1111

2026-03-19 18:00:46 +07:00
commit f72ad2769f
98 changed files with 9299 additions and 0 deletions
--- a/backend/tests/identifiers.test.ts
+++ b/backend/tests/identifiers.test.ts
@@ -0,0 +1,15 @@
+import test from "node:test";
+import assert from "node:assert/strict";
+import { assertSafeIdentifier, quoteQualifiedName } from "../src/lib/identifiers.js";
+
+test("safe identifier accepts public_table", () => {
+  assert.doesNotThrow(() => assertSafeIdentifier("finance_table"));
+});
+
+test("safe identifier rejects SQL injection attempts", () => {
+  assert.throws(() => assertSafeIdentifier("users; drop table users"));
+});
+
+test("quoteQualifiedName supports schema-qualified names", () => {
+  assert.equal(quoteQualifiedName("public.users"), "\"public\".\"users\"");
+});
--- a/backend/tests/sql-guard.test.ts
+++ b/backend/tests/sql-guard.test.ts
@@ -0,0 +1,27 @@
+import test from "node:test";
+import assert from "node:assert/strict";
+import { guardSql } from "../src/lib/sql-guard.js";
+
+test("guardSql blocks DROP DATABASE", () => {
+  assert.throws(
+    () =>
+      guardSql("DROP DATABASE appdb", {
+        allowMultiStatement: false,
+        readOnly: false,
+        allowSchemaChanges: true
+      }),
+    /blocked/i
+  );
+});
+
+test("guardSql blocks writes for read-only users", () => {
+  assert.throws(
+    () =>
+      guardSql("update users set name = 'x'", {
+        allowMultiStatement: false,
+        readOnly: true,
+        allowSchemaChanges: false
+      }),
+    /Read-only/i
+  );
+});