diff options
author | Max Kanat-Alexander <mkanat@bugzilla.org> | 2010-07-07 23:34:25 +0200 |
---|---|---|
committer | Max Kanat-Alexander <mkanat@bugzilla.org> | 2010-07-07 23:34:25 +0200 |
commit | 87ea46f7fa2b269f065181f7765352184bb59717 (patch) | |
tree | 20e37379d319535c954480e86765a580342118bd /xt/lib/Bugzilla/Test/Search/InjectionTest.pm | |
parent | 814b24fdc9407a741967322041ff817665f8e00b (diff) | |
download | bugzilla-87ea46f7fa2b269f065181f7765352184bb59717.tar.gz bugzilla-87ea46f7fa2b269f065181f7765352184bb59717.tar.xz |
Bug 574879: Create a test that assures the correctness of Search.pm's
boolean charts
r=glob, a=mkanat
Diffstat (limited to 'xt/lib/Bugzilla/Test/Search/InjectionTest.pm')
-rw-r--r-- | xt/lib/Bugzilla/Test/Search/InjectionTest.pm | 77 |
1 files changed, 77 insertions, 0 deletions
diff --git a/xt/lib/Bugzilla/Test/Search/InjectionTest.pm b/xt/lib/Bugzilla/Test/Search/InjectionTest.pm new file mode 100644 index 000000000..211026232 --- /dev/null +++ b/xt/lib/Bugzilla/Test/Search/InjectionTest.pm @@ -0,0 +1,77 @@ +# -*- Mode: perl; indent-tabs-mode: nil -*- +# +# The contents of this file are subject to the Mozilla Public +# License Version 1.1 (the "License"); you may not use this file +# except in compliance with the License. You may obtain a copy of +# the License at http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS +# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or +# implied. See the License for the specific language governing +# rights and limitations under the License. +# +# The Original Code is the Bugzilla Bug Tracking System. +# +# The Initial Developer of the Original Code is Everything Solved, Inc. +# Portions created by the Initial Developer are Copyright (C) 2010 the +# Initial Developer. All Rights Reserved. +# +# Contributor(s): +# Max Kanat-Alexander <mkanat@bugzilla.org> + +# This module represents the SQL Injection tests that get run on a single +# operator/field combination for Bugzilla::Test::Search. +package Bugzilla::Test::Search::InjectionTest; +use base qw(Bugzilla::Test::Search::FieldTest); + +use strict; +use warnings; +use Bugzilla::Test::Search::Constants; +use Test::Exception; + +sub num_tests { return NUM_SEARCH_TESTS } + +sub _known_broken { + my ($self) = @_; + my $operator_broken = INJECTION_BROKEN_OPERATOR->{$self->operator}; + # We don't want to auto-vivify $operator_broken and thus make it true. + my @field_ok = $operator_broken ? @{ $operator_broken->{field_ok} || [] } + : (); + + return {} if grep { $_ eq $self->field } @field_ok; + + my $field_broken = INJECTION_BROKEN_FIELD->{$self->field}; + # We don't want to auto-vivify $field_broken and thus make it true. + my @operator_ok = $field_broken ? @{ $field_broken->{operator_ok} || [] } + : (); + return {} if grep { $_ eq $self->operator } @operator_ok; + + return $operator_broken || $field_broken || {}; +} + +sub sql_error_ok { return $_[0]->_known_broken->{sql_error} } + +# Injection tests don't have to skip any fields. +sub field_not_yet_implemented { undef } +# Injection tests don't do translation. +sub translated_value { $_[0]->test_value } + +sub name { return "injection-" . $_[0]->SUPER::name; } + +# Injection tests don't check content. +sub _test_content {} + +sub _test_sql { + my $self = shift; + my ($sql) = @_; + my $dbh = Bugzilla->dbh; + my $name = $self->name; + if (my $error_ok = $self->sql_error_ok) { + throws_ok { $dbh->selectall_arrayref($sql) } $error_ok, + "$name: SQL query dies, as we expect"; + return; + } + return $self->SUPER::_test_sql(@_); +} + +1;
\ No newline at end of file |