kp was ich gemacht habe

2023-08-25 18:33:48 +02:00 · 2023-08-25 18:33:48 +02:00 · e91905089d
parent 2c81110987
commit e91905089d
4 changed files with 19 additions and 6 deletions
--- a/Website/init.py
+++ b/Website/init.py
@ -134,11 +134,6 @@ def create_app(test_config=None):
    def new_user():
        return render_template("adduser.html")

-    @app.route("/removeuser/confirmation", methods=['GET'])
-    def confirm_remove_user():
-        user_id = request.args.get("id")
-        return f'<p><a href="/list">user and tag list</a> | <a href="/documentation">Documentation</a></p> <p>Do your realy want to <a href="/removeuser?id={user_id}">remove the user</a></p>'
-
    @app.route("/removeuser", methods=['GET'])
    def remove_user():
        db = get_db()
--- a/Website/pycache/init.cpython-311.pyc
+++ b/Website/pycache/init.cpython-311.pyc
--- a/tests/pycache/test_website.cpython-311-pytest-7.4.0.pyc
+++ b/tests/pycache/test_website.cpython-311-pytest-7.4.0.pyc
--- a/tests/test_website.py
+++ b/tests/test_website.py
@ -148,4 +148,22 @@ def test_api_tagid_right_seconttag(app, client):
    assert data[0] == 1
    assert data[1] == "test"
    assert data[2] == -2
-    assert json.loads(response.data.decode('utf-8')) == {'balance': -2, 'mode': 'balance', 'username': 'test'}
+    assert json.loads(response.data.decode('utf-8')) == {'balance': -2, 'mode': 'balance', 'username': 'test'}
+
+#db
+def test_sqlinjektion_adduser(app, client):
+    injektion_list = ['"', "'--"]
+    count = 2
+    for i in injektion_list:
+        with app.app_context():
+            db = get_db()
+            assert db is get_db()
+        response = client.get('/adduser/user?username={i}')
+        c = db.cursor()
+        c.execute("SELECT * FROM users WHERE username = ?", [i])
+        data = c.fetchone()
+        assert data[0] == count
+        assert data[1] == i
+        assert data[2] == 0
+        assert "tag was sucsesfully added"  in response.data.decode('utf-8')
+        count += 1