Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit bd92403

Browse files
nickrolfenickrolfe
committed
Ruby: fix qhelp
1 parent 11154a9 commit bd92403

3 files changed

Lines changed: 19 additions & 21 deletions

File tree

ruby/ql/src/queries/security/cwe-1333/RegExpInjection.qhelp

Lines changed: 2 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -26,31 +26,12 @@ special meaning.
2626
The following examples construct regular expressions from an HTTP request
2727
parameter without sanitizing it first:
2828
</p>
29-
<sample language="ruby">
30-
class UsersController < ActionController::Base
31-
def first_example
32-
# BAD: Unsanitized user input is used to construct a regular expression
33-
regex = /#{ params[:key] }/
34-
end
35-
36-
def second_example
37-
# BAD: Unsanitized user input is used to construct a regular expression
38-
regex = Regexp.new(params[:key])
39-
end
40-
end
41-
</sample>
29+
<sample src="examples/regexp_injection_bad.rb" />
4230
<p>
4331
Instead, the request parameter should be sanitized first. This ensures that the
4432
user cannot insert characters that have special meanings in regular expressions.
4533
</p>
46-
<sample language="ruby">
47-
class UsersController < ActionController::Base
48-
def example
49-
# GOOD: User input is sanitized before constructing the regular expression
50-
regex = Regexp.new(Regex.escape(params[:key]))
51-
end
52-
end
53-
</sample>
34+
<sample src="examples/regexp_injection_good.rb" />
5435
</example>
5536

5637
<references>

ruby/ql/src/queries/security/cwe-1333/examples/regexp_injection_bad.rb

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
class UsersController < ActionController::Base
2+
def first_example
3+
# BAD: Unsanitized user input is used to construct a regular expression
4+
regex = /#{ params[:key] }/
5+
end
6+
7+
def second_example
8+
# BAD: Unsanitized user input is used to construct a regular expression
9+
regex = Regexp.new(params[:key])
10+
end
11+
end

ruby/ql/src/queries/security/cwe-1333/examples/regexp_injection_good.rb

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,6 @@
1+
class UsersController < ActionController::Base
2+
def example
3+
# GOOD: User input is sanitized before constructing the regular expression
4+
regex = Regexp.new(Regex.escape(params[:key]))
5+
end
6+
end

0 commit comments

Comments
 (0)