Merge branch 'select_warning_in_rails2'

Conflicts: lib/brakeman/checks/check_cross_site_scripting.rb

Merge branch 'select_warning_in_rails2'
Conflicts: lib/brakeman/checks/check_cross_site_scripting.rb
cc66c44c · Justin Collins · a2fdd0fc · b9bc807f · cc66c44c · cc66c44c
3 changed file
--- a/lib/brakeman/checks/check_cross_site_scripting.rb
+++ b/lib/brakeman/checks/check_cross_site_scripting.rb
@@ -38,7 +38,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
    @ignore_methods = Set[:button_to, :check_box, :content_tag, :escapeHTML, :escape_once,
                           :field_field, :fields_for, :h, :hidden_field,
                           :hidden_field, :hidden_field_tag, :image_tag, :label,
-                           :link_to, :mail_to, :radio_button,
+                           :link_to, :mail_to, :radio_button, :select,
                           :submit_tag, :text_area, :text_field,
                           :text_field_tag, :url_encode, :url_for,
                           :will_paginate].merge tracker.options[:safe_methods]
@@ -58,10 +58,6 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
      @known_dangerous << :strip_tags
    end

-    if tracker.options[:rails3]
-      @ignore_methods << :select
-    end
-
    tracker.each_template do |name, template|
      @current_template = template
      template[:outputs].each do |out|

--- a/lib/brakeman/checks/check_select_vulnerability.rb
+++ b/lib/brakeman/checks/check_select_vulnerability.rb
@@ -5,7 +5,7 @@ require 'brakeman/checks/base_check'
 class Brakeman::CheckSelectVulnerability < Brakeman::BaseCheck
  Brakeman::Checks.add self

-  @description = "Looks for unsafe uses of select() helper in some versions of Rails 3.x"
+  @description = "Looks for unsafe uses of select() helper"

  def run_check

@@ -15,6 +15,8 @@ class Brakeman::CheckSelectVulnerability < Brakeman::BaseCheck
      suggested_version = "3.1.4"
    elsif version_between? "3.2.0", "3.2.1"
      suggested_version = "3.2.2"
+    elsif version_between? "2.0.0", "3.0.0"
+      suggested_version = "3 or use options_for_select"
    else
      return
    end

--- a/test/tests/test_rails2.rb
+++ b/test/tests/test_rails2.rb
@@ -582,9 +582,9 @@ class Rails2Tests < Test::Unit::TestCase
  def test_select_vulnerability
    assert_warning :type => :template,
      :warning_type => "Cross Site Scripting",
-      :line => 1,
-      :message => "Unescaped parameter value near line 1: params[:blah]",
-      :confidence => 0,
+      :line => 3,
+      :message => /^Upgrade\ to\ Rails\ 3\ or\ use\ options_for_se/,
+      :confidence => 1,
      :file => /not_used\.html\.erb/
  end