ronin-sql 0.2.4 → 1.0.0

data/spec/sql/field_spec.rb

@@ -0,0 +1,103 @@
+require 'spec_helper'
+require 'ronin/sql/field'
+
+describe SQL::Field do
+  describe "#initialize" do
+    it "should convert name to a String" do
+      described_class.new(:table).name.should == 'table'
+    end
+
+    it "should default parent to nil" do
+      described_class.new('table').parent.should be_nil
+    end
+  end
+
+  describe "parse" do
+    context "when passed a single field" do
+      let(:name) { "column" }
+
+      subject { described_class.parse(name) }
+
+      it "should parse the field name" do
+        subject.name.should == name
+      end
+
+      it "should not have a parent" do
+        subject.parent.should be_nil
+      end
+    end
+
+    context "when parsing multiple fields" do
+      let(:parent) { "table"  }
+      let(:name)   { "column" }
+
+      subject { described_class.parse("#{parent}.#{name}") }
+
+      it "should parse the field name" do
+        subject.name.should == name
+      end
+
+      it "should parse the parent field" do
+        subject.parent.name.should == parent
+      end
+    end
+  end
+
+  describe "#to_s" do
+    context "when parent is nil" do
+      let(:name) { "column" }
+
+      subject { described_class.new(name) }
+
+      it "should return the name" do
+        subject.to_s.should == name
+      end
+    end
+
+    context "when parent is set" do
+      let(:parent) { "table"  }
+      let(:name)   { "column" }
+
+      subject { described_class.new(name,described_class.new(parent)) }
+
+      it "should return the name" do
+        subject.to_s.should == "#{parent}.#{name}"
+      end
+    end
+  end
+
+  describe "#method_missing" do
+    context "at depth 1" do
+      subject { described_class.new('table') }
+
+      it "should allow accessing sub-fields" do
+        subject.column.name.should == 'column'
+      end
+    end
+
+    context "at depth 2" do
+      subject { described_class.new('table',described_class.new('db')) }
+
+      it "should allow accessing sub-fields" do
+        subject.column.name.should == 'column'
+      end
+    end
+
+    context "at depth 3" do
+      subject do
+        described_class.new(
+          'column',
+          described_class.new(
+            'table', described_class.new('db')
+          )
+        )
+      end
+
+      it "should not allow accessing sub-fields" do
+        lambda {
+          subject.column
+        }.should raise_error(NoMethodError)
+      end
+    end
+  end
+end

data/spec/sql/fields_spec.rb

@@ -0,0 +1,40 @@
+require 'spec_helper'
+require 'ronin/sql/fields'
+
+describe SQL::Fields do
+  subject { Object.new.extend(described_class) }
+
+  describe "#respond_to_missing?" do
+    it "should return true" do
+      subject.respond_to_missing?(double(:method)).should be(true)
+    end
+  end
+
+  its(:to_ary) { should be_nil }
+
+  describe "#method_missing" do
+    let(:name) { 'users' }
+
+    context "when called with no arguments and no block" do
+      it "should create a Field" do
+        subject.send(name).name.should == name
+      end
+    end
+
+    context "when called with arguments" do
+      it "should raise a NoMethodError" do
+        lambda {
+          subject.sned(name,1,2,3)
+        }.should raise_error(NoMethodError)
+      end
+    end
+
+    context "when called with a block" do
+      it "should raise a NoMethodError" do
+        lambda {
+          subject.sned(name) { 1 + 1 }
+        }.should raise_error(NoMethodError)
+      end
+    end
+  end
+end

data/spec/sql/function_examples.rb

@@ -0,0 +1,30 @@
+require 'spec_helper'
+
+shared_examples_for "Function" do |method,arguments=[],additional_arguments=[]|
+  describe "##{method}" do
+    let(:name) { method.upcase }
+    let(:func) { subject.send(method,*arguments) }
+
+    it "should create a #{method.upcase} function" do
+      func.name.should == name
+    end
+
+    unless arguments.empty?
+      it "should set the arguments" do
+        func.arguments.should == arguments
+      end
+    end
+
+    unless additional_arguments.empty?
+      context "when passed additional arguments" do
+        let(:func) { subject.send(method,*additional_arguments) }
+
+        it "should set the arguments" do
+          func.arguments.should == additional_arguments
+        end
+      end
+    end
+  end
+end
+
+

