[#12901] Added the check for search service and moved the method to the correct file #13021
Conversation
…search service is on and i moved the method to the AccountRequestSearchIT.java
|
Hi @traitsisgiorgos, thank you for your interest in contributing to TEAMMATES!
Please address the above before we proceed to review your PR. |
traitsisgiorgos
changed the title
|
Hi @traitsisgiorgos, thank you for your interest in contributing to TEAMMATES!
Please address the above before we proceed to review your PR. |
|
|
||
| String searchInjection = "institute'; DROP TABLE account_requests; --"; | ||
| List<AccountRequest> actualInjection = accountRequestsDb.searchAccountRequestsInWholeSystem(searchInjection); | ||
| assertEquals(0, actualInjection.size()); |
There was a problem hiding this comment.
I think the component test is failing here where 0 is expected whereas actual is 11, maybe you could check why is it returning such a value.
There was a problem hiding this comment.
yes i am trying to fix it. Thanks for the feedback
There was a problem hiding this comment.
A few changes may be necessary. In addition, like @mingyuanc said, we may want to run lint and fix the errors. Also, let's fix the merge conflicts with the master branch.
|
|
||
| String searchInjection = "institute'; DROP TABLE account_requests; --"; | ||
| List<AccountRequest> actualInjection = accountRequestsDb.searchAccountRequestsInWholeSystem(searchInjection); | ||
| assertEquals(typicalBundle.accountRequests.size(), actualInjection.size()); |
There was a problem hiding this comment.
Shouldn't the expected size still be zero though? I understand that it was changed because the assertion was failing. However, I feel like this search term should not result in some account request being returned, much less all of them. In other words, I feel like the assertion was failing because the actual value might be the one that is wrong, not the initial expected value of zero which seems correct to me.
Still, I am not very familiar with the search functionality. Perhaps another reviewer who is more familiar can chime in.
|
|
||
|
|
||
|
|
||
|
|
There was a problem hiding this comment.
These empty lines seem like they were not added intentionally. Similarly for the other added empty lines which can be found elsewhere. Can we have this removed?
| @@ -15,6 +15,7 @@ | |||
| import teammates.test.AssertHelper; | |||
| import teammates.test.TestProperties; | |||
|
|
|||
|
|
|||
| @@ -10,6 +10,7 @@ | |||
| import teammates.storage.sqlapi.AccountRequestsDb; | |||
| import teammates.storage.sqlentity.AccountRequest; | |||
|
|
|||
|
|
|||
| ______TS("SQL Injection test in searchAccountRequestsInWholeSystem"); | ||
|
|
||
| if (!TestProperties.isSearchServiceActive()) { | ||
| return; | ||
| } |
There was a problem hiding this comment.
We should probably have the test segment divider after the check. If the search service is not active, we would not want it to display the string when the test is not going to execute anyway.
Also, we should not have any trailing spaces.
| ______TS("SQL Injection test in searchAccountRequestsInWholeSystem"); | |
| if (!TestProperties.isSearchServiceActive()) { | |
| return; | |
| } | |
| if (!TestProperties.isSearchServiceActive()) { | |
| return; | |
| } | |
| ______TS("SQL Injection test in searchAccountRequestsInWholeSystem"); |
…searchAccountRequests method to escape special characters in the query string. Also expected value has been set to 0
| assertEquals(accountRequest, actual); | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
Let's ensure the files have trailing newlines. That means also for the AccountRequestSearchIT.java file.
| // Escape special characters in the query string | ||
| String escapedQueryString = ClientUtils.escapeQueryChars(queryString); | ||
|
|
||
| SolrQuery query = getBasicQuery(escapedQueryString); |
There was a problem hiding this comment.
This is an interesting solution. From what I know, the only special characters here are the two - characters at the end (the SQL comment), so it is weird that it does anything to escape them. Does this actually get the tests to pass? I cannot tell because the GitHub Actions do not seem to be running. I suspect this is because of the conflicting files. Let's update this branch to the latest commit on the master branch and handle the conflicting files.
Regardless, I am also not sure if this can be accepted. Wouldn't this prevent a user from using those special characters when using the search functionality? We may want to see if we can find an alternative way to solve this instead.
There was a problem hiding this comment.
you are right, it isn't passing the tests. if I update it all the changes will be lost
There was a problem hiding this comment.
Since the comment have been escaped, it shouldn't return 0 responses?
There was a problem hiding this comment.
if the response is an error the list size should be 0, but what if in our case we don't check it and it accepts the error as a response? That would cause a non-empty-list
There was a problem hiding this comment.
if I update it all the changes will be lost
We cannot merge this into the master branch unless this is updated and there are no more conflicts. If the changes are lost when it is updated, then the changes should be made again after updating. Please update your branch by merging the master branch (up to the most recent commit) into your branch.
I added the check to ensure the search service is on in the "testSqlInjectionSearchAccountRequestsInWholeSystem()" and i moved the method to the AccountRequestSearchIT.java.
fix for #12901