author | Aaron Patterson <aaron.patterson@gmail.com> | 2010-12-07 09:49:37 -0800 |
---|---|---|
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2011-02-08 14:21:12 -0800 |
commit | 0b58a7ff420d7ef4b643c521a62be7259dd2f5cb (patch) | |
tree | d5314aa04b853619912bec01f47526cddb1ef2f8 /activerecord/test/cases/base_test.rb | |
parent | 6b1018526fb304727ee4191afc2d8a5e29e49eea (diff) | |
limit() should sanitize limit values
This fixes CVE-2011-0448
Diffstat (limited to 'activerecord/test/cases/base_test.rb')
-rw-r--r-- | activerecord/test/cases/base_test.rb | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/activerecord/test/cases/base_test.rb b/activerecord/test/cases/base_test.rb
index 1fa5d2ac5f..1730d9fb56 100644
--- a/activerecord/test/cases/base_test.rb
+++ b/activerecord/test/cases/base_test.rb
@@ -54,6 +54,40 @@ class BasicsTest < ActiveRecord::TestCase
 assert_nil Edge.primary_key
 end
 
+ def test_limit_with_comma
+ assert_nothing_raised do
+ Topic.limit("1,2").all
+ end
+ end
+
+ def test_limit_without_comma
+ assert_nothing_raised do
+ assert_equal 1, Topic.limit("1").all.length
+ end
+
+ assert_nothing_raised do
+ assert_equal 1, Topic.limit(1).all.length
+ end
+ end
+
+ def test_invalid_limit
+ assert_raises(ArgumentError) do
+ Topic.limit("asdfadf").all
+ end
+ end
+
+ def test_limit_should_sanitize_sql_injection_for_limit_without_comas
+ assert_raises(ArgumentError) do
+ Topic.limit("1 select * from schema").all
+ end
+ end
+
+ def test_limit_should_sanitize_sql_injection_for_limit_with_comas
+ assert_raises(ArgumentError) do
+ Topic.limit("1, 7 procedure help()").all
+ end
+ end
+
 def test_select_symbol
 topic_ids = Topic.select(:id).map(&:id).sort
 assert_equal Topic.find(:all).map(&:id).sort, topic_ids |
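Review bot: `test_limit_with_comma` only asserts that `Topic.limit("1,2").all` raises nothing, so a sanitizer that passed the string through unchanged, or silently dropped the limit, would still pass it; the non-comma test at least checks the returned `length`. Pinning the generated SQL would make it a real regression test, e.g. `assert_match(/LIMIT 1,2/i, Topic.limit("1,2").to_sql)`, though the rendering is adapter-specific (PostgreSQL has no `LIMIT x,y` form) and may need an adapter guard, which cannot be confirmed from this hunk alone. Both injection tests use payloads that contain spaces and words, so a sanitizer that merely rejected whitespace would also pass them; a space-free payload such as `Topic.limit("1;--").all` and a negative value like `Topic.limit("-1").all` are worth covering too, since some backends treat a negative LIMIT as unbounded. The expected outcome for the negative case depends on the sanitizer itself, which is outside this hunk.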