(t *testing.T)
| 378 | } |
| 379 | |
| 380 | func TestValidateCondValue(t *testing.T) { |
| 381 | // Valid conditions that should pass. |
| 382 | valid := []string{ |
| 383 | ``, |
| 384 | `@if(eq(len(v), 0))`, |
| 385 | ` @if(eq(len(v), 0)) `, |
| 386 | `@if(eq(name, "Alice"))`, |
| 387 | `@if(le(len(c1), 100) AND lt(len(c2), 100))`, |
| 388 | `@if(not(eq(len(v), 0)))`, |
| 389 | `@if(eq(name, "has (parens) inside"))`, |
| 390 | `@filter(eq(len(v), 0))`, |
| 391 | // Spaces between directive and opening paren should be allowed (issue #9687). |
| 392 | `@if (eq(len(v), 0))`, |
| 393 | `@if (eq(len(v), 0))`, |
| 394 | `@filter (eq(len(v), 0))`, |
| 395 | ` @if ( NOT eq(len(RoutesId), 0) ) `, |
| 396 | } |
| 397 | for _, c := range valid { |
| 398 | require.NoError(t, validateCondValue(c), "expected valid: %q", c) |
| 399 | } |
| 400 | |
| 401 | // Invalid conditions that should be rejected. |
| 402 | invalid := []struct { |
| 403 | cond string |
| 404 | desc string |
| 405 | }{ |
| 406 | { |
| 407 | cond: "@if(eq(name, \"x\"))\n leak(func: has(dgraph.type)) { uid }", |
| 408 | desc: "DQL injection via newline and extra query block", |
| 409 | }, |
| 410 | { |
| 411 | cond: "@if(eq(name, \"x\")) } leak(func: uid(0x1)) { uid", |
| 412 | desc: "DQL injection closing brace then new block", |
| 413 | }, |
| 414 | { |
| 415 | cond: "eq(name, \"x\")", |
| 416 | desc: "missing @if/@filter prefix", |
| 417 | }, |
| 418 | { |
| 419 | cond: "@if(eq(name, \"x\")", |
| 420 | desc: "unbalanced parentheses", |
| 421 | }, |
| 422 | { |
| 423 | cond: "@if(eq(name, \"x\")) extra", |
| 424 | desc: "trailing content after condition", |
| 425 | }, |
| 426 | } |
| 427 | for _, tc := range invalid { |
| 428 | require.Error(t, validateCondValue(tc.cond), "expected invalid (%s): %q", tc.desc, tc.cond) |
| 429 | } |
| 430 | } |
| 431 | |
| 432 | func TestValidateValObjectId(t *testing.T) { |
| 433 | valid := []string{ |
nothing calls this directly
no test coverage detected