From 47f2686148bcaa04f24c1ed895d75ff877be12e9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Janosch=20M=C3=BCller?= <janosch84@gmail.com>
Date: Fri, 28 Sep 2018 02:50:21 +0200
Subject: Handle more unsafe String methods (#33990)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Handle more unsafe String methods

* Fix codeclimate issue

* Revert stylistic change

[Janosch Müller + Rafael Mendonça França]
---
 activesupport/test/safe_buffer_test.rb | 43 +++++++++++++++++++++++++++-------
 1 file changed, 34 insertions(+), 9 deletions(-)

(limited to 'activesupport/test/safe_buffer_test.rb')

diff --git a/activesupport/test/safe_buffer_test.rb b/activesupport/test/safe_buffer_test.rb
index 70dec6b3d2..49a3951623 100644
--- a/activesupport/test/safe_buffer_test.rb
+++ b/activesupport/test/safe_buffer_test.rb
@@ -75,16 +75,41 @@ class SafeBufferTest < ActiveSupport::TestCase
     assert_equal "my_test", str
   end
 
-  test "Should not return safe buffer from gsub" do
-    altered_buffer = @buffer.gsub("", "asdf")
-    assert_equal "asdf", altered_buffer
-    assert_not_predicate altered_buffer, :html_safe?
-  end
+  {
+    capitalize: nil,
+    chomp: nil,
+    chop: nil,
+    delete: "foo",
+    delete_prefix: "foo",
+    delete_suffix: "foo",
+    downcase: nil,
+    gsub: ["foo", "bar"],
+    lstrip: nil,
+    next: nil,
+    reverse: nil,
+    rstrip: nil,
+    slice: "foo",
+    squeeze: nil,
+    strip: nil,
+    sub: ["foo", "bar"],
+    succ: nil,
+    swapcase: nil,
+    tr: ["foo", "bar"],
+    tr_s: ["foo", "bar"],
+    unicode_normalize: nil,
+    upcase: nil,
+  }.each do |unsafe_method, dummy_args|
+    test "Should not return safe buffer from #{unsafe_method}" do
+      skip unless String.method_defined?(unsafe_method)
+      altered_buffer = @buffer.send(unsafe_method, *dummy_args)
+      assert_not_predicate altered_buffer, :html_safe?
+    end
 
-  test "Should not return safe buffer from gsub!" do
-    @buffer.gsub!("", "asdf")
-    assert_equal "asdf", @buffer
-    assert_not_predicate @buffer, :html_safe?
+    test "Should not return safe buffer from #{unsafe_method}!" do
+      skip unless String.method_defined?("#{unsafe_method}!")
+      @buffer.send("#{unsafe_method}!", *dummy_args)
+      assert_not_predicate @buffer, :html_safe?
+    end
   end
 
   test "Should escape dirty buffers on add" do
-- 
cgit v1.2.3