From b3eb0845b2cf767cdc9bafd630ca91bc48b7c090 Mon Sep 17 00:00:00 2001
From: Justin Collins
Date: Fri, 12 Jul 2013 17:17:04 -0700
Subject: [PATCH] Add tests for ignored warnings

---
 .../rails2/app/views/other/ignore_me.html.erb | 2 +
 test/apps/rails2/config/brakeman.ignore | 42 +++++++++++++++++++
 test/tests/rails2.rb | 21 ++++++++++
 3 files changed, 65 insertions(+)
 create mode 100644 test/apps/rails2/app/views/other/ignore_me.html.erb
 create mode 100644 test/apps/rails2/config/brakeman.ignore

diff --git a/test/apps/rails2/app/views/other/ignore_me.html.erb b/test/apps/rails2/app/views/other/ignore_me.html.erb
new file mode 100644
index 00000000..9750af2e
--- /dev/null
+++ b/test/apps/rails2/app/views/other/ignore_me.html.erb
@@ -0,0 +1,2 @@
+Going to ignore the warning below
+<%= User.first(:conditions => "x = #{params[:x]}").bio %>
diff --git a/test/apps/rails2/config/brakeman.ignore b/test/apps/rails2/config/brakeman.ignore
new file mode 100644
index 00000000..864bb804
--- /dev/null
+++ b/test/apps/rails2/config/brakeman.ignore
@@ -0,0 +1,42 @@
+{
+ "ignored_warnings": [
+ {
+ "warning_type": "Cross Site Scripting",
+ "warning_code": 2,
+ "fingerprint": "6300805e44167e6c3446efbd06b97206928855a2bfc6e1f3e61c097795956b13",
+ "message": "Unescaped model attribute",
+ "file": "app/views/other/ignore_me.html.erb",
+ "line": 2,
+ "link": "http://brakemanscanner.org/docs/warning_types/cross_site_scripting",
+ "code": "User.first(:conditions => (\"x = #{params[:x]}\")).bio",
+ "render_path": null,
+ "location": {
+ "type": "template",
+ "template": "other/ignore_me"
+ },
+ "user_input": null,
+ "confidence": "High",
+ "note": ""
+ },
+ {
+ "warning_type": "SQL Injection",
+ "warning_code": 0,
+ "fingerprint": "f2fa1da45eea252150f6920454822bda3ed5c83a2c376c1296a98037969dd45f",
+ "message": "Possible SQL injection",
+ "file": "app/views/other/ignore_me.html.erb",
+ "line": 2,
+ "link": "http://brakemanscanner.org/docs/warning_types/sql_injection/",
+ "code": "User.first(:conditions => (\"x = #{params[:x]}\"))",
+ "render_path": null,
+ "location": {
+ "type": "template",
+ "template": "other/ignore_me"
+ },
+ "user_input": "params[:x]",
+ "confidence": "High",
+ "note": "Ignoring for testing"
+ }
+ ],
+ "updated": "2013-07-12 16:58:59 -0700",
+ "brakeman_version": "2.0.0"
+}
diff --git a/test/tests/rails2.rb b/test/tests/rails2.rb
index 9bc8e6b7..0b0e1fa0 100644
--- a/test/tests/rails2.rb
+++ b/test/tests/rails2.rb
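Review bot: The first ignored entry (Cross Site Scripting) carries an empty `"note": ""` while the second one records `"note": "Ignoring for testing"`; a fingerprint on its own tells a later reader nothing about why a finding was suppressed, so each entry in this fixture should state its reason, e.g. `"note": "Ignoring for testing"` on the first entry too. The two `link` values also differ in their trailing slash (`cross_site_scripting` vs `sql_injection/`); if the file is pasted from scanner output that is expected, but if it was hand-edited the two should be made consistent.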
@@ -1195,6 +1195,27 @@ class Rails2Tests < Test::Unit::TestCase
 :relative_path => "app/controllers/other_controller.rb"
 end
 
+ def test_ignored_sql_warning
+ assert_no_warning :type => :template,
+ :warning_code => 0,
+ :fingerprint => "f2fa1da45eea252150f6920454822bda3ed5c83a2c376c1296a98037969dd45f",
+ :warning_type => "SQL Injection",
+ :line => 2,
+ :message => /^Possible\ SQL\ injection/,
+ :confidence => 0,
+ :relative_path => "app/views/other/ignore_me.html.erb"
+ end
+
+ def test_ignored_xss_warning
+ assert_no_warning :type => :template,
+ :warning_code => 2,
+ :fingerprint => "6300805e44167e6c3446efbd06b97206928855a2bfc6e1f3e61c097795956b13",
+ :warning_type => "Cross Site Scripting",
+ :line => 2,
+ :message => /^Unescaped\ model\ attribute/,
+ :confidence => 0,
+ :relative_path => "app/views/other/ignore_me.html.erb"
+ end
 end
 
 Rails2WithOptions = BrakemanTester.run_scan "rails2", "Rails 2", :collapse_mass_assignment => false
-- 
GitLab
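Review bot: Both `test_ignored_sql_warning` and `test_ignored_xss_warning` rely solely on `assert_no_warning`, which also passes when the matcher itself is wrong — if the `:fingerprint`, the `:message` regexp or the `:confidence` value ever drifts from what the scanner reports, nothing matches and the tests stay green even if `config/brakeman.ignore` is no longer being honored. Pair each negative assertion with a positive check: either assert that the same warning appears in the scan's collection of ignored warnings, or assert that a scan of the same app without the ignore file does report it; the accessor for ignored warnings is not visible in this hunk, so the exact call would need confirming against the test helpers. The enclosing `Rails2Tests` class begins before this hunk.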