add-new-tests-cases

OCA · Sep 8, 2021 · 121608f · 121608f
1 parent 0eb93ce
commit 121608f
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/pylint_odoo/test/main.py b/pylint_odoo/test/main.py
@@ -56,7 +56,7 @@
     'print-used': 1,
     'redundant-modulename-xml': 1,
     'rst-syntax-error': 2,
-    'sql-injection': 17,
+    'sql-injection': 21,
     'str-format-used': 3,
     'translation-field': 2,
     'translation-required': 15,

diff --git a/pylint_odoo/test_repo/broken_module/models/broken_model.py b/pylint_odoo/test_repo/broken_module/models/broken_model.py
@@ -411,6 +411,9 @@ def sql_injection_ignored_cases(self, ids, cr2):
                 query=sql_query,
             ))
 
+        self._cr.execute(
+            'SELECT name FROM %(table)s' % {'table': self._table})
+
     # old api
     def sql_injection_modulo_operator(self, cr, uid, ids, context=None):
         # Use of % operator: risky
@@ -432,6 +435,9 @@ def sql_injection_modulo_operator(self, cr, uid, ids, context=None):
         values = ([1, 2, 3, ], )
         self._cr.execute(var % values)
 
+        self._cr.execute(
+            'SELECT name FROM account WHERE id IN %(ids)s' % {'ids': ids})
+
     def sql_injection_executemany(self, ids, cr, v1, v2):
         # Check executemany() as well
         self.cr.executemany(
@@ -446,6 +452,9 @@ def sql_injection_format(self, ids, cr):
         values = (1, 2, 3)
         self._cr.execute(var.format(values))
 
+        self.cr.execute(
+            'SELECT name FROM account WHERE id IN {ids}'.format(ids=ids))
+
     def sql_injection_plus_operator(self, ids, cr):
         # Use of +: risky
         self.cr.execute(
@@ -475,6 +484,12 @@ def sql_injection_before(self, ids):
         var[1] = 'SELECT name FROM account WHERE id IN %s' % tuple(ids)
         self._cr.execute(var[1])
 
+        var = 'SELECT name FROM account WHERE id IN %(ids)s' % {'ids': tuple(ids)}
+        self._cr.execute(var)
+
+        var[1] = 'SELECT name FROM account WHERE id IN %(ids)s' % {'ids': tuple(ids)}
+        self._cr.execute(var[1])
+
     def sql_no_injection_private_attributes(self, _variable, variable):
         # Skip sql-injection using private attributes
         self._cr.execute(