Resolve conflicts with main

Author: Harshit-Khasnis

tests/passed-tests.txt

@@ -212,15 +212,15 @@ TestNilPointerSlice
 TestNilPointerSlice2
 TestPrefixedPreloadDuplication
 TestPreloadManyToManyCallbacks
-#TestPreloadWithAssociations
-#TestNestedPreload
+TestPreloadWithAssociations
+TestNestedPreload
 TestNestedPreloadForSlice
 #TestPreloadWithConds
-#TestNestedPreloadWithConds
+TestNestedPreloadWithConds
 TestPreloadEmptyData
 TestPreloadGoroutine
-#TestPreloadWithDiffModel
-#TestNestedPreloadWithUnscoped
+TestPreloadWithDiffModel
+TestNestedPreloadWithUnscoped
 TestNestedPreloadWithNestedJoin
 #TestMergeNestedPreloadWithNestedJoin
 TestNestedPreloadWithPointerJoin
@@ -370,7 +370,7 @@ TestDistinctWithVaryingCase
 #TestDistinctWithAggregation
 TestUpsertWithSave
 TestFindOrInitialize
-#TestFindOrCreate
+TestFindOrCreate
 TestUpdateWithMissWhere
 BenchmarkCreate
 BenchmarkFind
@@ -379,4 +379,8 @@ BenchmarkScanSlice
 BenchmarkScanSlicePointer
 BenchmarkUpdate
 BenchmarkDelete
+TestRawQueryInjection
+TestWhereClauseInjection
+TestUpdateInjection
+TestFirstOrCreateInjection
 TesUserInsertScenarios

tests/preload_test.go

@@ -76,7 +76,7 @@ func TestPreloadWithAssociations(t *testing.T) {
 	CheckUser(t, user, user)
 
 	var user2 User
-	DB.Preload(clause.Associations).Find(&user2, "id = ?", user.ID)
+	DB.Preload(clause.Associations).Find(&user2, "\"id\" = ?", user.ID)
 	CheckUser(t, user2, user)
 
 	user3 := *GetUser("preload_with_associations_new", Config{
@@ -90,7 +90,7 @@ func TestPreloadWithAssociations(t *testing.T) {
 		Friends:   1,
 	})
 
-	DB.Preload(clause.Associations).Find(&user3, "id = ?", user.ID)
+	DB.Preload(clause.Associations).Find(&user3, "\"id\" = ?", user.ID)
 	CheckUser(t, user3, user)
 }
 
@@ -107,15 +107,15 @@ func TestNestedPreload(t *testing.T) {
 	}
 
 	var user2 User
-	DB.Preload("Pets.Toy").Find(&user2, "id = ?", user.ID)
+	DB.Preload("Pets.Toy").Find(&user2, "\"id\" = ?", user.ID)
 	CheckUser(t, user2, user)
 
 	var user3 User
-	DB.Preload(clause.Associations+"."+clause.Associations).Find(&user3, "id = ?", user.ID)
+	DB.Preload(clause.Associations+"."+clause.Associations).Find(&user3, "\"id\" = ?", user.ID)
 	CheckUser(t, user3, user)
 
 	var user4 *User
-	DB.Preload("Pets.Toy").Find(&user4, "id = ?", user.ID)
+	DB.Preload("Pets.Toy").Find(&user4, "\"id\" = ?", user.ID)
 	CheckUser(t, *user4, user)
 }
 
@@ -167,7 +167,7 @@ func TestPreloadWithConds(t *testing.T) {
 	}
 
 	var users2 []User
-	DB.Preload("Account", clause.Eq{Column: "number", Value: users[0].Account.AccountNumber}).Find(&users2, "id IN ?", userIDs)
+	DB.Preload("Account", clause.Eq{Column: "account_number", Value: users[0].Account.AccountNumber}).Find(&users2, "id IN ?", userIDs)
 	sort.Slice(users2, func(i, j int) bool {
 		return users2[i].ID < users2[j].ID
 	})
@@ -232,7 +232,7 @@ func TestNestedPreloadWithConds(t *testing.T) {
 	}
 
 	var users2 []User
-	DB.Preload("Pets.Toy", "name like ?", `%preload_3`).Find(&users2, "id IN ?", userIDs)
+	DB.Preload("Pets.Toy", "\"name\" like ?", `%preload_3`).Find(&users2, "\"id\" IN ?", userIDs)
 
 	for idx, user := range users2[0:2] {
 		for _, pet := range user.Pets {
@@ -312,8 +312,8 @@ func TestPreloadWithDiffModel(t *testing.T) {
 		User
 	}
 
