Loading...
Searching...
No Matches
#include <gtest/gtest.h>#include <memory>#include <string>#include <vector>#include "database/query_builder.h"#include "database/backends/sqlite_backend.h"#include "database/core/database_backend.h"
Include dependency graph for sql_injection_test.cpp:
Go to the source code of this file.
Classes | |
| class | SQLInjectionTest |
| Test fixture for SQL injection prevention tests. More... | |
Functions | |
| TEST_F (SQLInjectionTest, BasicInjectionAttempt) | |
| Tests that basic OR injection is properly escaped. | |
| TEST_F (SQLInjectionTest, CommentInjectionAttempt) | |
| Tests that comment-based injection is handled. | |
| TEST_F (SQLInjectionTest, BatchStatementInjectionAttempt) | |
| Tests that batch statement injection is prevented. | |
| TEST_F (SQLInjectionTest, UnionInjectionAttempt) | |
| Tests that UNION-based injection is prevented. | |
| TEST_F (SQLInjectionTest, ApostropheInValueSafe) | |
| Tests that apostrophes in values are properly handled. | |
| TEST_F (SQLInjectionTest, SpecialCharactersInValue) | |
| Tests handling of various special characters. | |
| TEST_F (SQLInjectionTest, NumericValueInjection) | |
| Tests that numeric value fields handle string injection. | |
| TEST_F (SQLInjectionTest, BooleanValueHandling) | |
| Tests that boolean values are handled safely. | |
| TEST_F (SQLInjectionTest, PreparedSelectReturnsCorrectResults) | |
| Tests that prepared SELECT queries bind parameters correctly. | |
| TEST_F (SQLInjectionTest, PreparedSelectBlocksInjection) | |
| Tests that prepared statements prevent SQL injection at wire level. | |
| TEST_F (SQLInjectionTest, PreparedExecuteWithTypedParams) | |
| Tests that execute_prepared handles typed parameters. | |
| TEST_F (SQLInjectionTest, PreparedBatchStatementInjectionBlocked) | |
| Tests that prepared statements block batch statement injection. | |
| TEST_F (SQLInjectionTest, PreparedNullParameterHandling) | |
| Tests that NULL parameters bind correctly in prepared statements. | |
| TEST_F (SQLInjectionTest, ResetPreventsDataLeakage) | |
| Tests that reset() properly clears all builder state. | |
| TEST_F (SQLInjectionTest, UnicodeBypassAttempt) | |
| Tests handling of Unicode characters that might bypass filters. | |
Function Documentation
◆ TEST_F() [1/15]
| TEST_F | ( | SQLInjectionTest | , |
| ApostropheInValueSafe | ) |
Tests that apostrophes in values are properly handled.
- Test
- ApostropheInValueSafe
Input: O'Brien (legitimate name) Expected: Query executes safely with escaped apostrophe
Definition at line 227 of file sql_injection_test.cpp.
227 {
228#ifdef USE_SQLITE
229 // Insert a user with apostrophe in name
230 auto insert_result = db_->execute_query(
231 "INSERT INTO users (id, name, email, password_hash) "
232 "VALUES (3, 'O''Brien', 'obrien@test.com', 'hash789')"
233 );
234 (void)insert_result;
235
237
238 query_builder builder(database_types::sqlite);
239 auto query = builder
240 .select({"*"})
241 .from("users")
242 .where("name", "=", safe_value)
243 .build();
244
245 // Check that apostrophe is escaped in built query
246 // Should contain either O''Brien (SQL standard) or O\'Brien (backslash-escaped)
247 bool properly_escaped =
248 (query.find("O''Brien") != std::string::npos) ||
249 (query.find("O\\'Brien") != std::string::npos) ||
250 (query.find("O'Brien") != std::string::npos); // May work if using prepared stmt
251
252 EXPECT_TRUE(properly_escaped)
253 << "Query should handle apostrophe safely. Built query: " << query;
254#else
255 GTEST_SKIP() << "SQLite not available";
256#endif
257}
Universal query builder that adapts to different database types.
