ronin-code-sql 2.0.0.beta1

data/spec/sql/function_spec.rb

@@ -0,0 +1,25 @@
+require 'spec_helper'
+
+require 'ronin/code/sql/function'
+
+describe Ronin::Code::SQL::Function do
+  describe "#initialize" do
+    context "with no arguments" do
+      subject { described_class.new(:f) }
+
+      it "should set arguments to []" do
+        expect(subject.arguments).to eq([])
+      end
+    end
+
+    context "with multiple arguments" do
+      let(:arguments) { [1,2,3] }
+
+      subject { described_class.new(:f,*arguments) }
+
+      it "should set arguments" do
+        expect(subject.arguments).to eq(arguments)
+      end
+    end
+  end
+end

data/spec/sql/functions_spec.rb

@@ -0,0 +1,113 @@
+require 'spec_helper'
+require 'sql/function_examples'
+require 'ronin/code/sql/functions'
+require 'ronin/code/sql/binary_expr'
+
+describe Ronin::Code::SQL::Functions do
+  subject { Object.new.extend(described_class) }
+
+  describe "#count" do
+    it "should create a COUNT function" do
+      expect(subject.count.name).to eq(:COUNT)
+    end
+
+    context "without arguments" do
+      it "should default arguments to *" do
+        expect(subject.count.arguments).to eq([:*])
+      end
+    end
+  end
+
+  include_examples "Function", :max, [:column]
+  include_examples "Function", :min, [:column]
+  include_examples "Function", :avg, [:column]
+  include_examples "Function", :sum, [:column]
+  include_examples "Function", :sqrt, [1]
+  include_examples "Function", :rand, [1]
+  include_examples "Function", :abs,  [-1]
+  include_examples "Function", :acos, [30]
+  include_examples "Function", :asin, [30]
+  include_examples "Function", :atan, [30]
+  include_examples "Function", :atan2, [30,60]
+  include_examples "Function", :bit_and, [0xff]
+  include_examples "Function", :bit_count, [0xff]
+  include_examples "Function", :bit_or, [0xff]
+  include_examples "Function", :ceil, [0.5]
+  include_examples "Function", :ceiling, [0.5]
+  include_examples "Function", :cos, [0.5]
+  include_examples "Function", :cot, [0.5]
+  include_examples "Function", :degrees, [0.5]
+  include_examples "Function", :exp, [0.5]
+  include_examples "Function", :floor, [0.5]
+  include_examples "Function", :format, [:date, 'YYYY-MM-DD']
+  include_examples "Function", :greatest, [1,2,3,4]
+  include_examples "Function", :interval, [1,2,3,4]
+  include_examples "Function", :least, [1,2,3,4]
+  include_examples "Function", :log, [2], [10,2]
+  include_examples "Function", :log10, [2]
+  include_examples "Function", :mod, [2,10]
+  include_examples "Function", :pi
+  include_examples "Function", :pow, [2,10]
+  include_examples "Function", :power, [2,10]
+  include_examples "Function", :radians, [30]
+  include_examples "Function", :random
+  include_examples "Function", :round, [15.79], [15.79, 1]
+  include_examples "Function", :sign, [10]
+  include_examples "Function", :sin, [30]
+  include_examples "Function", :sqrt, [100]
+  include_examples "Function", :std, [:column]
+  include_examples "Function", :stddev, [:column]
+  include_examples "Function", :tan, [30]
+  include_examples "Function", :truncate, [:price,2]
+  include_examples "Function", :ascii, ["hello"]
+  include_examples "Function", :bin, [12]
+  include_examples "Function", :bit_length, ["hello"]
+  include_examples "Function", :char, [104, 101, 108, 108, 111]
+  include_examples "Function", :char_length, ["hello"]
+  include_examples "Function", :character_length, ["hello"]
+  include_examples "Function", :concat, ["he", "ll", "o"]
+  include_examples "Function", :concat_ws, ["he", "ll", "o"]
+  include_examples "Function", :conv, ["ff", 16, 10]
+  include_examples "Function", :elt, ["ff", 16, 10]
+  include_examples "Function", :export_set, [5, 'Y', 'N']
+  include_examples "Function", :field, ["hello", "lo"]
+  include_examples "Function", :find_in_set, ['b', 'a,b,c,d']
+  include_examples "Function", :glob, [:name, '*foo*']
+  include_examples "Function", :hex, ["hello"]
+  include_examples "Function", :insert, ["hello",1,2,"foo"]
+  include_examples "Function", :instr, ["hello","lo"]
+  include_examples "Function", :lcase, ["HELLO"]
+  include_examples "Function", :left, ["hello", 10]
+  include_examples "Function", :length, ["hello"]
+  include_examples "Function", :like, [:name, '%foo%']
+  include_examples "Function", :load_file, ["path"]
+  include_examples "Function", :locate, ["o", "hello"]
+  include_examples "Function", :lower, ["HELLO"]
+  include_examples "Function", :lpad, ["hello", 10, ' ']
+  include_examples "Function", :ltrim, ["     hello"]
+  include_examples "Function", :make_set, [8|1, 'a', 'b', 'c', 'd']
+  include_examples "Function", :mid, ["hello",2,3]
+  include_examples "Function", :oct, ["55"]
+  include_examples "Function", :octet_length, ["55"]
+  include_examples "Function", :ord, ["55"]
+  include_examples "Function", :position, [
+    Ronin::Code::SQL::BinaryExpr.new('55',:IN,:name)
+  ]
+  include_examples "Function", :quote, ["hello"]
+  include_examples "Function", :repeat, ["A", 100]
+  include_examples "Function", :replace, ["foox", "foo", "bar"]
+  include_examples "Function", :reverse, ["hello"]
+  include_examples "Function", :right, ["hello", 10]
+  include_examples "Function", :rpad, ["hello", 10, ' ']
+  include_examples "Function", :rtrim, ["hello     "]
+  include_examples "Function", :soundex, ["smythe"]
+  include_examples "Function", :space, [10]
+  include_examples "Function", :strcmp, ['foo', 'foox']
+  include_examples "Function", :substring, ['hello', 2, 1]
+  include_examples "Function", :substring_index, ['foo-bar', '-', 1]
+  include_examples "Function", :trim, ['   foo    ']
+  include_examples "Function", :ucase, ['foo']
+  include_examples "Function", :unhex, ['4D7953514C']
+  include_examples "Function", :upper, ['hello']
+  include_examples "Function", :sleep, [5]
+end

