CheckSQL: Add test for merge_conditions

which does not appear to be in Rails 3

CheckSQL: Add test for merge_conditions
which does not appear to be in Rails 3
c0a92e5a · Justin Collins · dac47f51 · c0a92e5a · c0a92e5a
隐藏空白更改
内联并排

Showing with 16 addition and 0 deletion

test/apps/rails2/app/models/user.rb test/apps/rails2/app/models/user.rb +7 -0

test/tests/test_rails2.rb test/tests/test_rails2.rb +9 -0

未找到文件。
--- a/test/apps/rails2/app/models/user.rb
+++ b/test/apps/rails2/app/models/user.rb
@@ -14,4 +14,11 @@ class User < ActiveRecord::Base
  def get_something x
    self.find(:all, :conditions => "where blah = #{x}")
  end
+
+  def test_merge_conditions
+    #Should not warn
+    User.find(:all, :conditions => merge_conditions(some_conditions))
+    User.find(:all, :conditions => self.merge_conditions(some_conditions))
+    find(:all, :conditions => User.merge_conditions(some_conditions))
+  end
 end
--- a/test/tests/test_rails2.rb
+++ b/test/tests/test_rails2.rb
@@ -474,6 +474,15 @@ class Rails2Tests < Test::Unit::TestCase
      :file => /home_controller\.rb/ 
  end

+  def test_sql_injection_merge_conditions
+    assert_no_warning :type => :warning,
+      :warning_type => "SQL Injection",
+      :line => 22,
+      :message => /^Possible SQL injection near line 22: find/,
+      :confidence => 0,
+      :file => /user\.rb/
+  end
+
  def test_escape_once
    results = find :type => :template,
      :warning_type => "Cross Site Scripting",