opendev/subunit2sql
Code Issues Proposed changes

Add a unit test with a simple sql injection ala xkcd

Browse Source 
This commit adds a basic unit tests with a simple sql injection attack
for a test name. All of the database interactions on the insert are done
through sqlalchemy and the ORM should be protecting us against this
attack vector. The test added here is just to sanity check this and so
we have something to point to. It's not intended to actually be a
thorough or even a real security test or a thorough security audit.

Change-Id: Iee5ed994328cf44834a1becb246f9983881d2129
This commit is contained in:
Matthew Treinish 2017-07-25 15:51:29 -04:00
parent 4f5c3943c6
commit 3fa49d84ca
No known key found for this signature in database
GPG Key ID: FD12A0F214C9E177
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
subunit2sql/tests/db/test_api.py
View File

@ -88,6 +88,12 @@ class TestDatabaseAPI(base.TestCase):
['fake_test1', 'fake_test2', 'fake_test3'])
self.assertEqual([], result)
def test_get_test_with_sql_injection(self):
api.create_test("test_terror'); DROP TABLE tests;")
res = api.get_all_tests()
self.assertEqual(len(res), 1)
self.assertEqual(res[0].test_id, "test_terror'); DROP TABLE tests;")
def test_create_run_and_list(self):
res = api.create_run()
self.assertIsNotNone(res)