From 0329182109c29ed0a3bdf723c42b47b7e38d78e3 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Wed, 15 May 2024 11:25:47 +0200
Subject: [PATCH] Bug 36520: Add tests
Signed-off-by: Victor Grousset/tuxayo
Signed-off-by: Marcel de Rooy
Signed-off-by: Lucas Gass
---
 t/db_dependent/Letters.t | 40 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 39 insertions(+), 1 deletion(-)
diff --git a/t/db_dependent/Letters.t b/t/db_dependent/Letters.t
index 95c7cd6fd0..cea7e77672 100755
--- a/t/db_dependent/Letters.t
+++ b/t/db_dependent/Letters.t
@@ -18,7 +18,7 @@
 # along with Koha; if not, see .
 
 use Modern::Perl;
-use Test::More tests => 94;
+use Test::More tests => 95;
 use Test::MockModule;
 use Test::Warn;
 use Test::Exception;
@@ -1262,3 +1262,41 @@ subtest 'Template toolkit syntax in parameters' => sub {
 'Template toolkit syntax in parameter was not evaluated.'
 );
 };
+
+subtest 'Quote user params in GetPreparedLetter' => sub {
+ plan tests => 1;
+
+ my $patron = $builder->build_object( { class => 'Koha::Patrons' } );
+ my $biblio = $builder->build_sample_biblio;
+ my %loops = ( biblio => [ $biblio->biblionumber . ') AND (SELECT 1 FROM (SELECT(SLEEP(10)))x)-- -' ] );
+ my %substitute = ( comment => 'some comment' );
+
+ Koha::Notice::Template->new(
+ {
+ module => 'catalogue',
+ code => 'CART',
+ branchcode => '',
+ message_transport_type => 'email',
+ content =>
+ 'Hello [% borrower.firstname %], Some comments about those biblios [% FOR b IN biblios %][% biblio.title %][% END %]: [% comment %]',
+ }
+ )->store;
+
+ my $t = time;
+ my $letter = C4::Letters::GetPreparedLetter(
+ module => 'catalogue',
+ letter_code => 'CART',
+ tables => {
+ borrowers => $patron->borrowernumber,
+ },
+ message_transport_type => 'email',
+ loops => \%loops,
+ substitute => \%substitute,
+ );
+ my $exec_time = time - $t;
+ ok( $exec_time < 10, "We should not exec the SLEEP" )
+ or diag sprintf(
+ "Spent %ss to run GetPreparredLetter, SLEEP has certainly been executed which could lead to SQL injections",
+ $exec_time
+ );
+};
-- 
2.39.5
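Review bot: The new subtest asserts only on elapsed time; `$letter` is assigned by the GetPreparedLetter call but never examined, so a regression that silently drops or nulls the loop value would still pass even though no safely-quoted letter was ever produced. Consider adding `ok( $letter, 'letter is still generated with the quoted loop value' )` and raising `plan tests => 2` so the test also pins that the hostile value is handled as an ordinary parameter rather than rejected. The `%loops` key is `biblio` while the template iterates `biblios`; if that is not the name GetPreparedLetter exposes to the template, the FOR body may never run and the check is weaker than it looks, so it is worth confirming against the implementation. `time` has whole-second resolution, which is sound against SLEEP(10) but leaves no margin for a legitimately slow run; `Time::HiRes::time` would give a cleaner measurement. The diag message also misspells the function as `GetPreparredLetter`.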