[#11878] Add SQLI tests (#13047)

TEAMMATES · Apr 17, 2024 · 2cc6ef8 · 2cc6ef8
1 parent 78e49b7
commit 2cc6ef8
Showing 1 changed file with 31 additions and 0 deletions.
diff --git a/src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java b/src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java
@@ -155,6 +155,21 @@ public void testSqlInjectionInCreateAccountRequestInstituteField() throws Except
         assertEquals(institute, actual.getInstitute());
     }
 
+    @Test
+    public void testSqlInjectionInCreateAccountRequestCommentsField() throws Exception {
+        ______TS("SQL Injection test in comments field");
+
+        // Attempt to use SQL commands in comments field
+        String comments = "comment'; DROP TABLE account_requests; --";
+        AccountRequest accountRequest =
+                new AccountRequest("test@gmail.com", "name", "institute", AccountRequestStatus.PENDING, comments);
+
+        // The system should treat the input as a plain text string
+        accountRequestDb.createAccountRequest(accountRequest);
+        AccountRequest actual = accountRequestDb.getAccountRequest(accountRequest.getId());
+        assertEquals(comments, actual.getComments());
+    }
+
     @Test
     public void testSqlInjectionInGetAccountRequestByRegistrationKey() throws Exception {
         ______TS("SQL Injection test in getAccountRequestByRegistrationKey");
@@ -171,6 +186,22 @@ public void testSqlInjectionInGetAccountRequestByRegistrationKey() throws Except
         assertEquals(accountRequest, actual);
     }
 
+    @Test
+    public void testSqlInjectionInGetApprovedAccountRequestsForEmail() throws Exception {
+        ______TS("SQL Injection test in getApprovedAccountRequestsForEmail");
+
+        String email = "test@gmail.com";
+        AccountRequest accountRequest =
+                new AccountRequest(email, "name", "institute", AccountRequestStatus.APPROVED, "comments");
+        accountRequestDb.createAccountRequest(accountRequest);
+
+        // Attempt to use SQL commands in email field
+        String emailInjection = "email'/**/OR/**/1=1/**/@gmail.com";
+        List<AccountRequest> actualInjection = accountRequestDb.getApprovedAccountRequestsForEmail(emailInjection);
+        // The system should treat the input as a plain text string
+        assertEquals(0, actualInjection.size());
+    }
+
     @Test
     public void testSqlInjectionInUpdateAccountRequest() throws Exception {
         ______TS("SQL Injection test in updateAccountRequest");