update XSS tests

2026-04-29 02:35:15 +02:00 · 2021-10-03 23:15:51 +01:00
parent 6dc3ce335b
commit 6a32c0cde0
5 changed files with 159 additions and 6 deletions
--- a/ql/test/query-tests/security/cwe-079/StoredXSS.expected
+++ b/ql/test/query-tests/security/cwe-079/StoredXSS.expected
@@ -0,0 +1,46 @@
+edges
+| app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read :  | app/controllers/foo/stores_controller.rb:9:22:9:23 | dt :  |
+| app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read :  | app/controllers/foo/stores_controller.rb:13:55:13:56 | dt :  |
+| app/controllers/foo/stores_controller.rb:9:22:9:23 | dt :  | app/views/foo/stores/show.html.erb:38:3:38:16 | @instance_text |
+| app/controllers/foo/stores_controller.rb:12:28:12:48 | call to raw_name :  | app/views/foo/stores/show.html.erb:84:5:84:24 | @other_user_raw_name |
+| app/controllers/foo/stores_controller.rb:13:55:13:56 | dt :  | app/views/foo/stores/show.html.erb:2:9:2:20 | call to display_text |
+| app/controllers/foo/stores_controller.rb:13:55:13:56 | dt :  | app/views/foo/stores/show.html.erb:5:9:5:36 | ...[...] |
+| app/controllers/foo/stores_controller.rb:13:55:13:56 | dt :  | app/views/foo/stores/show.html.erb:9:9:9:26 | ...[...] |
+| app/controllers/foo/stores_controller.rb:13:55:13:56 | dt :  | app/views/foo/stores/show.html.erb:33:3:33:14 | call to display_text |
+| app/controllers/foo/stores_controller.rb:13:55:13:56 | dt :  | app/views/foo/stores/show.html.erb:41:76:41:87 | call to display_text :  |
+| app/views/foo/stores/show.html.erb:41:64:41:87 | ... + ... :  | app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text |
+| app/views/foo/stores/show.html.erb:41:64:41:87 | ... + ... :  | app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] |
+| app/views/foo/stores/show.html.erb:41:76:41:87 | call to display_text :  | app/views/foo/stores/show.html.erb:41:64:41:87 | ... + ... :  |
+nodes
+| app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read :  | semmle.label | call to read :  |
+| app/controllers/foo/stores_controller.rb:9:22:9:23 | dt :  | semmle.label | dt :  |
+| app/controllers/foo/stores_controller.rb:12:28:12:48 | call to raw_name :  | semmle.label | call to raw_name :  |
+| app/controllers/foo/stores_controller.rb:13:55:13:56 | dt :  | semmle.label | dt :  |
+| app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text | semmle.label | call to display_text |
+| app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] | semmle.label | ...[...] |
+| app/views/foo/stores/show.html.erb:2:9:2:20 | call to display_text | semmle.label | call to display_text |
+| app/views/foo/stores/show.html.erb:5:9:5:36 | ...[...] | semmle.label | ...[...] |
+| app/views/foo/stores/show.html.erb:9:9:9:26 | ...[...] | semmle.label | ...[...] |
+| app/views/foo/stores/show.html.erb:33:3:33:14 | call to display_text | semmle.label | call to display_text |
+| app/views/foo/stores/show.html.erb:38:3:38:16 | @instance_text | semmle.label | @instance_text |
+| app/views/foo/stores/show.html.erb:41:64:41:87 | ... + ... :  | semmle.label | ... + ... :  |
+| app/views/foo/stores/show.html.erb:41:76:41:87 | call to display_text :  | semmle.label | call to display_text :  |
+| app/views/foo/stores/show.html.erb:47:5:47:16 | call to handle | semmle.label | call to handle |
+| app/views/foo/stores/show.html.erb:50:5:50:18 | call to raw_name | semmle.label | call to raw_name |
+| app/views/foo/stores/show.html.erb:64:3:64:18 | call to handle | semmle.label | call to handle |
+| app/views/foo/stores/show.html.erb:70:3:70:20 | call to raw_name | semmle.label | call to raw_name |
+| app/views/foo/stores/show.html.erb:84:5:84:24 | @other_user_raw_name | semmle.label | @other_user_raw_name |
+subpaths
+#select
+| app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read :  | app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text | Cross-site scripting vulnerability due to $@ | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read | stored value |
+| app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read :  | app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] | Cross-site scripting vulnerability due to $@ | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read | stored value |
+| app/views/foo/stores/show.html.erb:2:9:2:20 | call to display_text | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read :  | app/views/foo/stores/show.html.erb:2:9:2:20 | call to display_text | Cross-site scripting vulnerability due to $@ | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read | stored value |
