Skip to content

Commit d7d34a6

Browse files
committed
Add unit test for Session.set_keyspace double-quote escaping
Test that Session.set_keyspace properly escapes double quotes in keyspace names (e.g. 'my"ks' -> USE "my""ks") to prevent CQL injection. Also verifies simple keyspace names are not unnecessarily quoted. Requested in review of PR #758.
1 parent 3281c9f commit d7d34a6

1 file changed

Lines changed: 27 additions & 0 deletions

File tree

tests/unit/test_cluster.py

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -251,6 +251,33 @@ def test_default_serial_consistency_level_legacy(self, *_):
251251
assert f.message.serial_consistency_level == cl_override
252252

253253

254+
255+
@mock_session_pools
256+
def test_set_keyspace_escapes_quotes(self, *_):
257+
"""
258+
Test that Session.set_keyspace properly escapes double quotes in
259+
keyspace names to prevent CQL injection.
260+
Requested in review of PR #758.
261+
"""
262+
c = Cluster(protocol_version=4)
263+
s = Session(c, [Host("127.0.0.1", SimpleConvictionPolicy, host_id=uuid.uuid4())])
264+
c.connection_class.initialize_reactor()
265+
266+
s.execute = Mock()
267+
268+
s.set_keyspace('my"ks')
269+
query = s.execute.call_args[0][0]
270+
assert query == 'USE "my""ks"', (
271+
"Double quotes in keyspace name must be escaped as double-double quotes, "
272+
"got: %r" % query)
273+
274+
# Also verify a simple keyspace name doesn't get unnecessarily quoted
275+
s.execute.reset_mock()
276+
s.set_keyspace('simple_ks')
277+
query = s.execute.call_args[0][0]
278+
assert query == 'USE simple_ks', (
279+
"Simple keyspace names should not be quoted, got: %r" % query)
280+
254281
class ProtocolVersionTests(unittest.TestCase):
255282

256283
def test_protocol_downgrade_test(self):

0 commit comments

Comments
 (0)