From 173edfb1c02f0060156a409acaeafdcd62d91b29 Mon Sep 17 00:00:00 2001
From: sjaanus <sellinjaanus@gmail.com>
Date: Wed, 26 Jun 2024 22:40:54 +0300
Subject: [PATCH] poc: sql injection in large resources read model

---
 .../sizes/largest-resources-read-model.test.ts   | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/src/lib/features/metrics/sizes/largest-resources-read-model.test.ts b/src/lib/features/metrics/sizes/largest-resources-read-model.test.ts
index c1623db5aa..979e137492 100644
--- a/src/lib/features/metrics/sizes/largest-resources-read-model.test.ts
+++ b/src/lib/features/metrics/sizes/largest-resources-read-model.test.ts
@@ -92,3 +92,19 @@ test('can calculate resource size', async () => {
     expect(project.size).toBe(feature1.size + feature2.size);
     expect(feature1.size).toBeGreaterThan(feature2.size);
 });
+
+test('should demonstrate SQL injection vulnerability', async () => {
+    const maliciousLimit = '1; DROP TABLE feature_strategies; --';
+    let errorOccurred = false;
+
+    try {
+        await largestResourcesReadModel.getLargestProjectEnvironments(
+            maliciousLimit,
+        );
+    } catch (error) {
+        errorOccurred = true;
+        console.log('SQL injection attempt caught:', error.message);
+    }
+
+    expect(errorOccurred).toBe(true);
+});