data/spec/sql/injection_expr_spec.rb

@@ -0,0 +1,98 @@
+require 'spec_helper'
+require 'ronin/code/sql/injection_expr'
+
+describe Ronin::Code::SQL::InjectionExpr do
+  let(:initial_value) { 1 }
+
+  subject { described_class.new(initial_value) }
+
+  describe "#and" do
+    context "on first call" do
+      before { subject.and { 1 } }
+
+      it "should create a 'AND' BinaryExpr" do
+        expect(subject.expression.operator).to eq(:AND)
+      end
+
+      it "should create an expression with the initial value" do
+        expect(subject.expression.left).to eq(initial_value)
+      end
+
+      it "should create an expression with the expression" do
+        expect(subject.expression.right).to eq(1)
+      end
+    end
+
+    context "on multiple calls" do
+      before { subject.and { 1 }.and { 2 } }
+
+      it "should create another 'AND' BinaryExpr" do
+        expect(subject.expression.operator).to eq(:AND)
+      end
+
+      it "should nest the expressions" do
+        expect(subject.expression.left.right).to eq(1)
+        expect(subject.expression.right).to eq(2)
+      end
+    end
+  end
+
+  describe "#or" do
+    context "on first call" do
+      before { subject.or { 1 } }
+
+      it "should create a 'OR' BinaryExpr" do
+        expect(subject.expression.operator).to eq(:OR)
+      end
+
+      it "should create an expression with the initial value" do
+        expect(subject.expression.left).to eq(initial_value)
+      end
+
+      it "should create an expression with the expression" do
+        expect(subject.expression.right).to eq(1)
+      end
+    end
+
+    context "on multiple calls" do
+      before { subject.or { 1 }.or { 2 } }
+
+      it "should create another 'OR' BinaryExpr" do
+        expect(subject.expression.operator).to eq(:OR)
+      end
+
+      it "should nest the expressions" do
+        expect(subject.expression.left.right).to eq(1)
+        expect(subject.expression.right).to eq(2)
+      end
+    end
+  end
+
+  describe "#to_sql" do
+    context "without additional expressions" do
+      subject { described_class.new(1) }
+
+      it "should still emit the initial value" do
+        expect(subject.to_sql).to eq('1')
+      end
+    end
+
+    context "with an additional expression" do
+      subject do
+        sqli = described_class.new(1)
+        sqli.or { 1 == 1 }
+        sqli
+      end
+
+      it "should emit the expression" do
+        expect(subject.to_sql).to eq('1 OR 1=1')
+      end
+
+      context "when given emitter options" do
+        it "should accept additional options" do
+          expect(subject.to_sql(case: :lower)).to eq('1 or 1=1')
+        end
+      end
+    end
+  end
+end

