081b17fbe8
* [security][fix] tighten criteria to prevent sql injection in search-fields * test cases
40 lines
1.4 KiB
Python
40 lines
1.4 KiB
Python
# Copyright (c) 2015, Frappe Technologies Pvt. Ltd. and Contributors
|
|
# MIT License. See license.txt
|
|
|
|
from __future__ import unicode_literals
|
|
import unittest
|
|
import frappe
|
|
from frappe.desk.search import search_link
|
|
|
|
|
|
class TestSearch(unittest.TestCase):
|
|
def test_search_field_sanitizer(self):
|
|
# pass
|
|
search_link('DocType', 'User', query=None, filters=None, page_length=20, searchfield='name')
|
|
result = frappe.response['results'][0]
|
|
self.assertTrue('User' in result['value'])
|
|
|
|
#raise exception on injection
|
|
self.assertRaises(frappe.DataError,
|
|
search_link, 'DocType', 'Customer', query=None, filters=None,
|
|
page_length=20, searchfield='1=1')
|
|
|
|
self.assertRaises(frappe.DataError,
|
|
search_link, 'DocType', 'Customer', query=None, filters=None,
|
|
page_length=20, searchfield='select * from tabSessions) --')
|
|
|
|
self.assertRaises(frappe.DataError,
|
|
search_link, 'DocType', 'Customer', query=None, filters=None,
|
|
page_length=20, searchfield='name or (select * from tabSessions)')
|
|
|
|
self.assertRaises(frappe.DataError,
|
|
search_link, 'DocType', 'Customer', query=None, filters=None,
|
|
page_length=20, searchfield='*')
|
|
|
|
self.assertRaises(frappe.DataError,
|
|
search_link, 'DocType', 'Customer', query=None, filters=None,
|
|
page_length=20, searchfield=';')
|
|
|
|
self.assertRaises(frappe.DataError,
|
|
search_link, 'DocType', 'Customer', query=None, filters=None,
|
|
page_length=20, searchfield=';')
|