rb/stored-xss structure and initial implementation (FileSystemReadAccess sources)

2026-04-28 02:05:14 +02:00 · 2021-09-25 19:06:21 +01:00
parent 1c08592637
commit a2084f813e
7 changed files with 165 additions and 16 deletions
--- a/ql/test/query-tests/security/cwe-079/StoredXSS.qlref
+++ b/ql/test/query-tests/security/cwe-079/StoredXSS.qlref
@@ -0,0 +1 @@
+queries/security/cwe-079/StoredXSS.ql
--- a/ql/test/query-tests/security/cwe-079/app/controllers/foo/bars_controller.rb
+++ b/ql/test/query-tests/security/cwe-079/app/controllers/foo/bars_controller.rb
@@ -22,4 +22,10 @@ class BarsController < ApplicationController
    @html_escaped = ERB::Util.html_escape(params[:text])
    render "foo/bars/show", locals: { display_text: dt, safe_text: "hello" }
  end
+
+  def show_stored
+    dt = File.read("foo.txt")
+    @instance_text = dt
+    render "foo/bars/show", locals: { display_text: dt, safe_text: "hello" }
+  end
 end