package sqlquery
import "testing"
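// TestValidateReadOnlySQLAllowsSelectAndWith checks that the validator accepts
// the read-only statement shapes callers depend on: a plain SELECT, a
// lower-case SELECT that carries a forbidden keyword only inside a string
// literal (the validator must not match keywords in quoted text), and a CTE
// (WITH ... SELECT). Each query runs as its own subtest and reports with
// t.Errorf, so one failing case does not hide the others.
func TestValidateReadOnlySQLAllowsSelectAndWith(t *testing.T) {
	allowed := []string{
		"SELECT * FROM events LIMIT 10",
		"select id, created_at from events where content = 'delete keyword in text' limit 5;",
		"WITH recent AS (SELECT * FROM events LIMIT 10) SELECT * FROM recent",
	}
	for _, q := range allowed {
		t.Run(q, func(t *testing.T) {
			if err := ValidateReadOnlySQL(q); err != nil {
				t.Errorf("ValidateReadOnlySQL(%q) returned error: %v", q, err)
			}
		})
	}
}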
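// TestValidateReadOnlySQLRejectsUnsafeStatements checks that the validator
// refuses anything that is not a single, comment-free read-only statement:
// empty input, DML and DDL (in any letter case), stacked statements, file
// writes via INTO OUTFILE, time-based probes (SLEEP), database attachment,
// maintenance commands, and SQL line comments, which are a common way to
// smuggle a second statement past a keyword check. Each query runs as its
// own subtest and reports with t.Errorf, so one failing case does not hide
// the others.
func TestValidateReadOnlySQLRejectsUnsafeStatements(t *testing.T) {
	rejected := []string{
		"",
		"DELETE FROM events",
		"delete from events", // write keywords must be matched case-insensitively
		"UPDATE events SET content='x'",
		"INSERT INTO events (id) VALUES (1)",
		"DROP TABLE events",
		"SELECT * FROM events; DELETE FROM events",
		"SELECT * INTO OUTFILE '/tmp/x' FROM events",
		"SELECT SLEEP(10)",
		"ATTACH DATABASE 'x' AS y",
		"VACUUM",
		"SELECT * FROM events -- comment",
	}
	// TODO(review): candidates to add once the validator's handling is confirmed:
	// block comments ("SELECT /* x */ * FROM events"), data-modifying CTEs
	// ("WITH d AS (DELETE FROM events RETURNING *) SELECT * FROM d"), and
	// leading whitespace or a BOM in front of a write keyword.
	for _, q := range rejected {
		t.Run(q, func(t *testing.T) {
			if err := ValidateReadOnlySQL(q); err == nil {
				t.Errorf("ValidateReadOnlySQL(%q) returned nil, want error", q)
			}
		})
	}
}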