Ruby: update StoredXSS test output

alexrford · alexrford · commit fd8dd5e10309 · 2023-01-20T13:40:19.000Z
diff --git a/ruby/ql/test/query-tests/security/cwe-079/StoredXSS.expected b/ruby/ql/test/query-tests/security/cwe-079/StoredXSS.expected
@@ -4,12 +4,17 @@ edges
 | app/controllers/foo/stores_controller.rb:9:22:9:23 | dt :  | app/views/foo/stores/show.html.erb:38:3:38:16 | @instance_text |
 | app/controllers/foo/stores_controller.rb:12:28:12:48 | call to raw_name :  | app/views/foo/stores/show.html.erb:83:5:83:24 | @other_user_raw_name |
 | app/controllers/foo/stores_controller.rb:13:55:13:56 | dt :  | app/views/foo/stores/show.html.erb:2:9:2:20 | call to display_text |
-| app/controllers/foo/stores_controller.rb:13:55:13:56 | dt :  | app/views/foo/stores/show.html.erb:5:9:5:36 | ...[...] |
-| app/controllers/foo/stores_controller.rb:13:55:13:56 | dt :  | app/views/foo/stores/show.html.erb:9:9:9:26 | ...[...] |
+| app/controllers/foo/stores_controller.rb:13:55:13:56 | dt :  | app/views/foo/stores/show.html.erb:5:9:5:21 | call to local_assigns [element :display_text] :  |
+| app/controllers/foo/stores_controller.rb:13:55:13:56 | dt :  | app/views/foo/stores/show.html.erb:9:9:9:21 | call to local_assigns [element :display_text] :  |
+| app/controllers/foo/stores_controller.rb:13:55:13:56 | dt :  | app/views/foo/stores/show.html.erb:15:15:15:27 | call to local_assigns [element :display_text] :  |
 | app/controllers/foo/stores_controller.rb:13:55:13:56 | dt :  | app/views/foo/stores/show.html.erb:33:3:33:14 | call to display_text |
 | app/controllers/foo/stores_controller.rb:13:55:13:56 | dt :  | app/views/foo/stores/show.html.erb:41:76:41:87 | call to display_text :  |
+| app/views/foo/bars/_widget.html.erb:8:9:8:21 | call to local_assigns [element :display_text] :  | app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] |
+| app/views/foo/stores/show.html.erb:5:9:5:21 | call to local_assigns [element :display_text] :  | app/views/foo/stores/show.html.erb:5:9:5:36 | ...[...] |
+| app/views/foo/stores/show.html.erb:9:9:9:21 | call to local_assigns [element :display_text] :  | app/views/foo/stores/show.html.erb:9:9:9:26 | ...[...] |
+| app/views/foo/stores/show.html.erb:15:15:15:27 | call to local_assigns [element :display_text] :  | app/views/foo/stores/show.html.erb:15:15:15:32 | ...[...] |
 | app/views/foo/stores/show.html.erb:41:64:41:87 | ... + ... :  | app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text |
-| app/views/foo/stores/show.html.erb:41:64:41:87 | ... + ... :  | app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] |
+| app/views/foo/stores/show.html.erb:41:64:41:87 | ... + ... :  | app/views/foo/bars/_widget.html.erb:8:9:8:21 | call to local_assigns [element :display_text] :  |
 | app/views/foo/stores/show.html.erb:41:76:41:87 | call to display_text :  | app/views/foo/stores/show.html.erb:41:64:41:87 | ... + ... :  |
 | app/views/foo/stores/show.html.erb:87:17:87:28 | call to handle :  | app/views/foo/stores/show.html.erb:87:3:87:29 | call to sprintf |
 nodes
@@ -18,10 +23,15 @@ nodes
 | app/controllers/foo/stores_controller.rb:12:28:12:48 | call to raw_name :  | semmle.label | call to raw_name :  |
 | app/controllers/foo/stores_controller.rb:13:55:13:56 | dt :  | semmle.label | dt :  |
 | app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text | semmle.label | call to display_text |
+| app/views/foo/bars/_widget.html.erb:8:9:8:21 | call to local_assigns [element :display_text] :  | semmle.label | call to local_assigns [element :display_text] :  |
 | app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] | semmle.label | ...[...] |
 | app/views/foo/stores/show.html.erb:2:9:2:20 | call to display_text | semmle.label | call to display_text |
+| app/views/foo/stores/show.html.erb:5:9:5:21 | call to local_assigns [element :display_text] :  | semmle.label | call to local_assigns [element :display_text] :  |
