diff options
-rw-r--r-- | activerecord/test/cases/unsafe_raw_sql_test.rb | 174 |
1 files changed, 96 insertions, 78 deletions
diff --git a/activerecord/test/cases/unsafe_raw_sql_test.rb b/activerecord/test/cases/unsafe_raw_sql_test.rb index 89eb02594a..53418bb914 100644 --- a/activerecord/test/cases/unsafe_raw_sql_test.rb +++ b/activerecord/test/cases/unsafe_raw_sql_test.rb @@ -8,70 +8,77 @@ class UnsafeRawSqlTest < ActiveRecord::TestCase fixtures :posts, :comments test "order: allows string column name" do - enabled, disabled = with_configs(:enabled, :disabled) do - Post.order("title").pluck(:id) - end + ids_expected = Post.order(Arel.sql("title")).pluck(:id) + + ids_enabled = with_unsafe_raw_sql_enabled { Post.order("title").pluck(:id) } + ids_disabled = with_unsafe_raw_sql_disabled { Post.order("title").pluck(:id) } - assert_equal enabled, disabled - assert_equal disabled, Post.order(Arel.sql("title")).pluck(:id) + assert_equal ids_expected, ids_enabled + assert_equal ids_expected, ids_disabled end test "order: allows symbol column name" do - enabled, disabled = with_configs(:enabled, :disabled) do - Post.order(:title).pluck(:id) - end + ids_expected = Post.order(Arel.sql("title")).pluck(:id) + + ids_enabled = with_unsafe_raw_sql_enabled { Post.order(:title).pluck(:id) } + ids_disabled = with_unsafe_raw_sql_disabled { Post.order(:title).pluck(:id) } - assert_equal enabled, disabled - assert_equal disabled, Post.order(Arel.sql("title")).pluck(:id) + assert_equal ids_expected, ids_enabled + assert_equal ids_expected, ids_disabled end test "order: allows downcase symbol direction" do - enabled, disabled = with_configs(:enabled, :disabled) do - Post.order(title: :asc).pluck(:id) - end + ids_expected = Post.order(Arel.sql("title") => Arel.sql("asc")).pluck(:id) + + ids_enabled = with_unsafe_raw_sql_enabled { Post.order(title: :asc).pluck(:id) } + ids_disabled = with_unsafe_raw_sql_disabled { Post.order(title: :asc).pluck(:id) } - assert_equal enabled, disabled - assert_equal disabled, Post.order(Arel.sql("title") => Arel.sql("asc")).pluck(:id) + assert_equal ids_expected, ids_enabled + assert_equal ids_expected, ids_disabled end test "order: allows upcase symbol direction" do - enabled, disabled = with_configs(:enabled, :disabled) do - Post.order(title: :ASC).pluck(:id) - end + ids_expected = Post.order(Arel.sql("title") => Arel.sql("ASC")).pluck(:id) + + ids_enabled = with_unsafe_raw_sql_enabled { Post.order(title: :ASC).pluck(:id) } + ids_disabled = with_unsafe_raw_sql_disabled { Post.order(title: :ASC).pluck(:id) } - assert_equal enabled, disabled - assert_equal disabled, Post.order(Arel.sql("title") => Arel.sql("ASC")).pluck(:id) + assert_equal ids_expected, ids_enabled + assert_equal ids_expected, ids_disabled end test "order: allows string direction" do - enabled, disabled = with_configs(:enabled, :disabled) do - Post.order(title: "asc").pluck(:id) - end + ids_expected = Post.order(Arel.sql("title") => Arel.sql("asc")).pluck(:id) + + ids_enabled = with_unsafe_raw_sql_enabled { Post.order(title: "asc").pluck(:id) } + ids_disabled = with_unsafe_raw_sql_disabled { Post.order(title: "asc").pluck(:id) } - assert_equal enabled, disabled - assert_equal disabled, Post.order(Arel.sql("title") => Arel.sql("asc")).pluck(:id) + assert_equal ids_expected, ids_enabled + assert_equal ids_expected, ids_disabled end test "order: allows multiple columns" do - enabled, disabled = with_configs(:enabled, :disabled) do - Post.order(:author_id, :title).pluck(:id) - end + ids_expected = Post.order(Arel.sql("author_id"), Arel.sql("title")).pluck(:id) + + ids_enabled = with_unsafe_raw_sql_enabled { Post.order(:author_id, :title).pluck(:id) } + ids_disabled = with_unsafe_raw_sql_disabled { Post.order(:author_id, :title).pluck(:id) } - assert_equal enabled, disabled - assert_equal disabled, Post.order(Arel.sql("author_id"), Arel.sql("title")).pluck(:id) + assert_equal ids_expected, ids_enabled + assert_equal ids_expected, ids_disabled end test "order: allows mixed" do - enabled, disabled = with_configs(:enabled, :disabled) do - Post.order(:author_id, title: :asc).pluck(:id) - end + ids_expected = Post.order(Arel.sql("author_id"), Arel.sql("title") => Arel.sql("asc")).pluck(:id) + + ids_enabled = with_unsafe_raw_sql_enabled { Post.order(:author_id, title: :asc).pluck(:id) } + ids_disabled = with_unsafe_raw_sql_disabled { Post.order(:author_id, title: :asc).pluck(:id) } - assert_equal enabled, disabled - assert_equal disabled, Post.order(Arel.sql("author_id"), Arel.sql("title") => Arel.sql("asc")).pluck(:id) + assert_equal ids_expected, ids_enabled + assert_equal ids_expected, ids_disabled end test "order: disallows invalid column name" do - with_config(:disabled) do + with_unsafe_raw_sql_disabled do assert_raises(ActiveRecord::UnknownAttributeReference) do Post.order("title asc").pluck(:id) end @@ -79,7 +86,7 @@ class UnsafeRawSqlTest < ActiveRecord::TestCase end test "order: disallows invalid direction" do - with_config(:disabled) do + with_unsafe_raw_sql_disabled do assert_raises(ArgumentError) do Post.order(title: :foo).pluck(:id) end @@ -87,7 +94,7 @@ class UnsafeRawSqlTest < ActiveRecord::TestCase end test "order: disallows invalid column with direction" do - with_config(:disabled) do + with_unsafe_raw_sql_disabled do assert_raises(ActiveRecord::UnknownAttributeReference) do Post.order(foo: :asc).pluck(:id) end @@ -95,15 +102,14 @@ class UnsafeRawSqlTest < ActiveRecord::TestCase end test "order: always allows Arel" do - enabled, disabled = with_configs(:enabled, :disabled) do - Post.order(Arel.sql("length(title)")).pluck(:title) - end + ids_enabled = with_unsafe_raw_sql_enabled { Post.order(Arel.sql("length(title)")).pluck(:title) } + ids_disabled = with_unsafe_raw_sql_disabled { Post.order(Arel.sql("length(title)")).pluck(:title) } - assert_equal enabled, disabled + assert_equal ids_enabled, ids_disabled end test "order: logs deprecation warning for unrecognized column" do - with_config(:deprecated) do + with_unsafe_raw_sql_deprecated do ActiveSupport::Deprecation.expects(:warn).with do |msg| msg =~ /\ADangerous query method used with .*length\(title\)/ end @@ -113,52 +119,57 @@ class UnsafeRawSqlTest < ActiveRecord::TestCase end test "pluck: allows string column name" do - enabled, disabled = with_configs(:enabled, :disabled) do - Post.pluck("title") - end + titles_expected = Post.pluck(Arel.sql("title")) + + titles_enabled = with_unsafe_raw_sql_enabled { Post.pluck("title") } + titles_disabled = with_unsafe_raw_sql_disabled { Post.pluck("title") } - assert_equal enabled, disabled - assert_equal disabled, Post.pluck(Arel.sql("title")) + assert_equal titles_expected, titles_enabled + assert_equal titles_expected, titles_disabled end test "pluck: allows symbol column name" do - enabled, disabled = with_configs(:enabled, :disabled) do - Post.pluck(:title) - end + titles_expected = Post.pluck(Arel.sql("title")) + + titles_enabled = with_unsafe_raw_sql_enabled { Post.pluck(:title) } + titles_disabled = with_unsafe_raw_sql_disabled { Post.pluck(:title) } - assert_equal enabled, disabled - assert_equal disabled, Post.pluck(Arel.sql("title")) + assert_equal titles_expected, titles_enabled + assert_equal titles_expected, titles_disabled end test "pluck: allows multiple column names" do - enabled, disabled = with_configs(:enabled, :disabled) do - Post.pluck(:title, :id) - end + values_expected = Post.pluck(Arel.sql("title"), Arel.sql("id")) + + values_enabled = with_unsafe_raw_sql_enabled { Post.pluck(:title, :id) } + values_disabled = with_unsafe_raw_sql_disabled { Post.pluck(:title, :id) } - assert_equal enabled, disabled - assert_equal disabled, Post.pluck(Arel.sql("title"), Arel.sql("id")) + assert_equal values_expected, values_enabled + assert_equal values_expected, values_disabled end test "pluck: allows column names with includes" do - enabled, disabled = with_configs(:enabled, :disabled) do - Post.includes(:comments).pluck(:title, :id) - end + values_expected = Post.includes(:comments).pluck(Arel.sql("title"), Arel.sql("id")) + + values_enabled = with_unsafe_raw_sql_enabled { Post.includes(:comments).pluck(:title, :id) } + values_disabled = with_unsafe_raw_sql_disabled { Post.includes(:comments).pluck(:title, :id) } - assert_equal enabled, disabled - assert_equal disabled, Post.includes(:comments).pluck(Arel.sql("title"), Arel.sql("id")) + assert_equal values_expected, values_enabled + assert_equal values_expected, values_disabled end test "pluck: allows auto-generated attributes" do - enabled, disabled = with_configs(:enabled, :disabled) do - Post.pluck(:tags_count) - end + values_expected = Post.pluck(Arel.sql("tags_count")) + + values_enabled = with_unsafe_raw_sql_enabled { Post.pluck(:tags_count) } + values_disabled = with_unsafe_raw_sql_disabled { Post.pluck(:tags_count) } - assert_equal enabled, disabled - assert_equal disabled, Post.pluck(Arel.sql("tags_count")) + assert_equal values_expected, values_enabled + assert_equal values_expected, values_disabled end test "pluck: disallows invalid column name" do - with_config(:disabled) do + with_unsafe_raw_sql_disabled do assert_raises(ActiveRecord::UnknownAttributeReference) do Post.pluck("length(title)") end @@ -166,7 +177,7 @@ class UnsafeRawSqlTest < ActiveRecord::TestCase end test "pluck: disallows invalid column name amongst valid names" do - with_config(:disabled) do + with_unsafe_raw_sql_disabled do assert_raises(ActiveRecord::UnknownAttributeReference) do Post.pluck(:title, "length(title)") end @@ -174,7 +185,7 @@ class UnsafeRawSqlTest < ActiveRecord::TestCase end test "pluck: disallows invalid column names with includes" do - with_config(:disabled) do + with_unsafe_raw_sql_disabled do assert_raises(ActiveRecord::UnknownAttributeReference) do Post.includes(:comments).pluck(:title, "length(title)") end @@ -182,15 +193,14 @@ class UnsafeRawSqlTest < ActiveRecord::TestCase end test "pluck: always allows Arel" do - enabled, disabled = with_configs(:enabled, :disabled) do - Post.includes(:comments).pluck(:title, Arel.sql("length(title)")) - end + values_enabled = with_unsafe_raw_sql_enabled { Post.includes(:comments).pluck(:title, Arel.sql("length(title)")) } + values_disabled = with_unsafe_raw_sql_disabled { Post.includes(:comments).pluck(:title, Arel.sql("length(title)")) } - assert_equal enabled, disabled + assert_equal values_enabled, values_disabled end test "pluck: logs deprecation warning" do - with_config(:deprecated) do + with_unsafe_raw_sql_deprecated do ActiveSupport::Deprecation.expects(:warn).with do |msg| msg =~ /\ADangerous query method used with .*length\(title\)/ end @@ -199,8 +209,16 @@ class UnsafeRawSqlTest < ActiveRecord::TestCase end end - def with_configs(*new_values, &blk) - new_values.map { |nv| with_config(nv, &blk) } + def with_unsafe_raw_sql_enabled(&blk) + with_config(:enabled, &blk) + end + + def with_unsafe_raw_sql_disabled(&blk) + with_config(:disabled, &blk) + end + + def with_unsafe_raw_sql_deprecated(&blk) + with_config(:deprecated, &blk) end def with_config(new_value, &blk) |