From 3fa49d84cae665028c3b25b12cf2d249bf930134 Mon Sep 17 00:00:00 2001
From: Matthew Treinish
Date: Tue, 25 Jul 2017 15:51:29 -0400
Subject: [PATCH] Add a unit test with a simple sql injection ala xkcd

This commit adds a basic unit tests with a simple sql injection attack for a test name. All of the database interactions on the insert are done through sqlalchemy and the ORM should be protecting us against this attack vector. The test added here is just to sanity check this and so we have something to point to. It's not intended to actually be a thorough or even a real security test or a thorough security audit.

Change-Id: Iee5ed994328cf44834a1becb246f9983881d2129
---
 subunit2sql/tests/db/test_api.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/subunit2sql/tests/db/test_api.py b/subunit2sql/tests/db/test_api.py
index a4bf852..425cc43 100644
--- a/subunit2sql/tests/db/test_api.py
+++ b/subunit2sql/tests/db/test_api.py
@@ -88,6 +88,12 @@ class TestDatabaseAPI(base.TestCase):
 ['fake_test1', 'fake_test2', 'fake_test3'])
 self.assertEqual([], result)

+ def test_get_test_with_sql_injection(self):
+ api.create_test("test_terror'); DROP TABLE tests;")
+ res = api.get_all_tests()
+ self.assertEqual(len(res), 1)
+ self.assertEqual(res[0].test_id, "test_terror'); DROP TABLE tests;")
+
 def test_create_run_and_list(self):
 res = api.create_run()
 self.assertIsNotNone(res)
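Review bot: The payload passed to `api.create_test(...)` depends on a stacked query (`; DROP TABLE tests`), which the sqlite3 DBAPI refuses to run in a single `execute()` whether or not the statement was parameterized — so if the unit-test backend is SQLite (not visible in this hunk) the assertions would also pass against string-formatted SQL, and the test proves less than its name suggests. A single-statement payload that changes semantics, e.g. `api.create_test("fake_test' OR '1'='1")`, followed by a lookup that must return exactly that one row, would expose a non-parameterized query on any backend. `self.assertEqual(len(res), 1)` also assumes an empty database per test; asserting that the injected name is the only `test_id` present, rather than on the count, is less brittle if a fixture later seeds rows. A one-line docstring such as `"""Sanity check that the ORM parameterizes test names; not an injection audit."""` would carry the commit message's caveat into the code, where future readers will look for it.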