Add tests to ensure that injections fail #56

Author: timgws

phpunit.xml.dist

@@ -1,23 +1,16 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:noNamespaceSchemaLocation="http://schema.phpunit.de/4.2/phpunit.xsd"
-         bootstrap="vendor/autoload.php"
-         backupGlobals="false"
-         verbose="true">
- <testsuites>
-  <testsuite name="MySQL">
-    <directory suffix="Test.php">tests</directory>
-  </testsuite>
-
-  <testsuite name="MongoDB">
-    <directory suffix="MongoDB.php">tests/mongodb</directory>
-  </testsuite>
- </testsuites>
-
-  <filter>
-    <whitelist processUncoveredFilesFromWhitelist="true">
+<phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/9.3/phpunit.xsd" bootstrap="vendor/autoload.php" backupGlobals="false" verbose="true">
+  <coverage processUncoveredFiles="true">
+    <include>
       <directory suffix=".php">src</directory>
-    </whitelist>
-  </filter>
+    </include>
+  </coverage>
+  <testsuites>
+    <testsuite name="MySQL">
+      <directory suffix="Test.php">tests</directory>
+    </testsuite>
+    <testsuite name="MongoDB">
+      <directory suffix="MongoDB.php">tests/mongodb</directory>
+    </testsuite>
+  </testsuites>
 </phpunit>
-

tests/CommonQueryBuilderTests.php

@@ -12,6 +12,7 @@
 class CommonQueryBuilderTests extends TestCase
 {
     protected $simpleQuery = '{"condition":"AND","rules":[{"id":"price","field":"price","type":"double","operator":"less","value":"10.25"}]}';
+    protected $simpleQueryInjection = '{"condition":"ALSO","rules":[{"id":"price","field":"price","type":"double","operator":"less","value":"10.25"},{"id":"price","field":"price","type":"double","operator":"greater","value":"9.25"}]}';
     protected $json1 = '{
        "condition":"AND",
        "rules":[

tests/QueryBuilderParserTest.php

@@ -25,6 +25,19 @@ public function testSimpleQuery()
         $this->assertEquals('select * where `price` < ?', $builder->toSql());
     }
 
+    public function testSimpleQueryNoInjection()
+    {
+        $builder = $this->createQueryBuilder();
+        $qb = $this->getParserUnderTest();
+
+        $this->expectException('timgws\QBParseException');
+        $this->expectExceptionMessage("Condition can only be one of");
+
+        $test = $qb->parse($this->simpleQueryInjection, $builder);
+
+        $this->assertEquals('select * where `price` < ?', $builder->toSql());
+    }
+
     public function testMoreComplexQuery()
     {
         $builder = $this->createQueryBuilder();