|
4 | 4 | from aikido_zen.context import Context |
5 | 5 | from aikido_zen.errors import AikidoSQLInjection |
6 | 6 |
|
7 | | -kind = "sql_injection" |
8 | | -op = "pymysql.connections.query" |
9 | | - |
10 | 7 |
|
11 | 8 | class Context1(Context): |
12 | 9 | def __init__(self, body): |
@@ -62,3 +59,30 @@ def test_client_execute_unsafe(client, monkeypatch): |
62 | 59 |
|
63 | 60 | monkeypatch.setenv("AIKIDO_BLOCK", "0") |
64 | 61 | client.execute(sql) |
| 62 | + |
| 63 | + |
| 64 | +def test_cursor_execute_safe(): |
| 65 | + from clickhouse_driver import connect |
| 66 | + |
| 67 | + conn = connect("clickhouse://localhost:9000") |
| 68 | + reset_comms() |
| 69 | + dog_name = "Steve" |
| 70 | + sql = "INSERT INTO dogs (dog_name, isAdmin) VALUES ('{}' , 0)".format(dog_name) |
| 71 | + Context1({"dog_name": dog_name}).set_as_current_context() |
| 72 | + conn.cursor().execute(sql) |
| 73 | + |
| 74 | + |
| 75 | +def test_cursor_execute_unsafe(monkeypatch): |
| 76 | + from clickhouse_driver import connect |
| 77 | + |
| 78 | + conn = connect("clickhouse://localhost:9000") |
| 79 | + reset_comms() |
| 80 | + dog_name = "Malicious dog', 1); -- " |
| 81 | + sql = "INSERT INTO dogs (dog_name, isAdmin) VALUES ('{}' , 0)".format(dog_name) |
| 82 | + Context1({"dog_name": dog_name}).set_as_current_context() |
| 83 | + |
| 84 | + with pytest.raises(AikidoSQLInjection): |
| 85 | + conn.cursor().execute(sql) |
| 86 | + |
| 87 | + monkeypatch.setenv("AIKIDO_BLOCK", "0") |
| 88 | + conn.cursor().execute(sql) |
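Review bot: In `test_cursor_execute_unsafe` the second `conn.cursor().execute(sql)` after `monkeypatch.setenv("AIKIDO_BLOCK", "0")` only shows that detect-only mode stops raising; nothing asserts that the injection was still detected and reported, so a regression that silently skips the check whenever blocking is off would pass this test. If the comms stub that `reset_comms()` resets records reported attacks, assert on it after that call; otherwise at least mark the gap with `# detect-only mode: payload executes but must still be reported — TODO assert via comms`. Both new tests also open `connect("clickhouse://localhost:9000")` inline and never close the connection or the cursor, unlike the `client` fixture the existing `test_client_execute_unsafe` takes; a `conn` fixture with `yield conn` followed by `conn.close()` would remove the leak and the duplicated URL. Be aware that in the non-blocking branch the payload `Malicious dog', 1); -- ` is really sent to the live ClickHouse, and the resulting statement would write an `isAdmin = 1` row into `dogs` that persists for later tests.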