Tests no warnings for primary_key and table_name_prefix

f6b4662e · Justin Collins · 8d165fb4 · f6b4662e · f6b4662e
隐藏空白更改
内联并排

Showing with 28 addition and 0 deletion

test/apps/rails3.1/app/models/user.rb test/apps/rails3.1/app/models/user.rb +4 -0

test/tests/rails31.rb test/tests/rails31.rb +24 -0

未找到文件。
--- a/test/apps/rails3.1/app/models/user.rb
+++ b/test/apps/rails3.1/app/models/user.rb
@@ -42,4 +42,8 @@ class User < ActiveRecord::Base
               " OR #{table_name}.user_id = ?",
                 stuff, stuff, user.id, user.id)
  end
+
+  def self.more_safe_stuff
+    where("#{User.primary_key} = #{table_name_prefix}a.thing")
+  end
 end
--- a/test/tests/rails31.rb
+++ b/test/tests/rails31.rb
@@ -1006,6 +1006,30 @@ class Rails31Tests < Test::Unit::TestCase
      :user_input => s(:call, nil, :child_id)
  end

+  def test_sql_injection_primary_key
+    assert_no_warning :type => :warning,
+      :warning_code => 0,
+      :fingerprint => "b9a4789e68bee09651fc948e3c78b60fb6b611a96b284eea2cb37b2ca9e83d97",
+      :warning_type => "SQL Injection",
+      :line => 47,
+      :message => /^Possible\ SQL\ injection/,
+      :confidence => 0,
+      :relative_path => "app/models/user.rb",
+      :user_input => s(:call, s(:const, :User), :primary_key)
+  end
+
+  def test_sql_injection_table_name_prefix
+    assert_no_warning :type => :warning,
+      :warning_code => 0,
+      :fingerprint => "841b2af00d0992f49b753a3a6c1118a95ec9a7519ec434d7b0613d40d9fd67fe",
+      :warning_type => "SQL Injection",
+      :line => 47,
+      :message => /^Possible\ SQL\ injection/,
+      :confidence => 1,
+      :relative_path => "app/models/user.rb",
+      :user_input => s(:call, nil, :table_name_prefix)
+  end
+
  def test_validates_format
    assert_warning :type => :model,
      :warning_type => "Format Validation",