Merge pull request #605 from github/add_interp_string_lib_test

Process inner body expressions in library methods

Merge pull request #605 from github/add_interp_string_lib_test
Process inner body expressions in library methods
2738c6cf · Justin · d671c9ac · 3b4ff891 · 2738c6cf · 2738c6cf
3 changed file
--- a/lib/brakeman/processors/library_processor.rb
+++ b/lib/brakeman/processors/library_processor.rb
@@ -106,8 +106,10 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
    exp.node_type = :methdef

    if @current_class
+      exp.body = process_all! exp.body
      @current_class[:public][exp.method_name] = { :src => exp, :file => @file_name }
    elsif @current_module
+      exp.body = process_all! exp.body
      @current_module[:public][exp.method_name] = { :src => exp, :file => @file_name }
    end

@@ -119,8 +121,10 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
    exp.node_type = :selfdef

    if @current_class
+      exp.body = process_all! exp.body
      @current_class[:public][exp.method_name] = { :src => exp, :file => @file_name }
    elsif @current_module
+      exp.body = process_all! exp.body
      @current_module[:public][exp.method_name] = { :src => exp, :file => @file_name }
    end


--- a/test/apps/rails4/lib/sweet_lib.rb
+++ b/test/apps/rails4/lib/sweet_lib.rb
@@ -2,4 +2,9 @@ class SweetLib
  def do_some_cool_stuff bad
    `ls #{bad}`
  end
+
+  def test_find_group
+    #Should warn, no escaping done for :group
+    system("rm #{@bad}")
+  end
 end
--- a/test/tests/rails4.rb
+++ b/test/tests/rails4.rb
@@ -16,7 +16,7 @@ class Rails4Tests < Test::Unit::TestCase
      :controller => 0,
      :model => 1,
      :template => 2,
-      :generic => 47
+      :generic => 48
    }
  end

@@ -555,7 +555,7 @@ class Rails4Tests < Test::Unit::TestCase
  def test_command_injection_in_library
    assert_warning :type => :warning,
      :warning_code => 14,
-      :fingerprint => "9a11e7271784d69c667ad82481596096781a4873297d3f7523d290f51465f9d6",
+      :fingerprint => "21857e8872d187312a0b2470876bf6c8a8885df84c510d766f4639d95ae7cef7",
      :warning_type => "Command Injection",
      :line => 3,
      :message => /^Possible\ command\ injection/,
@@ -564,6 +564,18 @@ class Rails4Tests < Test::Unit::TestCase
      :user_input => s(:lvar, :bad)
  end

+  def test_command_injection_interpolated_string_in_library
+    assert_warning :type => :warning,
+      :warning_code => 14,
+      :fingerprint => "69855e4f6509c389b337195c00517b13b89a69773dcd1281ee3ae5577c8f2cf0",
+      :warning_type => "Command Injection",
+      :line => 8,
+      :message => /^Possible\ command\ injection/,
+      :confidence => 1,
+      :relative_path => "lib/sweet_lib.rb",
+      :user_input => s(:ivar, :@bad)
+  end
+
  def test_command_injection_from_not_skipping_before_filter
    assert_warning :type => :warning,
      :warning_code => 14,