data/spec/sql/function_spec.rb

@@ -0,0 +1,25 @@
+require 'spec_helper'
+
+require 'ronin/sql/function'
+
+describe SQL::Function do
+  describe "#initialize" do
+    context "with no arguments" do
+      subject { described_class.new(:f) }
+
+      it "should set arguments to []" do
+        subject.arguments.should == []
+      end
+    end
+
+    context "with multiple arguments" do
+      let(:arguments) { [1,2,3] }
+
+      subject { described_class.new(:f,*arguments) }
+
+      it "should set arguments" do
+        subject.arguments.should == arguments
+      end
+    end
+  end
+end

data/spec/sql/functions_spec.rb

@@ -0,0 +1,110 @@
+require 'spec_helper'
+require 'sql/function_examples'
+require 'ronin/sql/functions'
+require 'ronin/sql/binary_expr'
+
+describe SQL::Functions do
+  subject { Object.new.extend(described_class) }
+
+  describe "#count" do
+    it "should create a COUNT function" do
+      subject.count.name.should == :COUNT
+    end
+
+    context "without arguments" do
+      it "should default arguments to *" do
+        subject.count.arguments.should == [:*]
+      end
+    end
+  end
+
+  include_examples "Function", :max, [:column]
+  include_examples "Function", :min, [:column]
+  include_examples "Function", :avg, [:column]
+  include_examples "Function", :sum, [:column]
+  include_examples "Function", :sqrt, [1]
+  include_examples "Function", :rand, [1]
+  include_examples "Function", :abs,  [-1]
+  include_examples "Function", :acos, [30]
+  include_examples "Function", :asin, [30]
+  include_examples "Function", :atan, [30]
+  include_examples "Function", :atan2, [30,60]
+  include_examples "Function", :bit_and, [0xff]
+  include_examples "Function", :bit_count, [0xff]
+  include_examples "Function", :bit_or, [0xff]
+  include_examples "Function", :ceil, [0.5]
+  include_examples "Function", :ceiling, [0.5]
+  include_examples "Function", :cos, [0.5]
+  include_examples "Function", :cot, [0.5]
+  include_examples "Function", :degrees, [0.5]
+  include_examples "Function", :exp, [0.5]
+  include_examples "Function", :floor, [0.5]
+  include_examples "Function", :format, [:date, 'YYYY-MM-DD']
+  include_examples "Function", :greatest, [1,2,3,4]
+  include_examples "Function", :interval, [1,2,3,4]
+  include_examples "Function", :least, [1,2,3,4]
+  include_examples "Function", :log, [2], [10,2]
+  include_examples "Function", :log10, [2]
+  include_examples "Function", :mod, [2,10]
+  include_examples "Function", :pi
+  include_examples "Function", :pow, [2,10]
+  include_examples "Function", :power, [2,10]
+  include_examples "Function", :radians, [30]
+  include_examples "Function", :random
+  include_examples "Function", :round, [15.79], [15.79, 1]
+  include_examples "Function", :sign, [10]
+  include_examples "Function", :sin, [30]
+  include_examples "Function", :sqrt, [100]
+  include_examples "Function", :std, [:column]
+  include_examples "Function", :stddev, [:column]
+  include_examples "Function", :tan, [30]
+  include_examples "Function", :truncate, [:price,2]
+  include_examples "Function", :ascii, ["hello"]
+  include_examples "Function", :bin, [12]
+  include_examples "Function", :bit_length, ["hello"]
+  include_examples "Function", :char, [104, 101, 108, 108, 111]
+  include_examples "Function", :char_length, ["hello"]
+  include_examples "Function", :character_length, ["hello"]
+  include_examples "Function", :concat, ["he", "ll", "o"]
+  include_examples "Function", :concat_ws, ["he", "ll", "o"]
+  include_examples "Function", :conv, ["ff", 16, 10]
+  include_examples "Function", :elt, ["ff", 16, 10]
+  include_examples "Function", :export_set, [5, 'Y', 'N']
+  include_examples "Function", :field, ["hello", "lo"]
+  include_examples "Function", :find_in_set, ['b', 'a,b,c,d']
+  include_examples "Function", :glob, [:name, '*foo*']
+  include_examples "Function", :hex, ["hello"]
+  include_examples "Function", :insert, ["hello",1,2,"foo"]
+  include_examples "Function", :instr, ["hello","lo"]
+  include_examples "Function", :lcase, ["HELLO"]
+  include_examples "Function", :left, ["hello", 10]
+  include_examples "Function", :length, ["hello"]
+  include_examples "Function", :like, [:name, '%foo%']
+  include_examples "Function", :load_file, ["path"]
+  include_examples "Function", :locate, ["o", "hello"]
+  include_examples "Function", :lower, ["HELLO"]
+  include_examples "Function", :lpad, ["hello", 10, ' ']
+  include_examples "Function", :ltrim, ["     hello"]
+  include_examples "Function", :make_set, [8|1, 'a', 'b', 'c', 'd']
+  include_examples "Function", :mid, ["hello",2,3]
+  include_examples "Function", :oct, ["55"]
+  include_examples "Function", :octet_length, ["55"]
+  include_examples "Function", :ord, ["55"]
+  include_examples "Function", :position, [SQL::BinaryExpr.new('55',:IN,:name)]
+  include_examples "Function", :quote, ["hello"]
+  include_examples "Function", :repeat, ["A", 100]
+  include_examples "Function", :replace, ["foox", "foo", "bar"]
+  include_examples "Function", :reverse, ["hello"]
+  include_examples "Function", :right, ["hello", 10]
+  include_examples "Function", :rpad, ["hello", 10, ' ']
+  include_examples "Function", :rtrim, ["hello     "]
+  include_examples "Function", :soundex, ["smythe"]
+  include_examples "Function", :space, [10]
+  include_examples "Function", :strcmp, ['foo', 'foox']
+  include_examples "Function", :substring, ['hello', 2, 1]
+  include_examples "Function", :substring_index, ['foo-bar', '-', 1]
+  include_examples "Function", :trim, ['   foo    ']
+  include_examples "Function", :ucase, ['foo']
+  include_examples "Function", :unhex, ['4D7953514C']
+  include_examples "Function", :upper, ['hello']
+end

