UNPKG

waterline-adapter-tests

Version:

Integration tests for waterline adapters

github.com/balderdashy/waterline-adapter-tests

balderdashy/waterline-adapter-tests

101 lines (77 loc) 2.96 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
var assert = require('assert'); var _ = require('@sailshq/lodash'); describe('SQL Interface', function() { describe('.find()', function() { before(function(done) { // Insert 10 Users var users = []; for(var i=0; i<10; i++) { users.push({first_name: 'find_user' + i, type: 'find test', age: i*10 }); } users.push({first_name: 'blackbeard\'s ghost', type: 'find test', age: 999}); Sql.Userforsqlinterface.createEach(users, function(err, users) { if (err) { return done(err); } return done(); }); }); it('should escape attribute names to prevent SQL injection attacks', function(done) { Sql.Userforsqlinterface.find({ type: 'find_test', 'first_name`IS NULL OR 1=1 #': 'whatever' }, function(err, users) { assert(err, 'Should have escaped field name and prevented data from being returned (caused an error)'); assert(!users || !users.length, 'Should have escaped field name and prevented data from being returned'); return done(); }); }); it('should escape values when using startsWith modifier to prevent SQL injection attacks', function(done) { var part = '\\\\\\" OR 1=1; -- %_'; Sql.Userforsqlinterface.find({ first_name: { startsWith: part }}, function(err, users) { if (err) { return done(err); } assert(!users.length); return done(); }); }); it('should escape values when using endsWith modifier to prevent SQL injection attacks', function(done) { var part = '\\\\\\" OR 1=1; -- %_'; Sql.Userforsqlinterface.find({ first_name: { endsWith: part }}, function(err, users) { if (err) { return done(err); } assert(!users.length); return done(); }); }); it('should escape values when using contains modifier to prevent SQL injection attacks', function(done) { var part = '\\\\\\" OR 1=1; -- %_'; Sql.Userforsqlinterface.find({ first_name: { contains: part }}, function(err, users) { if (err) { return done(err); } assert(!users.length); return done(); }); }); it('should escape values when using like modifier to prevent SQL injection attacks', function(done) { var part = '\\\\\\" OR 1=1; -- %_'; Sql.Userforsqlinterface.find({ first_name: { like: part }}, function(err, users) { if (err) { return done(err); } assert(!users.length); return done(); }); }); it('should not unneccessarily escape values in criteria', function(done) { Sql.Userforsqlinterface.findOne({ first_name: 'blackbeard\'s ghost'}, function(err, user) { if (err) { return done(err); } assert(user); assert.equal(user.first_name, 'blackbeard\'s ghost'); return done(); }); }) }); });