add tests on pattern matching
pblottiere committed Mar 1, 2017
1 parent bf45c28 commit 3807936
Showing 1 changed file with 32 additions and 0 deletions.
32 changes: 32 additions & 0 deletions tests/src/python/test_qgsserver_security.py
Expand Up @@ -172,6 +172,38 @@ def test_wms_getfeatureinfo_filter_unicode(self):
d, h = self.handle_request_wms_getfeatureinfo(filter_sql)
self.assertTrue(self.check_service_exception_report(d))

def test_wms_getfeatureinfo_filter_patternmatching(self):
"""
The aim is to retrieve the table's name thanks to pattern matching.
If you remove the safety check, this is a valid injection.
"""

filter_sql = "point:\"name\" = 'b'"
injection_sql = "or ( select name from sqlite_master where type='table' and name like '{0}') != ''"
query = "{0} {1}".format(filter_sql, injection_sql)

# there's no table named as 'az%'
name = "az%"
sql = query.format(name)
d, h = self.handle_request_wms_getfeatureinfo(sql)
# self.assertTrue(b"name = 'b'" in d) #true if sanity check deactivated
self.assertTrue(self.check_service_exception_report(d))

# a table named as 'ao%' exist
name = "ao%"
sql = query.format(name)
d, h = self.handle_request_wms_getfeatureinfo(sql)
# self.assertTrue(b"name = 'a'" in d) #true if sanity check deactivated
self.assertTrue(self.check_service_exception_report(d))

# a table named as 'aoi' exist
name = "aoi"
sql = query.format(name)
d, h = self.handle_request_wms_getfeatureinfo(sql)
# self.assertTrue(b"name = 'a'" in d) #true if sanity check deactivated
self.assertTrue(self.check_service_exception_report(d))

def test_wms_getfeatureinfo_filter_whitelist(self):
"""
The aim is to check that some tokens cannot pass the safety check
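Review bot: All three probes (`az%`, `ao%`, `aoi`) assert only `check_service_exception_report(d)`, so the test cannot tell a server that blocks the `sqlite_master` subquery from one that rejects every GetFeatureInfo FILTER, and the leak it is meant to guard against only lives in the commented-out asserts after each request. Turn those comments into live negative assertions, e.g. `self.assertNotIn(b"name = 'a'", d)` (and `self.assertNotIn(b"name = 'b'", d)` for the first probe), so the test also fails if feature rows ever come back with the response. Since the injected text differs only in the LIKE pattern, the three requests presumably hit the same token-whitelist rejection, so a loop `for name in ("az%", "ao%", "aoi"):` wrapped in `with self.subTest(name=name):` would express the intent with less copy-paste. A positive control showing that the bare `filter_sql` without the injection is accepted would confirm the rejection is caused by the injected tokens; it may already exist elsewhere in this file, outside the hunk.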