data/spec/sql/injection_spec.rb

@@ -0,0 +1,172 @@
+require 'spec_helper'
+require 'ronin/code/sql/injection'
+
+describe Ronin::Code::SQL::Injection do
+  describe "PLACE_HOLDERS" do
+    subject { described_class::PLACE_HOLDERS }
+
+    it { should include(integer: 1)   }
+    it { should include(decimal: 1.0) }
+    it { should include(string: '1')  }
+    it { should include(list: [nil])  }
+    it { should include(column: :id)  }
+  end
+
+  describe "#initialize" do
+    context "with no arguments" do
+      it { expect(subject.escape).to       eq(:integer) }
+      it { expect(subject.place_holder).to eq(1)        }
+    end
+
+    context "with :escape" do
+      context "with no :place_holder" do
+        let(:place_holders) { described_class::PLACE_HOLDERS }
+        let(:escape) { :string }
+
+        subject { described_class.new(escape: escape) }
+
+        it "should default the place_holder based on the :escape type" do
+          expect(subject.place_holder).to eq(place_holders[escape])
+        end
+      end
+    end
+
+    context "with :place_holder" do
+      let(:data) { 'A' }
+
+      subject { described_class.new(place_holder: data) }
+
+      it "should pass it to the InjectionExpr" do
+        expect(subject.expression.expression).to eq(data)
+      end
+    end
+
+    context "when a block is given" do
+      subject { described_class.new { @x = 1 } }
+
+      it "should instance_eval the block" do
+        expect(subject.instance_variable_get(:@x)).to eq(1)
+      end
+    end
+  end
+
+  describe "#to_sql" do
+    context "without an expression" do
+      subject { described_class.new(place_holder: 1) }
+
+      it "should still emit the place-holder value" do
+        expect(subject.to_sql).to eq('1')
+      end
+
+      context "with clauses" do
+        subject do
+          sqli = described_class.new(place_holder: 1)
+          sqli.limit(100).offset(10)
+          sqli
+        end
+
+        it "should emit the clauses" do
+          expect(subject.to_sql).to eq('1 LIMIT 100 OFFSET 10')
+        end
+      end
+    end
+
+    context "with an expression" do
+      subject do
+        sqli = described_class.new
+        sqli.or { 1 == 1 }
+        sqli
+      end
+
+      it "should emit the expression" do
+        expect(subject.to_sql).to eq('1 OR 1=1')
+      end
+
+      context "with clauses" do
+        subject do
+          sqli = described_class.new
+          sqli.or { 1 == 1 }.limit(100).offset(10)
+          sqli
+        end
+
+        it "should emit the clauses" do
+          expect(subject.to_sql).to eq('1 OR 1=1 LIMIT 100 OFFSET 10')
+        end
+
+        context "with :space" do
+          it "should emit the clauses with custom spaces" do
+            expect(subject.to_sql(space: '/**/')).to eq('1/**/OR/**/1=1/**/LIMIT/**/100/**/OFFSET/**/10')
+          end
+        end
+      end
+
+      context "with statements" do
+        subject do
+          sqli = described_class.new
+          sqli.or { 1 == 1 }.select(1,2,3)
+          sqli
+        end
+
+        it "should emit the clauses" do
+          expect(subject.to_sql).to eq('1 OR 1=1; SELECT (1,2,3)')
+        end
+
+        context "with :space" do
+          it "should emit the statements with custom spaces" do
+            expect(subject.to_sql(space: '/**/')).to eq('1/**/OR/**/1=1;/**/SELECT/**/(1,2,3)')
+          end
+        end
+      end
+    end
+
+    context "when escaping a string value" do
+      context "when the place-holder and last operand are Strings" do
+        subject do
+          sqli = described_class.new(escape: :string)
+          sqli.or { string(1) == string(1) }
+          sqli
+        end 
+
+        it "should balance the quotes" do
+          expect(subject.to_sql).to eq("1' OR '1'='1")
+        end
+      end
+
+      context "when the place-holder and last operand are not both Strings" do
+        subject do
+          sqli = described_class.new(escape: :string)
+          sqli.or { int(1) == int(1) }
+          sqli
+        end 
+
+        it "should terminate the SQL statement" do
+          expect(subject.to_sql).to eq("1' OR 1=1;--")
+        end
+      end
+
+      context "when terminating" do
+        subject do
+          sqli = described_class.new(escape: :string)
+          sqli.or { string(1) == string(1) }
+          sqli
+        end 
+
+        it "should terminate the SQL statement" do
+          expect(subject.to_sql(terminate: true)).to eq("1' OR '1'='1';--")
+        end
+      end
+    end
+
+    context "when terminating" do
+      subject do
+        sqli = described_class.new(escape: :integer)
+        sqli.or { 1 == 1 }
+        sqli
+      end 
+
+      it "should terminate the SQL statement" do
+        expect(subject.to_sql(terminate: true)).to eq("1 OR 1=1;--")
+      end
+    end
+  end
+end

