Add some more test cases for rb/reflected-xss

alexrford · alexrford · commit 5cfefb102708 · 2021-09-15T20:50:46.000+01:00
diff --git a/ql/test/query-tests/security/cwe-079/ReflectedXSS.expected b/ql/test/query-tests/security/cwe-079/ReflectedXSS.expected
@@ -1,28 +1,33 @@
 edges
-| app/controllers/foo/bars_controller.rb:10:12:10:17 | call to params :  | app/controllers/foo/bars_controller.rb:10:12:10:29 | ...[...] :  |
-| app/controllers/foo/bars_controller.rb:10:12:10:29 | ...[...] :  | app/views/foo/bars/show.html.erb:47:5:47:13 | call to user_name |
-| app/controllers/foo/bars_controller.rb:18:21:18:26 | call to params :  | app/controllers/foo/bars_controller.rb:18:21:18:36 | ...[...] :  |
-| app/controllers/foo/bars_controller.rb:18:21:18:36 | ...[...] :  | app/views/foo/bars/show.html.erb:2:18:2:30 | @user_website |
-| app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params :  | app/controllers/foo/bars_controller.rb:20:22:20:23 | dt :  |
-| app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params :  | app/controllers/foo/bars_controller.rb:21:53:21:54 | dt :  |
-| app/controllers/foo/bars_controller.rb:20:22:20:23 | dt :  | app/views/foo/bars/show.html.erb:41:3:41:16 | @instance_text |
-| app/controllers/foo/bars_controller.rb:21:53:21:54 | dt :  | app/views/foo/bars/show.html.erb:5:9:5:20 | call to display_text |
-| app/controllers/foo/bars_controller.rb:21:53:21:54 | dt :  | app/views/foo/bars/show.html.erb:8:9:8:36 | ...[...] |
-| app/controllers/foo/bars_controller.rb:21:53:21:54 | dt :  | app/views/foo/bars/show.html.erb:12:9:12:26 | ...[...] |
-| app/controllers/foo/bars_controller.rb:21:53:21:54 | dt :  | app/views/foo/bars/show.html.erb:36:3:36:14 | call to display_text |
-| app/controllers/foo/bars_controller.rb:21:53:21:54 | dt :  | app/views/foo/bars/show.html.erb:44:76:44:87 | call to display_text :  |
+| app/controllers/foo/bars_controller.rb:9:12:9:17 | call to params :  | app/controllers/foo/bars_controller.rb:9:12:9:29 | ...[...] :  |
+| app/controllers/foo/bars_controller.rb:9:12:9:29 | ...[...] :  | app/views/foo/bars/show.html.erb:47:5:47:13 | call to user_name |
+| app/controllers/foo/bars_controller.rb:17:21:17:26 | call to params :  | app/controllers/foo/bars_controller.rb:17:21:17:36 | ...[...] :  |
+| app/controllers/foo/bars_controller.rb:17:21:17:36 | ...[...] :  | app/views/foo/bars/show.html.erb:2:18:2:30 | @user_website |
+| app/controllers/foo/bars_controller.rb:18:10:18:15 | call to params :  | app/controllers/foo/bars_controller.rb:19:22:19:23 | dt :  |
+| app/controllers/foo/bars_controller.rb:18:10:18:15 | call to params :  | app/controllers/foo/bars_controller.rb:23:53:23:54 | dt :  |
+| app/controllers/foo/bars_controller.rb:19:22:19:23 | dt :  | app/views/foo/bars/show.html.erb:41:3:41:16 | @instance_text |
+| app/controllers/foo/bars_controller.rb:20:17:20:22 | call to params :  | app/controllers/foo/bars_controller.rb:20:17:20:29 | ...[...] :  |
+| app/controllers/foo/bars_controller.rb:20:17:20:29 | ...[...] :  | app/views/foo/bars/show.html.erb:63:5:63:13 | @safe_foo |
+| app/controllers/foo/bars_controller.rb:23:53:23:54 | dt :  | app/views/foo/bars/show.html.erb:5:9:5:20 | call to display_text |
+| app/controllers/foo/bars_controller.rb:23:53:23:54 | dt :  | app/views/foo/bars/show.html.erb:8:9:8:36 | ...[...] |
+| app/controllers/foo/bars_controller.rb:23:53:23:54 | dt :  | app/views/foo/bars/show.html.erb:12:9:12:26 | ...[...] |
+| app/controllers/foo/bars_controller.rb:23:53:23:54 | dt :  | app/views/foo/bars/show.html.erb:36:3:36:14 | call to display_text |
