authorLudovic Courtès <ludo@gnu.org>2018-02-08 18:45:03 +0100
committerLudovic Courtès <ludo@gnu.org>2018-02-08 18:45:03 +0100
commit8c7c93922bbe0513ff4c4ff3a6e554e3a72635b6 (patch)
treed2194e82cb737261a7f8169bb30a830c4a2f5d58 /tests
parentb0c39b31f61cfc494e0dfbe823b3fe4275efbc7a (diff)
database: Use argument binding in 'db-get-builds' queries.
That makes it safe from SQL injection. * src/cuirass/database.scm (db-get-builds): Rewrite to use question marks in SQL queries and binding through '%sqlite-exec'. * tests/database.scm ("database")["db-get-builds"]: Exercise 'WHERE' clauses.
Diffstat (limited to 'tests')
-rw-r--r--tests/database.scm5
1 files changed, 5 insertions, 0 deletions
diff --git a/tests/database.scm b/tests/database.scm
index 2382292..306068b 100644
--- a/tests/database.scm
+++ b/tests/database.scm
@@ -121,6 +121,8 @@ INSERT INTO Evaluations (specification, revision) VALUES (3, 3);")
(test-equal "db-get-builds"
#(((1 "/foo.drv") (2 "/bar.drv") (3 "/baz.drv")) ;ascending order
((3 "/baz.drv") (2 "/bar.drv") (1 "/foo.drv")) ;descending order
+ ((3 "/baz.drv") (2 "/bar.drv") (1 "/foo.drv")) ;ditto
+ ((3 "/baz.drv") (2 "/bar.drv") (1 "/foo.drv")) ;ditto
((3 "/baz.drv"))) ;nr = 1
(with-temporary-database db
;; Populate the 'Builds', 'Derivations', 'Evaluations', and
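Review bot: The two added expected entries are identical to the unfiltered descending result just above them, so the new `(project "guix")` and `(project "guix") (jobset "master")` calls in the second hunk would still pass if `db-get-builds` ignored its filters entirely. Since the commit's stated purpose is injection safety through binding, the test should include a case where the filter changes the result and a case where the value contains SQL-significant characters. For example, add `(map summarize (db-get-builds db '((project "no-such-project"))))` and `(map summarize (db-get-builds db '((project "gu'ix"))))` to the vector, each with an expected `()`. The second case shows that an embedded quote is matched as literal data rather than breaking the query. The fixture rows and the rest of the `test-equal` body lie outside these hunks, so the assumption that every row belongs to "guix"/"master" is inferred from the expected values.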
@@ -145,6 +147,9 @@ INSERT INTO Evaluations (specification, revision) VALUES (3, 3);")
(assq-ref alist #:derivation)))))
(vector (map summarize (db-get-builds db '((nr 3) (order build-id))))
(map summarize (db-get-builds db '()))
+ (map summarize (db-get-builds db '((project "guix"))))
+ (map summarize (db-get-builds db '((project "guix")
+ (jobset "master"))))
(map summarize (db-get-builds db '((nr 1))))))))
(test-equal "db-update-build-status!"