add-new-tests-cases

OCA · Sep 8, 2021 · 3b238db · 3b238db
1 parent 0eb93ce
commit 3b238db
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/pylint_odoo/test/main.py b/pylint_odoo/test/main.py
@@ -56,7 +56,7 @@
     'print-used': 1,
     'redundant-modulename-xml': 1,
     'rst-syntax-error': 2,
-    'sql-injection': 17,
+    'sql-injection': 20,
     'str-format-used': 3,
     'translation-field': 2,
     'translation-required': 15,

diff --git a/pylint_odoo/test_repo/broken_module/models/broken_model.py b/pylint_odoo/test_repo/broken_module/models/broken_model.py
@@ -446,6 +446,9 @@ def sql_injection_format(self, ids, cr):
         values = (1, 2, 3)
         self._cr.execute(var.format(values))
 
+        self.cr.execute(
+            'SELECT name FROM account WHERE id IN {ids}'.format(ids=ids))
+
     def sql_injection_plus_operator(self, ids, cr):
         # Use of +: risky
         self.cr.execute(
@@ -475,6 +478,12 @@ def sql_injection_before(self, ids):
         var[1] = 'SELECT name FROM account WHERE id IN %s' % tuple(ids)
         self._cr.execute(var[1])
 
+        var = 'SELECT name FROM account WHERE id IN %(ids)s' % {'ids': tuple(ids)}
+        self._cr.execute(var)
+
+        var[1] = 'SELECT name FROM account WHERE id IN %s' % {'ids': tuple(ids)}
+        self._cr.execute(var[1])
+
     def sql_no_injection_private_attributes(self, _variable, variable):
         # Skip sql-injection using private attributes
         self._cr.execute(