From 8c7c93922bbe0513ff4c4ff3a6e554e3a72635b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?=
Date: Thu, 8 Feb 2018 18:45:03 +0100
Subject: database: Use argument binding in 'db-get-builds' queries.

That makes it safe from SQL injection.

* src/cuirass/database.scm (db-get-builds): Rewrite to use question marks in SQL queries and binding through '%sqlite-exec'.
* tests/database.scm ("database")["db-get-builds"]: Exercise 'WHERE' clauses.
---
 tests/database.scm | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'tests')

diff --git a/tests/database.scm b/tests/database.scm
index 2382292..306068b 100644
--- a/tests/database.scm
+++ b/tests/database.scm
@@ -121,6 +121,8 @@ INSERT INTO Evaluations (specification, revision) VALUES (3, 3);")
 (test-equal "db-get-builds"
 #(((1 "/foo.drv") (2 "/bar.drv") (3 "/baz.drv")) ;ascending order
 ((3 "/baz.drv") (2 "/bar.drv") (1 "/foo.drv")) ;descending order
+ ((3 "/baz.drv") (2 "/bar.drv") (1 "/foo.drv")) ;ditto
+ ((3 "/baz.drv") (2 "/bar.drv") (1 "/foo.drv")) ;ditto
 ((3 "/baz.drv"))) ;nr = 1
 (with-temporary-database db
 ;; Populate the 'Builds', 'Derivations', 'Evaluations', and
@@ -145,6 +147,9 @@ INSERT INTO Evaluations (specification, revision) VALUES (3, 3);")
 (assq-ref alist #:derivation)))))
 (vector (map summarize (db-get-builds db '((nr 3) (order build-id))))
 (map summarize (db-get-builds db '()))
+ (map summarize (db-get-builds db '((project "guix"))))
+ (map summarize (db-get-builds db '((project "guix")
+ (jobset "master"))))
 (map summarize (db-get-builds db '((nr 1))))))))
 
 (test-equal "db-update-build-status!"
-- 
cgit v1.2.3
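Review bot: The two new filtered calls in the second hunk, `(db-get-builds db '((project "guix")))` and `(db-get-builds db '((project "guix") (jobset "master")))`, are expected to return exactly the rows the unfiltered `'()` call returns (the `;ditto` entries in the first hunk), so the test still passes if the WHERE clause were never applied, and it does not show that the bound parameters actually reach the query. One extra case whose filter matches no build, e.g. `(map summarize (db-get-builds db '((project "no-such-project"))))` paired with `()` in the expected vector, would pin the filtering; a filter value containing a single quote would further confirm that the binding the commit introduces is in effect, since a string-built query would not survive it. Replacing the two `;ditto` comments with the filter each row set corresponds to (`;project = guix`, `;project + jobset`) would also make the expected vector readable on its own. The `db-get-builds` test form starts in the first hunk and ends outside both; the second hunk sits inside it.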