Merge branch 'handle_render_template'

b334d35f · Justin Collins · 69ddd66d · 90da34c7 · b334d35f · b334d35f
5 changed file
--- a/lib/brakeman/processors/base_processor.rb
+++ b/lib/brakeman/processors/base_processor.rb
@@ -251,7 +251,7 @@ class Brakeman::BaseProcessor < SexpProcessor
      value = args[1]
    end

-    types_in_hash = Set[:action, :file, :inline, :js, :json, :nothing, :partial, :text, :update, :xml]
+    types_in_hash = Set[:action, :file, :inline, :js, :json, :nothing, :partial, :template, :text, :update, :xml]

    #render :layout => "blah" means something else when in a template
    if in_view

--- a/lib/brakeman/processors/lib/render_helper.rb
+++ b/lib/brakeman/processors/lib/render_helper.rb
@@ -8,7 +8,7 @@ module Brakeman::RenderHelper
    process_default exp
    @rendered = true
    case exp[1]
-    when :action
+    when :action, :template
      process_action exp[2][1], exp[3]
    when :default
      begin

--- a/test/apps/rails2/app/controllers/other_controller.rb
+++ b/test/apps/rails2/app/controllers/other_controller.rb
@@ -25,4 +25,10 @@ class OtherController < ApplicationController
    @user = User.first
    @user.update_attribute(:attr, params[:attr])
  end
+
+  def test_render_template
+    @something_bad = params[:bad]
+
+    render :template => 'home/test_render_template'
+  end
 end
--- a/test/apps/rails2/app/views/home/test_render_template.html.haml
+++ b/test/apps/rails2/app/views/home/test_render_template.html.haml
+= @something_bad
--- a/test/tests/test_rails2.rb
+++ b/test/tests/test_rails2.rb
@@ -11,13 +11,13 @@ class Rails2Tests < Test::Unit::TestCase
      @expected ||= {
        :controller => 1,
        :model => 2,
-        :template => 26,
+        :template => 27,
        :warning => 25 }
    else
      @expected ||= {
        :controller => 1,
        :model => 2,
-        :template => 26,
+        :template => 27,
        :warning => 26 }
    end
  end
@@ -541,6 +541,15 @@ class Rails2Tests < Test::Unit::TestCase
      :file => /not_used\.html\.erb/
  end

+  def test_explicit_render_template
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 2,
+      :message => /^Unescaped parameter value near line 2: params\[:ba/,
+      :confidence => 0,
+      :file => /home\/test_render_template\.html\.haml/
+  end
+
  def test_check_send
    assert_warning :type => :warning,
      :warning_type => "Dangerous Send",