mirror of
https://github.com/github/codeql.git
synced 2025-12-18 09:43:15 +01:00
40 lines
742 B
Ruby
40 lines
742 B
Ruby
class FooController < ActionController::Base
|
|
def bad_handler1
|
|
check = params[:check]
|
|
name = params[:name]
|
|
|
|
if check
|
|
# BAD
|
|
authenticate_user! name
|
|
end
|
|
end
|
|
|
|
def bad_handler2
|
|
# BAD
|
|
login if params[:login]
|
|
do_something_else
|
|
end
|
|
|
|
def bad_handler3
|
|
# BAD. Not detected: its the last statement in the method, so it doesn't
|
|
# match the heuristic for an action.
|
|
login if params[:login]
|
|
end
|
|
|
|
def bad_handler4
|
|
p = (params[:name] == "foo")
|
|
# BAD
|
|
if p
|
|
verify!
|
|
end
|
|
end
|
|
|
|
def good_handler
|
|
name = params[:name]
|
|
# Call to a sensitive action, but the guard is not derived from user input.
|
|
if should_auth_user?
|
|
authenticate_user! name
|
|
end
|
|
end
|
|
end
|