no more sql injection and better tests

john5223 · Dec 15, 2014 · 99cfbcc · 99cfbcc
1 parent b521c6e
commit 99cfbcc
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 11 deletions.
diff --git a/auth/controllers/group_controller.py b/auth/controllers/group_controller.py
@@ -32,9 +32,17 @@ def get_group(db, group_name):
     if not rows:
         return error(404, {'error': 'Not a valid group'})
 
-    userids = ["'%s'" % x['userid'] for x in rows if x['userid']]
-    users = db.query("SELECT * FROM users WHERE userid IN (%s) " % ','.join(userids))
-    ret = {group_name: list(users) }
+    userids = [x['userid'] for x in rows if x['userid']]
+    if not userids:
+        return {group_name: []}
+
+    params = {}
+    for i, userid in enumerate(userids,1):
+        params['userid_' + str(i)] = str(userid)
+    where_clause = 'userid IN(:' + ",:".join(params.keys()) + ')' # b/c sqlalchemy can't use a list!?
+    q = "SELECT * FROM users WHERE " + where_clause
+    users = db.executable.execute(q, params).fetchall()
+    ret = {group_name: [dict(x.items()) for x in users] }
     return ret
 
 

diff --git a/auth/controllers/user_controller.py b/auth/controllers/user_controller.py
@@ -38,7 +38,7 @@ def delete_user(db, userid):
 
 
 @route('/users/<userid>', method=['POST', 'PUT'])
-def create__update_user(db, userid):
+def create_update_user(db, userid):
     data = request.json
     data_keys = data.keys()
     required_fields = ['first_name', 'last_name', 'userid', 'groups']
@@ -71,10 +71,13 @@ def create__update_user(db, userid):
 
     if request.method == 'PUT':
         #get rid of any old groups for this user
-        q = '''DELETE FROM groups 
-                WHERE userid='{userid}'
-                            AND name not in ({group_names})
-              '''.format(userid=userid, group_names=','.join(["'%s'" % x for x in groups]))
-        db.query(q)
+        params = {}
+        for counter, group in enumerate(groups,1):
+            params["group_name" + str(counter)] = group
+            counter += 1
+        where_clause = 'name NOT IN(:' + ",:".join(params.keys()) + ')' # b/c sqlalchemy can't use a list!?
+        params['userid'] = userid
+        q = '''DELETE FROM groups WHERE userid=:userid AND ''' + where_clause
+        db.executable.execute(q, params)
 
     return {'status': 200, 'user': get_user(db, userid)}
diff --git a/tests/test_auth.py → tests/test_integration.py b/tests/test_auth.py → tests/test_integration.py
@@ -8,7 +8,7 @@
 
 app = TestApp(simpleauth.app)
 
-def test_users():
+def test_user_integration():
     headers = [('Content-type', 'application/json')]
     payload = { "first_name": "Joe",
 	    "last_name": "Smith",
@@ -55,7 +55,7 @@ def test_users():
     assert delete_user.status == '200 OK'
 
 
-def test_groups():
+def test_groups_integration():
     headers = [('Content-type', 'application/json')]
     payload = { "first_name": "Joe",
         "last_name": "Smith",

diff --git a/tests/test_units.py b/tests/test_units.py
@@ -0,0 +1,35 @@
+import logging
+logging.basicConfig(level=logging.DEBUG)
+import json
+
+from webtest import TestApp #Docs: http://webtest.pythonpaste.org/en/latest/
+from auth import simpleauth
+
+
+app = TestApp(simpleauth.app)
+
+def test_sql_injection():
+
+	pass
+
+
+def test_create_user():
+	pass
+
+def test_update_user():
+	pass
+
+def test_delete_user():
+	pass
+
+
+
+def test_create_group():
+	pass
+
+def test_update_group():
+	pass
+
+def test_delete_group():
+	pass
+