|
5 | 5 |
|
6 | 6 | from __future__ import annotations |
7 | 7 |
|
8 | | -from test.csp_helpers import is_running_against_gcp |
9 | | - |
10 | 8 | import pytest |
11 | 9 |
|
12 | 10 | from snowflake.connector.errors import ProgrammingError |
@@ -48,23 +46,29 @@ async def test_binding_security(conn_cnx, db_parameters): |
48 | 46 |
|
49 | 47 | # SQL injection safe test |
50 | 48 | # Good Example |
51 | | - if not is_running_against_gcp(): |
52 | | - with pytest.raises(ProgrammingError): |
53 | | - r = await cnx.cursor().execute( |
54 | | - "SELECT * FROM {name} WHERE aa=%s".format( |
55 | | - name=db_parameters["name"] |
56 | | - ), |
57 | | - ("1 or aa>0",), |
58 | | - ) |
59 | | - await r.fetchall() |
60 | | - |
61 | | - with pytest.raises(ProgrammingError): |
62 | | - await cnx.cursor().execute( |
63 | | - "SELECT * FROM {name} WHERE aa=%(aa)s".format( |
64 | | - name=db_parameters["name"] |
65 | | - ), |
66 | | - {"aa": "1 or aa>0"}, |
67 | | - ) |
| 49 | + # server behavior change: this no longer raises an error, but returns an empty result set |
| 50 | + try: |
| 51 | + results = await cnx.cursor().execute( |
| 52 | + "SELECT * FROM {name} WHERE aa=%s".format( |
| 53 | + name=db_parameters["name"] |
| 54 | + ), |
| 55 | + ("1 or aa>0",), |
| 56 | + ) |
| 57 | + assert await results.fetchall() == [] |
| 58 | + except ProgrammingError: |
| 59 | + # old server behavior: OK |
| 60 | + pass |
| 61 | + try: |
| 62 | + results = await cnx.cursor().execute( |
| 63 | + "SELECT * FROM {name} WHERE aa=%(aa)s".format( |
| 64 | + name=db_parameters["name"] |
| 65 | + ), |
| 66 | + {"aa": "1 or aa>0"}, |
| 67 | + ) |
| 68 | + assert await results.fetchall() == [] |
| 69 | + except ProgrammingError: |
| 70 | + # old server behavior: OK |
| 71 | + pass |
68 | 72 |
|
69 | 73 | # Bad Example in application. DON'T DO THIS |
70 | 74 | c = cnx.cursor() |
|