tests: fix SecurityTest fatal TypeError — update searchTheses call to use array params

SecurityTest::Test1 was calling $db->searchTheses($string) with a plain string, but searchTheses() was refactored to require array $params when the tag M2M work landed. This caused an immediate PHP fatal TypeError before any SQL ever ran, killing the entire Security test suite with exit code 255 and masking all three tests. Fix: pass each malicious payload via ['query' => $string] which is the correct API and properly exercises the parameterised query path through validateSearchParams() + buildSearchConditions(). Added a clarifying comment explaining why the array form is required. All 4 test suites now pass: - Database (Unit): 7/7 - Rate Limit (Unit): 5/5 - Search (Integration): 6/6 - Security: 3/3
2026-05-06 19:19:19 +02:00 · 2026-03-26 18:54:20 +01:00
parent e4be230a04
commit b12ae73e91
5 changed files with 14 additions and 6 deletions
--- a/TODO.md
+++ b/TODO.md
@@ -317,6 +317,10 @@ Goal: rename the tables and column to the canonical M2M pattern (`tags`, `thesis

 ---

+## Fixes
+
+- [x] Fix `tests/Security/SecurityTest.php`: update SQL injection test to call `searchTheses(['query' => $string])` instead of bare string — `searchTheses()` signature was updated to `array $params` but the test was never updated, causing a fatal `TypeError` that prevented the security suite from running at all
+
 ## Pending

 - [x] Add flake.nix for Nix-based PHP dev environment
--- a/src/cache/rate_limit/ad921d60486366258809553a3db49a4a.json
+++ b/src/cache/rate_limit/ad921d60486366258809553a3db49a4a.json
@@ -1 +1 @@
-[1770895832]
+[1774547615,1774547646]
--- a/src/cache/rate_limit/f528764d624db129b32c21fbca0cb8d6.json
+++ b/src/cache/rate_limit/f528764d624db129b32c21fbca0cb8d6.json
@@ -1 +0,0 @@
-[1774354709]
--- a/storage/test.db
+++ b/storage/test.db
--- a/tests/Security/SecurityTest.php
+++ b/tests/Security/SecurityTest.php
@@ -13,6 +13,10 @@ try {
    $db = Database::getInstance();

    // Test 1: SQL Injection in search
+    // searchTheses() takes an array of validated params; the 'query' key is the
+    // free-text search field that users control.  Each malicious string must
+    // be passed as ['query' => $string] to exercise the actual parameterised
+    // query path rather than triggering a PHP TypeError before any SQL runs.
    echo "Test 1: SQL Injection Protection (Search)\n";
    $maliciousQueries = [
        "' OR '1'='1",
@@ -23,11 +27,12 @@ try {

    foreach ($maliciousQueries as $query) {
        try {
-            $results = $db->searchTheses($query);
-            echo "  ✓ Blocked: " . substr($query, 0, 30) . "...\n";
+            $results = $db->searchTheses(['query' => $query]);
+            // Should return a (possibly empty) result set without throwing
+            echo "  ✓ Handled safely: " . substr($query, 0, 40) . "\n";
        } catch (Exception $e) {
-            // Exception is also acceptable (query blocked)
-            echo "  ✓ Exception: " . substr($query, 0, 30) . "...\n";
+            // A thrown exception is also acceptable (query rejected upstream)
+            echo "  ✓ Exception (safe): " . substr($query, 0, 40) . "\n";
        }
    }
    echo "✓ PASS: SQL injection attempts handled safely\n\n";