From bdd0d98d4164d7d04ef524f503bee10156567904 Mon Sep 17 00:00:00 2001
From: Roly Rudy Gutierrez Pinto <gproly@gmail.com>
Date: Mon, 21 Oct 2019 11:19:03 -0400
Subject: [PATCH] PMC-1048 Unit test for mysql_free_result inside executeQuery

---
 .../classes/PmFunctions/ExecuteQueryTest.php  | 346 ++++++++++++++++++
 1 file changed, 346 insertions(+)
 create mode 100644 tests/unit/workflow/engine/classes/PmFunctions/ExecuteQueryTest.php

diff --git a/tests/unit/workflow/engine/classes/PmFunctions/ExecuteQueryTest.php b/tests/unit/workflow/engine/classes/PmFunctions/ExecuteQueryTest.php
new file mode 100644
index 000000000..9ba50cdbb
--- /dev/null
+++ b/tests/unit/workflow/engine/classes/PmFunctions/ExecuteQueryTest.php
@@ -0,0 +1,346 @@
+<?php
+
+namespace Tests\unit\workflow\engine\classes\PmFunctions;
+
+use Faker\Factory;
+use G;
+use Illuminate\Foundation\Testing\DatabaseTransactions;
+use ProcessMaker\Model\DbSource;
+use ProcessMaker\Model\ProcessCategory;
+use ProcessMaker\Model\User;
+use SQLException;
+use Tests\TestCase;
+
+/**
+ * Test the executeQuery() function
+ *
+ * @link https://wiki.processmaker.com/3.1/ProcessMaker_Functions#executeQuery.28.29
+ */
+class ExecuteQueryTest extends TestCase
+{
+    // todo: Please do not use "DatabaseTransactions", the executeQuery method opens another connection.
+    use DatabaseTransactions;
+
+    protected $nameSystemTables = "system-tables.ini";
+    protected $contentSystemTables = "tables =  'APPLICATION|APP_SEQUENCE|APP_DELEGATION|APP_DOCUMENT|APP_MESSAGE|APP_OWNER|CONFIGURATION|CONTENT|DEPARTMENT|DYNAFORM|GROUPWF|GROUP_USER|HOLIDAY|INPUT_DOCUMENT|ISO_COUNTRY|ISO_LOCATION|ISO_SUBDIVISION|LANGUAGE|LEXICO|OUTPUT_DOCUMENT|PROCESS|PROCESS_OWNER|REPORT_TABLE|REPORT_VAR|ROUTE|STEP|STEP_TRIGGER|SWIMLANES_ELEMENTS|TASK|TASK_USER|TRANSLATION|TRIGGERS|USERS|APP_THREAD|APP_DELAY|PROCESS_USER|SESSION|DB_SOURCE|STEP_SUPERVISOR|OBJECT_PERMISSION|CASE_TRACKER|CASE_TRACKER_OBJECT|CASE_CONSOLIDATED|STAGE|SUB_PROCESS|SUB_APPLICATION|LOGIN_LOG|USERS_PROPERTIES|ADDITIONAL_TABLES|FIELDS|SHADOW_TABLE|EVENT|GATEWAY|APP_EVENT|APP_CACHE_VIEW|DIM_TIME_DELEGATE|DIM_TIME_COMPLETE|APP_HISTORY|APP_FOLDER|FIELD_CONDITION|LOG_CASES_SCHEDULER|CASE_SCHEDULER|CALENDAR_DEFINITION|CALENDAR_BUSINESS_HOURS|CALENDAR_HOLIDAYS|CALENDAR_ASSIGNMENTS|PROCESS_CATEGORY|APP_NOTES|DASHLET|DASHLET_INSTANCE|APP_SOLR_QUEUE|SEQUENCES|SESSION_STORAGE|PROCESS_FILES|WEB_ENTRY|OAUTH_ACCESS_TOKENS|OAUTH_AUTHORIZATION_CODES|OAUTH_CLIENTS|OAUTH_REFRESH_TOKENS|OAUTH_SCOPES|PMOAUTH_USER_ACCESS_TOKENS|BPMN_PROJECT|BPMN_PROCESS|BPMN_ACTIVITY|BPMN_ARTIFACT|BPMN_DIAGRAM|BPMN_BOUND|BPMN_DATA|BPMN_EVENT|BPMN_FLOW|BPMN_GATEWAY|BPMN_LANESET|BPMN_LANE|BPMN_PARTICIPANT|BPMN_EXTENSION|BPMN_DOCUMENTATION|PROCESS_VARIABLES|APP_TIMEOUT_ACTION_EXECUTED|ADDONS_STORE|ADDONS_MANAGER|LICENSE_MANAGER|APP_ASSIGN_SELF_SERVICE_VALUE|APP_ASSIGN_SELF_SERVICE_VALUE_GROUP|LIST_INBOX|LIST_PARTICIPATED_HISTORY|LIST_PARTICIPATED_LAST|LIST_COMPLETED|LIST_PAUSED|LIST_CANCELED|LIST_MY_INBOX|LIST_UNASSIGNED|LIST_UNASSIGNED_GROUP|MESSAGE_TYPE|MESSAGE_TYPE_VARIABLE|EMAIL_SERVER|WEB_ENTRY_EVENT|MESSAGE_EVENT_DEFINITION|MESSAGE_EVENT_RELATION|MESSAGE_APPLICATION|ELEMENT_TASK_RELATION|ABE_CONFIGURATION|ABE_REQUESTS|ABE_RESPONSES|USR_REPORTING|PRO_REPORTING|DASHBOARD|DASHBOARD_INDICATOR|DASHBOARD_DAS_IND|CATALOG|SCRIPT_TASK|TIMER_EVENT|EMAIL_EVENT|NOTIFICATION_DEVICE|GMAIL_RELABELING|NOTIFICATION_QUEUE|PLUGINS_REGISTRY|APP_DATA_CHANGE_LOG|JOBS_PENDING|JOBS_FAILED|RBAC_PERMISSIONS|RBAC_ROLES|RBAC_ROLES_PERMISSIONS|RBAC_SYSTEMS|RBAC_USERS|RBAC_USERS_ROLES|RBAC_AUTHENTICATION_SOURCE|'";
+    protected $oldContentSystemTables = "";
+
+    public function setUp()
+    {
+        parent::setUp();
+        ProcessCategory::truncate();
+        $this->oldContentSystemTables = "";
+        $path = PATH_CONFIG . $this->nameSystemTables;
+        if (file_exists($path)) {
+            $this->oldContentSystemTables = file_get_contents($path);
+        }
+        file_put_contents($path, $this->contentSystemTables);
+    }
+
+    public function tearDown()
+    {
+        parent::tearDown();
+        $path = PATH_CONFIG . $this->nameSystemTables;
+        file_put_contents($path, $this->oldContentSystemTables);
+    }
+
+    /**
+     * This tests if the "executeQuery" method is returning the data of a query.
+     * @test
+     */
+    public function it_must_return_the_result_of_execute_query_method()
+    {
+        $user = factory(User::class, 5)->create();
+
+        $user = $user->sortByDesc('USR_UID')->values()->map(function($item) {
+            $result = [
+                'USR_UID' => $item['USR_UID'],
+                'USR_USERNAME' => $item['USR_USERNAME'],
+                'USR_PASSWORD' => $item['USR_PASSWORD'],
+                'USR_FIRSTNAME' => $item['USR_FIRSTNAME'],
+                'USR_LASTNAME' => $item['USR_LASTNAME'],
+                'USR_EMAIL' => $item['USR_EMAIL'],
+            ];
+            return $result;
+        });
+        $expected = $user->toArray();
+
+        $sql = "SELECT "
+                . "USR_UID ,"
+                . "USR_USERNAME ,"
+                . "USR_PASSWORD ,"
+                . "USR_FIRSTNAME, "
+                . "USR_LASTNAME, "
+                . "USR_EMAIL "
+                . "FROM USERS "
+                . "WHERE "
+                . "USR_UID NOT IN ("
+                . "    '00000000000000000000000000000001',"
+                . "    '00000000000000000000000000000002'"
+                . ")"
+                . "ORDER BY USR_UID DESC";
+        $actual = executeQuery($sql);
+        $actual = array_values($actual);
+
+        $this->assertEquals($expected, $actual);
+    }
+
+    /**
+     * Insert a record in the category table using the execute query function.
