Add tests for update_all SQLi

yubik9 · Feb 4, 2013 · 33cd485 · 33cd485
1 parent f87f873
commit 33cd485
Show file tree

Hide file tree

Showing 2 changed files with 81 additions and 1 deletion.
diff --git a/test/apps/rails3.1/app/controllers/users_controller.rb b/test/apps/rails3.1/app/controllers/users_controller.rb
@@ -135,6 +135,23 @@ def test_assign_twice
     assign_ivar
   end
 
+  def update_all_users
+    #Unsafe
+    User.update_all params[:yaysql]
+    User.update_all "name = 'Bob'", "name = '#{params[:name]}'"
+    User.update_all "old = TRUE", ["name = '#{params[:name]}' AND age > ?", params[:age]]
+    User.update_all "old = TRUE", ["name = ? AND age > ?", params[:name], params[:age]], :order => params[:order]
+
+    User.where(:name => params[:name]).update_all(params[:update])
+    User.where(:admin => true).update_all("setting = #{params[:setting]}")
+    User.where(:name => params[:name]).update_all(["active = ?, age = #{params[:age]}", params[:active]]).limit(1)
+
+    #Safe(ish)
+    User.update_all ["name = ?", params[:new_name]], ["name = ?", params[:old_name]]
+    User.update_all({:old => true}, ["name = ? AND age > ?", params[:name], params[:age]])
+    User.update_all({:admin => true}, { :name => params[:name] }, :limit => params[:limit])
+  end
+
   private
 
   def simple_helper

diff --git a/test/tests/test_rails31.rb b/test/tests/test_rails31.rb
@@ -15,7 +15,7 @@ def expected
       :model => 3,
       :template => 22,
       :controller => 1,
-      :warning => 51 }
+      :warning => 58 }
   end
 
   def test_without_protection
@@ -755,6 +755,69 @@ def test_to_sql_interpolation
       :file => /product\.rb/
   end
 
+  def test_sql_injection_update_all
+    assert_warning :type => :warning,
+      :warning_type => "SQL Injection",
+      :line => 140,
+      :message => /^Possible\ SQL\ injection/,
+      :confidence => 0,
+      :file => /users_controller\.rb/
+  end
+
+  def test_sql_injection_update_all_interpolation
+    assert_warning :type => :warning,
+      :warning_type => "SQL Injection",
+      :line => 141,
+      :message => /^Possible\ SQL\ injection/,
+      :confidence => 0,
+      :file => /users_controller\.rb/
+  end
+
+  def test_sql_injection_update_all_interp_array
+    assert_warning :type => :warning,
+      :warning_type => "SQL Injection",
+      :line => 142,
+      :message => /^Possible\ SQL\ injection/,
+      :confidence => 0,
+      :file => /users_controller\.rb/
+  end
+
+  def test_sql_injection_update_all_order_param
+    assert_warning :type => :warning,
+      :warning_type => "SQL Injection",
+      :line => 143,
+      :message => /^Possible\ SQL\ injection/,
+      :confidence => 0,
+      :file => /users_controller\.rb/
+  end
+
+  def test_sql_injection_update_all_on_where
+    assert_warning :type => :warning,
+      :warning_type => "SQL Injection",
+      :line => 145,
+      :message => /^Possible\ SQL\ injection/,
+      :confidence => 0,
+      :file => /users_controller\.rb/
+  end
+
+  def test_sql_injection_update_all_on_where_interp
+    assert_warning :type => :warning,
+      :warning_type => "SQL Injection",
+      :line => 146,
+      :message => /^Possible\ SQL\ injection/,
+      :confidence => 0,
+      :file => /users_controller\.rb/
+  end
+
+  def test_sql_injection_update_all_where_interp_array
+    assert_warning :type => :warning,
+      :warning_type => "SQL Injection",
+      :line => 147,
+      :message => /^Possible\ SQL\ injection/,
+      :confidence => 0,
+      :file => /users_controller\.rb/
+  end
+
   def test_validates_format
     assert_warning :type => :model,
       :warning_type => "Format Validation",