diff --git a/src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java b/src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java
index 6807e43a9b4..10199b80415 100644
--- a/src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java
+++ b/src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java
@@ -237,19 +237,4 @@ public void testSqlInjectionInDeleteAccountRequest() throws Exception {
 assertEquals(accountRequest, actual);
 }
 
- @Test
- public void testSqlInjectionSearchAccountRequestsInWholeSystem() throws Exception {
- ______TS("SQL Injection test in searchAccountRequestsInWholeSystem");
-
- AccountRequest accountRequest =
- new AccountRequest("test@gmail.com", "name", "institute", AccountRequestStatus.PENDING, "comments");
- accountRequestDb.createAccountRequest(accountRequest);
-
- String searchInjection = "institute'; DROP TABLE account_requests; --";
- List actualInjection = accountRequestDb.searchAccountRequestsInWholeSystem(searchInjection);
- assertEquals(0, actualInjection.size());
-
- AccountRequest actual = accountRequestDb.getAccountRequest(accountRequest.getId());
- assertEquals(accountRequest, actual);
- }
 }
diff --git a/src/it/java/teammates/it/storage/sqlsearch/AccountRequestSearchIT.java b/src/it/java/teammates/it/storage/sqlsearch/AccountRequestSearchIT.java
index a9b196eafc8..6afe88ab767 100644
--- a/src/it/java/teammates/it/storage/sqlsearch/AccountRequestSearchIT.java
+++ b/src/it/java/teammates/it/storage/sqlsearch/AccountRequestSearchIT.java
@@ -162,6 +162,25 @@ public void testSearchAccountRequest_noSearchService_shouldThrowException() {
 () -> accountRequestsDb.searchAccountRequestsInWholeSystem("anything"));
 }
 
+ @Test
+ public void testSqlInjectionSearchAccountRequestsInWholeSystem() throws Exception {
+ ______TS("SQL Injection test in searchAccountRequestsInWholeSystem");
+
+ if (!TestProperties.isSearchServiceActive()) {
+ return;
+ }
+
+ AccountRequest accountRequest = new AccountRequest("test@gmail.com", "name", "institute");
+ accountRequestsDb.createAccountRequest(accountRequest);
+
+ String searchInjection = "institute'; DROP TABLE account_requests; --";
+ List actualInjection = accountRequestsDb.searchAccountRequestsInWholeSystem(searchInjection);
+ assertEquals(typicalBundle.accountRequests.size(), actualInjection.size());
+
+ AccountRequest actual = accountRequestsDb.getAccountRequest("test@gmail.com", "institute");
+ assertEquals(accountRequest, actual);
+ }
+
 /**
 * Verifies that search results match with expected output.
 *
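Review bot: The early `return` taken when `TestProperties.isSearchServiceActive()` is false makes this injection regression test report as passed without ever sending the payload, so a run without the search service gives a false green for `searchAccountRequestsInWholeSystem`. Reporting it as skipped would keep the gap visible in results (if the suite runs under TestNG, `throw new SkipException("search service inactive");` in place of `return;`). Separately, `assertEquals(typicalBundle.accountRequests.size(), actualInjection.size())` expects the payload to match every fixture request, where the removed version of this test expected 0. A count equal to the whole fixture set cannot by itself tell a payload handled as literal search text from one that widened the query. A comment stating why all fixture requests are expected to match, or an assertion on the returned entities rather than their count, would make the intent checkable; the later `getAccountRequest` comparison remains the check that the table survived.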