tests

alexrford · alexrford · commit e403fc77d3c2 · 2021-08-24T17:21:22.000+01:00
diff --git a/ql/test/library-tests/frameworks/ActionController.expected b/ql/test/library-tests/frameworks/ActionController.expected
@@ -2,11 +2,15 @@ actionControllerControllerClasses
 | ActiveRecordInjection.rb:27:1:58:3 | FooController |
 | ActiveRecordInjection.rb:60:1:90:3 | BarController |
 | ActiveRecordInjection.rb:92:1:96:3 | BazController |
+| app/controllers/foo/bars_controller.rb:1:1:20:3 | BarsController |
 actionControllerActionMethods
 | ActiveRecordInjection.rb:32:3:57:5 | some_request_handler |
 | ActiveRecordInjection.rb:61:3:69:5 | some_other_request_handler |
 | ActiveRecordInjection.rb:71:3:89:5 | safe_paths |
 | ActiveRecordInjection.rb:93:3:95:5 | yet_another_handler |
+| app/controllers/foo/bars_controller.rb:3:3:5:5 | index |
+| app/controllers/foo/bars_controller.rb:7:3:13:5 | show_debug |
+| app/controllers/foo/bars_controller.rb:15:3:19:5 | show |
 paramsCalls
 | ActiveRecordInjection.rb:35:30:35:35 | call to params |
 | ActiveRecordInjection.rb:39:30:39:35 | call to params |
@@ -21,6 +25,11 @@ paramsCalls
 | ActiveRecordInjection.rb:83:12:83:17 | call to params |
 | ActiveRecordInjection.rb:88:15:88:20 | call to params |
 | ActiveRecordInjection.rb:94:22:94:27 | call to params |
+| app/controllers/foo/bars_controller.rb:8:21:8:26 | call to params |
+| app/controllers/foo/bars_controller.rb:9:10:9:15 | call to params |
+| app/controllers/foo/bars_controller.rb:16:21:16:26 | call to params |
+| app/controllers/foo/bars_controller.rb:17:10:17:15 | call to params |
+| app/views/foo/bars/show.html.erb:5:9:5:14 | call to params |
 paramsSources
 | ActiveRecordInjection.rb:35:30:35:35 | call to params |
 | ActiveRecordInjection.rb:39:30:39:35 | call to params |
@@ -35,6 +44,14 @@ paramsSources
 | ActiveRecordInjection.rb:83:12:83:17 | call to params |
 | ActiveRecordInjection.rb:88:15:88:20 | call to params |
 | ActiveRecordInjection.rb:94:22:94:27 | call to params |
+| app/controllers/foo/bars_controller.rb:8:21:8:26 | call to params |
+| app/controllers/foo/bars_controller.rb:9:10:9:15 | call to params |
+| app/controllers/foo/bars_controller.rb:16:21:16:26 | call to params |
+| app/controllers/foo/bars_controller.rb:17:10:17:15 | call to params |
+| app/views/foo/bars/show.html.erb:5:9:5:14 | call to params |
 redirectToCalls
-responseBodySetterCalls
+| app/controllers/foo/bars_controller.rb:12:5:12:30 | call to redirect_to |
 actionControllerHelperMethods
+getAssociatedControllerClasses
+| app/controllers/foo/bars_controller.rb:1:1:20:3 | BarsController | app/views/foo/bars/_widget.html.erb:0:0:0:0 | app/views/foo/bars/_widget.html.erb |
+| app/controllers/foo/bars_controller.rb:1:1:20:3 | BarsController | app/views/foo/bars/show.html.erb:0:0:0:0 | app/views/foo/bars/show.html.erb |
diff --git a/ql/test/library-tests/frameworks/ActionController.ql b/ql/test/library-tests/frameworks/ActionController.ql
@@ -1,9 +1,19 @@
-import codeql_ruby.frameworks.ActionController
+private import ruby
+private import codeql_ruby.frameworks.ActionController
+private import codeql_ruby.frameworks.ActionView
 
