SQLServerWallPermitSchemaTest.java

/*
 * Copyright 1999-2017 Alibaba Group Holding Ltd.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.alibaba.druid.bvt.filter.wall.sqlserver;

import junit.framework.TestCase;

import org.junit.Assert;

import com.alibaba.druid.wall.WallUtils;

/**
 * SQLServerWallPermitSchemaTest
 *
 * @author RaymondXiu
 * @version 1.0, 2012-3-18
 * @see
 */
public class SQLServerWallPermitSchemaTest extends TestCase {

    /**
     * @param name
     */
    public SQLServerWallPermitSchemaTest(String name) {
        super(name);
    }

    /* (non-Javadoc)
     * @see junit.framework.TestCase#setUp()
     */
    protected void setUp() throws Exception {
        super.setUp();
    }

    /* (non-Javadoc)
     * @see junit.framework.TestCase#tearDown()
     */
    protected void tearDown() throws Exception {
        super.tearDown();
    }


    public void test_master() throws Exception {
        Assert.assertFalse(WallUtils.isValidateSqlServer("SELECT *FROM T UNION SELECT name, password FROM master..sysxlogins"));
        Assert.assertFalse(WallUtils.isValidateSqlServer("SELECT *FROM T UNION SELECT permission_name FROM master..fn_my_permissions(null, ‘DATABASE’); "));
        Assert.assertFalse(WallUtils.isValidateSqlServer("SELECT *FROM T UNION SELECT permission_name FROM master..fn_my_permissions(null, ‘SERVER’); "));
        Assert.assertFalse(WallUtils.isValidateSqlServer("SELECT *FROM T UNION SELECT permission_name FROM master..fn_my_permissions(‘master..syslogins’, ‘OBJECT’);"));
        Assert.assertFalse(WallUtils.isValidateSqlServer("SELECT *FROM T UNION SELECT permission_name FROM master..fn_my_permissions(‘sa’, ‘USER’);"));
        Assert.assertFalse(WallUtils.isValidateSqlServer("SELECT *FROM T UNION SELECT name FROM master..syslogins WHERE denylogin = 0;"));
        Assert.assertFalse(WallUtils.isValidateSqlServer("SELECT *FROM T UNION SELECT name FROM master..syslogins WHERE hasaccess = 1;"));
        Assert.assertFalse(WallUtils.isValidateSqlServer("SELECT *FROM T UNION SELECT name FROM master..syslogins WHERE isntname = 0;"));
        Assert.assertFalse(WallUtils.isValidateSqlServer("SELECT *FROM T UNION SELECT name FROM master..syslogins WHERE isntgroup = 0;"));
        Assert.assertFalse(WallUtils.isValidateSqlServer("SELECT *FROM T UNION SELECT name FROM master..syslogins WHERE sysadmin = 1;"));
        Assert.assertFalse(WallUtils.isValidateSqlServer("SELECT *FROM T UNION SELECT name FROM master..syslogins WHERE securityadmin = 1;"));
        Assert.assertFalse(WallUtils.isValidateSqlServer("SELECT *FROM T UNION SELECT name FROM master..syslogins WHERE serveradmin = 1;"));
        Assert.assertFalse(WallUtils.isValidateSqlServer("SELECT *FROM T UNION SELECT name FROM master..syslogins WHERE setupadmin = 1;"));
        Assert.assertFalse(WallUtils.isValidateSqlServer("SELECT *FROM T UNION SELECT name FROM master..syslogins WHERE processadmin = 1;"));
        Assert.assertFalse(WallUtils.isValidateSqlServer("SELECT *FROM T UNION SELECT name FROM master..syslogins WHERE diskadmin = 1;"));
        Assert.assertFalse(WallUtils.isValidateSqlServer("SELECT *FROM T UNION SELECT name FROM master..syslogins WHERE dbcreator = 1;"));
        Assert.assertFalse(WallUtils.isValidateSqlServer("SELECT *FROM T UNION SELECT name FROM master..syslogins WHERE bulkadmin = 1;"));
        Assert.assertFalse(WallUtils.isValidateSqlServer("SELECT *FROM T UNION SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins"));
        Assert.assertFalse(WallUtils.isValidateSqlServer("SELECT *FROM T UNION SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=’sometable’; "));
        Assert.assertFalse(WallUtils.isValidateSqlServer("SELECT *FROM T UNION SELECT name FROM master..sysobjects WHERE xtype = ‘U’; — use xtype = ‘V’ for views SELECT name FROM someotherdb..sysobjects WHERE xtype = ‘U’; "));
        Assert.assertFalse(WallUtils.isValidateSqlServer("SELECT *FROM T UNION SELECT name FROM master..syslogins WHERE sysadmin = ’1′ "));
        Assert.assertFalse(WallUtils.isValidateSqlServer("SELECT *FROM T UNION SELECT name FROM master..sysdatabases;"));
        Assert.assertFalse(WallUtils.isValidateSqlServer("SELECT *FROM T UNION SELECT TOP 1 name FROM (SELECT TOP 9 name FROM master..syslogins ORDER BY name ASC) sq ORDER BY name DESC "));
        Assert.assertFalse(WallUtils.isValidateSqlServer("SELECT *FROM T UNION SELECT name + ‘-’ + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins"));
        Assert.assertFalse(WallUtils.isValidateSqlServer("SELECT *FROM T UNION SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID"));
        Assert.assertFalse(WallUtils.isValidateSqlServer("SELECT *FROM T UNION SELECT name FROM master..syslogins"));
        Assert.assertFalse(WallUtils.isValidateSqlServer("SELECT *FROM T UNION SELECT name, password_hash FROM master.sys.sql_logins"));
    }
}