Add test for model attribute in `or` expression

7956fa06 · Justin Collins · 2f57faed · 7956fa06 · 7956fa06 · 7956fa06
3 changed file
--- a/test/apps/rails2/app/controllers/home_controller.rb
+++ b/test/apps/rails2/app/controllers/home_controller.rb
@@ -137,6 +137,8 @@ class HomeController < ApplicationController
    end

    @more_user_input = x || params[:z] || z
+
+    @user = User.find(current_user)
  end

  private

--- a/test/apps/rails2/app/views/home/test_xss_with_or.html.erb
+++ b/test/apps/rails2/app/views/home/test_xss_with_or.html.erb
@@ -5,3 +5,5 @@
 <%= @user_input %>

 <%= @more_user_input %>
+
+<%= @user.name || 'nothing dangerous' %>
--- a/test/tests/test_rails2.rb
+++ b/test/tests/test_rails2.rb
@@ -11,13 +11,13 @@ class Rails2Tests < Test::Unit::TestCase
      @expected ||= {
        :controller => 1,
        :model => 2,
-        :template => 32,
-        :warning => 31 }
+        :template => 33,
+        :warning => 31}
    else
      @expected ||= {
        :controller => 1,
        :model => 2,
-        :template => 32,
+        :template => 33,
        :warning => 32 }
    end
  end
@@ -633,6 +633,15 @@ class Rails2Tests < Test::Unit::TestCase
      :file => /test_xss_with_or\.html\.erb/
  end

+  def test_xss_with_model_in_or
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 9,
+      :message => /^Unescaped\ model\ attribute/,
+      :confidence => 0,
+      :file => /test_xss_with_or\.html\.erb/
+  end
+
  def test_cross_site_scripting_strip_tags
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",