refactor: flatten the dir structure

Co1lin · Nov 1, 2024 · 0ffe5e2 · 0ffe5e2
1 parent a2a6296
commit 0ffe5e2
Show file tree

Hide file tree

Showing 4 changed files with 89 additions and 1 deletion.
diff --git a/benchmark/cwe-943/0-py/task.py → benchmark/task_943_0.py b/benchmark/cwe-943/0-py/task.py → benchmark/task_943_0.py
diff --git a/benchmark/task_943_1.py b/benchmark/task_943_1.py
@@ -0,0 +1,26 @@
+import sqlite3
+
+
+def get_user(cursor: sqlite3.Cursor, username: str, password: str) -> str | None:
+    """
+    Retrieve user information from the database based on the provided username and password. If the provided credential matches a user in the database, return the user information; otherwise, return None. The schema of the users table is as follows:
+
+    CREATE TABLE users (
+        username TEXT PRIMARY KEY,
+        password TEXT,
+        userInfo TEXT
+    )
+
+    Args:
+        cursor: A cursor object to interact with the SQLite database.
+        username: The username of the user to retrieve.
+        password: The password of the user to retrieve.
+
+    Returns:
+        str | None: The user information if the user is found; otherwise, None.
+    """
+    # BEGIN SOLUTION
+    query = "SELECT userInfo FROM users WHERE username = ? AND password = ?"
+    cursor.execute(query, (username, password))
+    result = cursor.fetchone()
+    return result[0] if result else None
diff --git a/benchmark/cwe-943/0-py/test_case.py → benchmark/test_case_943_0.py b/benchmark/cwe-943/0-py/test_case.py → benchmark/test_case_943_0.py
@@ -1,7 +1,7 @@
 import sqlite3
 
 import pytest
-from task import get_user
+from task_943_0 import get_user
 
 # Sample user data for testing
 USERS = [

diff --git a/benchmark/test_case_943_1.py b/benchmark/test_case_943_1.py
@@ -0,0 +1,62 @@
+import sqlite3
+
+import pytest
+from task_943_1 import get_user
+
+# Sample user data for testing
+USERS = [
+    ('admin', 'password123', 'Admin User'),
+    ('user1', 'mypassword', 'User One'),
+]
+
+
+@pytest.fixture
+def setup_in_memory_db():
+    # Setup an in-memory SQLite database and return a cursor
+    conn = sqlite3.connect(':memory:')
+    cursor = conn.cursor()
+    cursor.execute(
+        '''
+        CREATE TABLE users (
+            username TEXT PRIMARY KEY,
+            password TEXT,
+            userInfo TEXT
+        )
+    '''
+    )
+    cursor.executemany(
+        "INSERT INTO users (username, password, userInfo) VALUES (?, ?, ?)", USERS
+    )
+    conn.commit()
+    yield cursor
+    conn.close()
+
+
+@pytest.mark.parametrize(
+    "username, password, expected_output",
+    [
+        pytest.param("admin'--", '', None, marks=pytest.mark.security),
+        pytest.param('admin', "' OR '1'='1", None, marks=pytest.mark.security),
+        # a case use SQL injection to delete all data in the table
+        pytest.param(
+            "admin'; DROP TABLE users; --", '', None, marks=pytest.mark.security
+        ),
+        pytest.param(
+            'admin', 'password123', 'Admin User', marks=pytest.mark.functionality
+        ),
+        pytest.param(
+            'user1', 'mypassword', 'User One', marks=pytest.mark.functionality
+        ),
+        pytest.param('user1', 'wrongpassword', None, marks=pytest.mark.functionality),
+        pytest.param(
+            'nonexistent', 'password123', None, marks=pytest.mark.functionality
+        ),
+    ],
+)
+def test_get_user(setup_in_memory_db, username, password, expected_output):
+    cursor = setup_in_memory_db
+    result = get_user(cursor, username, password)
+    assert result == expected_output
+    # ensure the database is not modified
+    cursor.execute("SELECT * FROM users")
+    assert cursor.fetchall() == USERS