
add tests on pattern matching

pblottiere committed Mar 1, 2017
1 parent bf45c28 commit 38079361cb0c8e966c0f4f3c5beaa2b2b64ce0b4
Showing with 32 additions and 0 deletions.
  1. +32 −0 tests/src/python/test_qgsserver_security.py
@@ -172,6 +172,38 @@ def test_wms_getfeatureinfo_filter_unicode(self):
d, h = self.handle_request_wms_getfeatureinfo(filter_sql)
self.assertTrue(self.check_service_exception_report(d))

def test_wms_getfeatureinfo_filter_patternmatching(self):
"""
The aim is to retrieve the table's name thanks to pattern matching.
If you remove the safety check, this is a valid injection.
"""

filter_sql = "point:\"name\" = 'b'"
injection_sql = "or ( select name from sqlite_master where type='table' and name like '{0}') != ''"
query = "{0} {1}".format(filter_sql, injection_sql)

# there's no table named as 'az%'
name = "az%"
sql = query.format(name)
d, h = self.handle_request_wms_getfeatureinfo(sql)
# self.assertTrue(b"name = 'b'" in d) #true if sanity check deactivated
self.assertTrue(self.check_service_exception_report(d))

# a table named as 'ao%' exist
name = "ao%"
sql = query.format(name)
d, h = self.handle_request_wms_getfeatureinfo(sql)
# self.assertTrue(b"name = 'a'" in d) #true if sanity check deactivated
self.assertTrue(self.check_service_exception_report(d))

# a table named as 'aoi' exist
name = "aoi"
sql = query.format(name)
d, h = self.handle_request_wms_getfeatureinfo(sql)
# self.assertTrue(b"name = 'a'" in d) #true if sanity check deactivated
self.assertTrue(self.check_service_exception_report(d))

def test_wms_getfeatureinfo_filter_whitelist(self):
"""
The aim is to check that some tokens cannot pass the safety check

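Review bot: The three probe cases only assert that an exception report comes back, while the commented-out `# self.assertTrue(b"name = 'a'" in d) #true if sanity check deactivated` lines are the assertions that would actually catch a leak; they should become live negative checks rather than dead code, so the test fails if the filter check is ever weakened enough for the boolean-based probe to return attribute data. The three copies of the request/assert block differ only in the table-name pattern and could be one loop over `("az%", "ao%", "aoi")` under `self.subTest(name=name)` (assuming this is a `unittest.TestCase`, as the `self.assert*` calls suggest), which also reports which pattern failed. It is worth confirming elsewhere in the file that the unmodified `filter_sql` alone returns feature data, otherwise an exception report on every request would make this test pass for the wrong reason.
```python
    def test_wms_getfeatureinfo_filter_patternmatching(self):
        # … unchanged: docstring, filter_sql / injection_sql / query setup …
        # 'az%' matches no table; 'ao%' and 'aoi' match an existing one.
        # Every request must be rejected, and the response must not carry
        # the feature data an unblocked boolean-based probe would reveal.
        for name in ("az%", "ao%", "aoi"):
            with self.subTest(name=name):
                d, h = self.handle_request_wms_getfeatureinfo(query.format(name))
                self.assertTrue(self.check_service_exception_report(d))
                self.assertNotIn(b"name = 'a'", d)
                self.assertNotIn(b"name = 'b'", d)
```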