Merge branch 'immediate_model_attribute_in_or'

Treat model attribute as immediate value in `or` expressions

Conflicts:
	lib/brakeman/checks/base_check.rb

lib/brakeman/checks/base_check.rb

@@ -352,6 +352,9 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       when :if
         ((sexp? exp.then_clause and has_immediate_model? exp.then_clause, out) or
          (sexp? exp.else_clause and has_immediate_model? exp.else_clause, out))
+      when :or
+        has_immediate_model? exp.lhs or
+        has_immediate_model? exp.rhs
       else
         false
       end

test/apps/rails2/app/controllers/home_controller.rb

@@ -137,6 +137,8 @@ class HomeController < ApplicationController
     end
 
     @more_user_input = x || params[:z] || z
+
+    @user = User.find(current_user)
   end
 
   private

test/apps/rails2/app/views/home/test_xss_with_or.html.erb

@@ -5,3 +5,5 @@
 <%= @user_input %>
 
 <%= @more_user_input %>
+
+<%= @user.name || 'nothing dangerous' %>

test/tests/test_rails2.rb

@@ -11,13 +11,13 @@ class Rails2Tests < Test::Unit::TestCase
       @expected ||= {
         :controller => 1,
         :model => 2,
-        :template => 32,
-        :warning => 31 }
+        :template => 33,
+        :warning => 31}
     else
       @expected ||= {
         :controller => 1,
         :model => 2,
-        :template => 32,
+        :template => 33,
         :warning => 32 }
     end
   end
@@ -633,6 +633,15 @@ class Rails2Tests < Test::Unit::TestCase
       :file => /test_xss_with_or\.html\.erb/
   end
 
+  def test_xss_with_model_in_or
+    assert_warning :type => :template,
+      :warning_type => "Cross Site Scripting",
+      :line => 9,
+      :message => /^Unescaped\ model\ attribute/,
+      :confidence => 0,
+      :file => /test_xss_with_or\.html\.erb/
+  end
+
   def test_cross_site_scripting_strip_tags
     assert_warning :type => :template,
       :warning_type => "Cross Site Scripting",