Add unit tests for Blind SQL Injection Vulnerability levels 1, 2, and…

… 3 (#474) * Add unit tests for BlindSQLInjectionVulnerability Level 1 * Add unit tests for BlindSQLInjectionVulnerability Level 2 * Add unit tests for BlindSQLInjectionVulnerability Level 3
SasanLabs · Nov 10, 2024 · 93ac7c6 · 93ac7c6
1 parent 928f79f
commit 93ac7c6
Showing 1 changed file with 215 additions and 0 deletions.
diff --git a/.../org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerabilityTest.java b/.../org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerabilityTest.java
@@ -0,0 +1,215 @@
+package org.sasanlabs.service.vulnerability.sqlInjection;
+
+import static org.junit.jupiter.api.Assertions.*;
+import static org.mockito.Mockito.*;
+
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.util.HashMap;
+import java.util.Map;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.MockitoAnnotations;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.jdbc.core.JdbcTemplate;
+import org.springframework.jdbc.core.PreparedStatementCreator;
+import org.springframework.jdbc.core.ResultSetExtractor;
+
+public class BlindSQLInjectionVulnerabilityTest {
+
+    @Mock private JdbcTemplate jdbcTemplate;
+
+    @InjectMocks private BlindSQLInjectionVulnerability blindSQLInjectionVulnerability;
+
+    @BeforeEach
+    public void setUp() {
+        MockitoAnnotations.openMocks(this);
+    }
+
+    @Test
+    public void testGetCarInformationLevel1_CarPresent() throws SQLException {
+        // Arrange
+        String id = "1";
+        Map<String, String> queryParams = new HashMap<>();
+        queryParams.put("id", id);
+
+        // The query is simulated to have returned a result (i.e. there is a car with ID "1")
+        ResultSet mockResultSet = mock(ResultSet.class);
+        when(mockResultSet.next()).thenReturn(true);
+
+        // return rse.extractData(mockResultSet); indicates that the ResultSetExtractor extracts the
+        // data from the mockResultSet (which mocks the query result)
+        when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class)))
+                .thenAnswer(
+                        invocation -> {
+                            ResultSetExtractor<ResponseEntity<String>> rse =
+                                    invocation.getArgument(1);
+                            return rse.extractData(mockResultSet);
+                        });
+
+        // Act
+        ResponseEntity<String> response =
+                blindSQLInjectionVulnerability.getCarInformationLevel1(queryParams);
+
+        // Assert
+        assertEquals(HttpStatus.OK, response.getStatusCode());
+        assertEquals("{ \"isCarPresent\": true}", response.getBody());
+    }
+
+    @Test
+    public void testGetCarInformationLevel1_CarNotPresent() throws SQLException {
+        // Arrange
+        String id = "2";
+        Map<String, String> queryParams = new HashMap<>();
+        queryParams.put("id", id);
+
+        // The query is simulated to have returned a result (i.e. there is no a car with ID "2")
+        ResultSet mockResultSet = mock(ResultSet.class);
+        when(mockResultSet.next()).thenReturn(false);
+
+        // return rse.extractData(mockResultSet); indicates that the ResultSetExtractor extracts the
+        // data from the mockResultSet (which mocks the query result)
+        when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class)))
+                .thenAnswer(
+                        invocation -> {
+                            ResultSetExtractor<ResponseEntity<String>> rse =
+                                    invocation.getArgument(1);
+                            return rse.extractData(mockResultSet);
+                        });
+
+        // Act
+        ResponseEntity<String> response =
+                blindSQLInjectionVulnerability.getCarInformationLevel1(queryParams);
+
+        // Assert
+        assertEquals(HttpStatus.OK, response.getStatusCode());
+        assertEquals(
+                ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE,
+                response.getBody());
+    }
+
+    @Test
+    public void testGetCarInformationLevel2_CarPresent() throws SQLException {
+        // Arrange
+        String id = "1";
+        Map<String, String> queryParams = new HashMap<>();
+        queryParams.put("id", id);
+
+        // Mock the ResultSet behavior
+        ResultSet mockResultSet = mock(ResultSet.class);
