From 015b872675a9de522b285c820f021961ae8b8236 Mon Sep 17 00:00:00 2001
From: Carolyn Liu <81890935+cliu585@users.noreply.github.com>
Date: Fri, 28 Jun 2024 10:45:54 -0400
Subject: [PATCH] [#12901] Check if the search service is active in account request search test (#13101)

* added check for active search service in account request search test
* moved account request search test to AccountRequestSearchIT and updated variables and asserts accordingly
* Add caution note to instructor email copies and remove hyperlinks
* updated account request test constructor to be consistent with latest commits
* fixed style errors
* fixed compiler errors
* fixed assertion error and style
* fixed linter errors
* Revert "Add caution note to instructor email copies and remove hyperlinks"
This reverts commit 232c75779c3c8a9f49a8648693210bec2dd28b8d.
---------
Co-authored-by: Carolyn Liu
Co-authored-by: Anna Zhang
Co-authored-by: DS
Co-authored-by: Wei Qing <48304907+weiquu@users.noreply.github.com>
---
 .../storage/sqlapi/AccountRequestsDbIT.java | 15 -------------
 .../sqlsearch/AccountRequestSearchIT.java | 21 +++++++++++++++++++
 2 files changed, 21 insertions(+), 15 deletions(-)
diff --git a/src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java b/src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java
index 6807e43a9b4..10199b80415 100644
--- a/src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java
+++ b/src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java
@@ -237,19 +237,4 @@ public void testSqlInjectionInDeleteAccountRequest() throws Exception {
 assertEquals(accountRequest, actual);
 }

- @Test
- public void testSqlInjectionSearchAccountRequestsInWholeSystem() throws Exception {
- ______TS("SQL Injection test in searchAccountRequestsInWholeSystem");
-
- AccountRequest accountRequest =
- new AccountRequest("test@gmail.com", "name", "institute", AccountRequestStatus.PENDING, "comments");
- accountRequestDb.createAccountRequest(accountRequest);
-
- String searchInjection = "institute'; DROP TABLE account_requests; --";
- List actualInjection = accountRequestDb.searchAccountRequestsInWholeSystem(searchInjection);
- assertEquals(0, actualInjection.size());
-
- AccountRequest actual = accountRequestDb.getAccountRequest(accountRequest.getId());
- assertEquals(accountRequest, actual);
- }
 }
diff --git a/src/it/java/teammates/it/storage/sqlsearch/AccountRequestSearchIT.java b/src/it/java/teammates/it/storage/sqlsearch/AccountRequestSearchIT.java
index a9b196eafc8..84b69d46630 100644
--- a/src/it/java/teammates/it/storage/sqlsearch/AccountRequestSearchIT.java
+++ b/src/it/java/teammates/it/storage/sqlsearch/AccountRequestSearchIT.java
@@ -6,6 +6,7 @@
 import org.testng.annotations.BeforeMethod;
 import org.testng.annotations.Test;

+import teammates.common.datatransfer.AccountRequestStatus;
 import teammates.common.datatransfer.SqlDataBundle;
 import teammates.common.exception.SearchServiceException;
 import teammates.common.util.HibernateUtil;
@@ -162,6 +163,26 @@ public void testSearchAccountRequest_noSearchService_shouldThrowException() {
 () -> accountRequestsDb.searchAccountRequestsInWholeSystem("anything"));
 }

+ @Test
+ public void testSqlInjectionSearchAccountRequestsInWholeSystem() throws Exception {
+ ______TS("SQL Injection test in searchAccountRequestsInWholeSystem");
+
+ if (!TestProperties.isSearchServiceActive()) {
+ return;
+ }
+
+ AccountRequest accountRequest =
+ new AccountRequest("test@gmail.com", "name", "institute", AccountRequestStatus.PENDING, "comments");
+ accountRequestsDb.createAccountRequest(accountRequest);
+
+ String searchInjection = "institute'; DROP TABLE account_requests; --";
+ List actualInjection = accountRequestsDb.searchAccountRequestsInWholeSystem(searchInjection);
+ assertEquals(typicalBundle.accountRequests.size(), actualInjection.size());
+
+ AccountRequest actual = accountRequestsDb.getAccountRequest(accountRequest.getId());
+ assertEquals(accountRequest, actual);
+ }
+
 /**
 * Verifies that search results match with expected output.
 *
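Review bot: The early `return` taken when `TestProperties.isSearchServiceActive()` is false makes testSqlInjectionSearchAccountRequestsInWholeSystem count as passed in any run without the search service, so a green build no longer shows whether the injection regression check actually ran. Consider `throw new SkipException("search service is not active");` there (TestNG's `org.testng.SkipException`, which needs an import), so the run reports the test as skipped; other tests in this file may use the same early-return pattern, which is not visible in this hunk. The expected count also changed from 0 to `typicalBundle.accountRequests.size()` with no explanation, and a size-only comparison would still pass if the search returned a different set of the same size. A short comment such as `// the payload is treated as plain search text, so it matches every bundled request; the table must survive` would document the intent, assuming that is the reason, and make clear that the final `getAccountRequest` assertion is the check that the table was not dropped.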