-	DB.Model(User{}).Preload("Account", clause.Eq{Column: "number", Value: user.Account.AccountNumber}).Select(
-		"users.*, 'yo' as something").First(&result, "name = ?", user.Name)
+	DB.Model(User{}).Preload("Account", clause.Eq{Column: "\"account_number\"", Value: user.Account.AccountNumber}).Select(
+		"\"users\".*, 'yo' as something").First(&result, "\"name\" = ?", user.Name)
 
 	CheckUser(t, user, result.User)
 }
@@ -330,29 +330,29 @@ func TestNestedPreloadWithUnscoped(t *testing.T) {
 	}
 
 	var user2 User
-	DB.Preload("Pets.Toy").Find(&user2, "id = ?", user.ID)
+	DB.Preload("Pets.Toy").Find(&user2, "\"id\" = ?", user.ID)
 	CheckUser(t, user2, user)
 
 	DB.Delete(&pet)
 
 	var user3 User
-	DB.Preload(clause.Associations+"."+clause.Associations).Find(&user3, "id = ?", user.ID)
+	DB.Preload(clause.Associations+"."+clause.Associations).Find(&user3, "\"id\" = ?", user.ID)
 	if len(user3.Pets) != 0 {
 		t.Fatalf("User.Pet[0] was deleted and should not exist.")
 	}
 
 	var user4 *User
-	DB.Preload("Pets.Toy").Find(&user4, "id = ?", user.ID)
+	DB.Preload("Pets.Toy").Find(&user4, "\"id\" = ?", user.ID)
 	if len(user4.Pets) != 0 {
 		t.Fatalf("User.Pet[0] was deleted and should not exist.")
 	}
 
 	var user5 User
-	DB.Unscoped().Preload(clause.Associations+"."+clause.Associations).Find(&user5, "id = ?", user.ID)
+	DB.Unscoped().Preload(clause.Associations+"."+clause.Associations).Find(&user5, "\"id\" = ?", user.ID)
 	CheckUserUnscoped(t, user5, user)
 
 	var user6 *User
-	DB.Unscoped().Preload("Pets.Toy").Find(&user6, "id = ?", user.ID)
+	DB.Unscoped().Preload("Pets.Toy").Find(&user6, "\"id\" = ?", user.ID)
 	CheckUserUnscoped(t, *user6, user)
 }
 

tests/run-tests.sh

@@ -40,7 +40,7 @@ echo "Processing tests from passed-tests.txt..."
 echo ""
 
 # Read the file line by line
-while IFS= read -r line; do
+while IFS= read -r line || [[ -n "$line" ]]; do
     # Skip empty lines - keep them as is
     if [[ -z "$line" ]]; then
         echo "$line" >> "$temp_file"