+| app/controllers/foo/bars_controller.rb:23:53:23:54 | dt :  | app/views/foo/bars/show.html.erb:44:76:44:87 | call to display_text :  |
 | app/views/foo/bars/show.html.erb:44:64:44:87 | ... + ... :  | app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text |
 | app/views/foo/bars/show.html.erb:44:64:44:87 | ... + ... :  | app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] |
 | app/views/foo/bars/show.html.erb:44:76:44:87 | call to display_text :  | app/views/foo/bars/show.html.erb:44:64:44:87 | ... + ... :  |
 | app/views/foo/bars/show.html.erb:54:29:54:34 | call to params :  | app/views/foo/bars/show.html.erb:54:29:54:44 | ...[...] |
+| app/views/foo/bars/show.html.erb:57:13:57:18 | call to params :  | app/views/foo/bars/show.html.erb:57:13:57:28 | ...[...] |
 nodes
-| app/controllers/foo/bars_controller.rb:10:12:10:17 | call to params :  | semmle.label | call to params :  |
-| app/controllers/foo/bars_controller.rb:10:12:10:29 | ...[...] :  | semmle.label | ...[...] :  |
-| app/controllers/foo/bars_controller.rb:18:21:18:26 | call to params :  | semmle.label | call to params :  |
-| app/controllers/foo/bars_controller.rb:18:21:18:36 | ...[...] :  | semmle.label | ...[...] :  |
-| app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params :  | semmle.label | call to params :  |
-| app/controllers/foo/bars_controller.rb:20:22:20:23 | dt :  | semmle.label | dt :  |
-| app/controllers/foo/bars_controller.rb:21:53:21:54 | dt :  | semmle.label | dt :  |
+| app/controllers/foo/bars_controller.rb:9:12:9:17 | call to params :  | semmle.label | call to params :  |
+| app/controllers/foo/bars_controller.rb:9:12:9:29 | ...[...] :  | semmle.label | ...[...] :  |
+| app/controllers/foo/bars_controller.rb:17:21:17:26 | call to params :  | semmle.label | call to params :  |
+| app/controllers/foo/bars_controller.rb:17:21:17:36 | ...[...] :  | semmle.label | ...[...] :  |
+| app/controllers/foo/bars_controller.rb:18:10:18:15 | call to params :  | semmle.label | call to params :  |
+| app/controllers/foo/bars_controller.rb:19:22:19:23 | dt :  | semmle.label | dt :  |
+| app/controllers/foo/bars_controller.rb:20:17:20:22 | call to params :  | semmle.label | call to params :  |
+| app/controllers/foo/bars_controller.rb:20:17:20:29 | ...[...] :  | semmle.label | ...[...] :  |
+| app/controllers/foo/bars_controller.rb:23:53:23:54 | dt :  | semmle.label | dt :  |
 | app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text | semmle.label | call to display_text |
 | app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] | semmle.label | ...[...] |
 | app/views/foo/bars/show.html.erb:2:18:2:30 | @user_website | semmle.label | @user_website |
@@ -36,14 +41,19 @@ nodes
 | app/views/foo/bars/show.html.erb:47:5:47:13 | call to user_name | semmle.label | call to user_name |
 | app/views/foo/bars/show.html.erb:54:29:54:34 | call to params :  | semmle.label | call to params :  |
 | app/views/foo/bars/show.html.erb:54:29:54:44 | ...[...] | semmle.label | ...[...] |
+| app/views/foo/bars/show.html.erb:57:13:57:18 | call to params :  | semmle.label | call to params :  |
+| app/views/foo/bars/show.html.erb:57:13:57:28 | ...[...] | semmle.label | ...[...] |
+| app/views/foo/bars/show.html.erb:63:5:63:13 | @safe_foo | semmle.label | @safe_foo |
 #select
-| app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params :  | app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params | a user-provided value |
-| app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params :  | app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params | a user-provided value |
