From eb01f46987a583f0bce94de230d749b1d8f16b99 Mon Sep 17 00:00:00 2001
From: Danny Milosavljevic
Date: Thu, 8 Feb 2018 11:39:45 +0100
Subject: database: Use 'sqlite-bind' to avoid SQL injection.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* src/cuirass/database.scm (%sqlite-exec): Remove. (sqlite-exec): Turn back into a procedure. Use 'sqlite-bind'. Add 'normalize' procedure and use it. (db-add-specification, db-add-derivation, db-get-derivation) (db-add-evaluation, db-add-build, db-update-build-status!) (db-get-build, db-get-stamp, db-add-stamp): Use question marks in SQL queries.
* src/cuirass/base.scm (build-packages)[register]: Make #:log non-false.
* tests/database.scm (make-dummy-job): Add #:job-name, #:system, #:nix-name, and #:eval-id. This is necessary because 'sqlite-bind' would now translate #f to a real NULL (before it would translate to the string "#f"...), and would thus report violations of the non-NULL constraint.

Co-authored-by: Ludovic Courtès
---
 tests/database.scm | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'tests')

diff --git a/tests/database.scm b/tests/database.scm
index 217ddde..65a10a8 100644
--- a/tests/database.scm
+++ b/tests/database.scm
@@ -40,8 +40,12 @@
 (define* (make-dummy-job #:optional (name "foo"))
   `((#:name . ,name)
+    (#:job-name . "job")
+    (#:system . "x86_64-linux")
     (#:derivation . ,(string-append name ".drv"))
-    (#:specification 0)))
+    (#:nix-name . "foo")
+    (#:specification 0)
+    (#:eval-id . 42))))
 (define* (make-dummy-derivation drv #:optional (eval-id 0))
   `((#:derivation . ,drv)
-- 
cgit v1.2.3
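Review bot: `(#:specification 0)` is carried over as a two-element list while every other entry in the alist, including the four added ones, is a dotted pair, so a lookup such as `(assq-ref job #:specification)` yields `(0)` rather than `0`; now that 'sqlite-bind' binds real SQLite types instead of the stringified Scheme value the commit message describes, that list is likely to be rejected or bound unexpectedly where it was previously stored as the text "(0)". Consider `(#:specification . 0)` to match its siblings. The constant `(#:eval-id . 42)` presumably names an evaluation row the test creates elsewhere; if the schema enforces the reference, the tests should insert that row first — not visible from this hunk. The two `define*` forms appear complete within the hunk, though a context line seems lost in extraction.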