
Add new SQLI tests (#142)

rnehra01 authored and afeena committed May 27, 2017
1 parent 7acfbc0 commit 19bfd57d73c74994533185e92f40d25428f3b31f
Showing with 76 additions and 6 deletions.
  1. +23 −6 tanner/tests/test_sqli.py
  2. +53 −0 tanner/tests/test_sqlite.py
@@ -10,18 +10,15 @@ class SqliTest(unittest.TestCase):
def setUp(self):
self.loop = asyncio.new_event_loop()
asyncio.set_event_loop(None)
filename = '/tmp/db/test.db'
os.makedirs(os.path.dirname(filename), exist_ok=True)
open('/tmp/db/test.db', 'a').close()
query_map = {
'users': [{'name':'id', 'type':'INTEGER'}, {'name':'login', 'type':'text'},
{'name':'email', 'type':'text'}, {'name':'username', 'type':'text'},
{'name':'password', 'type':'text'}, {'name':'pass', 'type':'text'},
{'name':'log', 'type':'text'}],
'comments': [{'name':'comment', 'type':'text'}]
}
self.handler = sqli.SqliEmulator('test.db', '/tmp/')
self.handler = sqli.SqliEmulator('test_db', '/tmp/')
self.handler.query_map = query_map
def test_map_query_id(self):
@@ -37,9 +34,29 @@ def test_map_query_comments(self):
self.assertEqual(assert_result, result)
def test_map_query_error(self):
query = [('foo', 'bar\'UNION SELECT 1,2')]
result = self.handler.map_query(query)
self.assertIsNone(result)
def test_get_sqli_result(self):
query = [('id', '1 UNION SELECT 1,2,3,4')]
async def mock_execute_query(query, db_name):
return [[1, 'name', 'email@mail.com', 'password'], [1, '2', '3', '4']]
self.handler.sqli_emulator = mock.Mock()
self.handler.sqli_emulator.execute_query = mock_execute_query
assert_result = dict(value="[1, 'name', 'email@mail.com', 'password'] [1, '2', '3', '4']",
page='/index.html'
)
result = self.loop.run_until_complete(self.handler.get_sqli_result(query, 'foo.db'))
self.assertEqual(assert_result, result)
def test_get_sqli_result_error(self):
query = [('foo', 'bar\'UNION SELECT 1,2')]
assert_result = 'You have an error in your SQL syntax; check the manual\
that corresponds to your MySQL server version for the\
right syntax to use near foo at line 1'
result = self.loop.run_until_complete(self.handler.get_sqli_result(query, 'foo.db'))
self.assertEqual(assert_result, result)
self.assertEqual(assert_result, result)
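Review bot: The expected message in `test_get_sqli_result_error` is built with backslash continuations inside a single string literal, so the joined text either runs words together (`manualthat`, `theright`) or carries the continuation lines' source indentation as embedded spaces. The rendered page has lost indentation, so which of the two applies cannot be seen here. Either way the test pins an emulated MySQL error that does not read like the server's own wording, which matters for an emulator whose responses are meant to pass as a real database's. Adjacent literals make the spacing explicit: `('You have an error in your SQL syntax; check the manual '` / `'that corresponds to your MySQL server version for the '` / `'right syntax to use near foo at line 1')`. The emulator's own message is outside this diff and presumably needs the same change for the assertion to keep passing.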
@@ -0,0 +1,53 @@
import asyncio
import os
import sqlite3
import unittest
from unittest import mock
from tanner.emulators import sqlite
class SqliteTest(unittest.TestCase):
def setUp(self):
self.loop = asyncio.new_event_loop()
asyncio.set_event_loop(None)
self.filename = '/tmp/db/test_db'
os.makedirs(os.path.dirname(self.filename), exist_ok=True)
open('/tmp/db/test_db', 'a').close()
# Insert some testing data
conn = sqlite3.connect(self.filename)
self.cursor = conn.cursor()
self.cursor.execute('CREATE TABLE test (id INTEGER PRIMARY KEY, username text);')
self.cursor.execute('INSERT INTO TEST VALUES(0, "test0")')
conn.commit()
self.handler = sqlite.SQLITEEmulator('test_db', '/tmp/')
def tearDown(self):
if os.path.exists(self.filename):
os.remove(self.filename)
def test_db_copy(self):
session = mock.Mock()
session.sess_uuid.hex = 'd877339ec415484987b279469167af3d'
self.loop.run_until_complete(self.handler.create_attacker_db(session))
self.assertTrue(os.path.exists('/tmp/db/attacker_d877339ec415484987b279469167af3d'))
def test_create_query_map(self):
result = self.handler.helper.create_query_map('/tmp/db', 'test_db')
assert_result = {'test': [{'name': 'id', 'type': 'INTEGER'}, {'name': 'username', 'type': 'text'}]}
self.assertEqual(result, assert_result)
def test_insert_dummy_data(self):
def mock_generate_dummy_data(data_tokens):
return [(1, 'test1'), (2, 'test2')], ['I', 'L']
self.handler.helper.generate_dummy_data = mock_generate_dummy_data
self.loop.run_until_complete(self.handler.helper.insert_dummy_data('test', 'I,L', self.cursor))
assert_result = [[0, 'test0'], [1, 'test1'], [2, 'test2']]
result = []
for row in self.cursor.execute('SELECT * FROM test;'):
result.append(list(row))
self.assertEqual(result, assert_result)
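Review bot: `setUp` and the tests work on fixed, predictable paths under the shared `/tmp` (`/tmp/db/test_db`, `/tmp/db/attacker_d877…`), and `tearDown` removes only `test_db`. The sqlite connection and the event loop are never closed, and the attacker copy created by `test_db_copy` is left behind. On a multi-user or shared CI host, a pre-existing `/tmp/db` owned by another account or a leftover `test_db` from an aborted run makes `CREATE TABLE test` fail, or has the test operate on a file it did not create. A per-test directory from `tempfile.mkdtemp()`, removed with `shutil.rmtree` in `tearDown`, avoids both (it needs `import tempfile` and `import shutil`); the hard-coded `/tmp/db` arguments in `test_db_copy` and `test_create_query_map` would then use `self.db_dir`. This assumes the emulator resolves databases as `<working dir>/db/<name>`, which the visible paths suggest but the diff does not show.

```python
def setUp(self):
    self.loop = asyncio.new_event_loop()
    asyncio.set_event_loop(None)
    # Private per-test directory instead of the shared, predictable /tmp/db
    self.workdir = tempfile.mkdtemp()
    self.db_dir = os.path.join(self.workdir, 'db')
    os.makedirs(self.db_dir)
    self.filename = os.path.join(self.db_dir, 'test_db')
    # Keep the connection so tearDown can close it
    self.conn = sqlite3.connect(self.filename)
    self.cursor = self.conn.cursor()
    # … unchanged: CREATE TABLE / INSERT test data …
    self.conn.commit()
    self.handler = sqlite.SQLITEEmulator('test_db', self.workdir + os.sep)

def tearDown(self):
    self.conn.close()
    self.loop.close()
    # Removes test_db and any attacker_* copies created by the tests
    shutil.rmtree(self.workdir, ignore_errors=True)
```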