tests/sql_injection_test.go

@@ -0,0 +1,202 @@
+/*
+** Copyright (c) 2025 Oracle and/or its affiliates.
+**
+** The Universal Permissive License (UPL), Version 1.0
+**
+** Subject to the condition set forth below, permission is hereby granted to any
+** person obtaining a copy of this software, associated documentation and/or data
+** (collectively the "Software"), free of charge and under any and all copyright
+** rights in the Software, and any and all patent rights owned or freely
+** licensable by each licensor hereunder covering either (i) the unmodified
+** Software as contributed to or provided by such licensor, or (ii) the Larger
+** Works (as defined below), to deal in both
+**
+** (a) the Software, and
+** (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+** one is included with the Software (each a "Larger Work" to which the Software
+** is contributed by such licensors),
+**
+** without restriction, including without limitation the rights to copy, create
+** derivative works of, display, perform, and distribute the Software and make,
+** use, sell, offer for sale, import, export, have made, and have sold the
+** Software and the Larger Work(s), and to sublicense the foregoing rights on
+** either these or other terms.
+**
+** This license is subject to the following condition:
+** The above copyright notice and either this complete permission notice or at
+** a minimum a reference to the UPL must be included in all copies or
+** substantial portions of the Software.
+**
+** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+** IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+** FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+** AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+** OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+** SOFTWARE.
+ */
+
+package tests
+
+import (
+	"fmt"
+	"testing"
+)
+
+type TestUser struct {
+	ID       uint   `gorm:"primaryKey"`
+	Username string `gorm:"uniqueIndex"`
+	Email    string
+	Password string
+	Role     string
+}
+
+var sqlInjectionTestCases = []string{
+	"admin'; DROP TABLE \"test_users\"; --",
+	"admin' UNION SELECT 1,\"username\",\"password\",1,1 FROM \"test_users\" --",
+	"admin' AND 1=1 --",
+	"admin' OR '1'='1' --",
+	"admin' AND 1=2 --",
+	"admin' OR '1'='2' --",
+	"admin'; WAITFOR DELAY '00:00:05' --",
+	"admin' AND (SELECT COUNT(*) FROM user_tables) > 0 --",
+	"admin'; INSERT INTO \"test_users\" (\"username\",\"email\",\"role\") VALUES ('hacker','[email protected]','admin'); --",
+	"admin' --",
+	"admin\x00",                  // Null byte injection
+	"0x61646D696E",               // Hexadecimal representation of "admin"
+	"admin%27%20OR%201%3D1%20--", // URL-encoded injection "admin' OR 1=1 --"
+}
+
+func TestRawQueryInjection(t *testing.T) {
+	if err := DB.AutoMigrate(&TestUser{}); err != nil {
+		t.Errorf("failed to create test table: %v", err)
+	}
+
+	testUsers := []TestUser{
+		{Username: "admin", Email: "[email protected]", Password: "admin123", Role: "admin"},
+		{Username: "user1", Email: "[email protected]", Password: "user123", Role: "user"},
+	}
+	for _, user := range testUsers {
+		DB.FirstOrCreate(&user, TestUser{Username: user.Username})
+	}
+	for _, test := range sqlInjectionTestCases {
+		var testUser []TestUser
+		result := DB.Raw("SELECT * FROM \"test_users\" WHERE \"username\" = ?", test).Scan(&testUser)
+		if result.Error == nil && len(testUser) > 0 {
+			t.Errorf("Query should fail or returned no results: %v", result.Error)
+		}
+
+		if !DB.Migrator().HasTable(&TestUser{}) {
+			t.Errorf("Test table 'test_users' does not exist after migration")
+		}
+
+		var count int64
+		DB.Model(&TestUser{}).Where("\"username\" = ?", "hacker").Count(&count)
+		if count > 0 {
+			t.Errorf("Unexpected user 'hacker' was found!")
+		}
+
+		var rowCount int64
+		DB.Model(&TestUser{}).Count(&rowCount)
+		if rowCount != 2 {
