author | Ryuta Kamizono <kamipo@gmail.com> | 2019-03-18 06:47:40 +0900 |
---|---|---|
committer | Ryuta Kamizono <kamipo@gmail.com> | 2019-03-18 06:52:41 +0900 |
commit | 2d5d537d19d62e9c132cf49f7dbc9eb8ff9190e3 (patch) | |
tree | c5aa4cb4e52fdc37ccb673f1349bb23787eb42ea /activerecord/test/cases/adapters/postgresql | |
parent | c399f7d07a88d333fa05a361c66a252d9fa462bb (diff) | |
Add test case to prevent possible SQL injection
Diffstat (limited to 'activerecord/test/cases/adapters/postgresql')
-rw-r--r-- | activerecord/test/cases/adapters/postgresql/optimizer_hints_test.rb | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/activerecord/test/cases/adapters/postgresql/optimizer_hints_test.rb b/activerecord/test/cases/adapters/postgresql/optimizer_hints_test.rb
index 4fac7ffdc0..5e4bf232e1 100644
--- a/activerecord/test/cases/adapters/postgresql/optimizer_hints_test.rb
+++ b/activerecord/test/cases/adapters/postgresql/optimizer_hints_test.rb
@@ -17,13 +17,23 @@ if supports_optimizer_hints?
         posts = posts.select(:id).where(author_id: [0, 1])
         assert_includes posts.explain, "Seq Scan on posts"
       end
+    end
+
     def test_optimizer_hints_is_sanitized
       assert_sql(%r{\ASELECT /\*\+ SeqScan\(posts\) \*/}) do
         posts = Post.optimizer_hints("/*+ SeqScan(posts) */")
         posts = posts.select(:id).where(author_id: [0, 1])
         assert_includes posts.explain, "Seq Scan on posts"
       end
 
+      assert_sql(%r{\ASELECT /\*\+ "posts"\.\*, \*/}) do
+        posts = Post.optimizer_hints("**// \"posts\".*, //**")
+        posts = posts.select(:id).where(author_id: [0, 1])
+        assert_equal({ "id" => 1 }, posts.first.as_json)
+      end
+    end
+
+    def test_optimizer_hints_with_unscope
       assert_sql(%r{\ASELECT "posts"\."id"}) do
         posts = Post.optimizer_hints("/*+ SeqScan(posts) */")
         posts = posts.select(:id).where(author_id: [0, 1])
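Review bot: The new assert_sql block in test_optimizer_hints_is_sanitized gives no indication of why `**// \"posts\".*, //**` is the chosen input, so a later maintainer could "simplify" the string and silently lose the regression. The value is shaped so that removing a single `*/` from `**//` still leaves `*/` (and `//**` likewise leaves `/*`), which is the case a one-pass sanitizer would miss; the expected `/*+ "posts".*, */` prefix together with the `{ "id" => 1 }` result is what shows the text stayed inside the hint comment and no extra column reached the select list. A one-line comment above the block, `# a single-pass strip of "*/" would turn "**//" back into "*/", so this input checks the sanitizer handles overlapping markers`, would preserve that intent, and I would consider giving the block its own test method so a failure names the case directly. Both methods touched here start outside the hunk, and test_optimizer_hints_with_unscope ends outside it.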