
 def test_select_vulnerability
 assert_warning :type => :template,
 :warning_type => "Cross Site Scripting",
--
GitLab
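Review bot: The new fixture method `test_interpolation_in_first_arg` carries no expectation comment, while the neighbouring fixture in the same hunk is annotated `#Should not warn`. Add `#Should warn` above the `def` so the intent is readable without opening test_rails31.rb: the `?` placeholder binds only `y`, and `params[:x]` is still interpolated straight into the SQL fragment, which is exactly the case the companion test asserts at line 174. The enclosing `class Product` starts outside the hunk.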
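Review bot: `:line => 174` in `test_sql_injection_interpolation_in_first_arg` couples the assertion to the exact position of the `Product.where` call in the product.rb fixture; any later insertion above that line in the fixture shifts it and the test fails without saying why. A short comment on that line, `:line => 174, # Product.where in test_interpolation_in_first_arg`, makes the coupling explicit for whoever next edits the fixture. The enclosing `class Rails31Tests` continues outside the hunk.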