
Commit aa3366d

committed
Also add tests for cursor
1 parent 85dc2b1 commit aa3366d

1 file changed

Lines changed: 27 additions & 3 deletions


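--- a/aikido_zen/sinks/tests/clickhouse_driver_test.py
+++ b/aikido_zen/sinks/tests/clickhouse_driver_test.py
@@ -4,9 +4,6 @@
 from aikido_zen.context import Context
 from aikido_zen.errors import AikidoSQLInjection
 
-kind = "sql_injection"
-op = "pymysql.connections.query"
-
 
 class Context1(Context):
 def __init__(self, body):
@@ -62,3 +59,30 @@ def test_client_execute_unsafe(client, monkeypatch):
 
 monkeypatch.setenv("AIKIDO_BLOCK", "0")
 client.execute(sql)
+
+
+def test_cursor_execute_safe():
+from clickhouse_driver import connect
+
+conn = connect("clickhouse://localhost:9000")
+reset_comms()
+dog_name = "Steve"
+sql = "INSERT INTO dogs (dog_name, isAdmin) VALUES ('{}' , 0)".format(dog_name)
+Context1({"dog_name": dog_name}).set_as_current_context()
+conn.cursor().execute(sql)
+
+
+def test_cursor_execute_unsafe(monkeypatch):
+from clickhouse_driver import connect
+
+conn = connect("clickhouse://localhost:9000")
+reset_comms()
+dog_name = "Malicious dog', 1); -- "
+sql = "INSERT INTO dogs (dog_name, isAdmin) VALUES ('{}' , 0)".format(dog_name)
+Context1({"dog_name": dog_name}).set_as_current_context()
+
+with pytest.raises(AikidoSQLInjection):
+conn.cursor().execute(sql)
+
+monkeypatch.setenv("AIKIDO_BLOCK", "0")
+conn.cursor().execute(sql)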
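Review bot: Neither new test pins the blocking mode before its first `execute`, so `test_cursor_execute_safe` only proves the absence of a false positive if `AIKIDO_BLOCK` happens to be enabled in the ambient environment; with blocking off it cannot fail on a wrongly flagged query. Unless a fixture outside this hunk already sets it, I would have both tests take `monkeypatch` and start by setting a blocking value, e.g. `monkeypatch.setenv("AIKIDO_BLOCK", "1")`. The final `conn.cursor().execute(sql)` in `test_cursor_execute_unsafe` runs with blocking disabled and asserts nothing, so it would still pass if the cursor sink stopped detecting in non-blocking mode; an assertion that the attack was still reported would close that gap. Both tests also create a connection to `clickhouse://localhost:9000` that is never closed, which could be handled with a fixture like the `client` one the existing test uses.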