-| app/views/foo/bars/show.html.erb:2:18:2:30 | @user_website | app/controllers/foo/bars_controller.rb:18:21:18:26 | call to params :  | app/views/foo/bars/show.html.erb:2:18:2:30 | @user_website | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:18:21:18:26 | call to params | a user-provided value |
-| app/views/foo/bars/show.html.erb:5:9:5:20 | call to display_text | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params :  | app/views/foo/bars/show.html.erb:5:9:5:20 | call to display_text | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params | a user-provided value |
-| app/views/foo/bars/show.html.erb:8:9:8:36 | ...[...] | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params :  | app/views/foo/bars/show.html.erb:8:9:8:36 | ...[...] | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params | a user-provided value |
-| app/views/foo/bars/show.html.erb:12:9:12:26 | ...[...] | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params :  | app/views/foo/bars/show.html.erb:12:9:12:26 | ...[...] | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params | a user-provided value |
-| app/views/foo/bars/show.html.erb:36:3:36:14 | call to display_text | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params :  | app/views/foo/bars/show.html.erb:36:3:36:14 | call to display_text | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params | a user-provided value |
-| app/views/foo/bars/show.html.erb:41:3:41:16 | @instance_text | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params :  | app/views/foo/bars/show.html.erb:41:3:41:16 | @instance_text | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:19:10:19:15 | call to params | a user-provided value |
-| app/views/foo/bars/show.html.erb:47:5:47:13 | call to user_name | app/controllers/foo/bars_controller.rb:10:12:10:17 | call to params :  | app/views/foo/bars/show.html.erb:47:5:47:13 | call to user_name | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:10:12:10:17 | call to params | a user-provided value |
+| app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text | app/controllers/foo/bars_controller.rb:18:10:18:15 | call to params :  | app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:18:10:18:15 | call to params | a user-provided value |
+| app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] | app/controllers/foo/bars_controller.rb:18:10:18:15 | call to params :  | app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:18:10:18:15 | call to params | a user-provided value |
+| app/views/foo/bars/show.html.erb:2:18:2:30 | @user_website | app/controllers/foo/bars_controller.rb:17:21:17:26 | call to params :  | app/views/foo/bars/show.html.erb:2:18:2:30 | @user_website | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:17:21:17:26 | call to params | a user-provided value |
+| app/views/foo/bars/show.html.erb:5:9:5:20 | call to display_text | app/controllers/foo/bars_controller.rb:18:10:18:15 | call to params :  | app/views/foo/bars/show.html.erb:5:9:5:20 | call to display_text | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:18:10:18:15 | call to params | a user-provided value |
+| app/views/foo/bars/show.html.erb:8:9:8:36 | ...[...] | app/controllers/foo/bars_controller.rb:18:10:18:15 | call to params :  | app/views/foo/bars/show.html.erb:8:9:8:36 | ...[...] | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:18:10:18:15 | call to params | a user-provided value |
