From 93ac7c61f56f33a0e1e83f88b72e6c91d2d10497 Mon Sep 17 00:00:00 2001
From: Imer Coaguila <52182312+imertetsu@users.noreply.github.com>
Date: Sat, 9 Nov 2024 21:02:51 -0400
Subject: [PATCH] Add unit tests for Blind SQL Injection Vulnerability levels
 1, 2, and 3 (#474)

* Add unit tests for BlindSQLInjectionVulnerability Level 1

* Add unit tests for BlindSQLInjectionVulnerability Level 2

* Add unit tests for BlindSQLInjectionVulnerability Level 3
---
 .../BlindSQLInjectionVulnerabilityTest.java   | 215 ++++++++++++++++++
 1 file changed, 215 insertions(+)
 create mode 100644 src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerabilityTest.java

diff --git a/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerabilityTest.java b/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerabilityTest.java
new file mode 100644
index 00000000..5883c6af
--- /dev/null
+++ b/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerabilityTest.java
@@ -0,0 +1,215 @@
+package org.sasanlabs.service.vulnerability.sqlInjection;
+
+import static org.junit.jupiter.api.Assertions.*;
+import static org.mockito.Mockito.*;
+
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.util.HashMap;
+import java.util.Map;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.MockitoAnnotations;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.jdbc.core.JdbcTemplate;
+import org.springframework.jdbc.core.PreparedStatementCreator;
+import org.springframework.jdbc.core.ResultSetExtractor;
+
+public class BlindSQLInjectionVulnerabilityTest {
+
+    @Mock private JdbcTemplate jdbcTemplate;
+
+    @InjectMocks private BlindSQLInjectionVulnerability blindSQLInjectionVulnerability;
+
+    @BeforeEach
+    public void setUp() {
+        MockitoAnnotations.openMocks(this);
+    }
+
+    @Test
+    public void testGetCarInformationLevel1_CarPresent() throws SQLException {
+        // Arrange
+        String id = "1";
+        Map<String, String> queryParams = new HashMap<>();
+        queryParams.put("id", id);
+
+        // The query is simulated to have returned a result (i.e. there is a car with ID "1")
+        ResultSet mockResultSet = mock(ResultSet.class);
+        when(mockResultSet.next()).thenReturn(true);
+
+        // return rse.extractData(mockResultSet); indicates that the ResultSetExtractor extracts the
+        // data from the mockResultSet (which mocks the query result)
+        when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class)))
+                .thenAnswer(
+                        invocation -> {
+                            ResultSetExtractor<ResponseEntity<String>> rse =
+                                    invocation.getArgument(1);
+                            return rse.extractData(mockResultSet);
+                        });
+
+        // Act
+        ResponseEntity<String> response =
+                blindSQLInjectionVulnerability.getCarInformationLevel1(queryParams);
+
+        // Assert
+        assertEquals(HttpStatus.OK, response.getStatusCode());
+        assertEquals("{ \"isCarPresent\": true}", response.getBody());
+    }
+
+    @Test
+    public void testGetCarInformationLevel1_CarNotPresent() throws SQLException {
+        // Arrange
+        String id = "2";
+        Map<String, String> queryParams = new HashMap<>();
+        queryParams.put("id", id);
+
+        // The query is simulated to have returned a result (i.e. there is no a car with ID "2")
+        ResultSet mockResultSet = mock(ResultSet.class);
+        when(mockResultSet.next()).thenReturn(false);
+
+        // return rse.extractData(mockResultSet); indicates that the ResultSetExtractor extracts the
+        // data from the mockResultSet (which mocks the query result)
+        when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class)))
+                .thenAnswer(
+                        invocation -> {
+                            ResultSetExtractor<ResponseEntity<String>> rse =
+                                    invocation.getArgument(1);
+                            return rse.extractData(mockResultSet);
+                        });
+
+        // Act
+        ResponseEntity<String> response =
+                blindSQLInjectionVulnerability.getCarInformationLevel1(queryParams);
+
+        // Assert
+        assertEquals(HttpStatus.OK, response.getStatusCode());
+        assertEquals(
+                ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE,
+                response.getBody());
+    }
+
+    @Test
+    public void testGetCarInformationLevel2_CarPresent() throws SQLException {
+        // Arrange
+        String id = "1";