+     * @test
+     */
+    public function it_should_insert_a_record_in_the_category_table_using_the_execute_query_method()
+    {
+        $database = env('DB_DATABASE');
+        $faker = Factory::create();
+        $uid = G::generateUniqueID();
+        $id = $faker->unique()->numberBetween(1, 10000000);
+        $name = str_replace("'", " ", $faker->name);
+        $sql = ""
+                . "INSERT INTO {$database}.PROCESS_CATEGORY("
+                . "    CATEGORY_UID,"
+                . "    CATEGORY_ID,"
+                . "    CATEGORY_PARENT,"
+                . "    CATEGORY_NAME,"
+                . "    CATEGORY_ICON"
+                . ") VALUES"
+                . "("
+                . "	'{$uid}',"
+                . "	'{$id}',"
+                . "	'0',"
+                . "	'{$name}',"
+                . "	''"
+                . ")";
+        executeQuery($sql);
+        $expected = [
+            [
+                'CATEGORY_UID' => $uid,
+                'CATEGORY_ID' => $id,
+                'CATEGORY_PARENT' => '0',
+                'CATEGORY_NAME' => $name,
+                'CATEGORY_ICON' => '',
+            ]
+        ];
+
+        $actual = ProcessCategory::get();
+
+        $this->assertEquals($expected, $actual->toArray());
+    }
+
+    /**
+     * Replace a record in the category table using the execute query function.
+     * @test
+     */
+    public function it_should_replace_a_record_in_the_category_table_using_the_execute_query_method()
+    {
+        $database = env('DB_DATABASE');
+        $faker = Factory::create();
+        $id = $faker->unique()->numberBetween(1, 10000000);
+        $newName = str_replace("'", " ", $faker->name);
+
+        $category = factory(ProcessCategory::class)->create([
+            'CATEGORY_ID' => $id
+        ]);
+        $expected = $category->toArray();
+        $expected['CATEGORY_NAME'] = $newName;
+        unset($expected['id']);
+
+        $sql = "REPLACE INTO {$database}.PROCESS_CATEGORY "
+                . "SET "
+                . "CATEGORY_UID='{$category->CATEGORY_UID}',"
+                . "CATEGORY_PARENT='{$category->CATEGORY_PARENT}', "
+                . "CATEGORY_NAME='{$newName}', "
+                . "CATEGORY_ICON='{$category->CATEGORY_ICON}', "
+                . "CATEGORY_ID='{$category->CATEGORY_ID}'"
+                . "";
+
+        executeQuery($sql);
+
+        $actual = ProcessCategory::where('CATEGORY_UID', '=', $category->CATEGORY_UID)
+                ->get()
+                ->first();
+
+        $this->assertEquals($expected, $actual->toArray());
+    }
+
+    /**
+     * Update a record in the category table using the execute query function.
+     * @test
+     */
+    public function it_should_update_a_record_in_the_category_table_using_the_execute_query_method()
+    {
+        $database = env('DB_DATABASE');
+        $faker = Factory::create();
+        $id = $faker->unique()->numberBetween(1, 10000000);
+        $newName = str_replace("'", " ", $faker->name);
+
+        $category = factory(ProcessCategory::class)->create([
+            'CATEGORY_ID' => $id
+        ]);
+        $expected = $category->toArray();
+        $expected['CATEGORY_NAME'] = $newName;
+        unset($expected['id']);
+
+        $sql = ""
+                . "UPDATE {$database}.PROCESS_CATEGORY SET "
+                . "CATEGORY_NAME='{$newName}' "
+                . "WHERE "
+                . "CATEGORY_UID='{$category->CATEGORY_UID}'";
+        executeQuery($sql);
+
+        $actual = ProcessCategory::where('CATEGORY_UID', '=', $category->CATEGORY_UID)
+                ->get()
+                ->first();
+
+        $this->assertEquals($expected, $actual->toArray());
+    }
+
+    /**
+     * Delete a record in the category table using the execute query function.
+     * @test
+     */
+    public function it_should_delete_a_record_in_the_category_table_using_the_execute_query_method()
+    {
+
+        $database = env('DB_DATABASE');
+        $category = factory(ProcessCategory::class)->create();
+
+        $sql = ""
+                . "DELETE FROM {$database}.PROCESS_CATEGORY "
+                . "WHERE "
+                . "CATEGORY_UID='{$category->CATEGORY_UID}'";
+        executeQuery($sql);
+
+        $actual = ProcessCategory::where('CATEGORY_UID', '=', $category->CATEGORY_UID)
+                ->get()
+                ->first();
+
+        $this->assertNull($actual);
+    }
+
+    /**
+     * This performs a test of connectivity to an external database using DBS_UID 
+     * in the executeQuery() method.
