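/*
 * Run one test-case file through the SQLi detector and compare the result
 * with the expectation recorded in the file.
 *
 * The file must contain three sections in this order, each introduced by a
 * marker on its own line: "--TEST--", "--INPUT--", "--EXPECTED--". Lines after
 * a marker are appended to g_test, g_input and g_expected respectively.
 *
 * fname    - path of the test-case file.
 * flags    - passed unchanged to libinjection_sqli_init().
 * testtype - 1: compare the fingerprint reported when the input is flagged;
 *            2: compare the folded token list;
 *            anything else: compare the raw token stream.
 *
 * Returns 1 when the actual output matches the expected one, and 0 on a
 * mismatch, when the file cannot be opened, or when the input copy cannot be
 * allocated.
 *
 * NOTE(review): a file that lacks one of the three markers also returns 1,
 * the same value as a passing comparison, so a malformed test case is not
 * reported as a failure here. Confirm that callers rely on this before
 * changing it.
 */
int read_file(const char* fname, int flags, int testtype)
{
    int count = 0;
    FILE *fp = NULL;
    char linebuf[4096];
    char g_actual[4096];
    char* bufptr = NULL;
    sfilter sf;
    int ok = 1;
    int num_tokens;
    int issqli;
    int i;
    size_t slen;
    char* copy;

    g_test[0] = '\0';
    g_input[0] = '\0';
    g_expected[0] = '\0';

    fp = fopen(fname, "r");
    if (fp == NULL) {
        /* Without this check fgets() would be handed a NULL stream. */
        perror(fname);
        return 0;
    }

    while (fgets(linebuf, sizeof(linebuf), fp) != NULL) {
        if (count == 0 && strcmp(linebuf, "--TEST--\n") == 0) {
            bufptr = g_test;
            count = 1;
        } else if (count == 1 && strcmp(linebuf, "--INPUT--\n") == 0) {
            bufptr = g_input;
            count = 2;
        } else if (count == 2 && strcmp(linebuf, "--EXPECTED--\n") == 0) {
            bufptr = g_expected;
            count = 3;
        } else if (bufptr != NULL) {
            /*
             * NOTE(review): this append is unbounded. The capacity of
             * g_test / g_input / g_expected is not visible from this
             * function, so a section longer than its buffer would write
             * past the end. Bound it against the buffers' real size where
             * they are declared.
             */
            strcat(bufptr, linebuf);
        }
        /* Lines before the first marker have no destination; skip them
         * instead of appending through a NULL pointer. */
    }
    fclose(fp);

    if (count != 3) {
        return 1;
    }

    g_expected[modp_rtrim(g_expected, strlen(g_expected))] = '\0';
    g_input[modp_rtrim(g_input, strlen(g_input))] = '\0';

    /*
     * The detector works on a heap copy of exactly slen bytes with no
     * terminating NUL -- presumably so that a memory checker can flag any
     * read past the end of the input; keep the allocation exact.
     */
    slen = strlen(g_input);
    copy = malloc(slen);
    if (copy == NULL && slen > 0) {
        fprintf(stderr, "%s: out of memory\n", fname);
        return 0;
    }
    if (slen > 0) {
        /* malloc(0) may return NULL; never hand that to memcpy(). */
        memcpy(copy, g_input, slen);
    }

    libinjection_sqli_init(&sf, copy, slen, flags);

    /* just here for code coverage and cppcheck */
    libinjection_sqli_callback(&sf, NULL, NULL);

    /* From here on slen is reused as the write offset into g_actual. */
    slen = 0;
    g_actual[0] = '\0';

    if (testtype == 1) {
        issqli = libinjection_is_sqli(&sf);
        if (issqli) {
            /* Bounded copy: never trust the source to fit the destination. */
            snprintf(g_actual, sizeof(g_actual), "%s", sf.fingerprint);
        }
    } else if (testtype == 2) {
        num_tokens = libinjection_sqli_fold(&sf);
        for (i = 0; i < num_tokens; ++i) {
            /* NOTE(review): print_token() is not given the capacity of
             * g_actual; verify it cannot write past 4096 bytes. */
            slen = print_token(g_actual, slen, &(sf.tokenvec[i]));
        }
    } else {
        while (libinjection_sqli_tokenize(&sf) == 1) {
            slen = print_token(g_actual, slen, sf.current);
        }
    }

    g_actual[modp_rtrim(g_actual, strlen(g_actual))] = '\0';

    if (strcmp(g_expected, g_actual) != 0) {
        printf("INPUT: \n%s\n==\n", g_input);
        printf("EXPECTED: \n%s\n==\n", g_expected);
        printf("GOT: \n%s\n==\n", g_actual);
        ok = 0;
    }

    free(copy);
    return ok;
}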
/*
 * Feed every line of a sample stream to the selected detector, count the
 * verdicts and optionally print one tab-separated record per line.
 *
 * fd          - open stream holding one URL-encoded sample per line.
 * fname       - label printed in the first output column.
 * mode        - MODE_SQLI or MODE_XSS; selects the detector.
 * flag_invert - with flag_true set, print the lines that were NOT flagged
 *               instead of the ones that were.
 * flag_true   - when zero every line is printed; otherwise only the lines
 *               selected by flag_invert.
 * flag_quiet  - when non-zero nothing is printed, only counters change.
 *
 * Blank lines and lines starting with '#' are skipped (they still advance
 * the line number). Flagged lines increment g_test_ok, all other processed
 * lines increment g_test_fail.
 */
void test_positive(FILE * fd, const char *fname, detect_mode_t mode,
                   int flag_invert, int flag_true, int flag_quiet)
{
    char linebuf[8192];
    sfilter sf;
    int lineno = 0;

    while (fgets(linebuf, sizeof(linebuf), fd)) {
        size_t n;
        int detected = 0;
        int show;
        const char *verdict;

        ++lineno;

        n = modp_rtrim(linebuf, strlen(linebuf));
        if (n == 0 || linebuf[0] == '#') {
            continue;
        }

        /* Samples are stored URL-encoded; decode in place before scanning. */
        n = modp_url_decode(linebuf, linebuf, n);

        if (mode == MODE_SQLI) {
            libinjection_sqli_init(&sf, linebuf, n, 0);
            detected = libinjection_is_sqli(&sf);
        } else if (mode == MODE_XSS) {
            detected = libinjection_xss(linebuf, n);
        } else {
            assert(0);
        }

        if (detected) {
            g_test_ok += 1;
        } else {
            g_test_fail += 1;
        }

        if (flag_quiet) {
            continue;
        }

        /* Without flag_true everything is shown; with it, flag_invert picks
         * between the flagged and the unflagged lines. */
        show = !flag_true || (detected ? !flag_invert : flag_invert != 0);
        if (!show) {
            continue;
        }

        /* presumably rewrites bytes that are unsafe to print, so a sample
         * cannot corrupt the report -- verify against modp_toprint() */
        modp_toprint(linebuf, n);
        verdict = detected ? "True" : "False";

        if (mode == MODE_SQLI) {
            /*
             * If no SQLi was found and the fingerprint is 'sns' or 'snsns',
             * recompute the fingerprint in plain context. This only changes
             * what is printed: the verdict and the counters above are left
             * as they were.
             */
            if (!detected) {
                int is_sns = strcmp(sf.fingerprint, "sns") == 0;
                if (is_sns || strcmp(sf.fingerprint, "snsns") == 0) {
                    libinjection_sqli_fingerprint(&sf, 0);
                }
            }
            fprintf(stdout, "%s\t%d\t%s\t%s\t%s\n",
                    fname, lineno, verdict, sf.fingerprint, linebuf);
        } else if (mode == MODE_XSS) {
            fprintf(stdout, "%s\t%d\t%s\t%s\n",
                    fname, lineno, verdict, linebuf);
        } else {
            assert(0);
        }
    }
}