
Change method names for sub-patterns

1 parent 3c6cd8c commit 626bf542c9358b189f4aaf2fc4975f12560eb17c @LTe committed Jun 8, 2012
@@ -6,8 +6,8 @@ module Checks
class XssFlashCheck < Check
def pattern
[
- flash_warning_assignment_from_params,
- flash_warning_assignment_from_dynamic_string
+ pattern_params,
+ pattern_dynamic_string
].join("|")
end
@@ -26,7 +26,7 @@ def include_node?(node, klass)
end
#high CWE-79 flash\[\:warning\]\s*=\s*.*params\s*\[
- def flash_warning_assignment_from_params
+ def pattern_params
<<-EOT
ElementAssignment<
arguments = ActualArguments<
@@ -48,7 +48,7 @@ def flash_warning_assignment_from_params
end
#medium CWE-79 flash\[\:warning\]\s*=\s*.*#\{
- def flash_warning_assignment_from_dynamic_string
+ def pattern_dynamic_string
<<-EOT
ElementAssignment<
arguments = ActualArguments<
@@ -5,8 +5,8 @@ module Checks
class XssLoggerCheck < Check
def pattern
[
- send_params_to_logger,
- send_dynamic_string_to_logger,
+ pattern_params,
+ pattern_dynamic_string,
].join("|")
end
@@ -17,7 +17,7 @@ def check(node)
private
#low CWE-79 logger.*params\s*\[
- def send_params_to_logger
+ def pattern_params
<<-EOT
SendWithArguments<
arguments = ActualArguments<
@@ -36,7 +36,7 @@ def send_params_to_logger
end
#low CWE-79 logger.*#\{
- def send_dynamic_string_to_logger
+ def pattern_dynamic_string
<<-EOT
SendWithArguments<
arguments = ActualArguments<
@@ -4,7 +4,7 @@ module Checks
# that are called and can mark dangerous string as safe for html.
class XssMarkCheck < Check
def pattern
- mark_as_check
+ pattern_mark_as
@dmajda
dmajda Jun 11, 2012

Do you think it makes sense for the pattern method to delegate in situations like this (when there is only one call inside)? To me it actually seems a bit useless and I'd put the pattern into the pattern method directly.

@LTe
LTe Jun 12, 2012 Owner

In the current state we can easily add a new check (just wrap it into an Array and join with "|"). I think the checks should look similar.

end
def check(node)
@@ -14,7 +14,7 @@ def check(node)
private
#info CWE-000 (mark_as_xss_protected|mark_methods_as_xss_safe)
- def mark_as_check
+ def pattern_mark_as
<<-EOT
Send<
name = :mark_as_xss_protected | :mark_methods_as_xss_safe
@@ -6,8 +6,8 @@ module Checks
class XssRenderApiCheck < Check
def pattern
[
- render_api_error_with_params,
- render_api_error_with_dynamic_string
+ pattern_params,
+ pattern_dynamic_string
].join("|")
end
@@ -26,7 +26,7 @@ def include_node?(node, klass)
end
#high CWE-79 render_api_error.*params\s*\[
- def render_api_error_with_params
+ def pattern_params
<<-EOT
SendWithArguments<
name = :render_api_error,
@@ -44,7 +44,7 @@ def render_api_error_with_params
end
#medium CWE-79 render_api_error.*#\{
- def render_api_error_with_dynamic_string
+ def pattern_dynamic_string
<<-EOT
SendWithArguments<
arguments = ActualArguments<
@@ -6,7 +6,7 @@ module Checks
# command includes unescaped input.
class XssSendCheck < Check
def pattern
- send_file_and_data
+ pattern_send
end
def check(node)
@@ -17,7 +17,7 @@ def check(node)
#medium CWE-79 send_file.*:disposition\s*=>\s*\'inline\'
#medium CWE-79 send_data.*:disposition\s*=>\s*\'inline\'
- def send_file_and_data
+ def pattern_send
<<-EOT
SendWithArguments<
name = :send_file | :send_data,
