Ruby: StackTraceExposure: add test for a specific rescue type

2022-11-24 14:08:34 +00:00 · 2022-11-24 14:08:34 +00:00 · 50b10be2db
--- a/ruby/ql/test/query-tests/security/cwe-209/StackTraceExposure.expected
+++ b/ruby/ql/test/query-tests/security/cwe-209/StackTraceExposure.expected
@ -4,7 +4,9 @@ nodes
 | StackTraceExposure.rb:6:18:6:28 | call to backtrace | semmle.label | call to backtrace |
 | StackTraceExposure.rb:11:10:11:17 | call to caller :  | semmle.label | call to caller :  |
 | StackTraceExposure.rb:12:18:12:19 | bt | semmle.label | bt |
+| StackTraceExposure.rb:18:18:18:28 | call to backtrace | semmle.label | call to backtrace |
 subpaths
 #select
 | StackTraceExposure.rb:6:18:6:28 | call to backtrace | StackTraceExposure.rb:6:18:6:28 | call to backtrace | StackTraceExposure.rb:6:18:6:28 | call to backtrace | $@ can be exposed to an external user. | StackTraceExposure.rb:6:18:6:28 | call to backtrace | Error information |
 | StackTraceExposure.rb:12:18:12:19 | bt | StackTraceExposure.rb:11:10:11:17 | call to caller :  | StackTraceExposure.rb:12:18:12:19 | bt | $@ can be exposed to an external user. | StackTraceExposure.rb:11:10:11:17 | call to caller | Error information |
+| StackTraceExposure.rb:18:18:18:28 | call to backtrace | StackTraceExposure.rb:18:18:18:28 | call to backtrace | StackTraceExposure.rb:18:18:18:28 | call to backtrace | $@ can be exposed to an external user. | StackTraceExposure.rb:18:18:18:28 | call to backtrace | Error information |
--- a/ruby/ql/test/query-tests/security/cwe-209/StackTraceExposure.rb
+++ b/ruby/ql/test/query-tests/security/cwe-209/StackTraceExposure.rb
@ -12,4 +12,10 @@ class FooController < ApplicationController
    render body: bt, content_type: "text/plain"
  end

+  def show3
+    not_a_method()
+  rescue NoMethodError => e
+    render body: e.backtrace, content_type: "text/plain"
+  end
+
 end