+| app/views/foo/bars/show.html.erb:12:9:12:26 | ...[...] | app/controllers/foo/bars_controller.rb:18:10:18:15 | call to params :  | app/views/foo/bars/show.html.erb:12:9:12:26 | ...[...] | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:18:10:18:15 | call to params | a user-provided value |
+| app/views/foo/bars/show.html.erb:36:3:36:14 | call to display_text | app/controllers/foo/bars_controller.rb:18:10:18:15 | call to params :  | app/views/foo/bars/show.html.erb:36:3:36:14 | call to display_text | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:18:10:18:15 | call to params | a user-provided value |
+| app/views/foo/bars/show.html.erb:41:3:41:16 | @instance_text | app/controllers/foo/bars_controller.rb:18:10:18:15 | call to params :  | app/views/foo/bars/show.html.erb:41:3:41:16 | @instance_text | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:18:10:18:15 | call to params | a user-provided value |
+| app/views/foo/bars/show.html.erb:47:5:47:13 | call to user_name | app/controllers/foo/bars_controller.rb:9:12:9:17 | call to params :  | app/views/foo/bars/show.html.erb:47:5:47:13 | call to user_name | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:9:12:9:17 | call to params | a user-provided value |
 | app/views/foo/bars/show.html.erb:54:29:54:44 | ...[...] | app/views/foo/bars/show.html.erb:54:29:54:34 | call to params :  | app/views/foo/bars/show.html.erb:54:29:54:44 | ...[...] | Cross-site scripting vulnerability due to $@. | app/views/foo/bars/show.html.erb:54:29:54:34 | call to params | a user-provided value |
+| app/views/foo/bars/show.html.erb:57:13:57:28 | ...[...] | app/views/foo/bars/show.html.erb:57:13:57:18 | call to params :  | app/views/foo/bars/show.html.erb:57:13:57:28 | ...[...] | Cross-site scripting vulnerability due to $@. | app/views/foo/bars/show.html.erb:57:13:57:18 | call to params | a user-provided value |
+| app/views/foo/bars/show.html.erb:63:5:63:13 | @safe_foo | app/controllers/foo/bars_controller.rb:20:17:20:22 | call to params :  | app/views/foo/bars/show.html.erb:63:5:63:13 | @safe_foo | Cross-site scripting vulnerability due to $@. | app/controllers/foo/bars_controller.rb:20:17:20:22 | call to params | a user-provided value |
diff --git a/ql/test/query-tests/security/cwe-079/app/controllers/foo/bars_controller.rb b/ql/test/query-tests/security/cwe-079/app/controllers/foo/bars_controller.rb
@@ -1,5 +1,4 @@
 class BarsController < ApplicationController
-
   helper_method :user_name, :user_name_memo
 
   def index
@@ -18,6 +17,9 @@ def show
     @user_website = params[:website]
     dt = params[:text]
     @instance_text = dt
+    @safe_foo = params[:text]
+    @safe_foo = "safe_foo"
+    @html_escaped = ERB::Util.html_escape(params[:text])
     render "foo/bars/show", locals: { display_text: dt, safe_text: "hello" }
   end
 end
diff --git a/ql/test/query-tests/security/cwe-079/app/views/foo/bars/show.html.erb b/ql/test/query-tests/security/cwe-079/app/views/foo/bars/show.html.erb
@@ -52,3 +52,21 @@
 
 <%# BAD: unsanitized user-input should not be passed to link_to as the URL %>
 <%= link_to "user website", params[:website] %>
+
+<%# BAD: unsanitized user-input should not be passed to link_to as the URL %>
+<%= link_to params[:website], class: "user-link" do %>
+  user website
+<% end %>
+
+<%# GOOD: @safe_foo is a hardcoded string here at runtime %>
+<%# TODO: we mistakenly flag this up due to overly broad flow through instance variables %>
+<%= @safe_foo.html_safe %>
+
+<%# GOOD: @html_escaped is manually escaped in the controller %>
+<%= @html_escaped.html_safe %>
+
+<%# GOOD: @html_escaped is manually escaped in the controller %>
+<%=
+  html_escaped_in_template = h params[:text]
+  html_escaped_in_template.html_safe
+%>
