Added tests for the UnionBasedSQLInjction

Added some tests and also cleaned up the controller a little bit by extracting result handling code to helper function.
SasanLabs · Sep 12, 2023 · d3b8f30 · d3b8f30
1 parent e436278
commit d3b8f30
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 53 deletions.
diff --git a/...org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java b/...org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java
@@ -1,5 +1,7 @@
 package org.sasanlabs.service.vulnerability.sqlInjection;
 
+import java.sql.ResultSet;
+import java.sql.SQLException;
 import java.util.Map;
 import org.sasanlabs.internal.utility.LevelConstants;
 import org.sasanlabs.internal.utility.Variant;
@@ -25,10 +27,10 @@
         value = "UnionBasedSQLInjectionVulnerability")
 public class UnionBasedSQLInjectionVulnerability {
 
-    private JdbcTemplate applicationJdbcTemplate;
+    private final JdbcTemplate applicationJdbcTemplate;
 
     public UnionBasedSQLInjectionVulnerability(
-            @Qualifier("applicationJdbcTemplate") JdbcTemplate applicationJdbcTemplate) {
+            @Qualifier("applicationJdbcTemplate") final JdbcTemplate applicationJdbcTemplate) {
         this.applicationJdbcTemplate = applicationJdbcTemplate;
     }
 
@@ -40,19 +42,11 @@ public UnionBasedSQLInjectionVulnerability(
             value = LevelConstants.LEVEL_1,
             htmlTemplate = "LEVEL_1/SQLInjection_Level1")
     public ResponseEntity<CarInformation> getCarInformationLevel1(
-            @RequestParam Map<String, String> queryParams) {
-        String id = queryParams.get("id");
+            @RequestParam final Map<String, String> queryParams) {
+        final String id = queryParams.get("id");
         return applicationJdbcTemplate.query(
                 "select * from cars where id=" + id,
-                (rs) -> {
-                    CarInformation carInformation = new CarInformation();
-                    if (rs.next()) {
-                        carInformation.setId(rs.getInt(1));
-                        carInformation.setName(rs.getString(2));
-                        carInformation.setImagePath(rs.getString(3));
-                    }
-                    return new ResponseEntity<CarInformation>(carInformation, HttpStatus.OK);
-                });
+                this::resultSetToResponse);
     }
 
     @AttackVector(
@@ -64,19 +58,11 @@ public ResponseEntity<CarInformation> getCarInformationLevel1(
             value = LevelConstants.LEVEL_2,
             htmlTemplate = "LEVEL_1/SQLInjection_Level1")
     public ResponseEntity<CarInformation> getCarInformationLevel2(
-            @RequestParam Map<String, String> queryParams) {
-        String id = queryParams.get("id");
-        CarInformation carInformation = new CarInformation();
+            @RequestParam final Map<String, String> queryParams) {
+        final String id = queryParams.get("id");
         return applicationJdbcTemplate.query(
                 "select * from cars where id='" + id + "'",
-                (rs) -> {
-                    if (rs.next()) {
-                        carInformation.setId(rs.getInt(1));
-                        carInformation.setName(rs.getString(2));
-                        carInformation.setImagePath(rs.getString(3));
-                    }
-                    return new ResponseEntity<CarInformation>(carInformation, HttpStatus.OK);
-                });
+                this::resultSetToResponse);
     }
 
     @AttackVector(
@@ -88,42 +74,34 @@ public ResponseEntity<CarInformation> getCarInformationLevel2(
             variant = Variant.SECURE,
             htmlTemplate = "LEVEL_1/SQLInjection_Level1")
     public ResponseEntity<CarInformation> getCarInformationLevel3(
-            @RequestParam Map<String, String> queryParams) {
-        String id = queryParams.get("id").replaceAll("'", "");
+            @RequestParam final Map<String, String> queryParams) {
+        final String id = queryParams.get("id").replaceAll("'", "");
         return applicationJdbcTemplate.query(
                 "select * from cars where id='" + id + "'",
-                (rs) -> {
-                    CarInformation carInformation = new CarInformation();
-                    if (rs.next()) {
-                        carInformation.setId(rs.getInt(1));
-                        carInformation.setName(rs.getString(2));
-                        carInformation.setImagePath(rs.getString(3));
-                    }
-                    return new ResponseEntity<CarInformation>(carInformation, HttpStatus.OK);
-                });
+                this::resultSetToResponse);
     }
 
