From abdff7d8e68e8d88a406ce2b8a9f8d236a7769c1 Mon Sep 17 00:00:00 2001
From: mike12345567
Date: Tue, 19 Mar 2024 13:22:43 +0000
Subject: [PATCH] Adding test case.
---
 .../api/routes/tests/queries/query.seq.spec.ts | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/packages/server/src/api/routes/tests/queries/query.seq.spec.ts b/packages/server/src/api/routes/tests/queries/query.seq.spec.ts
index 4347ed9044..fc90ad4247 100644
--- a/packages/server/src/api/routes/tests/queries/query.seq.spec.ts
+++ b/packages/server/src/api/routes/tests/queries/query.seq.spec.ts
@@ -408,6 +408,21 @@ describe("/queries", () => {
 },
 })
 })
+
+ it("shouldn't allow handlebars to be passed as parameters", async () => {
+ const res = await request
+ .post(`/api/queries/${query._id}`)
+ .send({
+ parameters: {
+ a: "{{ 'test' }}",
+ },
+ })
+ .set(config.defaultHeaders())
+ .expect(400)
+ expect(res.body.message).toEqual(
+ "Parameter 'a' input contains a handlebars binding - this is not allowed."
+ )
+ })
 })

 describe("variables", () => {
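Review bot: The new test pins the rejection to a single input shape, `a: "{{ 'test' }}"`, where the whole value is one double-brace binding, so a check that matches only that exact form would still pass. The validation code is not part of this patch, so it is worth adding sibling cases that expect the same 400 for a binding embedded in surrounding text and for the triple-brace form, for example `a: "x {{ 'test' }} y"` and `a: "{{{ 'test' }}}"` (constructed values). A one-line comment above the test, such as `// query parameters are caller-supplied, so bindings must be rejected rather than evaluated`, would record why the 400 matters. The enclosing `describe` block begins and ends outside the hunk.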