-
Notifications
You must be signed in to change notification settings - Fork 0
/
integration_security_test.go
100 lines (78 loc) · 2.49 KB
/
integration_security_test.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
package main
import (
"bytes"
"io"
"net/http"
"testing"
"github.com/stretchr/testify/assert"
)
func TestSecurityNegativeCases(t *testing.T) {
t.Run("Unauthorized", func(t *testing.T) {
t.Parallel()
tc := createTestContextWithHMACTokenAuth(t)
defer tc.CleanUp(t)
tc.authToken = "" // disable auth
client := tc.Client()
_, _, err := client.From("test").Select("id", "", false).Execute()
assert.Error(t, err)
assert.Contains(t, err.Error(), "Unauthorized")
})
t.Run("TableAccessRestricted", func(t *testing.T) {
t.Parallel()
tc := createTestContextWithHMACTokenAuth(t)
defer tc.CleanUp(t)
client := tc.Client()
_, _, err := client.From(tableNameMigrations).Select("id", "", false).Execute()
assert.Error(t, err)
assert.Contains(t, err.Error(), "Access Restricted")
})
}
func TestSecuritySQLInjection(t *testing.T) {
t.Run("Update", func(t *testing.T) {
t.Parallel()
tc := createTestContextWithHMACTokenAuth(t)
defer tc.CleanUp(t)
tc.ExecuteSQL(t, "CREATE TABLE test (id int)")
tc.ExecuteSQL(t, "insert into test values (1)")
p := bytes.NewBufferString(`{"id": 2}`)
req := tc.NewRequest(t, http.MethodPost, "test", p)
req.Header.Set("content-type", "application/json")
q := req.URL.Query()
q.Set("select", "1; drop table test;select *")
req.URL.RawQuery = q.Encode()
resp := tc.ExecuteRequest(t, req)
defer resp.Body.Close()
assert.Equal(t, http.StatusCreated, resp.StatusCode)
_, err := io.ReadAll(resp.Body)
assert.NoError(t, err)
client := tc.Client()
res, _, err := client.From("test").Select("*", "", false).Execute()
assert.NoError(t, err)
var rv []map[string]interface{}
tc.DecodeResult(t, res, &rv)
assert.Len(t, rv, 2)
})
t.Run("Select", func(t *testing.T) {
t.Parallel()
tc := createTestContextWithHMACTokenAuth(t)
defer tc.CleanUp(t)
tc.ExecuteSQL(t, "CREATE TABLE test (id int)")
tc.ExecuteSQL(t, "insert into test values (1)")
req := tc.NewRequest(t, http.MethodGet, "test", nil)
req.Header.Set("content-type", "application/json")
q := req.URL.Query()
q.Set("select", "1; drop table test;select *")
req.URL.RawQuery = q.Encode()
resp := tc.ExecuteRequest(t, req)
defer resp.Body.Close()
assert.Equal(t, http.StatusOK, resp.StatusCode)
_, err := io.ReadAll(resp.Body)
assert.NoError(t, err)
client := tc.Client()
res, _, err := client.From("test").Select("*", "", false).Execute()
assert.NoError(t, err)
var rv []map[string]interface{}
tc.DecodeResult(t, res, &rv)
assert.Len(t, rv, 1)
})
}