From ea011e739d1c1db6eb61caf772e844c81277afd9 Mon Sep 17 00:00:00 2001
From: Justin Collins
Date: Tue, 4 Sep 2012 15:40:44 -0700
Subject: [PATCH] Add test for user input in string interpolation because there's an error when string interpolation has more than one expression inside.
---
 .../apps/rails3.1/app/controllers/other_controller.rb | 5 +++++
 .../app/views/other/test_string_interp.html.erb | 1 +
 test/apps/rails3.1/config/routes.rb | 1 +
 test/tests/test_rails31.rb | 11 ++++++++++-
 4 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 test/apps/rails3.1/app/views/other/test_string_interp.html.erb
diff --git a/test/apps/rails3.1/app/controllers/other_controller.rb b/test/apps/rails3.1/app/controllers/other_controller.rb
index 80056020..65100ca9 100644
--- a/test/apps/rails3.1/app/controllers/other_controller.rb
+++ b/test/apps/rails3.1/app/controllers/other_controller.rb
@@ -36,4 +36,9 @@ class OtherController < ApplicationController
 @b = params[:badder!]
 render :test_partial
 end
+
+ def test_string_interp
+ @user = User.find(current_user)
+ @greeting = "Hello, #{greeted += 1; @user.name}!"
+ end
 end
diff --git a/test/apps/rails3.1/app/views/other/test_string_interp.html.erb b/test/apps/rails3.1/app/views/other/test_string_interp.html.erb
new file mode 100644
index 00000000..215d57f2
--- /dev/null
+++ b/test/apps/rails3.1/app/views/other/test_string_interp.html.erb
@@ -0,0 +1 @@
+<%= raw @greeting %>
diff --git a/test/apps/rails3.1/config/routes.rb b/test/apps/rails3.1/config/routes.rb
index 8dd8f642..1509917b 100644
--- a/test/apps/rails3.1/config/routes.rb
+++ b/test/apps/rails3.1/config/routes.rb
@@ -15,6 +15,7 @@ Rails31::Application.routes.draw do
 put 'dee', :to => :d
 get 'test_partial1'
 get 'test_partial2'
+ get 'test_string_interp'
 end
 match 'e', :to => 'other#e', :as => 'eeeee'
diff --git a/test/tests/test_rails31.rb b/test/tests/test_rails31.rb
index 710c3ee4..ee8e40e6 100644
--- a/test/tests/test_rails31.rb
+++ b/test/tests/test_rails31.rb 
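Review bot: `greeted += 1` inside the interpolation in the new `test_string_interp` action references a local that is never assigned, so if this fixture action were ever executed it would raise `NoMethodError` (`nil + 1`) before `@user.name` is reached. As a static fixture for the scanner that is harmless, but a reader will take it for a bug unless the intent is stated; a one-line comment on the method would do, e.g. `# Fixture only: two expressions in one #{} exercise the multi-expression interpolation case; never executed.` If the fixture app is also meant to stay runnable, an initialised local such as `@greeting = "Hello, #{greeted = 1; @user.name}!"` keeps the same two-expression shape without the nil arithmetic.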
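Review bot: `<%= raw @greeting %>` in the new view is a deliberately unescaped sink (the test expects a Cross Site Scripting warning on it), but nothing in the file says so, and fixture views like this get copied. An ERB comment marking it intentional, e.g. `<%# fixture: intentionally unescaped; @greeting carries a model attribute through a multi-expression interpolation %>`, would prevent that; place it after the output line so the `:line => 1` expectation in `test_rails31.rb` still holds.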
@@ -13,7 +13,7 @@ class Rails31Tests < Test::Unit::TestCase
 def expected
 @expected ||= {
 :model => 0,
- :template => 14,
+ :template => 15,
 :controller => 1,
 :warning => 48 }
 end
@@ -527,6 +527,15 @@ class Rails31Tests < Test::Unit::TestCase
 :file => /\/g\.html\.erb/
 end
+ def test_xss_multiple_exp_in_string_interpolation
+ assert_warning :type => :template,
+ :warning_type => "Cross Site Scripting",
+ :line => 1,
+ :message => /^Unescaped\ model\ attribute/,
+ :confidence => 0,
+ :file => /test_string_interp\.html\.erb/
+ end
+
 def test_cross_site_scripting_select_tag_CVE_2012_3463
 assert_warning :type => :template,
 :warning_type => "Cross Site Scripting",
-- GitLab
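Review bot: The assertion in `test_xss_multiple_exp_in_string_interpolation` pins only the warning type, line, confidence and the `Unescaped model attribute` prefix, so it would still pass if the tracker attributed the warning to the wrong expression inside the two-expression interpolation, which per the commit subject is the parsing case this test exists to guard. If the warning message names the offending attribute (I cannot confirm the exact format from here), extending the regex along the lines of `:message => /^Unescaped\ model\ attribute.*name/` would pin it to `@user.name`. A short comment above the method stating why it exists, e.g. `# Regression: interpolation containing more than one expression (other#test_string_interp)`, would also save the next reader a trip through git log. The enclosing `Rails31Tests` class starts and ends outside this hunk.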