(test) SQL Injections to test database security vulnerabilities

[xiomara0]

Describe your changes

This request creates 7 tests to check for SQL injections. This will close #145.

• updated setup_fake_db.py to fix relative import issue (from tests.db_test) and to have main return the test db and test app to use in the sql test injections

• created 7 tests:

  • test_safe_injections: Test function for testing safe input handling or prevention of SQL injections.
  • test_unsafe_injections_return_all_rows: Test function for an unsafe input attempting to return all rows from the database.
  • test_unsafe_injections_alter_table: Test function for an unsafe input attempting to alter the database table structure.
  • test_line_comments_injection: Test function for testing prevention of line comments in SQL queries.
  • test_union_injection: Test function for testing prevention of Union-based SQL injections.
  • test_unsafe_error_based_injection: Test function for testing error-based SQL injections that find column names.
  • test_unsafe_boolean_based_blind_sql_injection: Test function for simulating an SQL injection attack using an IF statement.

Non-obvious technical information

Checklist before requesting a review

• [X] pre-commit run --all-files (run before pushing)
• [X] pytest if applicable
• [X] Link issue
• [X] Update relevant documentation if applicable: doc strings, readme, poetry.

[aaronhaefner]

Can you also update the tests/readme with a section on SQL injection testing?

[xiomara0]

Can you also update the tests/readme with a section on SQL injection testing?

Lmk if you want something more robust. I added a line to the db operation test and tests included sections -- unsure if you prefer a separate section for SQL injections.

[aaronhaefner]

@xiomara0 just need to merge in the main branch then I will approve this.

[xiomara0]

Updated - thanks for your patience! @aaronhaefner

[xiomara0]

[heart] Xiomara Salazar Flores reacted to your message:

---

From: Federico Domínguez Molina @.> Sent: Saturday, May 11, 2024 6:22:41 PM To: uchicago-capp-30320/new-arrivals-chi @.> Cc: Xiomara Salazar Flores @.>; Mention @.> Subject: Re: [uchicago-capp-30320/new-arrivals-chi] (test) SQL Injections to test database security vulnerabilities (PR #161)

Merged #161https://urldefense.com/v3/__https://github.com/uchicago-capp-30320/new-arrivals-chi/pull/161__;!!BpyFHLRN4TMTrA!4BaQYpeiqs2VgV2_n13Y2ogeJOSNkH_ILcPQfVJDj8hg1WFClnDYP0VyuSUMdArqaw12eU90djBxafbKU048jDR-KXo$ into main.

— Reply to this email directly, view it on GitHubhttps://urldefense.com/v3/__https://github.com/uchicago-capp-30320/new-arrivals-chi/pull/161*event-12776979034__;Iw!!BpyFHLRN4TMTrA!4BaQYpeiqs2VgV2_n13Y2ogeJOSNkH_ILcPQfVJDj8hg1WFClnDYP0VyuSUMdArqaw12eU90djBxafbKU048_DPxk1g$, or unsubscribehttps://urldefense.com/v3/__https://github.com/notifications/unsubscribe-auth/A3MPHIZORPWIOXPMUKN2A23ZBZOXDAVCNFSM6AAAAABHPVLP3SVHI2DSMVQWIX3LMV45UABCJFZXG5LFIV3GK3TUJZXXI2LGNFRWC5DJN5XDWMJSG43TMOJXHEYDGNA__;!!BpyFHLRN4TMTrA!4BaQYpeiqs2VgV2_n13Y2ogeJOSNkH_ILcPQfVJDj8hg1WFClnDYP0VyuSUMdArqaw12eU90djBxafbKU048ChSuSC8$. You are receiving this because you were mentioned.Message ID: @.***>