Definition query_builder.h:105
std::variant< std::string, int64_t, double, bool, std::nullptr_t > database_value
Definition database_backend.h:39
References database::query_builder::build(), database::query_builder::select(), and database::query_builder::where().
Here is the call graph for this function:
◆ TEST_F() [2/15]
| TEST_F | ( | SQLInjectionTest | , |
| BasicInjectionAttempt | ) |
Tests that basic OR injection is properly escaped.
- Test
- BasicInjectionAttempt
Attack: ' OR '1'='1 Expected: Query treats input as literal string, returns 0 rows
Definition at line 81 of file sql_injection_test.cpp.
81 {
82#ifdef USE_SQLITE
83 std::string malicious_input = "' OR '1'='1";
84
85 query_builder builder(database_types::sqlite);
86 auto query = builder
87 .select({"*"})
88 .from("users")
89 .where("name", "=", malicious_input)
90 .build();
91
92 auto query_result = db_->select_query(query);
93
94 // If properly escaped, should return 0 rows (no user named "' OR '1'='1")
95 // If vulnerable, would return all rows
96 if (query_result.is_ok()) {
97 EXPECT_LE(query_result.value().size(), 1u)
98 << "Possible SQL injection vulnerability: query returned multiple rows";
99 }
100#else
101 GTEST_SKIP() << "SQLite not available";
102#endif
103}
References database::query_builder::build(), database::query_builder::select(), and database::query_builder::where().
Here is the call graph for this function:
◆ TEST_F() [3/15]
| TEST_F | ( | SQLInjectionTest | , |
| BatchStatementInjectionAttempt | ) |
Tests that batch statement injection is prevented.
- Test
- BatchStatementInjectionAttempt
Attack: '; DROP TABLE users; – Expected: Table should still exist after query
Definition at line 141 of file sql_injection_test.cpp.
141 {
142#ifdef USE_SQLITE
143 std::string malicious_input = "'; DROP TABLE users; --";
144
145 query_builder builder(database_types::sqlite);
146 auto query = builder
147 .select({"*"})
148 .from("users")
149 .where("name", "=", malicious_input)
150 .build();
151
152 // Execute the query (may fail, but shouldn't drop table)
153 db_->select_query(query);
154
155 // Verify table still exists by querying it
156 auto check = db_->select_query("SELECT COUNT(*) as cnt FROM users");
157 EXPECT_TRUE(check.is_ok() && !check.value().empty())
158 << "CRITICAL: Table appears to have been dropped!";
159#else
160 GTEST_SKIP() << "SQLite not available";
161#endif
162}
References database::query_builder::build(), database::query_builder::select(), and database::query_builder::where().
Here is the call graph for this function:
◆ TEST_F() [4/15]
| TEST_F | ( | SQLInjectionTest | , |
| BooleanValueHandling | ) |
Tests that boolean values are handled safely.
- Test
- BooleanValueHandling
Definition at line 330 of file sql_injection_test.cpp.
330 {
331#ifdef USE_SQLITE
333
334 query_builder builder(database_types::sqlite);
335 auto query = builder
336 .select({"*"})
337 .from("users")
338 .where("id", ">", bool_value)
339 .build();
340
341 // Should render as TRUE or 1, not as quoted string
342 EXPECT_TRUE(query.find("TRUE") != std::string::npos ||
343 query.find("1") != std::string::npos)
344 << "Boolean value handling issue. Query: " << query;
345#else
346 GTEST_SKIP() << "SQLite not available";
347#endif
348}
References database::query_builder::build(), database::query_builder::select(), and database::query_builder::where().
Here is the call graph for this function:
◆ TEST_F() [5/15]
| TEST_F | ( | SQLInjectionTest | , |
| CommentInjectionAttempt | ) |
Tests that comment-based injection is handled.
- Test
- CommentInjectionAttempt
Attack: admin'– Expected: Query treats input as literal string
Definition at line 112 of file sql_injection_test.cpp.
