PostERG/xamxam
1
0
Fork 0
mirror of https://codeberg.org/PostERG/xamxam.git synced 2026-05-06 19:19:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

tests: fix SecurityTest fatal TypeError — update searchTheses call to use array params

Browse Source 
SecurityTest::Test1 was calling $db->searchTheses($string) with a plain
string, but searchTheses() was refactored to require array $params when
the tag M2M work landed.  This caused an immediate PHP fatal TypeError
before any SQL ever ran, killing the entire Security test suite with
exit code 255 and masking all three tests.

Fix: pass each malicious payload via ['query' => $string] which is the
correct API and properly exercises the parameterised query path through
validateSearchParams() + buildSearchConditions().  Added a clarifying
comment explaining why the array form is required.

All 4 test suites now pass:
  - Database (Unit):   7/7
  - Rate Limit (Unit): 5/5
  - Search (Integration): 6/6
  - Security:          3/3
This commit is contained in:
Pontoporeia
2026-03-26 18:54:20 +01:00
parent e4be230a04
commit b12ae73e91
5 changed files with 14 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
tests/Security/SecurityTest.php
View File

@@ -13,6 +13,10 @@ try {
$db = Database::getInstance();
// Test 1: SQL Injection in search
// searchTheses() takes an array of validated params; the 'query' key is the
// free-text search field that users control. Each malicious string must
// be passed as ['query' => $string] to exercise the actual parameterised
// query path rather than triggering a PHP TypeError before any SQL runs.
echo "Test 1: SQL Injection Protection (Search)\n";
$maliciousQueries = [
"' OR '1'='1",
@@ -23,11 +27,12 @@ try {
foreach ($maliciousQueries as $query) {
try {
$results = $db->searchTheses($query);
echo " ✓ Blocked: " . substr($query, 0, 30) . "...\n";
$results = $db->searchTheses(['query' => $query]);
// Should return a (possibly empty) result set without throwing
echo " ✓ Handled safely: " . substr($query, 0, 40) . "\n";
} catch (Exception $e) {
// Exception is also acceptable (query blocked)
echo " ✓ Exception: " . substr($query, 0, 30) . "...\n";
// A thrown exception is also acceptable (query rejected upstream)
echo " ✓ Exception (safe): " . substr($query, 0, 40) . "\n";
}
}
echo "✓ PASS: SQL injection attempts handled safely\n\n";