
Add tests for YAML.load

1 parent 1f2402b commit 7be079605f0e38ff0a24abe3019bf54ce9c33ac8 @presidentbeef committed Jan 19, 2013
Showing with 45 additions and 2 deletions.
  1. +8 −1 test/apps/rails3/app/controllers/home_controller.rb
  2. +37 −1 test/tests/test_rails3.rb
@@ -102,7 +102,7 @@ def test_content_tag
end
def test_yaml_file_access
- #Should not warn
+ #Should not warn about access, but about remote code execution
YAML.load "some/path/#{params[:user][:file]}"
#Should warn
@@ -119,6 +119,13 @@ def test_more_mass_assignment_methods
User.find(1).assign_attributes(params[:update])
end
+ def test_yaml_load
+ YAML.load params[:input]
+ YAML.load some_method #No warning
+ YAML.load x(cookies[:store])
+ YAML.load User.first.bad_stuff
+ end
+
private
def filter_it
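Review bot: The new fixture method test_yaml_load documents only one of its four calls (`YAML.load some_method #No warning`), while the other three are pinned by line number (123, 125, 126) in the assertions added to test_rails3.rb, so a reader editing this controller has no local hint that inserting a line above them breaks those tests. A one-line comment on each call stating the expected outcome would make that coupling visible, e.g. `YAML.load params[:input] #Should warn: remote code execution (line checked in test_rails3.rb)` and the same pattern for the cookies and model-attribute lines. The `#Should warn` comment at the end of the first hunk refers to a line outside the hunk, and the enclosing controller class continues past both hunks.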
@@ -15,7 +15,7 @@ def expected
:controller => 1,
:model => 5,
:template => 32,
- :warning => 43
+ :warning => 47
}
end
@@ -848,4 +848,40 @@ def test_session_secret_token
:confidence => 0,
:file => /secret_token\.rb/
end
+
+ def test_remote_code_execution_yaml_load_params_interpolated
+ assert_warning :type => :warning,
+ :warning_type => "Remote Code Execution",
+ :line => 106,
+ :message => /^YAML\.load\ called\ with\ parameter\ value/,
+ :confidence => 0,
+ :file => /home_controller\.rb/
+ end
+
+ def test_remote_code_execution_yaml_load_params
+ assert_warning :type => :warning,
+ :warning_type => "Remote Code Execution",
+ :line => 123,
+ :message => /^YAML\.load\ called\ with\ parameter\ value/,
+ :confidence => 0,
+ :file => /home_controller\.rb/
+ end
+
+ def test_remote_code_execution_yaml_load_indirect_cookies
+ assert_warning :type => :warning,
+ :warning_type => "Remote Code Execution",
+ :line => 125,
+ :message => /^YAML\.load\ called\ with\ cookies\ value/,
+ :confidence => 1,
+ :file => /home_controller\.rb/
+ end
+
+ def test_remote_code_execution_yaml_load_model_attribue
+ assert_warning :type => :warning,
+ :warning_type => "Remote Code Execution",
+ :line => 126,
+ :message => /^YAML\.load\ called\ with\ model\ attribute/,
+ :confidence => 1,
+ :file => /home_controller\.rb/
+ end
end
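Review bot: The test added last in this section is named `test_remote_code_execution_yaml_load_model_attribue`; the final word should be `model_attribute` to match the "model attribute" wording in the message regex it asserts. Separately, the fixture's `YAML.load some_method #No warning` call (controller line 124, between the calls asserted at 123 and 125) has no assertion of its own; it is only covered indirectly by the `:warning => 47` total in the earlier hunk, so a regression into a false positive on that line would surface only as an unexplained count mismatch. If the test helper provides a negative counterpart to assert_warning, a dedicated check such as `assert_no_warning :type => :warning, :warning_type => "Remote Code Execution", :line => 124, :file => /home_controller\.rb/` would keep that case pinned; the helper is not visible here, so confirm its name before adding it.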
