Test unicode smuggling

google · Dec 24, 2023 · 18cb80e · 18cb80e
1 parent e145449
commit 18cb80e
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 7 deletions.
diff --git a/mug-guava/src/main/java/com/google/mu/safesql/SafeQuery.java b/mug-guava/src/main/java/com/google/mu/safesql/SafeQuery.java
@@ -1,6 +1,8 @@
 package com.google.mu.safesql;
 
+import static com.google.common.base.CharMatcher.anyOf;
 import static com.google.common.base.CharMatcher.ascii;
+import static com.google.common.base.CharMatcher.is;
 import static com.google.common.base.MoreObjects.firstNonNull;
 import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.base.Preconditions.checkNotNull;
@@ -19,7 +21,6 @@
 import com.google.common.collect.Iterables;
 import com.google.errorprone.annotations.CompileTimeConstant;
 import com.google.errorprone.annotations.Immutable;
-import com.google.mu.util.CharPredicate;
 import com.google.mu.util.StringFormat;
 import com.google.mu.util.Substring;
 
@@ -233,7 +234,7 @@ private static String quotedBy(char quoteChar, Substring.Match placeholder, Obje
         quoteChar,
         placeholder,
         quoteChar);
-    return first(CharPredicate.is('\\').or(quoteChar).or('\n').or('\r').or(ascii().negate()::matches))
+    return first(anyOf("\\\n\r").or(is(quoteChar)).or(ascii().negate())::matches)
         .repeatedly()
         .replaceAllFrom(
             value.toString(),
@@ -257,7 +258,7 @@ private static String backquoted(Substring.Match placeholder, Object value) {
         "placeholder value for `%s` (%s) contains illegal character",
         placeholder,
         name);
-    return Substring.first(CharMatcher.ascii().negate()::matches)
+    return first(CharMatcher.ascii().negate()::matches)
         .repeatedly()
         .replaceAllFrom(name, uni -> toUnicodeHex(uni.charAt(0)));
   }

diff --git a/mug-guava/src/test/java/com/google/mu/safesql/SafeQueryTest.java b/mug-guava/src/test/java/com/google/mu/safesql/SafeQueryTest.java
@@ -537,15 +537,13 @@ public void trustedSqlStringShouldNotBeDoubleQuoted() {
 
   @Test
   public void unicodeSmugglingInStringLiteralNotEffective() {
-    String input = "ʻ OR TRUE OR ʼʼ=ʼ";
-    SafeQuery query = template("'{id}'").with(input);
+    SafeQuery query = template("'{id}'").with("ʻ OR TRUE OR ʼʼ=ʼ");
     assertThat(query.toString()).isEqualTo("'\\u02BB" + " OR TRUE OR \\u02BC\\u02BC=\\u02BC'");
   }
 
   @Test
   public void unicodeSmugglingInIdentifierNotEffective() {
-    String input = "ʻ OR TRUE OR ʼʼ=ʼ";
-    SafeQuery query = template("`{tbl}`").with(input);
+    SafeQuery query = template("`{tbl}`").with("ʻ OR TRUE OR ʼʼ=ʼ");
     assertThat(query.toString()).isEqualTo("`\\u02BB" + " OR TRUE OR \\u02BC\\u02BC=\\u02BC`");
   }