Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity

Bug 36520: Add tests

Browse source 
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
This commit is contained in:
Jonathan Druart 2024-05-15 11:25:47 +02:00 committed by Katrin Fischer
parent 897b4a2c15
commit 01690b554d
Signed by: kfischer
GPG key ID: 0EF6E2C03357A834
1 changed files with 40 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

41
t/db_dependent/Letters.t
View file

@ -19,7 +19,8 @@
use Modern::Perl;
use File::Basename qw(dirname);
use Test::More tests => 102;
use Test::More tests => 103;
use Test::MockModule;
use Test::Warn;
use Test::Exception;
@ -1542,3 +1543,41 @@ subtest 'Template toolkit syntax in parameters' => sub {
'Template toolkit syntax in parameter was not evaluated.'
);
};
subtest 'Quote user params in GetPreparedLetter' => sub {
plan tests => 1;
my $patron = $builder->build_object( { class => 'Koha::Patrons' } );
my $biblio = $builder->build_sample_biblio;
my %loops = ( biblio => [ $biblio->biblionumber . ') AND (SELECT 1 FROM (SELECT(SLEEP(10)))x)-- -' ] );
my %substitute = ( comment => 'some comment' );
Koha::Notice::Template->new(
{
module => 'catalogue',
code => 'CART',
branchcode => '',
message_transport_type => 'email',
content =>
'Hello [% borrower.firstname %], Some comments about those biblios [% FOR b IN biblios %][% biblio.title %][% END %]: [% comment %]',
}
)->store;
my $t = time;
my $letter = C4::Letters::GetPreparedLetter(
module => 'catalogue',
letter_code => 'CART',
tables => {
borrowers => $patron->borrowernumber,
},
message_transport_type => 'email',
loops => \%loops,
substitute => \%substitute,
);
my $exec_time = time - $t;
ok( $exec_time < 10, "We should not exec the SLEEP" )
or diag sprintf(
"Spent %ss to run GetPreparredLetter, SLEEP has certainly been executed which could lead to SQL injections",
$exec_time
);
};