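def test_search_field_sanitizer(self):
    """``search_link`` accepts a plain column name as ``searchfield`` and rejects anything else.

    ``searchfield`` is client-controlled and ends up in the query that backs
    link-field search, so it is an SQL-injection sink; every payload below
    must be refused with ``frappe.DataError`` before any query is issued.
    """
    # Happy path: a legitimate column name is accepted and results come back.
    search_link('DocType', 'User', query=None, filters=None, page_length=20, searchfield='name')
    result = frappe.response['results'][0]
    self.assertIn('User', result['value'])

    # Each payload is a distinct way of smuggling SQL through ``searchfield``.
    # subTest reports every failing case instead of stopping at the first one.
    injection_payloads = (
        '1=1',                                  # always-true predicate
        'select * from tabSessions) --',        # close the expression, dump a table, comment out the rest
        'name or (select * from tabSessions)',  # valid column followed by a sub-select
        '*',                                    # wildcard instead of a column name
        ';',                                    # statement terminator
    )
    for payload in injection_payloads:
        with self.subTest(searchfield=payload):
            self.assertRaises(
                frappe.DataError,
                search_link,
                'DocType', 'Customer',
                query=None, filters=None, page_length=20,
                searchfield=payload,
            )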
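def test_validate_and_sanitize_search_inputs(self):
    """Exercise the search-input sanitiser through the module's ``get_data`` helper.

    ``get_data`` is presumably wrapped by the ``validate_and_sanitize_search_inputs``
    decorator this test is named after (the decorator itself is not in view).
    Covers: an injectable ``searchfield`` is rejected, ``start``/``page_len`` are
    coerced to ``int``, a ``None`` doctype is accepted, an unknown doctype yields
    ``[]``, extra kwargs from ``frappe.call`` are tolerated, and an ``@`` in the
    search text is not mistaken for injection.
    """
    # An injectable searchfield must be rejected outright.
    self.assertRaises(
        frappe.DataError,
        get_data, 'User', 'Random', 'select * from tabSessions) --', '1', '10', {},
    )

    # start and page_len arrive as strings (e.g. from a request) and are coerced
    # to int; a non-numeric start is coerced to 0 rather than raising.
    self.assertListEqual(
        get_data('User', 'Random', 'email', 'name or (select * from tabSessions)', '10', {}),
        ['User', 'Random', 'email', 0, 10, {}],
    )
    self.assertListEqual(
        get_data('User', 'Random', 'email', page_len='2', start='10', filters={}),
        ['User', 'Random', 'email', 10, 2, {}],
    )

    # A None doctype is passed through unchanged.
    self.assertListEqual(
        get_data(None, 'Random', 'email', '2', '10', {}),
        [None, 'Random', 'email', 2, 10, {}],
    )

    # An unknown doctype yields an empty list, not an error.
    self.assertListEqual(get_data('Random DocType', 'Random', 'email', '2', '10', {}), [])

    # Extra keyword arguments, as frappe.call passes them, must not break the wrapper.
    args = ('Random DocType', 'Random', 'email', '2', '10', {})
    kwargs = {'as_dict': False}
    self.assertListEqual(frappe.call('frappe.tests.test_search.get_data', *args, **kwargs), [])

    # An '@' in the search text is legitimate input, not injection.
    search_link('User', 'user@random', searchfield='name')
    self.assertListEqual(frappe.response['results'], [])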
def search_link_resolver(obj, info: GraphQLResolveInfo, **kwargs):
    """GraphQL resolver that forwards a link-search request to ``search_link``.

    All arguments come straight from the GraphQL client; ``txt`` defaults to an
    empty string, every other argument to ``None`` when absent. Nothing is
    validated here — rejecting an injectable ``searchfield`` is left to
    ``search_link``'s own sanitiser, so this resolver must not grow a bypass
    around it. The result is read back from the global ``frappe.response``.
    """
    forwarded = {
        key: kwargs.get(key)
        for key in ("filters", "page_length", "searchfield", "reference_doctype")
    }
    search_link(kwargs.get("doctype"), kwargs.get("txt", ""), **forwarded)
    return frappe.response["results"]
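def test_link_field_order(self):
    """Link search on a tree doctype lists the parent first, followed by all its children.

    Uses ``assertEqual``: the ``assertEquals`` alias was deprecated and is
    removed in Python 3.12.
    """
    search_link(
        doctype=self.tree_doctype_name, txt='all', query=None, filters=None,
        page_length=20, searchfield=None,
    )
    result = frappe.response['results']
    # The parent node must be the first result (sorted order).
    self.assertEqual(self.parent_doctype_name, result[0]['value'])
    # Searching for the parent also lists every child: parent + children.
    self.assertEqual(len(result), len(self.child_doctypes_names) + 1)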
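def test_validate_and_sanitize_search_inputs(self):
    """Exercise the search-input sanitiser through the module's ``get_data`` helper.

    ``get_data`` is presumably wrapped by the ``validate_and_sanitize_search_inputs``
    decorator this test is named after (the decorator itself is not in view).
    Covers: an injectable ``searchfield`` is rejected, ``start``/``page_len`` are
    coerced to ``int``, a ``None`` doctype is accepted, an unknown doctype yields
    ``[]``, extra kwargs from ``frappe.call`` are tolerated, and an ``@`` in the
    search text is not mistaken for injection.
    """
    # An injectable searchfield must be rejected outright.
    self.assertRaises(
        frappe.DataError,
        get_data, "User", "Random", "select * from tabSessions) --", "1", "10", {},
    )

    # start and page_len arrive as strings (e.g. from a request) and are coerced
    # to int; a non-numeric start is coerced to 0 rather than raising.
    self.assertListEqual(
        get_data("User", "Random", "email", "name or (select * from tabSessions)", "10", {}),
        ["User", "Random", "email", 0, 10, {}],
    )
    self.assertListEqual(
        get_data("User", "Random", "email", page_len="2", start="10", filters={}),
        ["User", "Random", "email", 10, 2, {}],
    )

    # A None doctype is passed through unchanged.
    self.assertListEqual(
        get_data(None, "Random", "email", "2", "10", {}),
        [None, "Random", "email", 2, 10, {}],
    )

    # An unknown doctype yields an empty list, not an error.
    self.assertListEqual(get_data("Random DocType", "Random", "email", "2", "10", {}), [])

    # Extra keyword arguments, as frappe.call passes them, must not break the wrapper.
    args = ("Random DocType", "Random", "email", "2", "10", {})
    kwargs = {"as_dict": False}
    self.assertListEqual(frappe.call("frappe.tests.test_search.get_data", *args, **kwargs), [])

    # An '@' in the search text is legitimate input, not injection.
    search_link("User", "user@random", searchfield="name")
    self.assertListEqual(frappe.response["results"], [])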
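def test_search_field_sanitizer(self):
    """``search_link`` accepts a plain column name as ``searchfield`` and rejects anything else.

    ``searchfield`` is client-controlled and ends up in the query that backs
    link-field search, so it is an SQL-injection sink; every payload below
    must be refused with ``frappe.DataError`` before any query is issued.
    """
    # Happy path: a legitimate column name is accepted and results come back.
    search_link("DocType", "User", query=None, filters=None, page_length=20, searchfield="name")
    result = frappe.response["results"][0]
    self.assertIn("User", result["value"])

    # Each payload is a distinct way of smuggling SQL through ``searchfield``.
    # subTest reports every failing case instead of stopping at the first one.
    injection_payloads = (
        "1=1",                                  # always-true predicate
        "select * from tabSessions) --",        # close the expression, dump a table, comment out the rest
        "name or (select * from tabSessions)",  # valid column followed by a sub-select
        "*",                                    # wildcard instead of a column name
        ";",                                    # statement terminator
    )
    for payload in injection_payloads:
        with self.subTest(searchfield=payload):
            self.assertRaises(
                frappe.DataError,
                search_link,
                "DocType", "Customer",
                query=None, filters=None, page_length=20,
                searchfield=payload,
            )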