data/spec/sql/literal_spec.rb

@@ -0,0 +1,5 @@
+require 'spec_helper'
+require 'ronin/code/sql/literal'
+
+describe Ronin::Code::SQL::Literal do
+end

data/spec/sql/literals_spec.rb

@@ -0,0 +1,46 @@
+require 'spec_helper'
+require 'ronin/code/sql/literals'
+
+describe Ronin::Code::SQL::Literals do
+  subject { Object.new.extend(described_class) }
+
+  describe "#null" do
+    it "should return a Literal" do
+      expect(subject.null).to be_kind_of(Ronin::Code::SQL::Literal)
+    end
+
+    it "should have the value of :NULL" do
+      expect(subject.null.value).to eq(:NULL)
+    end
+  end
+
+  describe "#int" do
+    it "should return a Literal" do
+      expect(subject.int(5)).to be_kind_of(Ronin::Code::SQL::Literal)
+    end
+
+    it "should convert the value to an Integer" do
+      expect(subject.int('5').value).to eq(5)
+    end
+  end
+
+  describe "#float" do
+    it "should return a Literal" do
+      expect(subject.float(1.5)).to be_kind_of(Ronin::Code::SQL::Literal)
+    end
+
+    it "should convert the value to a Float" do
+      expect(subject.float('1.5').value).to eq(1.5)
+    end
+  end
+
+  describe "#float" do
+    it "should return a Literal" do
+      expect(subject.string('A')).to be_kind_of(Ronin::Code::SQL::Literal)
+    end
+
+    it "should convert the value to a String" do
+      expect(subject.string(42).value).to eq('42')
+    end
+  end
+end

data/spec/sql/operators_spec.rb

@@ -0,0 +1,44 @@
+require 'spec_helper'
+require 'ronin/code/sql/operators'
+require 'sql/binary_expr_examples'
+require 'sql/unary_expr_examples'
+
+describe Ronin::Code::SQL::Operators do
+  subject { Object.new.extend(described_class) }
+
+  let(:operand) { 1 }
+
+  include_examples "BinaryExpr", :*
+  include_examples "BinaryExpr", :/
+  include_examples "BinaryExpr", :%
+  include_examples "BinaryExpr", :+
+  include_examples "BinaryExpr", :-
+  include_examples "BinaryExpr", :<<
+  include_examples "BinaryExpr", :>>
+  include_examples "BinaryExpr", :&
+  include_examples "BinaryExpr", :|
+  include_examples "BinaryExpr", :<
+  include_examples "BinaryExpr", :<=
+  include_examples "BinaryExpr", :>
+  include_examples "BinaryExpr", :>=
+  include_examples "BinaryExpr", :==, :"="
+  include_examples "BinaryExpr", :!=
+  include_examples "BinaryExpr", :as, :AS
+  include_examples "BinaryExpr", :is, :IS
+  include_examples "BinaryExpr", :is_not, [:IS, :NOT]
+  include_examples "BinaryExpr", :like, :LIKE
+  include_examples "BinaryExpr", :glob, :GLOB
+  include_examples "BinaryExpr", :match, :MATCH
+  include_examples "BinaryExpr", :regexp, :REGEXP
+  include_examples "BinaryExpr", :in, :IN
+
+  include_examples "UnaryExpr", :-@, :-
+  include_examples "UnaryExpr", :+@, :+
+
+  include_examples "UnaryExpr", :~
+  include_examples "UnaryExpr", :!
+  include_examples "UnaryExpr", :not, :NOT
+
+  include_examples "BinaryExpr", :and, :AND
+  include_examples "BinaryExpr", :or, :OR
+end

data/spec/sql/statement_examples.rb

@@ -0,0 +1,39 @@
+require 'spec_helper'
+
+shared_examples_for "Statement" do |method,keyword,argument=nil|
+  describe "##{method}" do
+    case argument
+    when Array
+      let(:arguments) { argument }
+
+      let(:statement) { subject.send(method,*arguments) }
+    when NilClass
+      let(:statement) { subject.send(method) }
+    else
+      let(:statement) { subject.send(method,argument) }
+    end
+
+    it "should add a #{keyword} clause" do
+      expect(statement.keyword).to eq(keyword)
+    end
+
+    case argument
+    when Proc
+      it "should accept a block" do
+        expect(statement.argument).not_to be_nil
+      end
+    when NilClass
+      it "should not have an argument" do
+        expect(statement.argument).to be_nil
+      end
+    when Array
+      it "should accept an argument" do
+        expect(statement.argument).to eq(arguments)
+      end
+    else
+      it "should accept an argument" do
+        expect(statement.argument).to eq(argument)
+      end
+    end
+  end
+end

