Revision b08ec33d
Added by Dominic Cleal over 8 years ago
test/unit/host_test.rb | ||
assert_equal ["num001.example.com"], hosts.map { |h| h.name }.sort
|
||
end
|
||
|
||
test "search by fact name is not vulnerable to SQL injection in name" do
|
||
host = FactoryGirl.create(:host, :with_facts, :fact_count => 1)
|
||
query = "facts.a'b = c or facts.#{host.facts.keys.first} = #{host.facts.values.first}"
|
||
assert_equal [host], Host::Managed.search_for(query)
|
||
end
|
||
|
||
test "search by fact name is not vulnerable to SQL injection in value" do
|
||
host = FactoryGirl.create(:host, :with_facts, :fact_count => 1)
|
||
query = "facts.a = \"a'b\" or facts.#{host.facts.keys.first} = #{host.facts.values.first}"
|
||
assert_equal [host], Host::Managed.search_for(query)
|
||
end
|
||
|
||
test "non-admin user with edit_hosts permission can update interface" do
|
||
@one = users(:one)
|
||
# add permission for user :one
|
fixes #12458 - escape values in fact searches to prevent SQL injection