Merge branch 'master' into use_call_indexing

6687214e · Justin Collins · f63f5301 · 4b41b1ae · 6687214e · 6687214e
隐藏空白更改
内联并排

Showing with 15 addition and 2 deletion

test/apps/rails2/app/controllers/home_controller.rb test/apps/rails2/app/controllers/home_controller.rb +4 -0

test/tests/test_rails2.rb test/tests/test_rails2.rb +11 -2

未找到文件。
--- a/test/apps/rails2/app/controllers/home_controller.rb
+++ b/test/apps/rails2/app/controllers/home_controller.rb
@@ -69,6 +69,10 @@ class HomeController < ApplicationController
    redirect_to url 
  end

+  def test_sql_nested
+    User.humans.alive.find(:all, :conditions => "age > #{params[:age]}")
+  end
+
  private

  def filter_it

--- a/test/tests/test_rails2.rb
+++ b/test/tests/test_rails2.rb
@@ -12,13 +12,13 @@ class Rails2Tests < Test::Unit::TestCase
        :controller => 1,
        :model => 2,
        :template => 15,
-        :warning => 17 }
+        :warning => 18 }
    else
      @expected ||= {
        :controller => 1,
        :model => 2,
        :template => 15,
-        :warning => 18 }
+        :warning => 19 }
    end
  end

@@ -316,6 +316,15 @@ class Rails2Tests < Test::Unit::TestCase
      :file => /test_sql\.html\.erb/
  end

+  def test_sql_injection_call_chain
+    assert_warning :type => :warning,
+      :warning_type => "SQL Injection",
+      :line => 73,
+      :message => /^Possible SQL injection near line 73: User.humans.alive.find/,
+      :confidence => 0,
+      :file => /home_controller\.rb/ 
+  end
+
  def test_escape_once
    results = find :type => :template,
      :warning_type => "Cross Site Scripting",