Fix security issues of eval-s in testapi

[releng.git] / utils / test / result_collection_api / opnfv_testapi / tests / unit / test_fake_pymongo.py
diff --git a/utils/test/result_collection_api/opnfv_testapi/tests/unit/test_fake_pymongo.py b/utils/test/result_collection_api/opnfv_testapi/tests/unit/test_fake_pymongo.py

index 9bc311c..5f50ba8 100644 (file)
--- a/utils/test/result_collection_api/opnfv_testapi/tests/unit/test_fake_pymongo.py
+++ b/utils/test/result_collection_api/opnfv_testapi/tests/unit/test_fake_pymongo.py
@@ -8,9 +8,9 @@
  ##############################################################################
  import unittest
  
-from tornado.web import Application
  from tornado import gen
  from tornado.testing import AsyncHTTPTestCase, gen_test
+from tornado.web import Application
  
  import fake_pymongo
  
@@ -53,25 +53,71 @@ class MyTest(AsyncHTTPTestCase):
          user = yield self.db.pods.find_one({'_id': '1'})
          self.assertEqual(user.get('name', None), 'new_test1')
  
+    def test_update_dot_error(self):
+        self._update_assert({'_id': '1', 'name': {'1. name': 'test1'}},
+                            'key 1. name must not contain .')
+
+    def test_update_dot_no_error(self):
+        self._update_assert({'_id': '1', 'name': {'1. name': 'test1'}},
+                            None,
+                            check_keys=False)
+
+    def test_update_dollar_error(self):
+        self._update_assert({'_id': '1', 'name': {'$name': 'test1'}},
+                            'key $name must not start with $')
+
+    def test_update_dollar_no_error(self):
+        self._update_assert({'_id': '1', 'name': {'$name': 'test1'}},
+                            None,
+                            check_keys=False)
+
      @gen_test
      def test_remove(self):
          yield self.db.pods.remove({'_id': '1'})
          user = yield self.db.pods.find_one({'_id': '1'})
          self.assertIsNone(user)
  
-    @gen_test
-    def test_insert_check_keys(self):
-        yield self.db.pods.insert({'_id': '1', 'name': 'test1'},
-                                  check_keys=False)
-        cursor = self.db.pods.find({'_id': '1'})
-        names = []
-        while (yield cursor.fetch_next):
-            ob = cursor.next_object()
-            names.append(ob.get('name'))
-        self.assertItemsEqual(names, ['test1', 'test1'])
+    def test_insert_dot_error(self):
+        self._insert_assert({'_id': '1', '2. name': 'test1'},
+                            'key 2. name must not contain .')
+
+    def test_insert_dot_no_error(self):
+        self._insert_assert({'_id': '1', '2. name': 'test1'},
+                            None,
+                            check_keys=False)
+
+    def test_insert_dollar_error(self):
+        self._insert_assert({'_id': '1', '$name': 'test1'},
+                            'key $name must not start with $')
+
+    def test_insert_dollar_no_error(self):
+        self._insert_assert({'_id': '1', '$name': 'test1'},
+                            None,
+                            check_keys=False)
  
      def _clear(self):
          self.db.pods.clear()
  
+    def _update_assert(self, docs, error=None, **kwargs):
+        self._db_assert('update', error, {'_id': '1'}, docs, **kwargs)
+
+    def _insert_assert(self, docs, error=None, **kwargs):
+        self._db_assert('insert', error, docs, **kwargs)
+
+    @gen_test
+    def _db_assert(self, method, error, *args, **kwargs):
+        name_error = None
+        try:
+            yield self._eval_pods_db(method, *args, **kwargs)
+        except NameError as err:
+            name_error = err.args[0]
+        finally:
+            self.assertEqual(name_error, error)
+
+    def _eval_pods_db(self, method, *args, **kwargs):
+        table_obj = vars(self.db)['pods']
+        return table_obj.__getattribute__(method)(*args, **kwargs)
+
+
  if __name__ == '__main__':
      unittest.main()