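# frozen_string_literal: false
#
# Frozen literals are deliberately disabled: every request below calls
# String#taint on a literal, and taint mutates the receiver (it raised on a
# frozen string on interpreters where taint still did anything).

require 'test_helper'

# Integration tests for the sample Rails app's TestCasesController.
#
# Each test pushes a deliberately tainted value into a controller action that
# forwards it to a risky sink (HTML output, render of a caller-chosen file,
# inline ERB) and expects the taint tracker to notice. `assert_report` comes
# from TaintedLoveHelpers; presumably it fails unless a TaintedLove report is
# raised while the block runs -- confirm against the helper before relying on
# that reading.
#
# NOTE(review): Object#taint became a no-op in Ruby 2.7 and was removed in
# Ruby 3.2, so these tests only exercise taint tracking on older interpreters;
# on newer ones the `.taint` calls either do nothing or raise NoMethodError.
class TestCasesControllerTest < ActionDispatch::IntegrationTest
  include TaintedLoveHelpers

  # Tainted `search` query parameter reaching an HTML response.
  test "should get xss" do
    assert_report do
      get test_cases_xss_url(search: '<img src=x oenrror=alert(1)>'.taint)
    end
    assert_response :success
  end

  # Tainted `file` parameter used as a render target.
  test "should get unsafe_render" do
    assert_report do
      get test_cases_unsafe_render_url(file: 'xss'.taint)
    end
    assert_response :success
  end

  # Tainted `template` string handed to an inline render.
  test "should get render_inline" do
    assert_report do
      get test_cases_render_inline_url(template: '<%= `id` %>'.taint)
    end
    assert_response :success
  end

  # Every input channel the action echoes back (route param, query params,
  # request header, cookie) must arrive tainted. The response is expected to
  # be a JSON array of [value_type, tainted, tags] triples; only `tainted` is
  # asserted on, so the tag list is intentionally ignored here.
  test "user input is tainted" do
    # Since there's no actual app running, some values are not tainted
    # by ReplaceRackBuilder
    params = {
      get_param: 'asdf',
      get_array_param: ["abc", "def"].each(&:taint),
    }
    headers = {}
    headers['HTTP_AAA'.taint] = 'asdf'
    cookies[:something] = 'asdf'.taint

    get test_cases_taint_test_url('route_param', params: params), headers: headers

    json = JSON.parse(response.body)
    json.each do |(value_type, tainted, _tags)|
      assert tainted, "#{value_type} is not tainted"
    end
  end
end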