Add tests for YAML.load

7be07960 · Justin Collins · 1f2402b3 · 7be07960 · 7be07960
隐藏空白更改
内联并排

Showing with 45 addition and 2 deletion

test/apps/rails3/app/controllers/home_controller.rb test/apps/rails3/app/controllers/home_controller.rb +8 -1

test/tests/test_rails3.rb test/tests/test_rails3.rb +37 -1

未找到文件。
--- a/test/apps/rails3/app/controllers/home_controller.rb
+++ b/test/apps/rails3/app/controllers/home_controller.rb
@@ -102,7 +102,7 @@ class HomeController < ApplicationController
  end

  def test_yaml_file_access
-    #Should not warn
+    #Should not warn about access, but about remote code execution
    YAML.load "some/path/#{params[:user][:file]}"

    #Should warn
@@ -119,6 +119,13 @@ class HomeController < ApplicationController
    User.find(1).assign_attributes(params[:update])
  end

+  def test_yaml_load
+    YAML.load params[:input]
+    YAML.load some_method #No warning
+    YAML.load x(cookies[:store])
+    YAML.load User.first.bad_stuff
+  end
+
  private

  def filter_it

--- a/test/tests/test_rails3.rb
+++ b/test/tests/test_rails3.rb
@@ -15,7 +15,7 @@ class Rails3Tests < Test::Unit::TestCase
      :controller => 1,
      :model => 5,
      :template => 32,
-      :warning => 43
+      :warning => 47
    }
  end

@@ -848,4 +848,40 @@ class Rails3Tests < Test::Unit::TestCase
      :confidence => 0,
      :file => /secret_token\.rb/
  end
+
+  def test_remote_code_execution_yaml_load_params_interpolated
+    assert_warning :type => :warning,
+      :warning_type => "Remote Code Execution",
+      :line => 106,
+      :message => /^YAML\.load\ called\ with\ parameter\ value/,
+      :confidence => 0,
+      :file => /home_controller\.rb/
+  end
+
+  def test_remote_code_execution_yaml_load_params
+    assert_warning :type => :warning,
+      :warning_type => "Remote Code Execution",
+      :line => 123,
+      :message => /^YAML\.load\ called\ with\ parameter\ value/,
+      :confidence => 0,
+      :file => /home_controller\.rb/
+  end
+
+  def test_remote_code_execution_yaml_load_indirect_cookies
+    assert_warning :type => :warning,
+      :warning_type => "Remote Code Execution",
+      :line => 125,
+      :message => /^YAML\.load\ called\ with\ cookies\ value/,
+      :confidence => 1,
+      :file => /home_controller\.rb/
+  end
+
+  def test_remote_code_execution_yaml_load_model_attribue
+    assert_warning :type => :warning,
+      :warning_type => "Remote Code Execution",
+      :line => 126,
+      :message => /^YAML\.load\ called\ with\ model\ attribute/,
+      :confidence => 1,
+      :file => /home_controller\.rb/
+  end
 end