From 361fa1316ade6ad0f2ce3e5c59b84d5b14a4f482 Mon Sep 17 00:00:00 2001
From: "$(pass /github/name)" <$(pass /github/email)>
Date: Fri, 20 Sep 2024 08:27:34 +0200
Subject: [PATCH] add sql injection test

---
 internal/controllers/SQLInjection_test.go | 71 +++++++++++++++++++++++
 internal/controllers/controllers_test.go | 38 +++++++++++-
 2 files changed, 106 insertions(+), 3 deletions(-)
 create mode 100644 internal/controllers/SQLInjection_test.go

diff --git a/internal/controllers/SQLInjection_test.go b/internal/controllers/SQLInjection_test.go
new file mode 100644
index 0000000..bed1b36
--- /dev/null
+++ b/internal/controllers/SQLInjection_test.go
@@ -0,0 +1,71 @@
+package controllers
+
+import (
+ "encoding/json"
+ "fmt"
+ "io"
+ "net/http"
+ "net/http/httptest"
+ "testing"
+
+ "github.com/gin-gonic/gin"
+)
+
+type SQLInjectionTest struct {
+ name string
+ email string
+ password string
+ expectedStatus int
+}
+
+func (sit *SQLInjectionTest) SetupContext() (*gin.Context, *httptest.ResponseRecorder, *gin.Engine) {
+ loginData := loginInput{
+ Email: sit.email,
+ Password: sit.password,
+ }
+ jsonData, _ := json.Marshal(loginData)
+ return GetMockedJSONContext(jsonData, "/login")
+}
+
+func (sit *SQLInjectionTest) RunHandler(c *gin.Context, router *gin.Engine) {
+ router.POST("/login", Uc.LoginHandler)
+ router.ServeHTTP(c.Writer, c.Request)
+}
+
+func (sit *SQLInjectionTest) ValidateResponse(w *httptest.ResponseRecorder) error {
+ if sit.expectedStatus != w.Code {
+ responseBody, _ := io.ReadAll(w.Body)
+ return fmt.Errorf("SQL Injection Attempt: Didn't get the expected response code: got: %v; expected: %v. Context: %#v", w.Code, sit.expectedStatus, string(responseBody))
+ }
+ return nil
+}
+
+func (sit *SQLInjectionTest) ValidateResult() error {
+ // Add any additional validation if needed
+ return nil
+}
+
+func testSQLInjectionAttempt(t *testing.T) {
+ tests := []SQLInjectionTest{
+ {
+ name: "SQL Injection Attempt in Email",
+ email: "' OR '1'='1",
+ password: "password123",
+ expectedStatus: http.StatusNotFound,
+ },
+ {
+ name: "SQL Injection Attempt in Password",
+ email: "user@example.com",
+ password: "' OR '1'='1",
+ expectedStatus: http.StatusNotFound,
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ if err := runSingleTest(&tt); err != nil {
+ t.Errorf("Test failed: %v", err.Error())
+ }
+ })
+ }
+}
diff --git a/internal/controllers/controllers_test.go b/internal/controllers/controllers_test.go
index e324c85..8da8bfe 100644
--- a/internal/controllers/controllers_test.go
+++ b/internal/controllers/controllers_test.go
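Review bot: The second case in testSQLInjectionAttempt (`email: "user@example.com"` with the payload in `password`) expects the same `http.StatusNotFound` as the unknown-email case, so unless `user@example.com` is seeded in test.db the payload never reaches the password comparison and both cases exercise the same user-lookup path. Using an account that exists at that point (the fixture added in this patch uses `john.doe@example.com`, if it is created before this subtest runs) would make the password case meaningful, with `expectedStatus` set to whatever LoginHandler returns for a wrong password. Comparing only the status code also leaves open whether a credential was issued; ValidateResponse could additionally assert that the recorder carries no session cookie or token, depending on what LoginHandler sets on success. ValidateResult is a stub (`// Add any additional validation if needed`); either drop it if the runSingleTest contract does not require the method, or state in the comment that status checking is intentionally the only validation.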
@@ -10,6 +10,7 @@ import ( "path/filepath" "strconv" "testing" + "time" "log" @@ -36,6 +37,11 @@ const ( Port int = 2525 ) +type loginInput struct { + Email string `json:"email"` + Password string `json:"password"` +} + var ( Uc *UserController Mc *MembershipController @@ -73,6 +79,9 @@ func TestSuite(t *testing.T) { if err := os.Setenv("BASE_URL", "http://"+Host+":2525"); err != nil { log.Fatalf("Error setting environment variable: %v", err) } + if err := os.Setenv("DB_PATH", "test.db"); err != nil { + log.Fatalf("Error setting environment variable: %v", err) + } config.LoadConfig() if err := database.Open("test.db", config.Recipients.AdminEmail); err != nil { log.Fatalf("Failed to create DB: %#v", err) @@ -100,13 +109,14 @@ func TestSuite(t *testing.T) { log.Fatalf("Failed to init Subscription plans: %#v", err) } - // Run all tests - // code := m.Run() - t.Run("userController", func(t *testing.T) { testUserController(t) }) + t.Run("SQL_Injection", func(t *testing.T) { + testSQLInjectionAttempt(t) + }) + t.Run("contactController", func(t *testing.T) { testContactController(t) }) @@ -115,6 +125,10 @@ func TestSuite(t *testing.T) { testMembershipController(t) }) + t.Run("XSSAttempt", func(t *testing.T) { + testXSSAttempt(t) + }) + if err := utils.SMTPStop(); err != nil { log.Fatalf("Failed to stop SMTP Mockup Server: %#v", err) } 
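Review bot: The `loginInput` struct added in the `@@ -36,6 +37,11 @@` hunk duplicates the JSON contract of LoginHandler (`json:"email"`, `json:"password"`) inside the test file; if the handler already has a request type in the controllers package, reusing it here means a renamed field breaks the SQL-injection test at compile time rather than letting it silently post a body the handler ignores. If no such type is exported, a one-line comment such as `// loginInput mirrors the JSON body LoginHandler decodes; keep the tags in sync.` would at least flag the coupling. The surrounding `const`/`var` blocks start and end outside this hunk.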
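Review bot: The new `DB_PATH` block in the `@@ -73,6 +79,9 @@` hunk repeats the `"test.db"` literal that `database.Open("test.db", ...)` on the following context line also uses, so the environment value and the opened file can drift apart silently; a package-level `const testDBPath = "test.db"` used in both places (and in the `deleteTestDB` call, if that is where the file is removed) keeps them aligned. Since TestSuite has `t` in scope, `t.Setenv("DB_PATH", testDBPath)` would also restore the variable when the test finishes, whereas `os.Setenv` leaves it set for the rest of the process; the existing BASE_URL line above has the same shape, so this is a consistency choice for the file rather than a defect introduced here. TestSuite starts and ends outside this hunk.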
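Review bot: The `XSSAttempt` subtest added in the `@@ -115,6 +125,10 @@` hunk calls `testXSSAttempt`, which is not defined in either file of this patch (the diffstat lists only SQLInjection_test.go and controllers_test.go); unless it already exists elsewhere in the controllers package the test binary will not compile, and if it does exist, the subject "add sql injection test" does not mention wiring it in. The subtest name is also inconsistent with the `SQL_Injection` subtest added a few lines earlier in the same function; picking one convention (`SQLInjection`/`XSSAttempt` or `SQL_Injection`/`XSS_Attempt`) keeps `go test -run` patterns predictable. TestSuite continues past the end of this hunk.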
@@ -195,6 +209,24 @@ func GetMockedFormContext(formData url.Values, url string) (*gin.Context, *httpt return c, w, router } +func getBaseUser() models.User { + return models.User{ + DateOfBirth: time.Date(2000, time.January, 1, 0, 0, 0, 0, time.UTC), + FirstName: "John", + LastName: "Doe", + Email: "john.doe@example.com", + Address: "Pablo Escobar Str. 4", + ZipCode: "25474", + City: "Hasloh", + Phone: "01738484993", + BankAccount: models.BankAccount{IBAN: "DE89370400440532013000"}, + Membership: models.Membership{SubscriptionModel: models.SubscriptionModel{Name: "Basic"}}, + ProfilePicture: "", + Password: "password123", + Company: "", + } +} + func deleteTestDB(dbPath string) error { err := os.Remove(dbPath) if err != nil {
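Review bot: Nothing in this patch calls `getBaseUser`, so at this commit it is unused test code unless a follow-up picks it up; if it is intended for the SQL-injection password case, using it there would give that case an existing account to log in as. The fixture sets `ProfilePicture: ""` and `Company: ""` explicitly, which are the zero values and can be dropped unless they document an intentional contract. `Phone: "01738484993"` reads like a real mobile number rather than an obviously fictitious one; test fixtures end up in logs, database dumps and bug reports, so prefer a value that cannot belong to anyone (the IBAN is the widely published example IBAN, which is fine for this purpose). getBaseUser is complete within the hunk; deleteTestDB continues past its end.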