
Commit 4e77ab2

committed
Bring back test cases with entries
1 parent 3b073eb commit 4e77ab2

1 file changed

+257
-0
lines changed


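--- a/javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js
+++ b/javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js
@@ -53,6 +53,21 @@ module.exports = class Service1 extends cds.ApplicationService {
 cds.read("Entity1").where`ID=${id}`; // SAFE: tagged template expression
 });
 
+this.on("send00131", async (req) => {
+const { id } = req.data;
+cds.create("Entity1").entries({id: "" + id}); // UNSAFE: direct concatenation with `+`
+});
+
+this.on("send00132", async (req) => {
+const { id } = req.data;
+cds.create("Entity1").entries({id: `` + id}); // UNSAFE: direct concatenation with `+`
+});
+
+this.on("send00133", async (req) => {
+const { id } = req.data;
+cds.create("Entity1").entries({id: `${id}`}); // UNSAFE: direct interpolation in a template literal
+});
+
 this.on("send00141", async (req) => {
 const { id, amount } = req.data;
 cds.update("Entity1").set("col1 = col1" + amount).where("col1 = " + id); // UNSAFE: direct concatenation with `+`
@@ -73,6 +88,36 @@ module.exports = class Service1 extends cds.ApplicationService {
 cds.update("Entity1").set("col1 = col1" + amount).where`col1 = ${id}`; // UNSAFE: direct concatenation with `+`
 });
 
+this.on("send00151", async (req) => {
+const { id } = req.data;
+cds.insert("Entity1").entries({id: "" + id}); // UNSAFE: direct concatenation with `+`
+});
+
+this.on("send00152", async (req) => {
+const { id } = req.data;
+cds.insert("Entity1").entries({id: `` + id}); // UNSAFE: direct concatenation with `+`
+});
+
+this.on("send00153", async (req) => {
+const { id } = req.data;
+cds.insert("Entity1").entries({id: `${id}`}); // UNSAFE: direct interpolation in a template literal
+});
+
+this.on("send00161", async (req) => {
+const { id } = req.data;
+cds.upsert("Entity1").entries({id: "" + id}); // UNSAFE: direct concatenation with `+`
+});
+
+this.on("send00162", async (req) => {
+const { id } = req.data;
+cds.upsert("Entity1").entries({id: `` + id}); // UNSAFE: direct concatenation with `+`
+});
+
+this.on("send00163", async (req) => {
+const { id } = req.data;
+cds.upsert("Entity1").entries({id: `${id}`}); // UNSAFE: direct interpolation in a template literal
+});
+
 this.on("send00171", async (req) => {
 const { id } = req.data;
 cds.delete("Entity1").where("ID =" + id); // UNSAFE: direct concatenation with `+`
@@ -118,6 +163,30 @@ module.exports = class Service1 extends cds.ApplicationService {
 await SELECT.from(Service1Entity).where`ID=${id}`; // SAFE: tagged template expression
 });
 
+this.on("send00221", async (req) => {
+const { id } = req.data;
+const { Service1Entity } = this.entities;
+await INSERT.into(Service1Entity).entries("ID =" + id); // UNSAFE: direct concatenation with `+`
+});
+
+this.on("send00222", async (req) => {
+const { id } = req.data;
+const { Service1Entity } = this.entities;
+await INSERT.into(Service1Entity).entries(`ID =` + id); // UNSAFE: direct concatenation with `+`
+});
+
+this.on("send00223", async (req) => {
+const { id } = req.data;
+const { Service1Entity } = this.entities;
+await INSERT.into(Service1Entity).entries(`ID = ${id}`); // UNSAFE: direct interpolation in a template literal
+});
+
+this.on("send00224", async (req) => {
+const { id } = req.data;
+const { Service1Entity } = this.entities;
+await INSERT.into(Service1Entity).entries`ID = ${id}`; // SAFE: tagged template expression
+});
+
 this.on("send00231", async (req) => {
 const { id } = req.data;
 const { Service1Entity } = this.entities;
@@ -142,6 +211,24 @@ module.exports = class Service1 extends cds.ApplicationService {
 await UPDATE.entity(Service1Entity).set("col1 = col1 + " + id).where`ID = ${id}`; // UNSAFE: direct concatenation with `+`
 });
 
+this.on("send00241", async (req) => {
+const { id } = req.data;
+const { Service1Entity } = this.entities;
+await UPSERT.into(Service1Entity).entries({ id: "" + id }); // UNSAFE: direct concatenation with `+`
+});
+
+this.on("send00242", async (req) => {
+const { id } = req.data;
+const { Service1Entity } = this.entities;
+await UPSERT.into(Service1Entity).entries({ id: `` + id }); // UNSAFE: direct concatenation with `+`
+});
+
+this.on("send00243", async (req) => {
+const { id } = req.data;
+const { Service1Entity } = this.entities;
+await UPSERT.into(Service1Entity).entries({ id: `${id}` }); // UNSAFE: direct interpolation in a template literal
+});
+
 this.on("send00251", async (req) => {
 const { id } = req.data;
 const { Service1Entity } = this.entities;
@@ -178,6 +265,26 @@ module.exports = class Service1 extends cds.ApplicationService {
 this.read(`Service1Entity`).where("ID =" + id); // UNSAFE: direct concatenation with `+`
 });
 
+this.on("send33", async (req) => {
+const { id } = req.data;
+this.create(`Service1Entity`).entries({id: "" + id}); // UNSAFE: direct concatenation with `+`
+});
+
+this.on("send34", async (req) => {
+const { id, amount } = req.data;
+this.update(`Service1Entity`).set("col1 = col1" + amount).where("col1 = " + id); // UNSAFE: direct concatenation with `+`
+});
+
+this.on("send35", async (req) => {
+const { id } = req.data;
+this.insert(`Service1Entity`).entries({id: "" + id}); // UNSAFE: direct concatenation with `+`
+});
+
+this.on("send36", async (req) => {
+const { id } = req.data;
+this.upsert(`Service1Entity`).entries({id: "" + id}); // UNSAFE: direct concatenation with `+`
+});
+
 this.on("send37", async (req) => {
 const { id } = req.data;
 this.delete(`Service1Entity`).where("ID =" + id); // UNSAFE: direct concatenation with `+`
@@ -197,12 +304,30 @@ module.exports = class Service1 extends cds.ApplicationService {
 Service2.read(`Service2Entity`).where("ID =" + id); // UNSAFE: direct concatenation with `+`
 });
 
+this.on("send43", async (req) => {
+const { id } = req.data;
+const Service2 = await cds.connect.to("Service2");
+Service2.create(`Service2Entity`).entries({id: "" + id}); // UNSAFE: direct concatenation with `+`
+});
+
 this.on("send44", async (req) => {
 const { id, amount } = req.data;
 const Service2 = await cds.connect.to("Service2");
 Service2.update(`Service2Entity`).set("col1 = col1" + amount).where("col1 = " + id); // UNSAFE: direct concatenation with `+`
 });
 
+this.on("send45", async (req) => {
+const { id } = req.data;
+const Service2 = await cds.connect.to("Service2");
+Service2.insert(`Service2Entity`).entries({id: "" + id}); // UNSAFE: direct concatenation with `+`
+});
+
+this.on("send46", async (req) => {
+const { id } = req.data;
+const Service2 = await cds.connect.to("Service2");
+Service2.upsert(`Service2Entity`).entries({id: "" + id}); // UNSAFE: direct concatenation with `+`
+});
+
 this.on("send47", async (req) => {
 const { id } = req.data;
 const Service2 = await cds.connect.to("Service2");
@@ -328,6 +453,14 @@ module.exports = class Service1 extends cds.ApplicationService {
 });
 });
 
+this.on("send93", async (req) => {
+const { id } = req.data;
+const Service2 = await cds.connect.to("Service2");
+Service2.tx(async (tx) => {
+tx.create(`Service2Entity`).entries({id: "" + id}); // UNSAFE: direct concatenation with `+`
+});
+});
+
 this.on("send94", async (req) => {
 const { id, amount } = req.data;
 const Service2 = await cds.connect.to("Service2");
@@ -336,6 +469,22 @@ module.exports = class Service1 extends cds.ApplicationService {
 });
 });
 
+this.on("send95", async (req) => {
+const { id } = req.data;
+const Service2 = await cds.connect.to("Service2");
+Service2.tx(async (tx) => {
+tx.insert(`Service2Entity`).entries({id: "" + id}); // UNSAFE: direct concatenation with `+`
+});
+});
+
+this.on("send96", async (req) => {
+const { id } = req.data;
+const Service2 = await cds.connect.to("Service2");
+Service2.tx(async (tx) => {
+tx.upsert(`Service2Entity`).entries({id: "" + id}); // UNSAFE: direct concatenation with `+`
+});
+});
+
 this.on("send97", async (req) => {
 const { id } = req.data;
 const Service2 = await cds.connect.to("Service2");
@@ -360,13 +509,34 @@ module.exports = class Service1 extends cds.ApplicationService {
 });
 });
 
+this.on("send103", async (req) => {
+const { id } = req.data;
+this.tx(async (tx) => {
+tx.create(`Service1Entity`).entries({id: "" + id}); // UNSAFE: direct concatenation with `+`
+});
+});
+
 this.on("send104", async (req) => {
 const { id, amount } = req.data;
 this.tx(async (tx) => {
 tx.update(`Service1Entity`).set("col1 = col1" + amount).where("col1 = " + id); // UNSAFE: direct concatenation with `+`
 });
 });
 
+this.on("send105", async (req) => {
+const { id } = req.data;
+this.tx(async (tx) => {
+tx.insert(`Service1Entity`).entries({id: "" + id}); // UNSAFE: direct concatenation with `+`
+});
+});
+
+this.on("send106", async (req) => {
+const { id } = req.data;
+this.tx(async (tx) => {
+tx.upsert(`Service1Entity`).entries({id: "" + id}); // UNSAFE: direct concatenation with `+`
+});
+});
+
 this.on("send107", async (req) => {
 const { id } = req.data;
 this.tx(async (tx) => {
@@ -390,13 +560,34 @@ module.exports = class Service1 extends cds.ApplicationService {
 });
 });
 
+this.on("send113", async (req) => {
+const { id } = req.data;
+cds.tx(async (tx) => {
+tx.create(`Entity1`).entries({id: "" + id}); // UNSAFE: direct concatenation with `+`
+});
+});
+
 this.on("send114", async (req) => {
 const { id, amount } = req.data;
 cds.tx(async (tx) => {
 tx.update(`Entity1`).set("col1 = col1" + amount).where("col1 = " + id); // UNSAFE: direct concatenation with `+`
 });
 });
 
+this.on("send115", async (req) => {
+const { id } = req.data;
+cds.tx(async (tx) => {
+tx.insert(`Entity1`).entries({id: "" + id}); // UNSAFE: direct concatenation with `+`
+});
+});
+
+this.on("send116", async (req) => {
+const { id } = req.data;
+cds.tx(async (tx) => {
+tx.upsert(`Entity1`).entries({id: "" + id}); // UNSAFE: direct concatenation with `+`
+});
+});
+
 this.on("send117", async (req) => {
 const { id } = req.data;
 cds.tx(async (tx) => {
@@ -420,13 +611,34 @@ module.exports = class Service1 extends cds.ApplicationService {
 });
 });
 
+this.on("send123", async (req) => {
+const { id } = req.data;
+cds.db.tx(async (tx) => {
+tx.create(`Entity1`).entries({id: "" + id}); // UNSAFE: direct concatenation with `+`
+});
+});
+
 this.on("send124", async (req) => {
 const { id, amount } = req.data;
 cds.db.tx(async (tx) => {
 tx.update(`Entity1`).set("col1 = col1" + amount).where("col1 = " + id); // UNSAFE: direct concatenation with `+`
 });
 });
 
+this.on("send125", async (req) => {
+const { id } = req.data;
+cds.db.tx(async (tx) => {
+tx.insert(`Entity1`).entries({id: "" + id}); // UNSAFE: direct concatenation with `+`
+});
+});
+
+this.on("send126", async (req) => {
+const { id } = req.data;
+cds.db.tx(async (tx) => {
+tx.upsert(`Entity1`).entries({id: "" + id}); // UNSAFE: direct concatenation with `+`
+});
+});
+
 this.on("send127", async (req) => {
 const { id } = req.data;
 cds.db.tx(async (tx) => {
@@ -479,6 +691,21 @@ module.exports = class Service1 extends cds.ApplicationService {
 cds.db.read("Entity1").where`ID=${id}`; // SAFE: tagged template expression
 });
 
+this.on("send001331", async (req) => {
+const { id } = req.data;
+cds.db.create("Entity1").entries({id: "" + id}); // UNSAFE: direct concatenation with `+`
+});
+
+this.on("send001332", async (req) => {
+const { id } = req.data;
+cds.db.create("Entity1").entries({id: `` + id}); // UNSAFE: direct concatenation with `+`
+});
+
+this.on("send001333", async (req) => {
+const { id } = req.data;
+cds.db.create("Entity1").entries({id: `${id}`}); // UNSAFE: direct interpolation in a template literal
+});
+
 this.on("send001341", async (req) => {
 const { id, amount } = req.data;
 cds.db.update("Entity1").set("col1 = col1" + amount).where("col1 = " + id); // UNSAFE: direct concatenation with `+`
@@ -499,6 +726,36 @@ module.exports = class Service1 extends cds.ApplicationService {
 cds.db.update("Entity1").set("col1 = col1" + amount).where`col1 = ${id}`; // UNSAFE: direct concatenation with `+`
 });
 
+this.on("send001351", async (req) => {
+const { id } = req.data;
+cds.db.insert("Entity1").entries({id: "" + id}); // UNSAFE: direct concatenation with `+`
+});
+
+this.on("send001352", async (req) => {
+const { id } = req.data;
+cds.db.insert("Entity1").entries({id: `` + id}); // UNSAFE: direct concatenation with `+`
+});
+
+this.on("send001353", async (req) => {
+const { id } = req.data;
+cds.db.insert("Entity1").entries({id: `${id}`}); // UNSAFE: direct interpolation in a template literal
+});
+
+this.on("send001361", async (req) => {
+const { id } = req.data;
+cds.db.upsert("Entity1").entries({id: "" + id}); // UNSAFE: direct concatenation with `+`
+});
+
+this.on("send001362", async (req) => {
+const { id } = req.data;
+cds.db.upsert("Entity1").entries({id: `` + id}); // UNSAFE: direct concatenation with `+`
+});
+
+this.on("send001363", async (req) => {
+const { id } = req.data;
+cds.db.upsert("Entity1").entries({id: `${id}`}); // UNSAFE: direct interpolation in a template literal
+});
+
 this.on("send001371", async (req) => {
 const { id } = req.data;
 cds.db.delete("Entity1").where("ID =" + id); // UNSAFE: direct concatenation with `+`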
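Review bot: The UNSAFE label on the object-literal cases such as `cds.create("Entity1").entries({id: "" + id})` (send00131 and the matching create/insert/upsert variants through send001363) looks questionable: the concatenated string is a column value inside an object, and if `entries()` binds object values as data rather than parsing them as CQL — which is how the CAP documentation describes it — a query tuned to flag these would produce false positives on ordinary CAP code. If flagging them is intentional, the annotation should say why the value is still treated as a sink; otherwise I would relabel them, e.g. `// SAFE: object value is bound as data, not parsed as CQL`, and keep only the string-argument forms such as `entries("ID =" + id)` in send00221–send00223 as UNSAFE. Relatedly, send00224 marks a tagged-template call on `entries` as SAFE, but that call shape appears nowhere else in the file, so it is worth confirming against the expected-results file that it is a form the query is meant to recognise. All of these handlers sit inside `class Service1`, whose definition starts and ends outside the hunks.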
