Avoid duplicate eval() warnings #670

Merged: 1 commit, merged Jun 27, 2015 (+31 −1)

Changes from all commits:
@@ -20,6 +20,9 @@ def run_check

#Warns if eval includes user input
def process_result result
return if duplicate? result or result[:call].original_line
add_result result

if input = include_user_input?(result[:call].arglist)
warn :result => result,
:warning_type => "Dangerous Eval",
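Review bot: the early `return` now runs before the user-input check, so `add_result result` records every eval call that reaches `process_result`, not only the ones that produce a warning; that is what makes `duplicate?` catch the second copy, but the comment above the method (`#Warns if eval includes user input`) no longer describes what it does, and the `original_line` check drops the template-side copy unconditionally, whether or not the controller-side result was reported. Spell both out in the comment, and for readability write the guard as `return if duplicate?(result) || result[:call].original_line` so the method call and the boolean are visibly separate.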
@@ -83,4 +83,8 @@ def open_stuff
open("#{params[:x]}/something/something") # remote code execution warning
open("some_path/#{params[:x]}/something/something") # file access warning
end

def eval_it
@x = eval(params[:x])
end
end
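Review bot: the neighbouring fixture lines in `open_stuff` annotate the warning each one is expected to produce (`# remote code execution warning`, `# file access warning`); give `@x = eval(params[:x])` the same treatment, e.g. `# dangerous eval warning (controller only; template copy must be suppressed)`, since the test below depends on this line staying at line 88 and on the view not reporting it.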
@@ -0,0 +1 @@
<%= @x %>
@@ -14,7 +14,7 @@ def expected
:controller => 0,
:model => 2,
:template => 4,
:generic => 59
:generic => 60
}
end
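Review bot: the `:generic` count goes from 59 to 60 while `:template` stays at 4, and that unchanged template count is the only place the suite asserts that the duplicate eval warning is really gone; say so in the commit message or a comment here so that a future bump of `:template` to 5 is recognised as a regression rather than an expected count change.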

@@ -1022,6 +1022,28 @@ def test_before_filter_block
:user_input => s(:call, s(:call, nil, :params), :[], s(:lit, :x))
end

def test_eval_duplicates
assert_warning :type => :warning,
:warning_code => 13,
:fingerprint => "33067304aaa21c6a874fed3b9bb0084cb66b607cc620065cb8ab06a640d3ab14",
:warning_type => "Dangerous Eval",
:line => 88,
:message => /^User\ input\ in\ eval/,
:confidence => 0,
:relative_path => "app/controllers/users_controller.rb",
:user_input => s(:call, s(:params), :[], s(:lit, :x))

assert_no_warning :type => :template,
:warning_code => 13,
:fingerprint => "dc94bedbdf82991d7a356de94650325c256c5876227480b3b98e24aadaab1fd5",
:warning_type => "Dangerous Eval",
:line => 1,
:message => /^User\ input\ in\ eval/,
:confidence => 0,
:relative_path => "app/views/users/eval_it.html.erb",
:user_input => s(:call, s(:params), :[], s(:lit, :x))
end

def test_cross_site_request_forgery_setting_in_api_controller
assert_no_warning :type => :controller,
:warning_code => 7,
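Review bot: the `assert_no_warning` in `test_eval_duplicates` pins every field, including a fingerprint and `:line => 1`, which means it passes as soon as any one field differs (a changed fingerprint, a shifted line) and so does not actually prove the template duplicate is suppressed; narrow it to the fields that identify the class of warning, e.g. `:type => :template, :warning_code => 13, :relative_path => "app/views/users/eval_it.html.erb"`, and drop the fingerprint. Also confirm the `:user_input` shape: this test uses `s(:call, s(:params), :[], s(:lit, :x))` while the preceding `test_before_filter_block` expects `s(:call, s(:call, nil, :params), :[], s(:lit, :x))` for the same `params[:x]` expression.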