package query_parser_to_db
import (
"net/url"
"testing"
"github.com/stretchr/testify/assert"
"gorm.io/gorm"
)
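// TestGORMAdapterSecurity checks that a filter value carrying a statement
// terminator ("...;drop table users;") is discarded by the adapter rather than
// interpolated into, or bound to, the generated SQL. Both the "_contains" and
// the plain "=" operator forms are covered by the same table-driven body.
//
// Each case runs against a DryRun handle so the statement GORM would execute
// can be inspected without touching the database. A case passes only when the
// SQL is the bare SELECT and the bound-variable list is empty: the first shows
// the value was not interpolated, the second that it was not parameterized
// either, i.e. the parameter was dropped entirely.
func TestGORMAdapterSecurity(t *testing.T) {
	db := GetFakeGormDB()
	if err := db.AutoMigrate(&ContentModelStub{}); err != nil {
		t.Fatalf("migrating ContentModelStub: %v", err)
	}

	cases := []struct {
		name      string
		urlString string
	}{
		{
			name:      "Should ignore contains params if has 'drop table users;' dryRun",
			urlString: "https://example.com/example?title_contains='he;drop table users;'&limit=5&page=1",
		},
		{
			name:      "Should ignore = params if has 'drop table users;' dryRun",
			urlString: "https://example.com/example?title='he;drop table users;'&limit=5&page=1",
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			// The URL is a test fixture; a parse error here is a broken test,
			// not an adapter defect, so fail loudly instead of discarding it.
			parsedURL, err := url.Parse(tc.urlString)
			if err != nil {
				t.Fatalf("parsing fixture URL %q: %v", tc.urlString, err)
			}

			q := NewQuery(50)
			if err := q.ParseFromURLValues(parsedURL.Query()); err != nil {
				t.Fatalf("parsing query values: %v", err)
			}

			base := GetFakeGormDB()
			base.DryRun = true
			built, err := q.SetDatabaseQueryForModel(base, &ContentModelStub{})
			if err != nil {
				t.Fatalf("building query for model: %v", err)
			}
			query, ok := built.(*gorm.DB)
			if !ok {
				t.Fatalf("SetDatabaseQueryForModel returned %T, want *gorm.DB", built)
			}
			// Restore the flag even when an assertion below aborts the subtest;
			// NOTE(review): this only matters if GetFakeGormDB hands out a
			// shared handle — confirm against its implementation.
			t.Cleanup(func() { query.DryRun = false })

			records := []ContentModelStub{}
			r := query.Find(&records)

			// Assertions are bound to the subtest's t so a failure is reported
			// against this case rather than the parent test.
			assert.Nil(t, r.Error)
			assert.Equal(t, "SELECT * FROM `content_model_stubs`", r.Statement.SQL.String())
			assert.Equal(t, 0, len(r.Statement.Vars))
		})
	}
}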