MySqlWallTest.java

/*
 * Copyright 1999-2017 Alibaba Group Holding Ltd.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.alibaba.druid.bvt.filter.wall.mysql;

import junit.framework.TestCase;

import org.junit.Assert;

import com.alibaba.druid.wall.WallUtils;

public class MySqlWallTest extends TestCase {

    public void testWall() throws Exception {
        Assert.assertFalse(WallUtils.isValidateMySql("SELECT * FROM X where id=1 and 1!=1 union select 14,13,12,11,10,@@version_compile_os,8,7,6,5,4,3,2,1 FROM X"));
        Assert.assertTrue(WallUtils.isValidateMySql("select '@@version_compile_os' FROM X"));

        Assert.assertFalse(WallUtils.isValidateMySql("SELECT * FROM X where id=1 and 1!=1 union select hex(load_file(0x633A2F77696E646F77732F7265706169722F73616D))"));
        Assert.assertTrue(WallUtils.isValidateMySql("select hex(load_file(0x633A2F77696E646F77732F7265706169722F73616D))"));
        Assert.assertTrue(WallUtils.isValidateMySql("select 'hex(load_file(0x633A2F77696E646F77732F7265706169722F73616D))'"));

        Assert.assertFalse(WallUtils.isValidateMySql("select * from t where fid = 1 union select 15,version() FROM X"));
        Assert.assertTrue(WallUtils.isValidateMySql("select 15,version() FROM X"));
        Assert.assertTrue(WallUtils.isValidateMySql("select 15,'version'"));

        Assert.assertFalse(WallUtils.isValidateMySql("SELECT *FROM T UNION select 1 from information_schema.columns"));
        Assert.assertTrue(WallUtils.isValidateMySql("select 'information_schema.columns'"));

        Assert.assertFalse(WallUtils.isValidateMySql("SELECT *FROM T UNION select 1 from mysql.user"));
        Assert.assertTrue(WallUtils.isValidateMySql("select 'mysql.user'"));

        Assert.assertFalse(WallUtils.isValidateMySql("select * FROM T WHERE id = 1 AND select 0x3C3F706870206576616C28245F504F53545B2763275D293F3E into outfile '\\www\\edu\\1.php'"));
        Assert.assertTrue(WallUtils.isValidateMySql("select 'outfile'"));

        //Assert.assertFalse(WallUtils.isValidateMySql("select f1, f2 from t where c1=1 union select 1, 2"));
        
        Assert.assertTrue(WallUtils.isValidateMySql("select c1 from t where 1=1 or id =1"));
        Assert.assertFalse(WallUtils.isValidateMySql("select c1 from t where id =1 or 1=1"));
        Assert.assertFalse(WallUtils.isValidateMySql("select c1 from t where id =1 || 1=1"));
        
        Assert.assertFalse(WallUtils.isValidateMySql("select * from person where id = '3'/**/union select v,b,a from (select 1,2,4/*! ,database() as b,user() as a,version() as v*/) a where '1'<>''"));
    }
}