From 750ea2da99c2b0674f184db6ef2a2c1747552779 Mon Sep 17 00:00:00 2001
From: Justin Collins
Date: Fri, 7 Feb 2014 16:45:16 -0800
Subject: [PATCH] Add more tests for HAML XSS

---
 .../app/controllers/other_controller.rb | 4 +++
 .../app/views/other/test_haml_stuff.html.haml | 4 +++
 test/tests/rails2.rb | 32 ++++++++++++++++---
 test/tests/tabs_output.rb | 4 +--
 4 files changed, 38 insertions(+), 6 deletions(-)
 create mode 100644 test/apps/rails2/app/views/other/test_haml_stuff.html.haml

diff --git a/test/apps/rails2/app/controllers/other_controller.rb b/test/apps/rails2/app/controllers/other_controller.rb
index 828f1e5f..87181ccf 100644
--- a/test/apps/rails2/app/controllers/other_controller.rb
+++ b/test/apps/rails2/app/controllers/other_controller.rb
@@ -65,4 +65,8 @@ class OtherController < ApplicationController
 render :xss_dupes, :layout => 'thing'
 end
+
+ def test_haml_stuff
+ render :locals => { :user => User.first }
+ end
 end
diff --git a/test/apps/rails2/app/views/other/test_haml_stuff.html.haml b/test/apps/rails2/app/views/other/test_haml_stuff.html.haml
new file mode 100644
index 00000000..494f5898
--- /dev/null
+++ b/test/apps/rails2/app/views/other/test_haml_stuff.html.haml
@@ -0,0 +1,4 @@
+%tr
+ %td= user.age.to_i
+ %td= user.stuff
+ %td= user.status
diff --git a/test/tests/rails2.rb b/test/tests/rails2.rb
index e7c0a194..f42c9818 100644
--- a/test/tests/rails2.rb
+++ b/test/tests/rails2.rb
@@ -11,13 +11,13 @@ class Rails2Tests < Test::Unit::TestCase
 @expected ||= {
 :controller => 1,
 :model => 3,
- :template => 45,
+ :template => 47,
 :generic => 49 }
 else
 @expected ||= {
 :controller => 1,
 :model => 3,
- :template => 45,
+ :template => 47,
 :generic => 50 }
 end
 end
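Review bot: The new view test_haml_stuff.html.haml gives no hint which of its three cells are meant to trigger warnings; rails2.rb asserts only lines 3 and 4, so `%td= user.age.to_i` on line 2 presumably stands as the negative case (the `.to_i` call yields an Integer rather than raw model data). A HAML silent comment recording that intent would help whoever next edits the fixture, but it has to go after line 4 — a comment inserted above would shift the `:line => 3` and `:line => 4` values the new tests pin. Something like `-# age.to_i is deliberately unflagged; stuff/status on lines 3-4 are the expected XSS findings` as the last line of the file keeps the asserted line numbers stable.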
@@ -1119,6 +1119,30 @@ class Rails2Tests < Test::Unit::TestCase
 :relative_path => "app/views/layouts/thing.html.erb"
 end
+ def test_cross_site_scripting_in_haml
+ assert_warning :type => :template,
+ :warning_code => 2,
+ :fingerprint => "702f9bae476402bb2614794276083849342540bd8b5e8f2fc35b15b40e9f34fc",
+ :warning_type => "Cross Site Scripting",
+ :line => 3,
+ :message => /^Unescaped\ model\ attribute/,
+ :confidence => 0,
+ :relative_path => "app/views/other/test_haml_stuff.html.haml",
+ :user_input => nil
+ end
+
+ def test_cross_site_scripting_in_haml2
+ assert_warning :type => :template,
+ :warning_code => 2,
+ :fingerprint => "79cbc87a06ad9247362be97ba4b6cc12b9619fd0f68d468b81cbed376bfbcc5c",
+ :warning_type => "Cross Site Scripting",
+ :line => 4,
+ :message => /^Unescaped\ model\ attribute/,
+ :confidence => 0,
+ :relative_path => "app/views/other/test_haml_stuff.html.haml",
+ :user_input => nil
+ end
+
+
 def test_dangerous_send_try
 assert_warning :type => :warning,
 :warning_type => "Dangerous Send",
@@ -1287,13 +1311,13 @@ class Rails2WithOptionsTests < Test::Unit::TestCase
 @expected ||= {
 :controller => 1,
 :model => 4,
- :template => 45,
+ :template => 47,
 :generic => 49 }
 else
 @expected ||= {
 :controller => 1,
 :model => 4,
- :template => 45,
+ :template => 47,
 :generic => 50 }
 end
 end
diff --git a/test/tests/tabs_output.rb b/test/tests/tabs_output.rb
index 86ed80a4..3588f88f 100644
--- a/test/tests/tabs_output.rb
+++ b/test/tests/tabs_output.rb
@@ -3,9 +3,9 @@ class TestTabsOutput < Test::Unit::TestCase
 def test_reported_warnings
 if Brakeman::Scanner::RUBY_1_9
- assert_equal 99, Report.lines.to_a.count
+ assert_equal 101, Report.lines.to_a.count
 else
- assert_equal 100, Report.lines.to_a.count
+ assert_equal 102, Report.lines.to_a.count
 end
 end
 end
-- 
GitLab
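Review bot: Neither new test asserts that line 2 of test_haml_stuff.html.haml (`user.age.to_i`) stays unflagged; that negative case is covered only indirectly by the template count moving from 45 to 47 in the other hunks, which would still pass if a spurious third warning appeared while an unrelated one disappeared. An explicit `assert_no_warning :type => :template, :line => 2, :relative_path => "app/views/other/test_haml_stuff.html.haml"` next to the two positive checks pins the intended scanner behaviour, assuming the helper is available in this test file as it is elsewhere in the suite. The two tests also differ only in `:line` and `:fingerprint`; names such as `test_cross_site_scripting_in_haml_stuff` and `test_cross_site_scripting_in_haml_status` would say which cell each one covers better than the `2` suffix does.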