import pandas as pd
import pytest

from .sanitizer import parse_and_filter


@pytest.fixture
def df_products():
    data = {
        'product_id': [101, 102, 103, 104, 105, 106],
        'category': ['Electronics', 'Books', 'Electronics', 'Home Goods', 'Books', 'Electronics'],
        'price': [799.99, 19.99, 49.50, 120.00, 24.99, 150.00],
        'stock': [15, 300, 50, 25, 150, 0]
    }
    return pd.DataFrame(data)


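def test_exploit_fails(df_products):
    """Reject a filter expression that tries to call a Python function.

    The expression embeds ``@os.system(...)``; in a pandas ``query``/``eval``
    style expression the ``@`` prefix presumably resolves a Python name, so
    an untrusted expression must be rejected before it is evaluated. The
    sanitizer is expected to raise ``ValueError`` whose message contains
    ``'Invalid filter syntax'``.
    """
    # ``match`` checks the exception message itself. The previous form,
    # ``'...' in str(excinfo)``, inspected the ExceptionInfo repr, which only
    # passes because the repr happens to embed the exception text.
    with pytest.raises(ValueError, match='Invalid filter syntax'):
        parse_and_filter(df_products,
            """price < 50 and @os.system("/bin/echo password")""")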


@pytest.mark.parametrize('expression,ids', [
    ("price < 50", [102, 103, 105]),
    ("product_id in [101, 102]", [101, 102]),
    ("price < 50 and category == 'Electronics'", [103]),
    ("stock < 100 or category == 'Home Goods'", [101, 103, 104, 106]),
    ("(price > 100 and stock < 20) or category == 'Books'", [101, 102, 105, 106]),
    ("not (price > 50 or stock > 100)", [103]),
    ("not price > 50", [102, 103, 105]),
    ("(price < 50) & (category == 'Electronics')", [103]),
    ("(stock < 100) | (category == 'Home Goods')", [101, 103, 104, 106]),
])
def test_operations(df_products, expression, ids):
    """Each accepted operator form selects exactly the expected product ids.

    Covers comparisons, ``in``, the word operators ``and``/``or``/``not``,
    parenthesised grouping and the ``&``/``|`` spellings. Ids are compared
    as sorted lists, so the row order of the mask does not matter.
    """
    mask = parse_and_filter(df_products, expression)
    selected = df_products[mask]['product_id'].tolist()
    assert sorted(selected) == sorted(ids)