Add test cases

joefarebrother · joefarebrother · commit 89838981b74a · 2024-03-22T14:04:52.000Z
diff --git a/ruby/ql/test/query-tests/security/cwe-915/MassAssignment.expected b/ruby/ql/test/query-tests/security/cwe-915/MassAssignment.expected
@@ -0,0 +1,12 @@
+edges
+| test.rb:17:9:17:14 | call to params | test.rb:17:9:17:29 | call to require | provenance |  |
+| test.rb:17:9:17:29 | call to require | test.rb:17:9:17:37 | call to permit! | provenance |  |
+| test.rb:17:9:17:37 | call to permit! | test.rb:8:18:8:28 | call to user_params | provenance |  |
+nodes
+| test.rb:8:18:8:28 | call to user_params | semmle.label | call to user_params |
+| test.rb:17:9:17:14 | call to params | semmle.label | call to params |
+| test.rb:17:9:17:29 | call to require | semmle.label | call to require |
+| test.rb:17:9:17:37 | call to permit! | semmle.label | call to permit! |
+subpaths
+#select
+| test.rb:8:18:8:28 | call to user_params | test.rb:17:9:17:14 | call to params | test.rb:8:18:8:28 | call to user_params | mass assignment |
diff --git a/ruby/ql/test/query-tests/security/cwe-915/MassAssignment.qlref b/ruby/ql/test/query-tests/security/cwe-915/MassAssignment.qlref
@@ -0,0 +1 @@
+queries/security/cwe-915/MassAssignment.ql
diff --git a/ruby/ql/test/query-tests/security/cwe-915/test.rb b/ruby/ql/test/query-tests/security/cwe-915/test.rb
@@ -0,0 +1,19 @@
+class User < ApplicationRecord
+
+end
+
+class UserController < ActionController::Base
+    def create
+        # BAD: arbitrary params are permitted to be used for this assignment
+        User.new(user_params).save!
+    end
+
+    def create2
+        # GOOD: the permitted parameters are explicitly specified
+        User.new(params[:user].permit(:name,:address))
+    end
+
+    def user_params
+        params.require(:user).permit!
+    end
+end

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+queries/security/cwe-915/MassAssignment.ql`