+     * @test
+     */
+    public function this_connects_to_an_external_database_using_the_execute_query_method()
+    {
+        $dbName = env('DB_DATABASE');
+        $dbSource = factory(DbSource::class)->create([
+            'DBS_TYPE' => 'mysql',
+            'DBS_SERVER' => env('DB_HOST'),
+            'DBS_DATABASE_NAME' => $dbName,
+            'DBS_USERNAME' => env('DB_USERNAME'),
+            'DBS_PASSWORD' => G::encrypt(env('DB_PASSWORD'), $dbName) . "_2NnV3ujj3w",
+            'DBS_PORT' => '3306',
+        ]);
+
+        //this is important to get the connection
+        $_SESSION['PROCESS'] = $dbSource->PRO_UID;
+
+        $sql = "show tables";
+        $result = executeQuery($sql, $dbSource->DBS_UID);
+
+        $this->assertTrue(is_array($result));
+    }
+
+    /**
+     * This performs a test of connectivity to an external database using DBS_UID 
+     * in the executeQuery() method.
+     * @test
+     */
+    public function this_connects_to_an_external_oracle_database_using_the_execute_query_method()
+    {
+        $this->markTestIncomplete('This test has not been implemented yet.');
+
+        $dbName = "XE";
+        $dbSource = factory(DbSource::class)->create([
+            'DBS_TYPE' => 'oracle',
+            'DBS_CONNECTION_TYPE' => 'NORMAL',
+            'DBS_SERVER' => 'localhost',
+            'DBS_DATABASE_NAME' => $dbName,
+            'DBS_USERNAME' => env('DB_USERNAME'),
+            'DBS_PASSWORD' => G::encrypt(env('DB_PASSWORD'), $dbName) . "_2NnV3ujj3w",
+            'DBS_PORT' => '1521',
+        ]);
+
+        //this is important to get the connection
+        $_SESSION['PROCESS'] = $dbSource->PRO_UID;
+
+        $sql = "select username,account_status from dba_users";
+        $result = executeQuery($sql, $dbSource->DBS_UID);
+
+        $this->assertTrue(is_array($result));
+    }
+
+    /**
+     * This verifies the protection of the system tables.
+     * @test     
+     */
+    public function this_check_the_black_list()
+    {
+        $faker = Factory::create();
+        $uid = G::generateUniqueID();
+        $id = $faker->unique()->numberBetween(1, 10000000);
+        $name = str_replace("'", " ", $faker->name);
+        $sql = ""
+                . "INSERT INTO PROCESS_CATEGORY("
+                . "    CATEGORY_UID,"
+                . "    CATEGORY_ID,"
+                . "    CATEGORY_PARENT,"
+                . "    CATEGORY_NAME,"
+                . "    CATEGORY_ICON"
+                . ") VALUES"
+                . "("
+                . "	'{$uid}',"
+                . "	'{$id}',"
+                . "	'0',"
+                . "	'{$name}',"
+                . "	''"
+                . ")";
+
+        $this->expectException(SQLException::class);
+
+        /**
+         * The executeQuery() function is executing the standard error_log() 
+         * output, this test shows error information, but will not stop the 
+         * execution of the test.
+         * The error_log() method must stop being used.
+         */
+        executeQuery($sql);
+    }
+
+    /**
+     * This verifies the protection of the system tables.
+     * @test     
+     */
+    public function this_check_the_black_list_for_multiple_tables()
+    {
+        $faker = Factory::create();
+        $id = $faker->unique()->numberBetween(1, 10000000);
+        $newName = str_replace("'", " ", $faker->name);
+
+        $category = factory(ProcessCategory::class)->create([
+            'CATEGORY_ID' => $id
+        ]);
+        $expected = $category->toArray();
+        $expected['CATEGORY_NAME'] = $newName;
+        unset($expected['id']);
+
+        $sql = ""
+                . "UPDATE PROCESS_CATEGORY SET "
+                . "CATEGORY_NAME='{$newName}' "
+                . "WHERE "
+                . "CATEGORY_UID='{$category->CATEGORY_UID}'";
+
+        $this->expectException(SQLException::class);
+
+        /**
+         * The executeQuery() function is executing the standard error_log() 
+         * output, this test shows error information, but will not stop the 
+         * execution of the test.
+         * The error_log() method must stop being used.
+         */
+        executeQuery($sql);
+    }
+}