* sql injection test * Update src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java Co-authored-by: EuniceSim142 <[email protected]> * change database name * fix lint * rewrite email sql * fix lint * add tests for other methods --------- Co-authored-by: EuniceSim142 <[email protected]> Co-authored-by: Kevin Foong <[email protected]>
1 parent
0f9d990
commit 648d606
Showing
1 changed file
with
120 additions
and
1 deletion.
@@ -11,7 +11,7 @@ | |
import teammates.storage.sqlentity.AccountRequest; | ||
|
||
/** | ||
* SUT: {@link CoursesDb}. | ||
* SUT: {@link AccountRequestsDb}. | ||
*/ | ||
public class AccountRequestsDbIT extends BaseTestCaseWithSqlDatabaseAccess { | ||
|
||
|
@@ -88,4 +88,123 @@ public void testUpdateAccountRequest() throws Exception { | |
accountRequest.getEmail(), accountRequest.getInstitute()); | ||
verifyEquals(accountRequest, actual); | ||
} | ||
|
||
@Test | ||
public void testSqlInjectionInCreateAccountRequestEmailField() throws Exception { | ||
______TS("SQL Injection test in email field"); | ||
|
||
// Attempt to use SQL commands in email field | ||
String email = "email'/**/OR/**/1=1/**/@gmail.com"; | ||
AccountRequest accountRequest = new AccountRequest(email, "name", "institute"); | ||
|
||
// The system should treat the input as a plain text string | ||
accountRequestDb.createAccountRequest(accountRequest); | ||
AccountRequest actual = accountRequestDb.getAccountRequest(accountRequest.getEmail(), accountRequest.getInstitute()); | ||
assertEquals(email, actual.getEmail()); | ||
} | ||
|
||
@Test | ||
public void testSqlInjectionInCreateAccountRequestNameField() throws Exception { | ||
______TS("SQL Injection test in name field"); | ||
|
||
// Attempt to use SQL commands in name field | ||
String name = "name'; SELECT * FROM account_requests; --"; | ||
AccountRequest accountRequest = new AccountRequest("[email protected]", name, "institute"); | ||
|
||
// The system should treat the input as a plain text string | ||
accountRequestDb.createAccountRequest(accountRequest); | ||
AccountRequest actual = accountRequestDb.getAccountRequest(accountRequest.getEmail(), accountRequest.getInstitute()); | ||
assertEquals(name, actual.getName()); | ||
} | ||
|
||
@Test | ||
public void testSqlInjectionInCreateAccountRequestInstituteField() throws Exception { | ||
______TS("SQL Injection test in institute field"); | ||
|
||
// Attempt to use SQL commands in institute field | ||
String institute = "institute'; DROP TABLE account_requests; --"; | ||
AccountRequest accountRequest = new AccountRequest("[email protected]", "name", institute); | ||
|
||
// The system should treat the input as a plain text string | ||
accountRequestDb.createAccountRequest(accountRequest); | ||
AccountRequest actual = accountRequestDb.getAccountRequest(accountRequest.getEmail(), institute); | ||
assertEquals(institute, actual.getInstitute()); | ||
} | ||
|
||
@Test | ||
public void testSqlInjectionInGetAccountRequest() throws Exception { | ||
______TS("SQL Injection test in getAccountRequest"); | ||
|
||
AccountRequest accountRequest = new AccountRequest("[email protected]", "name", "institute"); | ||
accountRequestDb.createAccountRequest(accountRequest); | ||
|
||
String instituteInjection = "institute'; DROP TABLE account_requests; --"; | ||
AccountRequest actualInjection = accountRequestDb.getAccountRequest(accountRequest.getEmail(), instituteInjection); | ||
assertNull(actualInjection); | ||
|
||
AccountRequest actual = accountRequestDb.getAccountRequest(accountRequest.getEmail(), accountRequest.getInstitute()); | ||
assertEquals(accountRequest, actual); | ||
} | ||
|
||
@Test | ||
public void testSqlInjectionInGetAccountRequestByRegistrationKey() throws Exception { | ||
______TS("SQL Injection test in getAccountRequestByRegistrationKey"); | ||
|
||
AccountRequest accountRequest = new AccountRequest("[email protected]", "name", "institute"); | ||
accountRequestDb.createAccountRequest(accountRequest); | ||
|
||
String regKeyInjection = "regKey'; DROP TABLE account_requests; --"; | ||
AccountRequest actualInjection = accountRequestDb.getAccountRequestByRegistrationKey(regKeyInjection); | ||
assertNull(actualInjection); | ||
|
||
AccountRequest actual = accountRequestDb.getAccountRequestByRegistrationKey(accountRequest.getRegistrationKey()); | ||
assertEquals(accountRequest, actual); | ||
} | ||
|
||
@Test | ||
public void testSqlInjectionInUpdateAccountRequest() throws Exception { | ||
______TS("SQL Injection test in updateAccountRequest"); | ||
|
||
AccountRequest accountRequest = new AccountRequest("[email protected]", "name", "institute"); | ||
accountRequestDb.createAccountRequest(accountRequest); | ||
|
||
String nameInjection = "newName'; DROP TABLE account_requests; --"; | ||
accountRequest.setName(nameInjection); | ||
accountRequestDb.updateAccountRequest(accountRequest); | ||
|
||
AccountRequest actual = accountRequestDb.getAccountRequest(accountRequest.getEmail(), accountRequest.getInstitute()); | ||
assertEquals(accountRequest, actual); | ||
} | ||
|
||
@Test | ||
public void testSqlInjectionInDeleteAccountRequest() throws Exception { | ||
______TS("SQL Injection test in deleteAccountRequest"); | ||
|
||
AccountRequest accountRequest = new AccountRequest("[email protected]", "name", "institute"); | ||
accountRequestDb.createAccountRequest(accountRequest); | ||
|
||
String emailInjection = "email'/**/OR/**/1=1/**/@gmail.com"; | ||
String nameInjection = "name'; DROP TABLE account_requests; --"; | ||
String instituteInjection = "institute'; DROP TABLE account_requests; --"; | ||
AccountRequest accountRequestInjection = new AccountRequest(emailInjection, nameInjection, instituteInjection); | ||
accountRequestDb.deleteAccountRequest(accountRequestInjection); | ||
|
||
AccountRequest actual = accountRequestDb.getAccountRequest(accountRequest.getEmail(), accountRequest.getInstitute()); | ||
assertEquals(accountRequest, actual); | ||
} | ||
|
||
@Test | ||
public void testSqlInjectionSearchAccountRequestsInWholeSystem() throws Exception { | ||
______TS("SQL Injection test in searchAccountRequestsInWholeSystem"); | ||
|
||
AccountRequest accountRequest = new AccountRequest("[email protected]", "name", "institute"); | ||
accountRequestDb.createAccountRequest(accountRequest); | ||
|
||
String searchInjection = "institute'; DROP TABLE account_requests; --"; | ||
List<AccountRequest> actualInjection = accountRequestDb.searchAccountRequestsInWholeSystem(searchInjection); | ||
assertEquals(0, actualInjection.size()); | ||
|
||
AccountRequest actual = accountRequestDb.getAccountRequest("[email protected]", "institute"); | ||
assertEquals(accountRequest, actual); | ||
} | ||
} |
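Review bot: The update test's final check, `assertEquals(accountRequest, actual)` at the end of `testSqlInjectionInUpdateAccountRequest`, compares the mutated in-memory entity against the fetched one; if the persistence layer hands back the same managed instance, or if `AccountRequest.equals` ignores the name field, the assertion passes whether or not the update reached the database. The create tests pin the stored value directly (`assertEquals(name, actual.getName())`), and the pre-existing test in this file uses `verifyEquals(accountRequest, actual)`, so do the same here: `assertEquals(nameInjection, actual.getName());` followed by `verifyEquals(accountRequest, actual);`, and likewise replace the `assertEquals(accountRequest, actual)` in the get/regKey/delete/search tests with `verifyEquals` for a field-wise comparison. In `testSqlInjectionInDeleteAccountRequest` the injected entity was never persisted, so `deleteAccountRequest` may be a no-op regardless of how the query is built; a comment stating that the test's real assertion is that the original row survives (`// the injected entity does not exist; the check below proves the payload did not run against the table`) would make that intent explicit. `searchAccountRequestsInWholeSystem` is asserted to return an empty list; if it can return null when search is unavailable, guard with `assertNotNull(actualInjection)` first so the failure mode is clear.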