Add tests for XSS changes

4444db1b · Justin Collins · 0aed16dd · 4444db1b · 4444db1b
隐藏空白更改
内联并排

Showing with 56 addition and 1 deletion

test/apps/rails4/app/views/another/various_xss.html.erb test/apps/rails4/app/views/another/various_xss.html.erb +8 -0

test/tests/rails4.rb test/tests/rails4.rb +48 -1

未找到文件。
--- a/test/apps/rails4/app/views/another/various_xss.html.erb
+++ b/test/apps/rails4/app/views/another/various_xss.html.erb
+<%= link_to 'stuff', cool_thing_url(params[:x]) %> Don't warn
+<%= link_to 'stuff', Thing.find(params[:id]).home_url %> Warn
+<%= link_to 'stuff', Thing.find(params[:id]).home_path %> Don't warn
+<%= link_to 'other stuff', home_path(Thing.find(params[:id])) %> Don't warn
+<%= raw(x(params[:x])) %> Warn with warning code 2 not 5
+<% form_for Thing.first do |t| %>
+  <%== t.select(things, Thing.new(params[:t]).stuff) %>
+<% end %>
--- a/test/tests/rails4.rb
+++ b/test/tests/rails4.rb
@@ -13,7 +13,7 @@ class Rails4Tests < Test::Unit::TestCase
    @expected ||= {
      :controller => 0,
      :model => 2,
-      :template => 4,
+      :template => 6,
      :generic => 60
    }
  end
@@ -584,6 +584,53 @@ class Rails4Tests < Test::Unit::TestCase
      :user_input => nil
  end

+  def test_cross_site_scripting_warning_code_for_weak_xss
+    assert_warning :type => :template,
+      :warning_code => 2,
+      :warning_type => "Cross Site Scripting",
+      :line => 5,
+      :message => /^Unescaped\ parameter\ value/,
+      :confidence => 2,
+      :relative_path => "app/views/another/various_xss.html.erb",
+      :user_input => s(:call, s(:call, nil, :params), :[], s(:lit, :x))
+  end
+
+  def test_cross_site_scripting_no_warning_on_helper_methods_with_targets
+    assert_no_warning :type => :template,
+      :warning_code => 2,
+      :warning_type => "Cross Site Scripting",
+      :line => 7,
+      :message => /^Unescaped\ parameter\ value/,
+      :confidence => 2,
+      :relative_path => "app/views/another/various_xss.html.erb",
+      :user_input => s(:call, s(:call, nil, :params), :[], s(:lit, :t))
+  end
+
+  def test_cross_site_scripting_warn_on_url_methods_in_href
+    assert_warning :type => :template,
+      :warning_code => 4,
+      :fingerprint => "92d5f7afb5676d2aca85d6dc796d3606ec225c178a3727ba6a790138276a7c1c",
+      :warning_type => "Cross Site Scripting",
+      :line => 2,
+      :message => /^Unsafe\ parameter\ value\ in\ link_to\ href/,
+      :confidence => 1,
+      :relative_path => "app/views/another/various_xss.html.erb",
+      :user_input => s(:call, nil, :params)
+  end
+
+  def test_cross_site_scripting_no_warning_on_path_methods_in_href
+    assert_no_warning :type => :template,
+      :warning_code => 4,
+      :fingerprint => "75956429768c8c53ee3f9932320db67a9d2e0d6fe87431eb290156d0d31d8dba",
+      :warning_type => "Cross Site Scripting",
+      :line => 3,
+      :message => /^Unsafe\ parameter\ value\ in\ link_to\ href/,
+      :confidence => 1,
+      :relative_path => "app/views/another/various_xss.html.erb",
+      :user_input => s(:call, nil, :params)
+  end
+
+
  def test_sql_injection_in_chained_string_building
    assert_warning :type => :warning,
      :warning_code => 0,