112 {
113#ifdef USE_SQLITE
114 std::string malicious_input = "admin'--";
115
116 query_builder builder(database_types::sqlite);
117 auto query = builder
118 .select({"*"})
119 .from("users")
120 .where("name", "=", malicious_input)
121 .build();
122
123 auto query_result = db_->select_query(query);
124
125 // Should return 0 rows - no user named "admin'--"
126 if (query_result.is_ok()) {
127 EXPECT_EQ(query_result.value().size(), 0u);
128 }
129#else
130 GTEST_SKIP() << "SQLite not available";
131#endif
132}
References database::query_builder::build(), database::query_builder::select(), and database::query_builder::where().
Here is the call graph for this function:
◆ TEST_F() [6/15]
| TEST_F | ( | SQLInjectionTest | , |
| NumericValueInjection | ) |
Tests that numeric value fields handle string injection.
- Test
- NumericValueInjection
Definition at line 305 of file sql_injection_test.cpp.
305 {
306#ifdef USE_SQLITE
307 // Attempting to inject via what should be a numeric field
309
310 query_builder builder(database_types::sqlite);
311 auto query = builder
312 .select({"*"})
313 .from("users")
314 .where("id", "=", numeric_value)
315 .build();
316
317 // Numeric values should be rendered without quotes
318 EXPECT_TRUE(query.find("id = 1") != std::string::npos ||
319 query.find("[id] = 1") != std::string::npos)
320 << "Numeric value should not be quoted. Query: " << query;
321#else
322 GTEST_SKIP() << "SQLite not available";
323#endif
324}
References database::query_builder::build(), database::query_builder::select(), and database::query_builder::where().
Here is the call graph for this function:
◆ TEST_F() [7/15]
| TEST_F | ( | SQLInjectionTest | , |
| PreparedBatchStatementInjectionBlocked | ) |
Tests that prepared statements block batch statement injection.
- Test
- PreparedBatchStatementInjectionBlocked
Definition at line 428 of file sql_injection_test.cpp.
428 {
429#ifdef USE_SQLITE
430 std::string malicious = "'; DROP TABLE users; --";
431 std::vector<core::database_value> params = {malicious};
432 db_->select_prepared("SELECT * FROM users WHERE name = ?", params);
433
434 // Verify the table still exists
435 auto check = db_->select_query("SELECT COUNT(*) as cnt FROM users");
436 ASSERT_TRUE(check.is_ok());
437 EXPECT_FALSE(check.value().empty())
438 << "CRITICAL: Table dropped via prepared statement injection!";
439#else
440 GTEST_SKIP() << "SQLite not available";
441#endif
442}
References ASSERT_TRUE.
◆ TEST_F() [8/15]
| TEST_F | ( | SQLInjectionTest | , |
| PreparedExecuteWithTypedParams | ) |
Tests that execute_prepared handles typed parameters.
- Test
- PreparedExecuteWithTypedParams
Definition at line 399 of file sql_injection_test.cpp.
399 {
400#ifdef USE_SQLITE
401 std::vector<core::database_value> params = {
402 int64_t(10),
403 std::string("Charlie"),
404 std::string("charlie@test.com"),
405 std::string("hash_prep")
406 };
407 auto exec_result = db_->execute_prepared(
408 "INSERT INTO users (id, name, email, password_hash) VALUES (?, ?, ?, ?)",
409 params);
410 ASSERT_TRUE(exec_result.is_ok());
411
412 // Verify the row was inserted
413 std::vector<core::database_value> select_params = {int64_t(10)};
414 auto select_result = db_->select_prepared(
415 "SELECT name FROM users WHERE id = ?", select_params);
416 ASSERT_TRUE(select_result.is_ok());
417 ASSERT_EQ(select_result.value().size(), 1u);
418 EXPECT_EQ(std::get<std::string>(select_result.value()[0].at("name")), "Charlie");
419#else
420 GTEST_SKIP() << "SQLite not available";
421#endif
422}
#define ASSERT_EQ(expected, actual, message)
Definition test_connection_string_builder.cpp:38
References ASSERT_EQ, and ASSERT_TRUE.