+        Map<String, String> queryParams = new HashMap<>();
+        queryParams.put("id", id);
+
+        // Mock the ResultSet behavior
+        ResultSet mockResultSet = mock(ResultSet.class);
+        when(mockResultSet.next()).thenReturn(true);
+
+        // Mock the query method of JdbcTemplate
+        when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class)))
+                .thenAnswer(
+                        invocation -> {
+                            ResultSetExtractor<ResponseEntity<String>> rse =
+                                    invocation.getArgument(1);
+                            return rse.extractData(mockResultSet);
+                        });
+
+        // Act
+        ResponseEntity<String> response =
+                blindSQLInjectionVulnerability.getCarInformationLevel2(queryParams);
+
+        // Assert
+        assertEquals(HttpStatus.OK, response.getStatusCode());
+        assertEquals("{ \"isCarPresent\": true}", response.getBody());
+    }
+
+    @Test
+    public void testGetCarInformationLevel2_CarNotPresent() throws SQLException {
+        // Arrange
+        String id = "2";
+        Map<String, String> queryParams = new HashMap<>();
+        queryParams.put("id", id);
+
+        // Mock the ResultSet behavior
+        ResultSet mockResultSet = mock(ResultSet.class);
+        when(mockResultSet.next()).thenReturn(false);
+
+        // Mock the query method of JdbcTemplate
+        when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class)))
+                .thenAnswer(
+                        invocation -> {
+                            ResultSetExtractor<ResponseEntity<String>> rse =
+                                    invocation.getArgument(1);
+                            return rse.extractData(mockResultSet);
+                        });
+
+        // Act
+        ResponseEntity<String> response =
+                blindSQLInjectionVulnerability.getCarInformationLevel2(queryParams);
+
+        // Assert
+        assertEquals(HttpStatus.OK, response.getStatusCode());
+        assertEquals(
+                ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE,
+                response.getBody());
+    }
+
+    @Test
+    public void testGetCarInformationLevel3_CarPresent() throws SQLException {
+        // Arrange
+        String id = "1";
+        Map<String, String> queryParams = new HashMap<>();
+        queryParams.put("id", id);
+
+        // Mock the ResultSet behavior
+        ResultSet mockResultSet = mock(ResultSet.class);
+        when(mockResultSet.next()).thenReturn(true);
+
+        // Mock the query method of JdbcTemplate
+        when(jdbcTemplate.query(
+                        (PreparedStatementCreator) any(), any(), any(ResultSetExtractor.class)))
+                .thenAnswer(
+                        invocation -> {
+                            ResultSetExtractor<ResponseEntity<String>> rse =
+                                    invocation.getArgument(2);
+                            return rse.extractData(mockResultSet);
+                        });
+
+        // Act
+        ResponseEntity<String> response =
+                blindSQLInjectionVulnerability.getCarInformationLevel3(queryParams);
+
+        // Assert
+        assertEquals(HttpStatus.OK, response.getStatusCode());
+        assertEquals("{ \"isCarPresent\": true}", response.getBody());
+    }
+
+    @Test
+    public void testGetCarInformationLevel3_CarNotPresent() throws SQLException {
+        // Arrange
+        String id = "2";
+        Map<String, String> queryParams = new HashMap<>();
+        queryParams.put("id", id);
+
+        // Mock the ResultSet behavior
+        ResultSet mockResultSet = mock(ResultSet.class);
+        when(mockResultSet.next()).thenReturn(false);
+
+        // Mock the query method of JdbcTemplate
+        when(jdbcTemplate.query(
+                        (PreparedStatementCreator) any(), any(), any(ResultSetExtractor.class)))
+                .thenAnswer(
+                        invocation -> {
+                            ResultSetExtractor<ResponseEntity<String>> rse =
+                                    invocation.getArgument(2);
+                            return rse.extractData(mockResultSet);
+                        });
+
+        // Act
+        ResponseEntity<String> response =
+                blindSQLInjectionVulnerability.getCarInformationLevel3(queryParams);
+
+        // Assert
+        assertEquals(HttpStatus.OK, response.getStatusCode());
+        assertEquals(
+                ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE,
+                response.getBody());
+    }
+}