author | Ben Toews <mastahyeti@users.noreply.github.com> | 2017-02-08 11:23:26 -0700 |
---|---|---|
committer | Matthew Draper <matthew@trebex.net> | 2017-11-09 22:32:16 +1030 |
commit | f989b341eccc6a86fd1ddfff7f1441920855c84e (patch) | |
tree | 9cde6c82ff135be475431e308c1f59b1d57a0cae /activerecord/test/cases | |
parent | be6e1b8f7dbce1940f47339657faab2c1fdeaa54 (diff) | |
add config to check arguments to unsafe AR methods
Diffstat (limited to 'activerecord/test/cases')
-rw-r--r-- | activerecord/test/cases/unsafe_raw_sql_test.rb | 177 |
1 files changed, 177 insertions, 0 deletions
diff --git a/activerecord/test/cases/unsafe_raw_sql_test.rb b/activerecord/test/cases/unsafe_raw_sql_test.rb
new file mode 100644
index 0000000000..d05f0f12d9
--- /dev/null
+++ b/activerecord/test/cases/unsafe_raw_sql_test.rb
@@ -0,0 +1,177 @@
+# frozen_string_literal: true
+
+require "cases/helper"
+require "models/post"
+require "models/comment"
+
+class UnsafeRawSqlTest < ActiveRecord::TestCase
+ fixtures :posts, :comments
+
+ test "order: allows string column name" do
+ enabled, disabled = with_configs(:enabled, :disabled) do
+ Post.order("title").pluck(:id)
+ end
+
+ assert_equal enabled, disabled
+ assert_equal disabled, Post.unsafe_raw_order("title").pluck(:id)
+ end
+
+ test "order: allows symbol column name" do
+ enabled, disabled = with_configs(:enabled, :disabled) do
+ Post.order(:title).pluck(:id)
+ end
+
+ assert_equal enabled, disabled
+ assert_equal disabled, Post.unsafe_raw_order(:title).pluck(:id)
+ end
+
+ test "order: allows downcase symbol direction" do
+ enabled, disabled = with_configs(:enabled, :disabled) do
+ Post.order(title: :asc).pluck(:id)
+ end
+
+ assert_equal enabled, disabled
+ assert_equal disabled, Post.unsafe_raw_order(title: :asc).pluck(:id)
+ end
+
+ test "order: allows upcase symbol direction" do
+ enabled, disabled = with_configs(:enabled, :disabled) do
+ Post.order(title: :ASC).pluck(:id)
+ end
+
+ assert_equal enabled, disabled
+ assert_equal disabled, Post.unsafe_raw_order(title: :ASC).pluck(:id)
+ end
+
+ test "order: allows string direction" do
+ enabled, disabled = with_configs(:enabled, :disabled) do
+ Post.order(title: "asc").pluck(:id)
+ end
+
+ assert_equal enabled, disabled
+ assert_equal disabled, Post.unsafe_raw_order(title: "asc").pluck(:id)
+ end
+
+ test "order: allows multiple columns" do
+ enabled, disabled = with_configs(:enabled, :disabled) do
+ Post.order(:author_id, :title).pluck(:id)
+ end
+
+ assert_equal enabled, disabled
+ assert_equal disabled, Post.unsafe_raw_order(:author_id, :title).pluck(:id)
+ end
+
+ test "order: allows mixed" do
+ enabled, disabled = with_configs(:enabled, :disabled) do
+ Post.order(:author_id, title: :asc).pluck(:id)
+ end
+
+ assert_equal enabled, disabled
+ assert_equal disabled, Post.unsafe_raw_order(:author_id, title: :asc).pluck(:id)
+ end
+
+ test "order: disallows invalid column name" do
+ with_config(:disabled) do
+ assert_raises(ArgumentError) do
+ Post.order("title asc").pluck(:id)
+ end
+ end
+ end
+
+ test "order: disallows invalid direction" do
+ with_config(:disabled) do
+ assert_raises(ArgumentError) do
+ Post.order(title: :foo).pluck(:id)
+ end
+ end
+ end
+
+ test "order: disallows invalid column with direction" do
+ with_config(:disabled) do
+ assert_raises(ArgumentError) do
+ Post.order(foo: :asc).pluck(:id)
+ end
+ end
+ end
+
+ test "pluck: allows string column name" do
+ enabled, disabled = with_configs(:enabled, :disabled) do
+ Post.pluck("title")
+ end
+
+ assert_equal enabled, disabled
+ assert_equal disabled, Post.unsafe_raw_pluck("title")
+ end
+
+ test "pluck: allows symbol column name" do
+ enabled, disabled = with_configs(:enabled, :disabled) do
+ Post.pluck(:title)
+ end
+
+ assert_equal enabled, disabled
+ assert_equal disabled, Post.unsafe_raw_pluck(:title)
+ end
+
+ test "pluck: allows multiple column names" do
+ enabled, disabled = with_configs(:enabled, :disabled) do
+ Post.pluck(:title, :id)
+ end
+
+ assert_equal enabled, disabled
+ assert_equal disabled, Post.unsafe_raw_pluck(:title, :id)
+ end
+
+ test "pluck: allows column names with includes" do
+ enabled, disabled = with_configs(:enabled, :disabled) do
+ Post.includes(:comments).pluck(:title, :id)
+ end
+
+ assert_equal enabled, disabled
+ assert_equal disabled, Post.includes(:comments).unsafe_raw_pluck(:title, :id)
+ end
+
+ test "pluck: allows auto-generated attributes" do
+ enabled, disabled = with_configs(:enabled, :disabled) do
+ Post.pluck(:tags_count)
+ end
+
+ assert_equal enabled, disabled
+ assert_equal disabled, Post.unsafe_raw_pluck(:tags_count)
+ end
+
+ test "pluck: disallows invalid column name" do
+ with_config(:disabled) do
+ assert_raises(ArgumentError) do
+ Post.pluck("length(title)")
+ end
+ end
+ end
+
+ test "pluck: disallows invalid column name amongst valid names" do
+ with_config(:disabled) do
+ assert_raises(ArgumentError) do
+ Post.pluck(:title, "length(title)")
+ end
+ end
+ end
+
+ test "pluck: disallows invalid column names with includes" do
+ with_config(:disabled) do
+ assert_raises(ArgumentError) do
+ Post.includes(:comments).pluck(:title, "length(title)")
+ end
+ end
+ end
+
+ def with_configs(*new_values, &blk)
+ new_values.map { |nv| with_config(nv, &blk) }
+ end
+
+ def with_config(new_value, &blk)
+ old_value = ActiveRecord::Base.allow_unsafe_raw_sql
+ ActiveRecord::Base.allow_unsafe_raw_sql = new_value
+ blk.call
+ ensure
+ ActiveRecord::Base.allow_unsafe_raw_sql = old_value
+ end
+end |
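Review bot: Every "disallows" test (from `order: disallows invalid column name` through `pluck: disallows invalid column names with includes`) runs only under `with_config(:disabled)`, so nothing in this file shows the rejection is actually gated by `allow_unsafe_raw_sql` — an unconditional check would pass these tests unchanged. A positive counterpart per case, e.g. `with_config(:enabled) { assert_nothing_raised { Post.order("title asc").pluck(:id) } }`, would pin the gating, and running the same rejected input through `Post.unsafe_raw_order(...)` under `:disabled` would pin that the escape hatch bypasses the check, which the "allows" tests only imply for inputs that pass anyway. The rejected inputs also only cover an embedded direction and a function call; a table-qualified name such as `"posts.title"` appears in neither list, so the test does not record which side of the allowlist it falls on. On style, `with_config` captures `&blk` only to `blk.call` where `yield` would do, and both helpers could sit under `private` since they are fixtures rather than part of the test class's interface.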