From 1a2b2c20b2ed4267d6923f7813af76d2b94110d2 Mon Sep 17 00:00:00 2001
From: Carolyn Liu
Date: Sat, 27 Apr 2024 22:26:52 -0400
Subject: [PATCH 1/2] added check for active search service in account request search test

---
 .../java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java b/src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java
index 8af4c8065df..b8dd94b7b70 100644
--- a/src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java
+++ b/src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java
@@ -197,6 +197,10 @@ public void testSqlInjectionInDeleteAccountRequest() throws Exception {
     public void testSqlInjectionSearchAccountRequestsInWholeSystem() throws Exception {
         ______TS("SQL Injection test in searchAccountRequestsInWholeSystem");
 
+        if (!TestProperties.isSearchServiceActive()) {
+            return;
+        }
+
         AccountRequest accountRequest = new AccountRequest("test@gmail.com", "name", "institute");
         accountRequestDb.createAccountRequest(accountRequest);
 
From aadf8a3c391df190d28543511449adcbb0772427 Mon Sep 17 00:00:00 2001
From: Carolyn Liu
Date: Sat, 27 Apr 2024 23:01:23 -0400
Subject: [PATCH 2/2] moved account request search test to AccountRequestSearchIT and updated variables and asserts accordingly

---
 .../storage/sqlapi/AccountRequestsDbIT.java | 18 ------------------
 .../sqlsearch/AccountRequestSearchIT.java | 19 +++++++++++++++++++
 2 files changed, 19 insertions(+), 18 deletions(-)

diff --git a/src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java b/src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java
index b8dd94b7b70..7ddac3b9913 100644
--- a/src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java
+++ b/src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java
@@ -193,22 +193,4 @@ public void testSqlInjectionInDeleteAccountRequest() throws Exception {
         assertEquals(accountRequest, actual);
     }
 
-    @Test
-    public void testSqlInjectionSearchAccountRequestsInWholeSystem() throws Exception {
-        ______TS("SQL Injection test in searchAccountRequestsInWholeSystem");
-
-        if (!TestProperties.isSearchServiceActive()) {
-            return;
-        }
-
-        AccountRequest accountRequest = new AccountRequest("test@gmail.com", "name", "institute");
-        accountRequestDb.createAccountRequest(accountRequest);
-
-        String searchInjection = "institute'; DROP TABLE account_requests; --";
-        List actualInjection = accountRequestDb.searchAccountRequestsInWholeSystem(searchInjection);
-        assertEquals(0, actualInjection.size());
-
-        AccountRequest actual = accountRequestDb.getAccountRequest("test@gmail.com", "institute");
-        assertEquals(accountRequest, actual);
-    }
 }
diff --git a/src/it/java/teammates/it/storage/sqlsearch/AccountRequestSearchIT.java b/src/it/java/teammates/it/storage/sqlsearch/AccountRequestSearchIT.java
index db64c17c2ab..88f3bb7a5e5 100644
--- a/src/it/java/teammates/it/storage/sqlsearch/AccountRequestSearchIT.java
+++ b/src/it/java/teammates/it/storage/sqlsearch/AccountRequestSearchIT.java
@@ -152,6 +152,25 @@ public void testSearchAccountRequest_noSearchService_shouldThrowException() {
                 () -> accountRequestsDb.searchAccountRequestsInWholeSystem("anything"));
     }
 
+    @Test
+    public void testSqlInjectionSearchAccountRequestsInWholeSystem() throws Exception {
+        ______TS("SQL Injection test in searchAccountRequestsInWholeSystem");
+
+        if (!TestProperties.isSearchServiceActive()) {
+            return;
+        }
+
+        AccountRequest accountRequest = new AccountRequest("test@gmail.com", "name", "institute");
+        accountRequestsDb.createAccountRequest(accountRequest);
+
+        String searchInjection = "institute'; DROP TABLE account_requests; --";
+        List actualInjection = accountRequestsDb.searchAccountRequestsInWholeSystem(searchInjection);
+        assertEquals(typicalBundle.accountRequests.size(), actualInjection.size());
+
+        AccountRequest actual = accountRequestsDb.getAccountRequest("test@gmail.com", "institute");
+        assertEquals(accountRequest, actual);
+    }
+
     /**
      * Verifies that search results match with expected output.
      *
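Review bot: The `if (!TestProperties.isSearchServiceActive()) { return; }` guard at the top of the new test makes the SQL-injection check pass vacuously when no search backend is configured, so a CI run without one reports a green test whose assertions never executed; report it as skipped instead, e.g. `throw new SkipException("Search service not active");` (assuming TestNG, which the `@Test` and `______TS` conventions suggest — confirm against the project's test setup). `List actualInjection` is a raw type; `List<AccountRequest> actualInjection` keeps the test type-safe and avoids an unchecked warning. The assertion `assertEquals(typicalBundle.accountRequests.size(), actualInjection.size())` is the only hint that the payload is expected to be handled as an ordinary search term rather than rejected, and why it should match exactly the fixture's account requests is not visible here; a one-line comment such as `// payload is treated as plain search text — expected to hit every fixture account request, not to alter the table` would stop a later fixture change from being mistaken for a regression in injection handling. The follow-up `getAccountRequest("test@gmail.com", "institute")` check is the part that actually demonstrates the table survived, so it is worth keeping as the primary assertion if the search-result count is ever relaxed.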