Test for mass assign with "params ||=" in filter

0cd51835 · Justin Collins · d4de81cf · 0cd51835 · 0cd51835
隐藏空白更改
内联并排

Showing with 21 addition and 4 deletion

test/apps/rails2/app/controllers/home_controller.rb test/apps/rails2/app/controllers/home_controller.rb +10 -2

test/tests/test_rails2.rb test/tests/test_rails2.rb +11 -2

未找到文件。
--- a/test/apps/rails2/app/controllers/home_controller.rb
+++ b/test/apps/rails2/app/controllers/home_controller.rb
 class HomeController < ApplicationController
  before_filter :filter_it, :only => :test_filter
+  before_filter :or_equals, :only => :test_mass_assign_with_or_equals

-  def index
-  end
+  def index; end

  def test_params
    @name = params[:name]
@@ -123,9 +123,17 @@ class HomeController < ApplicationController
    SQL
  end

+  def test_mass_assign_with_or_equals
+    User.new(params[:still_bad])
+  end
+
  private

  def filter_it
    @filtered = params[:evil_input]
  end
+
+  def or_equals
+    params[:still_bad] ||= {}
+  end
 end
--- a/test/tests/test_rails2.rb
+++ b/test/tests/test_rails2.rb
@@ -12,13 +12,13 @@ class Rails2Tests < Test::Unit::TestCase
        :controller => 1,
        :model => 2,
        :template => 27,
-        :warning => 28 }
+        :warning => 29 }
    else
      @expected ||= {
        :controller => 1,
        :model => 2,
        :template => 27,
-        :warning => 29 }
+        :warning => 30 }
    end
  end

@@ -91,6 +91,15 @@ class Rails2Tests < Test::Unit::TestCase
      :file => /other_controller\.rb/
  end

+  def test_mass_assignment_with_or_equals_in_filter
+    assert_warning :type => :warning,
+      :warning_type => "Mass Assignment",
+      :line => 127,
+      :message => /^Unprotected\ mass\ assignment/,
+      :confidence => 0,
+      :file => /home_controller\.rb/
+  end
+
  def test_redirect
    assert_warning :type => :warning,
      :warning_type => "Redirect",