add unit test for sql removal vars (#791)

clavedeluna · web-flow · commit 882788b313ab · 2024-08-16T14:42:30.000Z
diff --git a/tests/codemods/test_sql_parameterization.py b/tests/codemods/test_sql_parameterization.py
@@ -1,3 +1,5 @@
+import pytest
+
 from codemodder.codemods.test import BaseCodemodTest
 from core_codemods.sql_parameterization import SQLQueryParameterization
 
@@ -183,6 +185,56 @@ def test_simple_concatenated_strings(self, tmpdir):
         """
         self.run_and_assert(tmpdir, input_code, expected)
 
+    @pytest.mark.xfail(reason="https://github.com/pixee/codemodder-python/issues/441")
+    def test_donot_remove_variables(self, tmpdir):
+        input_code = """
+        def sql_lab(request):
+            if request.user.is_authenticated:
+                name=request.POST.get('name')
+                password=request.POST.get('pass')
+                if name:
+                    if login.objects.filter(user=name):
+                        sql_query = "SELECT * FROM introduction_login WHERE user='"+name+"'AND password='"+password+"'"
+                        print(sql_query)
+                        try:
+                            val=login.objects.execute(sql_query)
+                        except:
+                            pass
+                        if val:
+                            user=val[0].user
+                            return render(request, 'Lab/SQL/sql_lab.html',{"user1":user})
+        @csrf_exempt
+        def xxe_parse(request):
+            text='hi'
+            p=comments.objects.filter(id=1).update(comment=text)
+            return render(request, 'Lab/XXE/xxe_lab.html')
+
+        """
+        expected = """
+        def sql_lab(request):
+            if request.user.is_authenticated:
+                name=request.POST.get('name')
+                password=request.POST.get('pass')
+                if name:
+                    if login.objects.filter(user=name):
+                        sql_query = "SELECT * FROM introduction_login WHERE user=?"+"AND password=?"
+                        print(sql_query)
+                        try:
+                            val=login.objects.execute(sql_query, (name, password, ))
+                        except:
+                            pass
+                        if val:
+                            user=val[0].user
+                            return render(request, 'Lab/SQL/sql_lab.html',{"user1":user})
+        @csrf_exempt
+        def xxe_parse(request):
+            text='hi'
+            p=comments.objects.filter(id=1).update(comment=text)
+            return render(request, 'Lab/XXE/xxe_lab.html')
+
+        """
+        self.run_and_assert(tmpdir, input_code, expected)
+
 
 class TestSQLQueryParameterizationFormattedString(BaseCodemodTest):
     codemod = SQLQueryParameterization