 | app/views/foo/stores/show.html.erb:5:9:5:36 | ...[...] | semmle.label | ...[...] |
+| app/views/foo/stores/show.html.erb:9:9:9:21 | call to local_assigns [element :display_text] :  | semmle.label | call to local_assigns [element :display_text] :  |
 | app/views/foo/stores/show.html.erb:9:9:9:26 | ...[...] | semmle.label | ...[...] |
+| app/views/foo/stores/show.html.erb:15:15:15:27 | call to local_assigns [element :display_text] :  | semmle.label | call to local_assigns [element :display_text] :  |
+| app/views/foo/stores/show.html.erb:15:15:15:32 | ...[...] | semmle.label | ...[...] |
 | app/views/foo/stores/show.html.erb:33:3:33:14 | call to display_text | semmle.label | call to display_text |
 | app/views/foo/stores/show.html.erb:38:3:38:16 | @instance_text | semmle.label | @instance_text |
 | app/views/foo/stores/show.html.erb:41:64:41:87 | ... + ... :  | semmle.label | ... + ... :  |
@@ -41,6 +51,7 @@ subpaths
 | app/views/foo/stores/show.html.erb:2:9:2:20 | call to display_text | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read :  | app/views/foo/stores/show.html.erb:2:9:2:20 | call to display_text | Stored cross-site scripting vulnerability due to $@. | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read | stored value |
 | app/views/foo/stores/show.html.erb:5:9:5:36 | ...[...] | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read :  | app/views/foo/stores/show.html.erb:5:9:5:36 | ...[...] | Stored cross-site scripting vulnerability due to $@. | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read | stored value |
 | app/views/foo/stores/show.html.erb:9:9:9:26 | ...[...] | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read :  | app/views/foo/stores/show.html.erb:9:9:9:26 | ...[...] | Stored cross-site scripting vulnerability due to $@. | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read | stored value |
+| app/views/foo/stores/show.html.erb:15:15:15:32 | ...[...] | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read :  | app/views/foo/stores/show.html.erb:15:15:15:32 | ...[...] | Stored cross-site scripting vulnerability due to $@. | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read | stored value |
 | app/views/foo/stores/show.html.erb:33:3:33:14 | call to display_text | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read :  | app/views/foo/stores/show.html.erb:33:3:33:14 | call to display_text | Stored cross-site scripting vulnerability due to $@. | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read | stored value |
 | app/views/foo/stores/show.html.erb:38:3:38:16 | @instance_text | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read :  | app/views/foo/stores/show.html.erb:38:3:38:16 | @instance_text | Stored cross-site scripting vulnerability due to $@. | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read | stored value |
 | app/views/foo/stores/show.html.erb:47:5:47:16 | call to handle | app/views/foo/stores/show.html.erb:47:5:47:16 | call to handle | app/views/foo/stores/show.html.erb:47:5:47:16 | call to handle | Stored cross-site scripting vulnerability due to $@. | app/views/foo/stores/show.html.erb:47:5:47:16 | call to handle | stored value |
diff --git a/ruby/ql/test/query-tests/security/cwe-079/app/views/foo/stores/show.html.erb b/ruby/ql/test/query-tests/security/cwe-079/app/views/foo/stores/show.html.erb
@@ -11,7 +11,7 @@
 <ul>
 <% for key in [:display_text, :safe_text] do %>
   <%# BAD: A local rendered raw via the locals hash %>
-  <%# TODO: we miss that `key` can take `:display_text` as a value here %>
+
   <li><%= raw local_assigns[key] %></li>
 <% end %>
 </ul>
@@ -88,4 +88,4 @@
 %>
 
 <%# GOOD: The `foo.bar.baz` is not recognized as a source %>
-<%= @other_user_raw_name.foo.bar.baz.html_safe %>
+<%= @other_user_raw_name.foo.bar.baz.html_safe %>