+			t.Errorf("Expected user table to have 2 rows, but found %d", rowCount)
+		}
+	}
+	DB.Migrator().DropTable(&TestUser{})
+}
+
+func TestWhereClauseInjection(t *testing.T) {
+	if err := DB.AutoMigrate(&TestUser{}); err != nil {
+		t.Errorf("failed to create test table: %v", err)
+	}
+
+	testUsers := []TestUser{
+		{Username: "admin", Email: "[email protected]", Password: "admin123", Role: "admin"},
+		{Username: "user1", Email: "[email protected]", Password: "user123", Role: "user"},
+	}
+	for _, user := range testUsers {
+		DB.FirstOrCreate(&user, TestUser{Username: user.Username})
+	}
+	for _, test := range sqlInjectionTestCases {
+		var testUser []TestUser
+		result := DB.Where("\"username\" = ?", test).Find(&testUsers)
+		if result.Error == nil && len(testUser) > 0 {
+			t.Errorf("Query should fail or returned no results: %v", result.Error)
+		}
+
+		if !DB.Migrator().HasTable(&TestUser{}) {
+			t.Errorf("Test table 'test_users' does not exist after migration")
+		}
+
+		var count int64
+		DB.Model(&TestUser{}).Where("\"username\" = ?", "hacker").Count(&count)
+		if count > 0 {
+			t.Errorf("Unexpected user 'hacker' was found!")
+		}
+
+		var rowCount int64
+		DB.Model(&TestUser{}).Count(&rowCount)
+		if rowCount != 2 {
+			t.Errorf("Expected user table to have 2 rows, but found %d", rowCount)
+		}
+	}
+	DB.Migrator().DropTable(&TestUser{})
+}
+
+func TestUpdateInjection(t *testing.T) {
+	if err := DB.AutoMigrate(&TestUser{}); err != nil {
+		t.Errorf("failed to create test table: %v", err)
+	}
+
+	testUser := TestUser{Username: "updatetest", Email: "[email protected]", Role: "user"}
+	DB.Create(&testUser)
+
+	for _, test := range sqlInjectionTestCases {
+		DB.Model(&testUser).Where("\"id\" = ?", testUser.ID).Update("email", test)
+		var user TestUser
+		result := DB.Where("username = ?", "updatetest").First(&user)
+		if result.Error == nil && user.Email != test {
+			t.Errorf("Expected email to be '%s', but got '%s'", test, user.Email)
+		}
+
+		if !DB.Migrator().HasTable(&TestUser{}) {
+			t.Errorf("Test table 'test_users' does not exist after migration")
+		}
+
+		var count int64
+		DB.Model(&TestUser{}).Where("\"username\" = ?", "hacker").Count(&count)
+		if count > 0 {
+			t.Errorf("Unexpected user 'hacker' was found!")
+		}
+
+		var rowCount int64
+		DB.Model(&TestUser{}).Count(&rowCount)
+		if rowCount != 1 {
+			t.Errorf("Expected user table to have 1 rows, but found %d", rowCount)
+		}
+	}
+	DB.Migrator().DropTable(&TestUser{})
+}
+
+func TestFirstOrCreateInjection(t *testing.T) {
+	if err := DB.AutoMigrate(&TestUser{}); err != nil {
+		t.Errorf("failed to create test table: %v", err)
+	}
+
+	for i, test := range sqlInjectionTestCases {
+		user := TestUser{
+			Username: test,
+			Email:    fmt.Sprintf("test%[email protected]", i),
+			Role:     "user",
+		}
+		DB.FirstOrCreate(&user, TestUser{Username: test})
+
+		var count int64
+		DB.Model(&TestUser{}).Where("\"username\" = ?", test).Count(&count)
+		if count != 1 {
+			t.Errorf("expected 1 record for input '%s', but found %d", test, count)
+		}
+	}
+
+	DB.Migrator().DropTable(&TestUser{})
+}

tests/upsert_test.go

@@ -344,11 +344,11 @@ func TestFindOrCreate(t *testing.T) {
 	}
 
 	DB.Where(&User{Name: "find or create embedded struct"}).Assign(User{Age: 44, Account: Account{AccountNumber: "1231231231"}, Pets: []*Pet{{Name: "first_or_create_pet1"}, {Name: "first_or_create_pet2"}}}).FirstOrCreate(&user8)
-	if err := DB.Where("name = ?", "first_or_create_pet1").First(&Pet{}).Error; err != nil {
+	if err := DB.Where("\"name\" = ?", "first_or_create_pet1").First(&Pet{}).Error; err != nil {
 		t.Errorf("has many association should be saved")
 	}
 
-	if err := DB.Where("number = ?", "1231231231").First(&Account{}).Error; err != nil {
+	if err := DB.Where("\"account_number\" = ?", "1231231231").First(&Account{}).Error; err != nil {
 		t.Errorf("belongs to association should be saved")
 	}
 }