◆ TEST_F() [9/15]
| TEST_F | ( | SQLInjectionTest | , |
| PreparedNullParameterHandling | ) |
Tests that NULL parameters bind correctly in prepared statements.
- Test
- PreparedNullParameterHandling
Definition at line 448 of file sql_injection_test.cpp.
448 {
449#ifdef USE_SQLITE
450 std::vector<core::database_value> params = {nullptr};
451 auto result = db_->select_prepared(
452 "SELECT * FROM users WHERE name = ?", params);
453
454 ASSERT_TRUE(result.is_ok());
455 EXPECT_EQ(result.value().size(), 0u)
456 << "NULL comparison should match no rows (NULL != NULL in SQL)";
457#else
458 GTEST_SKIP() << "SQLite not available";
459#endif
460}
References ASSERT_TRUE.
◆ TEST_F() [10/15]
| TEST_F | ( | SQLInjectionTest | , |
| PreparedSelectBlocksInjection | ) |
Tests that prepared statements prevent SQL injection at wire level.
- Test
- PreparedSelectBlocksInjection
Definition at line 380 of file sql_injection_test.cpp.
380 {
381#ifdef USE_SQLITE
382 std::string malicious = "' OR '1'='1";
383 std::vector<core::database_value> params = {malicious};
384 auto result = db_->select_prepared(
385 "SELECT * FROM users WHERE name = ?", params);
386
387 ASSERT_TRUE(result.is_ok());
388 EXPECT_EQ(result.value().size(), 0u)
389 << "Prepared statement should treat malicious input as literal string";
390#else
391 GTEST_SKIP() << "SQLite not available";
392#endif
393}
References ASSERT_TRUE.
◆ TEST_F() [11/15]
| TEST_F | ( | SQLInjectionTest | , |
| PreparedSelectReturnsCorrectResults | ) |
Tests that prepared SELECT queries bind parameters correctly.
- Test
- PreparedSelectReturnsCorrectResults
Definition at line 358 of file sql_injection_test.cpp.
358 {
359#ifdef USE_SQLITE
360 std::vector<core::database_value> params = {std::string("Alice")};
361 auto result = db_->select_prepared(
362 "SELECT * FROM users WHERE name = ?", params);
363
364 ASSERT_TRUE(result.is_ok());
365 ASSERT_EQ(result.value().size(), 1u);
366
367 const auto& row = result.value()[0];
368 auto it = row.find("email");
369 ASSERT_NE(it, row.end());
370 EXPECT_EQ(std::get<std::string>(it->second), "alice@test.com");
371#else
372 GTEST_SKIP() << "SQLite not available";
373#endif
374}
References ASSERT_EQ, and ASSERT_TRUE.
◆ TEST_F() [12/15]
| TEST_F | ( | SQLInjectionTest | , |
| ResetPreventsDataLeakage | ) |
Tests that reset() properly clears all builder state.
- Test
- ResetPreventsDataLeakage
Definition at line 470 of file sql_injection_test.cpp.
470 {
471 query_builder builder(database_types::sqlite);
472
473 // Build first query with sensitive filter
474 builder
475 .select({"*"})
476 .from("users")
477 .where("email", "=", std::string("admin@secret.com"));
478
479 // Reset and build new query
480 builder.reset();
481 auto query = builder
482 .select({"id"})
483 .from("public_data")
484 .build();
485
486 // Previous filter should not leak into new query
487 EXPECT_TRUE(query.find("admin@secret") == std::string::npos)
488 << "Previous query data leaked after reset! Query: " << query;
489 EXPECT_TRUE(query.find("users") == std::string::npos)
490 << "Previous table leaked after reset! Query: " << query;
491}
References database::query_builder::build(), database::query_builder::reset(), database::query_builder::select(), and database::query_builder::where().
Here is the call graph for this function:
◆ TEST_F() [13/15]
| TEST_F | ( | SQLInjectionTest | , |
| SpecialCharactersInValue | ) |
Tests handling of various special characters.
- Test
- SpecialCharactersInValue
Definition at line 263 of file sql_injection_test.cpp.