+        when(mockResultSet.next()).thenReturn(true);
+
+        // Mock the query method of JdbcTemplate
+        when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class)))
+                .thenAnswer(
+                        invocation -> {
+                            ResultSetExtractor<ResponseEntity<String>> rse =
+                                    invocation.getArgument(1);
+                            return rse.extractData(mockResultSet);
+                        });
+
+        // Act
+        ResponseEntity<String> response =
+                blindSQLInjectionVulnerability.getCarInformationLevel2(queryParams);
+
+        // Assert
+        assertEquals(HttpStatus.OK, response.getStatusCode());
+        assertEquals("{ \"isCarPresent\": true}", response.getBody());
+    }
+
+    @Test
+    public void testGetCarInformationLevel2_CarNotPresent() throws SQLException {
+        // Arrange
+        String id = "2";
+        Map<String, String> queryParams = new HashMap<>();
+        queryParams.put("id", id);
+
+        // Mock the ResultSet behavior
+        ResultSet mockResultSet = mock(ResultSet.class);
+        when(mockResultSet.next()).thenReturn(false);
+
+        // Mock the query method of JdbcTemplate
+        when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class)))
+                .thenAnswer(
+                        invocation -> {
+                            ResultSetExtractor<ResponseEntity<String>> rse =
+                                    invocation.getArgument(1);
+                            return rse.extractData(mockResultSet);
+                        });
+
+        // Act
+        ResponseEntity<String> response =
+                blindSQLInjectionVulnerability.getCarInformationLevel2(queryParams);
+
+        // Assert
+        assertEquals(HttpStatus.OK, response.getStatusCode());
+        assertEquals(
+                ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE,
+                response.getBody());
+    }
+
+    @Test
+    public void testGetCarInformationLevel3_CarPresent() throws SQLException {
+        // Arrange
+        String id = "1";
+        Map<String, String> queryParams = new HashMap<>();
+        queryParams.put("id", id);
+
+        // Mock the ResultSet behavior
+        ResultSet mockResultSet = mock(ResultSet.class);
+        when(mockResultSet.next()).thenReturn(true);
+
+        // Mock the query method of JdbcTemplate
+        when(jdbcTemplate.query(
+                        (PreparedStatementCreator) any(), any(), any(ResultSetExtractor.class)))
+                .thenAnswer(
+                        invocation -> {
+                            ResultSetExtractor<ResponseEntity<String>> rse =
+                                    invocation.getArgument(2);
+                            return rse.extractData(mockResultSet);
+                        });
+
+        // Act
+        ResponseEntity<String> response =
+                blindSQLInjectionVulnerability.getCarInformationLevel3(queryParams);
+
+        // Assert
+        assertEquals(HttpStatus.OK, response.getStatusCode());
+        assertEquals("{ \"isCarPresent\": true}", response.getBody());
+    }
+
+    @Test
+    public void testGetCarInformationLevel3_CarNotPresent() throws SQLException {
+        // Arrange
+        String id = "2";
+        Map<String, String> queryParams = new HashMap<>();
+        queryParams.put("id", id);
+
+        // Mock the ResultSet behavior
+        ResultSet mockResultSet = mock(ResultSet.class);
+        when(mockResultSet.next()).thenReturn(false);
+
+        // Mock the query method of JdbcTemplate
+        when(jdbcTemplate.query(
+                        (PreparedStatementCreator) any(), any(), any(ResultSetExtractor.class)))
+                .thenAnswer(
+                        invocation -> {
+                            ResultSetExtractor<ResponseEntity<String>> rse =
+                                    invocation.getArgument(2);
+                            return rse.extractData(mockResultSet);
+                        });
+
+        // Act
+        ResponseEntity<String> response =
+                blindSQLInjectionVulnerability.getCarInformationLevel3(queryParams);
+
+        // Assert
+        assertEquals(HttpStatus.OK, response.getStatusCode());
+        assertEquals(
+                ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE,
+                response.getBody());
+    }
+}