提交 1c63c28d 编写于 作者: J Justin Collins

Add test for interpolation in first argument

上级 65445789
...@@ -169,4 +169,8 @@ class Product < ActiveRecord::Base ...@@ -169,4 +169,8 @@ class Product < ActiveRecord::Base
#Should not warn #Should not warn
Product.last("blah = '#{params[:id].to_f}'") Product.last("blah = '#{params[:id].to_f}'")
end end
def test_interpolation_in_first_arg
Product.where("x = #{params[:x]} AND y = ?", y)
end
end end
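Review bot: The new fixture method test_interpolation_in_first_arg carries no expectation comment, whereas the sibling fixture just above it is labelled `#Should not warn`; since this method exists precisely to be flagged, a comment stating that — and why — keeps the fixture readable without opening the test file. Because the rails31 test pins the warning to line 174 (the `Product.where` line under this hunk's header), a comment line inserted above the method would shift that number, so put it on the definition line instead: `def test_interpolation_in_first_arg #Should warn: params[:x] is interpolated into the SQL string, y is bound with ?`. The enclosing Product class starts outside the hunk.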
...@@ -15,7 +15,7 @@ class Rails31Tests < Test::Unit::TestCase ...@@ -15,7 +15,7 @@ class Rails31Tests < Test::Unit::TestCase
:model => 0, :model => 0,
:template => 4, :template => 4,
:controller => 1, :controller => 1,
:warning => 44 } :warning => 45 }
end end
def test_without_protection def test_without_protection
...@@ -411,6 +411,15 @@ class Rails31Tests < Test::Unit::TestCase ...@@ -411,6 +411,15 @@ class Rails31Tests < Test::Unit::TestCase
:file => /product\.rb/ :file => /product\.rb/
end end
def test_sql_injection_interpolation_in_first_arg
assert_warning :type => :warning,
:warning_type => "SQL Injection",
:line => 174,
:message => /^Possible\ SQL\ injection/,
:confidence => 0,
:file => /product\.rb/
end
def test_select_vulnerability def test_select_vulnerability
assert_warning :type => :template, assert_warning :type => :template,
:warning_type => "Cross Site Scripting", :warning_type => "Cross Site Scripting",
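Review bot: The assertion in test_sql_injection_interpolation_in_first_arg pins `:line => 174` but its `:message` regex only checks the `Possible SQL injection` prefix, so it would also pass if the scanner flagged the `?`-bound `y` instead of the interpolated `params[:x]`. If the warning text includes the offending code (it appears to, but I cannot confirm from this page), a tighter pattern such as `:message => /^Possible\ SQL\ injection.*params\[:x\]/` would pin the actual finding. The hard-coded line number couples this test to the layout of the product.rb fixture; a comment like `# 174 = the Product.where line in the product.rb fixture` beside it would save the next maintainer a lookup. The enclosing Rails31Tests class starts and ends outside the hunk.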