data/spec/sql/injection_spec.rb

@@ -0,0 +1,233 @@
+require 'spec_helper'
+require 'ronin/sql/injection'
+
+describe SQL::Injection do
+  describe "PLACE_HOLDERS" do
+    subject { described_class::PLACE_HOLDERS }
+
+    it { should include(integer: 1)   }
+    it { should include(decimal: 1.0) }
+    it { should include(string: '1')  }
+    it { should include(list: [nil])  }
+    it { should include(column: :id)  }
+  end
+
+  describe "#initialize" do
+    context "with no arguments" do
+      its(:escape)       { should == :integer }
+      its(:place_holder) { should == 1 }
+    end
+
+    context "with :escape" do
+      context "with no :place_holder" do
+        let(:place_holders) { described_class::PLACE_HOLDERS }
+        let(:escape) { :string }
+
+        subject { described_class.new(:escape => escape) }
+
+        it "should default the place_holder based on the :escape type" do
+          subject.place_holder.should == place_holders[escape]
+        end
+      end
+    end
+
+    context "with :place_holder" do
+      let(:data) { 'A' }
+
+      subject { described_class.new(:place_holder => data) }
+
+      its(:place_holder) { should == data }
+      its(:expression)   { should == data }
+    end
+
+    context "when a block is given" do
+      subject { described_class.new { @x = 1 } }
+
+      it "should instance_eval the block" do
+        subject.instance_variable_get(:@x).should == 1
+      end
+    end
+  end
+
+  describe "#and" do
+    context "on first call" do
+      before { subject.and { 1 } }
+
+      it "should create a 'AND' BinaryExpr" do
+        subject.expression.operator.should == :AND
+      end
+
+      it "should create an expression with the place-holder" do
+        subject.expression.left.should == subject.place_holder
+      end
+
+      it "should create an expression with the expression" do
+        subject.expression.right.should == 1
+      end
+    end
+
+    context "on multiple calls" do
+      before { subject.and { 1 }.and { 2 } }
+
+      it "should create another 'AND' BinaryExpr" do
+        subject.expression.operator.should == :AND
+      end
+
+      it "should nest the expressions" do
+        subject.expression.left.right.should == 1
+        subject.expression.right.should == 2
+      end
+    end
+  end
+
+  describe "#or" do
+    context "on first call" do
+      before { subject.or { 1 } }
+
+      it "should create a 'OR' BinaryExpr" do
+        subject.expression.operator.should == :OR
+      end
+
+      it "should create an expression with the place-holder" do
+        subject.expression.left.should == subject.place_holder
+      end
+
+      it "should create an expression with the expression" do
+        subject.expression.right.should == 1
+      end
+    end
+
+    context "on multiple calls" do
+      before { subject.or { 1 }.or { 2 } }
+
+      it "should create another 'OR' BinaryExpr" do
+        subject.expression.operator.should == :OR
+      end
+
+      it "should nest the expressions" do
+        subject.expression.left.right.should == 1
+        subject.expression.right.should == 2
+      end
+    end
+  end
+
+  describe "#to_sql" do
+    context "without an expression" do
