From 2d5d537d19d62e9c132cf49f7dbc9eb8ff9190e3 Mon Sep 17 00:00:00 2001
From: Ryuta Kamizono
Date: Mon, 18 Mar 2019 06:47:40 +0900
Subject: Add test case to prevent possible SQL injection

---
 .../test/cases/adapters/mysql2/optimizer_hints_test.rb | 10 ++++++++++
 .../test/cases/adapters/postgresql/optimizer_hints_test.rb | 10 ++++++++++
 2 files changed, 20 insertions(+)

(limited to 'activerecord/test')

diff --git a/activerecord/test/cases/adapters/mysql2/optimizer_hints_test.rb b/activerecord/test/cases/adapters/mysql2/optimizer_hints_test.rb
index 31a002e935..b9794c5710 100644
--- a/activerecord/test/cases/adapters/mysql2/optimizer_hints_test.rb
+++ b/activerecord/test/cases/adapters/mysql2/optimizer_hints_test.rb
@@ -13,13 +13,23 @@ if supports_optimizer_hints?
         posts = posts.select(:id).where(author_id: [0, 1])
         assert_includes posts.explain, "| index | index_posts_on_author_id | index_posts_on_author_id |"
       end
+    end
 
+    def test_optimizer_hints_is_sanitized
       assert_sql(%r{\ASELECT /\*\+ NO_RANGE_OPTIMIZATION\(posts index_posts_on_author_id\) \*/}) do
         posts = Post.optimizer_hints("/*+ NO_RANGE_OPTIMIZATION(posts index_posts_on_author_id) */")
         posts = posts.select(:id).where(author_id: [0, 1])
         assert_includes posts.explain, "| index | index_posts_on_author_id | index_posts_on_author_id |"
       end
 
+      assert_sql(%r{\ASELECT /\*\+ `posts`\.\*, \*/}) do
+        posts = Post.optimizer_hints("**// `posts`.*, //**")
+        posts = posts.select(:id).where(author_id: [0, 1])
+        assert_equal({ "id" => 1 }, posts.first.as_json)
+      end
+    end
+
+    def test_optimizer_hints_with_unscope
       assert_sql(%r{\ASELECT `posts`\.`id`}) do
         posts = Post.optimizer_hints("/*+ NO_RANGE_OPTIMIZATION(posts index_posts_on_author_id) */")
         posts = posts.select(:id).where(author_id: [0, 1])
diff --git a/activerecord/test/cases/adapters/postgresql/optimizer_hints_test.rb b/activerecord/test/cases/adapters/postgresql/optimizer_hints_test.rb
index 4fac7ffdc0..5e4bf232e1 100644
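Review bot: The `**// … //**` payload passed to `Post.optimizer_hints` in the new second `assert_sql` block of `test_optimizer_hints_is_sanitized` is the only thing that distinguishes it from the plain `/*+ … */` case above it, and nothing says why that shape matters: a maintainer of the sanitizer will not see that removing one `*/` from `**//` or one `/*` from `//**` still leaves a comment delimiter behind. Add a comment above that block, `# each side still contains a delimiter after one "/*" or "*/" is stripped; the hint must not be able to close the /*+ ... */ comment early`, and the same comment in the postgresql hunk below, which adds the identical case with double-quoted identifiers. The adapter-side sanitizer change this exercises is not in the shown diff (the view is limited to activerecord/test), so whether it handles repeated or nested delimiters in general cannot be confirmed from here. Note also that the `assert_sql` regex anchors only the statement prefix, which is enough to catch an early-closed comment but does not assert that the remainder of the hint text survives unchanged.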
--- a/activerecord/test/cases/adapters/postgresql/optimizer_hints_test.rb
+++ b/activerecord/test/cases/adapters/postgresql/optimizer_hints_test.rb
@@ -17,13 +17,23 @@ if supports_optimizer_hints?
         posts = posts.select(:id).where(author_id: [0, 1])
         assert_includes posts.explain, "Seq Scan on posts"
       end
+    end
 
+    def test_optimizer_hints_is_sanitized
       assert_sql(%r{\ASELECT /\*\+ SeqScan\(posts\) \*/}) do
         posts = Post.optimizer_hints("/*+ SeqScan(posts) */")
         posts = posts.select(:id).where(author_id: [0, 1])
         assert_includes posts.explain, "Seq Scan on posts"
       end
 
+      assert_sql(%r{\ASELECT /\*\+ "posts"\.\*, \*/}) do
+        posts = Post.optimizer_hints("**// \"posts\".*, //**")
+        posts = posts.select(:id).where(author_id: [0, 1])
+        assert_equal({ "id" => 1 }, posts.first.as_json)
+      end
+    end
+
+    def test_optimizer_hints_with_unscope
       assert_sql(%r{\ASELECT "posts"\."id"}) do
         posts = Post.optimizer_hints("/*+ SeqScan(posts) */")
         posts = posts.select(:id).where(author_id: [0, 1])
-- 
cgit v1.2.3