+| app/views/foo/stores/show.html.erb:5:9:5:36 | ...[...] | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read :  | app/views/foo/stores/show.html.erb:5:9:5:36 | ...[...] | Cross-site scripting vulnerability due to $@ | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read | stored value |
+| app/views/foo/stores/show.html.erb:9:9:9:26 | ...[...] | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read :  | app/views/foo/stores/show.html.erb:9:9:9:26 | ...[...] | Cross-site scripting vulnerability due to $@ | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read | stored value |
+| app/views/foo/stores/show.html.erb:33:3:33:14 | call to display_text | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read :  | app/views/foo/stores/show.html.erb:33:3:33:14 | call to display_text | Cross-site scripting vulnerability due to $@ | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read | stored value |
+| app/views/foo/stores/show.html.erb:38:3:38:16 | @instance_text | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read :  | app/views/foo/stores/show.html.erb:38:3:38:16 | @instance_text | Cross-site scripting vulnerability due to $@ | app/controllers/foo/stores_controller.rb:8:10:8:29 | call to read | stored value |
+| app/views/foo/stores/show.html.erb:47:5:47:16 | call to handle | app/views/foo/stores/show.html.erb:47:5:47:16 | call to handle | app/views/foo/stores/show.html.erb:47:5:47:16 | call to handle | Cross-site scripting vulnerability due to $@ | app/views/foo/stores/show.html.erb:47:5:47:16 | call to handle | stored value |
+| app/views/foo/stores/show.html.erb:50:5:50:18 | call to raw_name | app/views/foo/stores/show.html.erb:50:5:50:18 | call to raw_name | app/views/foo/stores/show.html.erb:50:5:50:18 | call to raw_name | Cross-site scripting vulnerability due to $@ | app/views/foo/stores/show.html.erb:50:5:50:18 | call to raw_name | stored value |
+| app/views/foo/stores/show.html.erb:64:3:64:18 | call to handle | app/views/foo/stores/show.html.erb:64:3:64:18 | call to handle | app/views/foo/stores/show.html.erb:64:3:64:18 | call to handle | Cross-site scripting vulnerability due to $@ | app/views/foo/stores/show.html.erb:64:3:64:18 | call to handle | stored value |
+| app/views/foo/stores/show.html.erb:70:3:70:20 | call to raw_name | app/views/foo/stores/show.html.erb:70:3:70:20 | call to raw_name | app/views/foo/stores/show.html.erb:70:3:70:20 | call to raw_name | Cross-site scripting vulnerability due to $@ | app/views/foo/stores/show.html.erb:70:3:70:20 | call to raw_name | stored value |
+| app/views/foo/stores/show.html.erb:84:5:84:24 | @other_user_raw_name | app/controllers/foo/stores_controller.rb:12:28:12:48 | call to raw_name :  | app/views/foo/stores/show.html.erb:84:5:84:24 | @other_user_raw_name | Cross-site scripting vulnerability due to $@ | app/controllers/foo/stores_controller.rb:12:28:12:48 | call to raw_name | stored value |
--- a/ql/test/query-tests/security/cwe-079/app/controllers/foo/bars_controller.rb
+++ b/ql/test/query-tests/security/cwe-079/app/controllers/foo/bars_controller.rb
@@ -22,10 +22,4 @@ class BarsController < ApplicationController
    @html_escaped = ERB::Util.html_escape(params[:text])
    render "foo/bars/show", locals: { display_text: dt, safe_text: "hello" }
  end
-
-  def show_stored
-    dt = File.read("foo.txt")
-    @instance_text = dt
-    render "foo/bars/show", locals: { display_text: dt, safe_text: "hello" }
-  end
 end
--- a/ql/test/query-tests/security/cwe-079/app/controllers/foo/stores_controller.rb
+++ b/ql/test/query-tests/security/cwe-079/app/controllers/foo/stores_controller.rb
@@ -0,0 +1,15 @@
+class StoresController < ApplicationController
+  helper_method :user_handle
+  def user_handle
+    User.find(1).handle
+  end
+
+  def show
+    dt = File.read("foo.txt")
+    @instance_text = dt
+    @user = User.find 1
+    @safe_user_handle = ERB::Util.html_escape(@user.handle)
+    @other_user_raw_name = User.find(2).raw_name
+    render "foo/stores/show", locals: { display_text: dt, safe_text: "hello" }
+  end
+end
--- a/ql/test/query-tests/security/cwe-079/app/models/user.rb
+++ b/ql/test/query-tests/security/cwe-079/app/models/user.rb
@@ -0,0 +1,14 @@
+class User < ActiveRecord::Base
+  def is_dummy_user?
