

Merge pull request #980 from presidentbeef/support_bare_extensions
Support bare extensions on template files
presidentbeef committed Jan 3, 2017
2 parents 3d93b06 + 54854d2 commit f54dcb8
Showing 3 changed files with 17 additions and 2 deletions.
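--- a/lib/brakeman/app_tree.rb
+++ b/lib/brakeman/app_tree.rb
@@ -101,7 +101,8 @@ def model_paths
 end
 
 def template_paths
-@template_paths ||= find_paths("app/**/views", "*.{#{VIEW_EXTENSIONS}}")
+@template_paths ||= find_paths("app/**/views", "*.{#{VIEW_EXTENSIONS}}") +
+find_paths("app/**/views", "*.{erb,haml,slim}").reject { |path| path.count(".") > 1 }
 end
 
 def layout_exists?(name)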
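Review bot: The `reject { |path| path.count(".") > 1 }` filter on the new second `find_paths` call counts dots across the whole returned path rather than the file name, so a dot anywhere in a directory component (the application root or a views subdirectory) would discard a legitimate bare-extension template, and that template would then silently fall outside the scan so its XSS checks never run. Whether `find_paths` returns absolute or app-relative paths is not visible in this hunk; if it can be absolute the problem is very likely in practice, and in either case `File.basename(path).count(".") > 1` states the intent (exactly one extension) directly. The literal `erb,haml,slim` list is also a second copy of whatever `VIEW_EXTENSIONS` enumerates (its definition is not in view), so deriving both globs from one constant would keep them from drifting apart. `template_paths` is complete within the hunk.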
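--- /dev/null
+++ b/test/apps/rails5/app/views/widget/no_html.haml
@@ -0,0 +1 @@
+%h1= params[:x].html_safe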
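--- a/test/tests/rails5.rb
+++ b/test/tests/rails5.rb
@@ -12,7 +12,7 @@ def expected
 @@expected ||= {
 :controller => 0,
 :model => 0,
-:template => 8,
+:template => 9,
 :generic => 10
 }
 end
@@ -209,6 +209,19 @@ def test_cross_site_scripting_in_layout
 :user_input => nil
 end
 
+def test_cross_site_scripting_in_template_with_no_html_extension
+assert_warning :type => :template,
+:warning_code => 2,
+:fingerprint => "dba79beeea8871929d0f5191b1df66822689d2e8cfffa4a58e45e07cb4c6ea43",
+:warning_type => "Cross Site Scripting",
+:line => 1,
+:message => /^Unescaped\ parameter\ value/,
+:confidence => 0,
+:relative_path => "app/views/widget/no_html.haml",
+:code => s(:call, s(:call, nil, :params), :[], s(:lit, :x)),
+:user_input => nil
+end
+
 def test_if_expression_in_templates
 assert_warning :type => :template,
 :warning_code => 2,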
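Review bot: The new test exercises only a bare `.haml` template, while the change it covers also admits bare `.erb` and `.slim` files, so two of the three newly scanned extensions have no regression coverage and a later change to the glob or the dot filter could drop them unnoticed. A fixture per extension, each asserted the same way as `test_cross_site_scripting_in_template_with_no_html_extension`, would pin the behaviour, with the `:template` count in `expected` raised accordingly (the `8` to `9` bump in the first hunk accounts only for the haml fixture). The assertion style of the added test matches the surrounding tests.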
