'use strict';
require('../helper');
var server = require('../../lib/server')();
var assert = require('../support/assert');
var querystring = require('querystring');
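describe('system-queries', function() {

    // Each suite lists queries that touch (or merely look like they touch)
    // PostgreSQL system catalogs, together with the HTTP outcome expected
    // with and without an API key. The first suite pins the authorization
    // rule: pg_* catalog tables and geometry_columns are served only to
    // callers presenting an API key, and refused with 403 otherwise. The
    // second suite lists look-alikes (a literal 'pg_' string, a column alias
    // named pg_attribute, a user table called cpg_test) that must be served
    // in both cases, so the check cannot over-block ordinary queries.
    var systemQueriesSuitesToTest = [
        {
            desc: 'pg_ queries work with api_key and fail otherwise',
            queries: [
                'SELECT * FROM pg_attribute',
                'SELECT * FROM PG_attribute',
                'SELECT * FROM "pg_attribute"',
                'SELECT a.* FROM untitle_table_4 a,pg_attribute',
                'SELECT * FROM geometry_columns'
            ],
            api_key_works: true,
            no_api_key_works: false
        },
        {
            desc: 'Possible false positive queries will work with api_key and without it',
            queries: [
                "SELECT 'pg_'",
                'SELECT pg_attribute FROM ( select 1 as pg_attribute ) as f',
                'SELECT * FROM cpg_test'
            ],
            api_key_works: true,
            no_api_key_works: true
        }
    ];

    // HTTP status a suite expects: 200 when the query must be allowed,
    // 403 when the server must refuse it.
    function expectedStatus(works) {
        return works ? 200 : 403;
    }

    systemQueriesSuitesToTest.forEach(function(suiteToTest) {
        testSystemQueries(
            suiteToTest.desc + ' with api_key',
            suiteToTest.queries,
            expectedStatus(suiteToTest.api_key_works),
            '1234'
        );
        testSystemQueries(
            suiteToTest.desc,
            suiteToTest.queries,
            expectedStatus(suiteToTest.no_api_key_works)
        );
    });

    /**
     * Registers one mocha test per query, issuing it through the SQL API
     * endpoint and asserting the HTTP status code of the response.
     *
     * @param {string} description - prefix for the generated test names
     * @param {string[]} queries - SQL statements to send, one test each
     * @param {number} statusErrorCode - HTTP status the response must carry
     * @param {string} [apiKey] - when given, sent as the `api_key` query
     *   parameter; for anonymous requests the parameter is omitted entirely
     *   rather than sent empty
     */
    function testSystemQueries(description, queries, statusErrorCode, apiKey) {
        queries.forEach(function(query) {
            it('[' + description + '] query: ' + query, function(done) {
                var queryStringParams = {q: query};
                if (apiKey) {
                    queryStringParams.api_key = apiKey;
                }
                var request = {
                    headers: {host: 'vizzuality.cartodb.com'},
                    method: 'GET',
                    url: '/api/v1/sql?' + querystring.stringify(queryStringParams)
                };
                assert.response(server, request, function(err, response) {
                    // Report a transport/helper failure as the test's own
                    // error instead of letting `response.statusCode` throw a
                    // TypeError on an undefined response.
                    if (err) {
                        return done(err);
                    }
                    assert.equal(response.statusCode, statusErrorCode);
                    done();
                });
            });
        });
    }
});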