263 {
264#ifdef USE_SQLITE
265 std::vector<std::string> special_inputs = {
266 "test\\value", // Backslash
267 "test\"value", // Double quote
268 "test\nvalue", // Newline
269 "test\rvalue", // Carriage return
270 "test\tvalue", // Tab
271 "test%value", // Percent (LIKE wildcard)
272 "test_value", // Underscore (LIKE wildcard)
273 };
274
275 for (const auto& input : special_inputs) {
276 query_builder builder(database_types::sqlite);
277 auto query = builder
278 .select({"*"})
279 .from("users")
280 .where("name", "=", input)
281 .build();
282
283 // Query should build without throwing
284 EXPECT_FALSE(query.empty())
285 << "Failed to build query with special input: " << input;
286
287 // Query execution should not throw
288 EXPECT_NO_THROW({
289 db_->select_query(query);
290 }) << "Query execution failed with special input: " << input;
291 }
292#else
293 GTEST_SKIP() << "SQLite not available";
294#endif
295}
References database::query_builder::build(), database::query_builder::select(), and database::query_builder::where().
Here is the call graph for this function:
◆ TEST_F() [14/15]
| TEST_F | ( | SQLInjectionTest | , |
| UnicodeBypassAttempt | ) |
Tests handling of Unicode characters that might bypass filters.
- Test
- UnicodeBypassAttempt
Definition at line 501 of file sql_injection_test.cpp.
501 {
502#ifdef USE_SQLITE
503 // Various Unicode representations that might bypass naive filters
504 std::vector<std::string> unicode_attacks = {
505 "\xc0\x27", // Overlong encoding of '
506 "\xe0\x80\xa7", // Another overlong encoding
507 "admin\xef\xbb\xbf", // With BOM
508 };
509
510 for (const auto& attack : unicode_attacks) {
511 query_builder builder(database_types::sqlite);
512 auto query = builder
513 .select({"*"})
514 .from("users")
515 .where("name", "=", attack)
516 .build();
517
518 // Should handle without crashing
519 EXPECT_NO_THROW({
520 db_->select_query(query);
521 }) << "Query failed with unicode attack: [binary data]";
522 }
523#else
524 GTEST_SKIP() << "SQLite not available";
525#endif
526}
References database::query_builder::build(), database::query_builder::select(), and database::query_builder::where().
Here is the call graph for this function:
◆ TEST_F() [15/15]
| TEST_F | ( | SQLInjectionTest | , |
| UnionInjectionAttempt | ) |
Tests that UNION-based injection is prevented.
- Test
- UnionInjectionAttempt
Attack: ' UNION SELECT * FROM sensitive_data – Expected: Query should not execute UNION
Definition at line 175 of file sql_injection_test.cpp.
175 {
176#ifdef USE_SQLITE
177 // Create a sensitive table for the test
178 db_->execute_query(
179 "CREATE TABLE sensitive_data (secret TEXT)"
180 );
181 db_->execute_query(
182 "INSERT INTO sensitive_data VALUES ('top_secret_value')"
183 );
184
185 std::string malicious_input = "' UNION SELECT secret, secret, secret, secret FROM sensitive_data --";
186
187 query_builder builder(database_types::sqlite);
188 auto query = builder
189 .select({"*"})
190 .from("users")
191 .where("name", "=", malicious_input)
192 .build();
193
194 auto query_result = db_->select_query(query);
195
196 // Check that sensitive data was not leaked
197 bool found_secret = false;
198 if (query_result.is_ok()) {
199 for (const auto& row : query_result.value()) {
200 for (const auto& [key, value] : row) {
201 if (std::holds_alternative<std::string>(value)) {
202 if (std::get<std::string>(value).find("top_secret") != std::string::npos) {
203 found_secret = true;
204 }
205 }
206 }
207 }
208 }
209 EXPECT_FALSE(found_secret)
210 << "CRITICAL: Sensitive data leaked through UNION injection!";
211#else
212 GTEST_SKIP() << "SQLite not available";
213#endif
214}
References database::query_builder::build(), database::query_builder::select(), and database::query_builder::where().
Here is the call graph for this function:
