Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[#12048] SQL injection test for AccountRequestsDbIT #12788

Merged
merged 12 commits into from
Mar 4, 2024
Merged

[#12048] SQL injection test for AccountRequestsDbIT #12788

merged 12 commits into from
Mar 4, 2024

Conversation

weiquu
Copy link
Contributor

@weiquu weiquu commented Feb 24, 2024

Part of #12048

EuniceSim142
EuniceSim142 requested changes Feb 24, 2024
View reviewed changes
Copy link
Contributor

@EuniceSim142 EuniceSim142 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, other than 1 thing.

src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java Outdated Show resolved Hide resolved
@weiquu weiquu requested a review from EuniceSim142 February 24, 2024 08:28
@weiquu weiquu added the s.ToReview The PR is waiting for review(s) label Feb 24, 2024
@weiquu weiquu added this to the V9.0.0-beta.0 milestone Feb 24, 2024
@weiquu weiquu requested a review from jayasting98 February 25, 2024 04:16
jayasting98
jayasting98 reviewed Feb 25, 2024
View reviewed changes
Copy link
Contributor

@jayasting98 jayasting98 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we be testing the UPDATE and DELETE queries too? I mean like using the updateAccountRequest and deleteAccountRequest methods.

src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java Outdated Show resolved Hide resolved
@weiquu
Copy link
Contributor Author

weiquu commented Feb 25, 2024

Should we be testing the UPDATE and DELETE queries too? I mean like using the updateAccountRequest and deleteAccountRequest methods.

Updated with these tests!

@weiquu weiquu requested a review from jayasting98 February 25, 2024 09:34
jayasting98
jayasting98 reviewed Feb 27, 2024
View reviewed changes
Copy link
Contributor

@jayasting98 jayasting98 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One more thing.

src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java Show resolved Hide resolved
@weiquu weiquu requested a review from jayasting98 February 29, 2024 07:50
jayasting98
jayasting98 approved these changes Feb 29, 2024
View reviewed changes
Copy link
Contributor

@jayasting98 jayasting98 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems okay to me. Thanks!

src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java
Comment on lines +186 to +189
String emailInjection = "email'/**/OR/**/1=1/**/@gmail.com";
String nameInjection = "name'; DROP TABLE account_requests; --";
String instituteInjection = "institute'; DROP TABLE account_requests; --";
AccountRequest accountRequestInjection = new AccountRequest(emailInjection, nameInjection, instituteInjection);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice. Actually, I should have combined everything in one shot like you did.

src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java
accountRequestDb.createAccountRequest(accountRequest);

String searchInjection = "institute'; DROP TABLE account_requests; --";
List<AccountRequest> actualInjection = accountRequestDb.searchAccountRequestsInWholeSystem(searchInjection);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this use SQL? I thought it's Solr. Still, I guess there's no harm, and it's possible the implementation may change to use SQL, but I'm not sure it's likely, even if PostgreSQL can do full-text search.

@jayasting98 jayasting98 added s.FinalReview The PR is ready for final review c.Task Other non-user-facing works, e.g. refactoring, adding tests and removed s.ToReview The PR is waiting for review(s) labels Feb 29, 2024
@EuniceSim142 EuniceSim142 added s.ToMerge The PR is approved by all reviewers including final reviewer; ready for merging and removed s.FinalReview The PR is ready for final review labels Mar 4, 2024
@EuniceSim142 EuniceSim142 merged commit 648d606 into TEAMMATES:master Mar 4, 2024
10 of 11 checks passed
@weiquu weiquu self-assigned this Mar 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@EuniceSim142 EuniceSim142 EuniceSim142 approved these changes

@jayasting98 jayasting98 jayasting98 approved these changes

Assignees

@weiquu weiquu

Labels
c.Task Other non-user-facing works, e.g. refactoring, adding tests s.ToMerge The PR is approved by all reviewers including final reviewer; ready for merging
Projects
None yet
Milestone
V9.0.0-beta.0
Development

Successfully merging this pull request may close these issues.
4 participants
@weiquu @jayasting98 @EuniceSim142 @kevin9foong