     @VulnerableAppRequestMapping(
             value = LevelConstants.LEVEL_4,
             variant = Variant.SECURE,
             htmlTemplate = "LEVEL_1/SQLInjection_Level1")
     public ResponseEntity<CarInformation> getCarInformationLevel4(
-            @RequestParam Map<String, String> queryParams) {
-        String id = queryParams.get("id");
+            @RequestParam final Map<String, String> queryParams) {
+        final String id = queryParams.get("id");
 
         return applicationJdbcTemplate.query(
                 "select * from cars where id=?",
-                (prepareStatement) -> {
-                    prepareStatement.setString(1, id);
-                },
-                (rs) -> {
-                    CarInformation carInformation = new CarInformation();
-                    if (rs.next()) {
-                        carInformation.setId(rs.getInt(1));
-                        carInformation.setName(rs.getString(2));
-                        carInformation.setImagePath(rs.getString(3));
-                    }
-                    return new ResponseEntity<CarInformation>(carInformation, HttpStatus.OK);
-                });
+                prepareStatement -> prepareStatement.setString(1, id),
+                this::resultSetToResponse);
+    }
+
+    private ResponseEntity<CarInformation> resultSetToResponse(final ResultSet rs) throws SQLException {
+        final CarInformation carInformation = new CarInformation();
+        if (rs.next()) {
+            carInformation.setId(rs.getInt(1));
+            carInformation.setName(rs.getString(2));
+            carInformation.setImagePath(rs.getString(3));
+        }
+        return new ResponseEntity<>(carInformation, HttpStatus.OK);
     }
 }
diff --git a/...sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerabilityTest.java b/...sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerabilityTest.java
@@ -5,6 +5,7 @@
 import org.junit.jupiter.api.Test;
 import org.mockito.Mockito;
 import org.springframework.jdbc.core.JdbcTemplate;
+import org.springframework.jdbc.core.PreparedStatementSetter;
 import org.springframework.jdbc.core.ResultSetExtractor;
 
 import java.io.IOException;
@@ -14,7 +15,7 @@
 import static org.mockito.ArgumentMatchers.*;
 import static org.mockito.Mockito.*;
 
-public class UnionBasedSQLInjectionVulnerabilityTest {
+class UnionBasedSQLInjectionVulnerabilityTest {
 
     private UnionBasedSQLInjectionVulnerability unionBasedSQLInjectionVulnerability;
     private JdbcTemplate template;
@@ -31,9 +32,9 @@ void setUp() throws IOException {
     }
 
     @Test
-    public void getCarInformationLevel1_ExpectParamInjected() throws IOException {
+    void getCarInformationLevel1_ExpectParamInjected() throws IOException {
         // Act
-        Map<String, String> params = new HashMap();
+        final Map<String, String> params = new HashMap<>();
         params.put("id", "1 UNION SELECT * FROM cars;");
         unionBasedSQLInjectionVulnerability.getCarInformationLevel1(params);
 
@@ -42,7 +43,7 @@ public void getCarInformationLevel1_ExpectParamInjected() throws IOException {
     }
 
     @Test
-    public void getCarInformationLevel2_ExpectParamInjected() throws IOException {
+    void getCarInformationLevel2_ExpectParamInjected() throws IOException {
         // Act
         Map<String, String> params = new HashMap();
         params.put("id", "1' UNION SELECT * FROM cars; --");
@@ -52,6 +53,39 @@ public void getCarInformationLevel2_ExpectParamInjected() throws IOException {
         verify(template).query(eq("select * from cars where id='1' UNION SELECT * FROM cars; --'"), (ResultSetExtractor<? extends Object>) any());
     }
 
+    @Test
+    void getCarInformationLevel3_ExpectParamEscaped() throws IOException {
+        // Act
+        Map<String, String> params = new HashMap();
+        params.put("id", "1' UNION SELECT * FROM cars; --");
+        unionBasedSQLInjectionVulnerability.getCarInformationLevel3(params);
+
+        // Assert
+        verify(template).query(eq("select * from cars where id='1 UNION SELECT * FROM cars; --'"), (ResultSetExtractor<? extends Object>) any());
+
+    }
+
+    @Test
+    void getCarInformationLevel4_ExpectParamEscaped() throws IOException {
+        // Setup
+        template = Mockito.spy(new JdbcTemplate());
+        PreparedStatementSetter setter = (ps) -> {};
+        doReturn(null)
+                .when(template)
+                .query(anyString(), (PreparedStatementSetter) any(), (ResultSetExtractor<? extends Object>) any());
+
+        unionBasedSQLInjectionVulnerability = Mockito.spy(new UnionBasedSQLInjectionVulnerability(template));
+
+        // Act
+        Map<String, String> params = new HashMap();
+        params.put("id", "1' UNION SELECT * FROM cars; --");
+        unionBasedSQLInjectionVulnerability.getCarInformationLevel4(params);
+
+        // Assert
+        verify(template).query(eq("select * from cars where id=?"), (PreparedStatementSetter) any(), (ResultSetExtractor<? extends Object>) any());
+
+    }
+
 //    private JdbcTemplate applicationJdbcTemplate;
 //
 //    public UnionBasedSQLInjectionVulnerabilityTest(