+    self.user_id == 0
+  end
+
+  def raw_name
+    me = self
+    me.handle
+  end
+
+  def display_name
+    self.real_name || self.handle
+  end
+end
--- a/ql/test/query-tests/security/cwe-079/app/views/foo/stores/show.html.erb
+++ b/ql/test/query-tests/security/cwe-079/app/views/foo/stores/show.html.erb
@@ -0,0 +1,84 @@
+<%# BAD: A local rendered raw as a local variable %>
+<%= raw display_text %>
+
+<%# BAD: A local rendered raw via the local_assigns hash %>
+<%= raw local_assigns[:display_text] %>
+
+<% key = :display_text %>
+<%# BAD: A local rendered raw via the locals_assigns hash %>
+<%= raw local_assigns[key] %>
+
+<ul>
+<% for key in [:display_text, :safe_text] do %>
+  <%# BAD: A local rendered raw via the locals hash %>
+  <%# TODO: we miss that `key` can take `:display_text` as a value here %>
+  <li><%= raw local_assigns[key] %></li>
+<% end %>
+</ul>
+
+<%# GOOD: A local rendered with default escaping via the local_assigns hash %>
+<%= local_assigns[display_text] %>
+
+<%# GOOD: default escaping of rendered text %>
+<%=
+  full_text = prefix + local_assigns[:display_text]
+  full_text
+%>
+
+<%# GOOD: default escaping of rendered text (from instance var) %>
+<%= @instance_text %>
+
+<%# BAD: html_safe marks string as not requiring HTML escaping %>
+<%=
+  display_text.html_safe
+%>
+
+<%# BAD: html_safe marks string as not requiring HTML escaping %>
+<%=
+  @instance_text.html_safe
+%>
+
+<%= render partial: 'foo/bars/widget', locals: { display_text: "widget_" + display_text } %>
+
+<%# BAD: user_name_handle is a helper method that returns unsanitized database content %>
+<%= user_name_handle.html_safe %>
+
+<%# BAD: Direct to a database value without escaping %>
+<%= @user.handle.html_safe %>
+
+<%# BAD: Indirect to a database value without escaping %>
+<%= @user.raw_name.html_safe %>
+
+<%# GOOD: Direct to a database value with escaping %>
+<%= @user.handle %>
+
+<%# GOOD: @safe_user_handle is manually escaped in the controller %>
+<%= @safe_user_handle %>
+
+<%# GOOD: object_id is a built-in method, not an ORM access method %>
+<%= @user.object_id.html_safe %>
+
+<%# BAD: Direct to a database value without escaping %>
+<%=
+  some_user = User.find 1
+  some_user.handle.html_safe
+%>
+
+<%# BAD: Indirect to a database value without escaping %>
+<%=
+  some_user = User.find 1
+  some_user.raw_name.html_safe
+%>
+
+<%# GOOD: Direct to a database value with escaping %>
+<%=
+  some_user = User.find 1
+  some_user.handle
+%>
+
+<%# BAD: Indirect to a database value without escaping %>
+<%# TODO: we do not detect that `display_name` can return a DB field %>
+<%= @user.display_name.html_safe %>
+
+<%# BAD: Indirect to a database value without escaping %>
+<%= @other_user_raw_name.html_safe %>