 query predicate actionControllerControllerClasses(ActionControllerControllerClass cls) { any() }
+
 query predicate actionControllerActionMethods(ActionControllerActionMethod m) { any() }
+
 query predicate paramsCalls(ParamsCall c) { any() }
+
 query predicate paramsSources(ParamsSource src) { any() }
+
 query predicate redirectToCalls(RedirectToCall c) { any() }
-query predicate responseBodySetterCalls(ResponseBodySetterCall c) { any() }
-query predicate actionControllerHelperMethods(ActionControllerHelperMethod m) { any() }
+
+query predicate actionControllerHelperMethods(ActionControllerHelperMethod m) { any() }
+
+query predicate getAssociatedControllerClasses(ActionControllerControllerClass cls, ErbFile f) {
+  cls = getAssociatedControllerClass(f)
+}
diff --git a/ql/test/library-tests/frameworks/ActionView.expected b/ql/test/library-tests/frameworks/ActionView.expected
@@ -0,0 +1,23 @@
+htmlSafeCalls
+| app/views/foo/bars/show.html.erb:23:3:23:25 | call to html_safe |
+| app/views/foo/bars/show.html.erb:27:3:27:25 | call to html_safe |
+rawCalls
+| app/views/foo/bars/_widget.html.erb:1:5:1:21 | call to raw |
+| app/views/foo/bars/_widget.html.erb:2:5:2:20 | call to raw |
+| app/views/foo/bars/_widget.html.erb:3:5:3:29 | call to raw |
+| app/views/foo/bars/show.html.erb:1:14:1:29 | call to raw |
+| app/views/foo/bars/show.html.erb:2:5:2:21 | call to raw |
+| app/views/foo/bars/show.html.erb:3:5:3:20 | call to raw |
+| app/views/foo/bars/show.html.erb:4:5:4:29 | call to raw |
+| app/views/foo/bars/show.html.erb:5:5:5:21 | call to raw |
+| app/views/foo/bars/show.html.erb:7:5:7:19 | call to raw |
+renderCalls
+| app/controllers/foo/bars_controller.rb:4:5:4:37 | call to render |
+| app/controllers/foo/bars_controller.rb:18:5:18:76 | call to render |
+| app/views/foo/bars/show.html.erb:31:5:31:89 | call to render |
+renderToCalls
+| app/controllers/foo/bars_controller.rb:10:16:10:97 | call to render_to_string |
+viewComponentClasses
+| app/components/DummyComponent.rb:1:1:2:3 | DummyComponent |
+linkToCalls
+| app/views/foo/bars/show.html.erb:33:5:33:41 | call to link_to |
diff --git a/ql/test/library-tests/frameworks/ActionView.ql b/ql/test/library-tests/frameworks/ActionView.ql
@@ -0,0 +1,14 @@
+import codeql_ruby.frameworks.ActionController
+import codeql_ruby.frameworks.ActionView
+
+query predicate htmlSafeCalls(HtmlSafeCall c) { any() }
+
+query predicate rawCalls(RawCall c) { any() }
+
+query predicate renderCalls(RenderCall c) { any() }
+
+query predicate renderToCalls(RenderToCall c) { any() }
+
+query predicate viewComponentClasses(ViewComponentClass cls) { any() }
+
+query predicate linkToCalls(LinkToCall c) { any() }
diff --git a/ql/test/library-tests/frameworks/app/components/DummyComponent.rb b/ql/test/library-tests/frameworks/app/components/DummyComponent.rb
@@ -0,0 +1,2 @@
+class DummyComponent < ViewComponent::Base
+end
diff --git a/ql/test/library-tests/frameworks/app/controllers/foo/bars_controller.rb b/ql/test/library-tests/frameworks/app/controllers/foo/bars_controller.rb
@@ -0,0 +1,20 @@
+class BarsController < ApplicationController
+
+  def index
+    render template: "foo/bars/index"
+  end
+
+  def show_debug
+    @user_website = params[:website]
+    dt = params[:text]
+    rendered = render_to_string "foo/bars/show", locals: { display_text: dt, safe_text: "hello" }
+    puts rendered
+    redirect_to action: "show"
+  end
+
+  def show
+    @user_website = params[:website]
+    dt = params[:text]
+    render "foo/bars/show", locals: { display_text: dt, safe_text: "hello" }
+  end
+end
diff --git a/ql/test/library-tests/frameworks/app/views/foo/bars/_widget.html.erb b/ql/test/library-tests/frameworks/app/views/foo/bars/_widget.html.erb
@@ -0,0 +1,4 @@
+<%= raw @display_text %>
+<%= raw display_text %>
+<%= raw locals[:display_text] %>
+<%= @display_text %>
diff --git a/ql/test/library-tests/frameworks/app/views/foo/bars/show.html.erb b/ql/test/library-tests/frameworks/app/views/foo/bars/show.html.erb
@@ -0,0 +1,33 @@
+<a href="<%= raw user_website %>">website</a>
+<%= raw @display_text %>
+<%= raw display_text %>
+<%= raw locals[:display_text] %>
+<%= raw params[:text] %>
+<% key = :display_text %>
+<%= raw locals[key] %>
+
+<ul>
+<% key = [:display_text, :safe_text] do
+  <li><%= raw locals[key] %></li>
+<% end %>
+</ul>
+
+<%= @display_text %>
+
+<%=
+  full_text = prefix + locals[:display_text]
+  full_text
+%>
+
+<%=
+  @display_text.html_safe
+%>
+
+<%=
+  @display_text.html_safe
+  @display_text
+%>
+
+<%= render partial: 'foo/bars/widget', locals: { display_text: "widget_" + display_text } %>
+
+<%= link_to "some website", @user_website %>

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+class DummyComponent < ViewComponent::Base`
	`2`	`+end`