+      subject { described_class.new(place_holder: 1) }
+
+      it "should still emit the place-holder value" do
+        subject.to_sql.should == '1'
+      end
+
+      context "with clauses" do
+        subject do
+          sqli = described_class.new(place_holder: 1)
+          sqli.limit(100).offset(10)
+          sqli
+        end
+
+        it "should emit the clauses" do
+          subject.to_sql.should == '1 LIMIT 100 OFFSET 10'
+        end
+      end
+    end
+
+    context "with an expression" do
+      subject do
+        sqli = described_class.new
+        sqli.or { 1 == 1 }
+        sqli
+      end
+
+      it "should emit the expression" do
+        subject.to_sql.should == '1 OR 1=1'
+      end
+
+      context "with clauses" do
+        subject do
+          sqli = described_class.new
+          sqli.or { 1 == 1 }.limit(100).offset(10)
+          sqli
+        end
+
+        it "should emit the clauses" do
+          subject.to_sql.should == '1 OR 1=1 LIMIT 100 OFFSET 10'
+        end
+
+        context "with :space" do
+          it "should emit the clauses with custom spaces" do
+            subject.to_sql(space: '/**/').should == '1/**/OR/**/1=1/**/LIMIT/**/100/**/OFFSET/**/10'
+          end
+        end
+      end
+
+      context "with statements" do
+        subject do
+          sqli = described_class.new
+          sqli.or { 1 == 1 }.select(1,2,3)
+          sqli
+        end
+
+        it "should emit the clauses" do
+          subject.to_sql.should == '1 OR 1=1; SELECT (1,2,3)'
+        end
+
+        context "with :space" do
+          it "should emit the statements with custom spaces" do
+            subject.to_sql(space: '/**/').should == '1/**/OR/**/1=1;/**/SELECT/**/(1,2,3)'
+          end
+        end
+      end
+    end
+
+    context "when escaping a string value" do
+      context "when the place-holder and last operand are Strings" do
+        subject do
+          sqli = described_class.new(escape: :string)
+          sqli.or { string(1) == string(1) }
+          sqli
+        end 
+
+        it "should balance the quotes" do
+          subject.to_sql.should == "1' OR '1'='1"
+        end
+      end
+
+      context "when the place-holder and last operand are not both Strings" do
+        subject do
+          sqli = described_class.new(escape: :string)
+          sqli.or { int(1) == int(1) }
+          sqli
+        end 
+
+        it "should terminate the SQL statement" do
+          subject.to_sql.should == "1' OR 1=1;--"
+        end
+      end
+
+      context "when terminating" do
+        subject do
+          sqli = described_class.new(escape: :string)
+          sqli.or { string(1) == string(1) }
+          sqli
+        end 
+
+        it "should terminate the SQL statement" do
+          subject.to_sql(terminate: true).should == "1' OR '1'='1';--"
+        end
+      end
+    end
+
+    context "when terminating" do
+      subject do
+        sqli = described_class.new(escape: :integer)
+        sqli.or { 1 == 1 }
+        sqli
+      end 
+
+      it "should terminate the SQL statement" do
+        subject.to_sql(terminate: true).should == "1 OR 1=1;--"
+      end
+    end
+  end
+end