data/spec/sql/statement_list_spec.rb

@@ -0,0 +1,48 @@
+require 'spec_helper'
+require 'ronin/code/sql/statement_list'
+
+describe Ronin::Code::SQL::StatementList do
+  describe "#initialize" do
+    context "when given a block" do
+      subject do
+        described_class.new { @x = 1 }
+      end
+
+      it "should instance_eval the block" do
+        expect(subject.instance_variable_get(:@x)).to eq(1)
+      end
+
+      context "that accepts an argument" do
+        it "should yield itself" do
+          yielded_statement_list = nil
+
+          described_class.new do |statement_list|
+            yielded_statement_list = statement_list
+          end
+
+          expect(yielded_statement_list).to be_kind_of(described_class)
+        end
+      end
+    end
+  end
+
+  describe "#<<" do
+    let(:keyword) { :SELECT }
+
+    before { subject << Ronin::Code::SQL::Statement.new(keyword) }
+
+    it "should append a new statement" do
+      expect(subject.statements.last.keyword).to eq(keyword)
+    end
+  end
+
+  describe "#statement" do
+    let(:keyword) { [:ALTER, :TABLE] }
+
+    before { subject.statement(keyword) }
+
+    it "should create and append a new Statement" do
+      expect(subject.statements.last.keyword).to eq(keyword)
+    end
+  end
+end

data/spec/sql/statement_spec.rb

@@ -0,0 +1,38 @@
+require 'spec_helper'
+require 'ronin/code/sql/statement'
+
+describe Ronin::Code::SQL::Statement do
+  describe "#initialize" do
+    context "when given an argument" do
+      let(:argument) { 1 }
+
+      subject { described_class.new(:STATEMENT,argument) }
+
+      it "should set the argument" do
+        expect(subject.argument).to eq(argument)
+      end
+    end
+
+    context "when given a block" do
+      subject do
+        described_class.new(:STATEMENT) { @x = 1 }
+      end
+
+      it "should instance_eval the block" do
+        expect(subject.instance_variable_get(:@x)).to eq(1)
+      end
+
+      context "that accepts an argument" do
+        it "should yield itself" do
+          yielded_statement = nil
+
+          described_class.new(:STATEMENT) do |stmt|
+            yielded_statement = stmt
+          end
+
+          expect(yielded_statement).to be_kind_of(described_class)
+        end
+      end
+    end
+  end
+end

data/spec/sql/statements_spec.rb

@@ -0,0 +1,22 @@
+require 'spec_helper'
+require 'sql/statement_examples'
+require 'ronin/code/sql/statement'
+require 'ronin/code/sql/statements'
+
+describe Ronin::Code::SQL::Statements do
+  subject { Object.new.extend(described_class) }
+
+  describe "#statement" do
+    let(:keyword) { :EXEC }
+
+    it "should create an arbitrary statement" do
+      expect(subject.statement(keyword).keyword).to eq(keyword)
+    end
+  end
+
+  include_examples "Statement", :select, :SELECT, [1,2,3,:id]
+  include_examples "Statement", :insert, :INSERT
+  include_examples "Statement", :update, :UPDATE, :table
+  include_examples "Statement", :delete, [:DELETE, :FROM], :table
+  include_examples "Statement", :drop_table, [:DROP, :TABLE], :table
+end

data/spec/sql/unary_expr_examples.rb

@@ -0,0 +1,20 @@
+require 'spec_helper'
+require 'ronin/code/sql/unary_expr'
+
+shared_examples_for "UnaryExpr" do |method,operator=method|
+  describe "##{method}" do
+    let(:expr) { subject.send(method) }
+
+    it "should be a UnaryExpr" do
+      expect(expr).to be_kind_of(Ronin::Code::SQL::UnaryExpr)
+    end
+
+    it "should set the operand" do
+      expect(expr.operand).to eq(subject)
+    end
+
+    it "should have a '#{operator}' operator" do
+      expect(expr.operator).to eq(operator)
+    end
+  end
+end

data/spec/sql/unary_expr_spec.rb

@@ -0,0 +1,5 @@
+require 'spec_helper'
+require 'ronin/code/sql/unary_expr'
+
+describe Ronin::Code::SQL::UnaryExpr do
+end