From 4c2d6a6c22cc79952f08e2d132d507d00ae5e8d1 Mon Sep 17 00:00:00 2001 From: "philipp.delmonego" Date: Thu, 2 Nov 2023 14:28:21 +0100 Subject: [PATCH 1/4] Add secured implementations for Union SQL Injection --- .../sqlInjection/CarInformation.java | 12 +++ .../CarInformationRepository.java | 10 +++ .../UnionBasedSQLInjectionVulnerability.java | 87 ++++++++++++++++++- ...ionBasedSQLInjectionVulnerabilityTest.java | 2 +- 4 files changed, 109 insertions(+), 2 deletions(-) create mode 100644 src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/CarInformationRepository.java diff --git a/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/CarInformation.java b/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/CarInformation.java index 98de8e70..3c6fb647 100644 --- a/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/CarInformation.java +++ b/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/CarInformation.java @@ -1,9 +1,21 @@ package org.sasanlabs.service.vulnerability.sqlInjection; +import javax.persistence.*; + + /** @author preetkaran20@gmail.com KSASAN */ +@Access(AccessType.FIELD) +@Entity +@Table(name = "cars") +@NamedQuery( name="findById", query = "select c from CarInformation c where c.id=:id") public class CarInformation { + + @Id + @GeneratedValue(strategy = GenerationType.IDENTITY) private int id; private String name; + + @Column(name = "IMAGE") private String imagePath; public CarInformation() {} diff --git a/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/CarInformationRepository.java b/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/CarInformationRepository.java new file mode 100644 index 00000000..b4153ed0 --- /dev/null +++ b/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/CarInformationRepository.java 
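Review bot: `import javax.persistence.*;` is a wildcard import in a file that otherwise imports explicitly; list the annotations actually used (`Access`, `AccessType`, `Entity`, `Table`, `NamedQuery`, `Id`, `GeneratedValue`, `GenerationType`, `Column`) so the entity's dependency surface is visible at the top of the file. The `@NamedQuery` body binds `:id` as a named parameter, which is what keeps the level-8 lookup parameterized, so a one-line comment on it such as `// :id is always bound via setParameter, never concatenated` would protect the query string from a careless later edit. This entity is also returned directly as the HTTP response body by the new levels, so any field added here later is exposed to the client unless it is excluded from serialization.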
@@ -0,0 +1,10 @@ +package org.sasanlabs.service.vulnerability.sqlInjection; + +import org.springframework.data.jpa.repository.JpaRepository; + +import java.util.Optional; + +public interface CarInformationRepository extends JpaRepository { + + Optional findById(Integer id); +} diff --git a/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java b/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java index b755b2c5..3f4e6268 100644 --- a/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java +++ b/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java @@ -3,6 +3,8 @@ import java.sql.ResultSet; import java.sql.SQLException; import java.util.Map; +import java.util.Optional; + import org.sasanlabs.internal.utility.LevelConstants; import org.sasanlabs.internal.utility.Variant; import org.sasanlabs.internal.utility.annotations.AttackVector; @@ -13,8 +15,17 @@ import org.springframework.http.HttpStatus; import org.springframework.http.ResponseEntity; import org.springframework.jdbc.core.JdbcTemplate; +import org.springframework.jdbc.core.namedparam.MapSqlParameterSource; +import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate; +import org.springframework.jdbc.core.namedparam.SqlParameterSource; import org.springframework.web.bind.annotation.RequestParam; +import javax.persistence.EntityManager; +import javax.persistence.TypedQuery; +import javax.persistence.criteria.CriteriaBuilder; +import javax.persistence.criteria.CriteriaQuery; +import javax.persistence.criteria.Root; + /** * Union Based SQL Injection is another dangerous way to extract data from the database by combining * results of multiple queries. This is the second way which is generally tried by the hackers after 
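Review bot: `Optional findById(Integer id);` in the new CarInformationRepository redeclares a method that `JpaRepository` already inherits from `CrudRepository` with the same signature (the type arguments appear to have been stripped in this rendering, so I assume `JpaRepository<CarInformation, Integer>`); the redeclaration is redundant and can be dropped, leaving an empty interface body. If it is kept for readability, a Javadoc line such as `/** Looks up a car by primary key; empty when no row matches. */` would say why it is spelled out.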
@@ -28,10 +39,16 @@ public class UnionBasedSQLInjectionVulnerability { private final JdbcTemplate applicationJdbcTemplate; + private final NamedParameterJdbcTemplate namedParameterJdbcTemplate; + private final CarInformationRepository carInformationRepository; + private final EntityManager em; public UnionBasedSQLInjectionVulnerability( - @Qualifier("applicationJdbcTemplate") final JdbcTemplate applicationJdbcTemplate) { + @Qualifier("applicationJdbcTemplate") final JdbcTemplate applicationJdbcTemplate, NamedParameterJdbcTemplate namedParameterJdbcTemplate, CarInformationRepository carInformationRepository, EntityManager em) { this.applicationJdbcTemplate = applicationJdbcTemplate; + this.namedParameterJdbcTemplate = namedParameterJdbcTemplate; + this.carInformationRepository = carInformationRepository; + this.em = em; } @AttackVector( 
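Review bot: In the widened constructor only `applicationJdbcTemplate` is declared `final`; the three new parameters should be too for consistency with the existing one, e.g. `final NamedParameterJdbcTemplate namedParameterJdbcTemplate, final CarInformationRepository carInformationRepository, final EntityManager em`. A short Javadoc on the constructor naming which level uses which collaborator (NamedParameterJdbcTemplate for level 5, EntityManager for 6–8, the repository for 9, and presumably the plain JdbcTemplate for the existing 1–4) would make the fan-out easier to follow.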
@@ -92,6 +109,74 @@ public ResponseEntity getCarInformationLevel4( this::resultSetToResponse); } + @VulnerableAppRequestMapping( + value = LevelConstants.LEVEL_5, + variant = Variant.SECURE, + htmlTemplate = "LEVEL_1/SQLInjection_Level1") + public ResponseEntity getCarInformationLevel5( + @RequestParam final Map queryParams) { + final String id = queryParams.get("id"); + SqlParameterSource namedParameters = new MapSqlParameterSource().addValue("id", id); + CarInformation s = namedParameterJdbcTemplate.queryForObject( + "select * from cars where id=:id", namedParameters, CarInformation.class); + return new ResponseEntity<>(s, HttpStatus.OK); + } + + + @VulnerableAppRequestMapping( + value = LevelConstants.LEVEL_6, + variant = Variant.SECURE, + htmlTemplate = "LEVEL_1/SQLInjection_Level1") + public ResponseEntity getCarInformationLevel6( + @RequestParam final Map queryParams) { + final String id = queryParams.get("id"); + String jql = "from CarInformation where id = :id"; + TypedQuery q = em.createQuery(jql, CarInformation.class) + .setParameter("id", Integer.valueOf(id)); + return new ResponseEntity<>(q.getSingleResult(), HttpStatus.OK); + } + + @VulnerableAppRequestMapping( + value = LevelConstants.LEVEL_7, + variant = Variant.SECURE, + htmlTemplate = "LEVEL_1/SQLInjection_Level1") + public ResponseEntity getCarInformationLevel7( + @RequestParam final Map queryParams) { + final String id = queryParams.get("id"); + + CriteriaBuilder cb = em.getCriteriaBuilder(); + CriteriaQuery cq = cb.createQuery(CarInformation.class); + Root root = cq.from(CarInformation.class); + + cq.select(root).where(cb.equal(root.get("id"), id)); + + TypedQuery q = em.createQuery(cq); + return new ResponseEntity<>(q.getSingleResult(), HttpStatus.OK); + } + + @VulnerableAppRequestMapping( + value = LevelConstants.LEVEL_8, + variant = Variant.SECURE, + htmlTemplate = "LEVEL_1/SQLInjection_Level1") + public ResponseEntity getCarInformationLevel8( + @RequestParam final Map queryParams) { + final 
String id = queryParams.get("id"); + TypedQuery q = em.createNamedQuery("findById", CarInformation.class) + .setParameter("id", Integer.valueOf(id)); + return new ResponseEntity<>(q.getSingleResult(), HttpStatus.OK); + } + + @VulnerableAppRequestMapping( + value = LevelConstants.LEVEL_9, + variant = Variant.SECURE, + htmlTemplate = "LEVEL_1/SQLInjection_Level1") + public ResponseEntity getCarInformationLevel9( + @RequestParam final Map queryParams) { + final String id = queryParams.get("id"); + Optional carInformation = carInformationRepository.findById(Integer.valueOf(id)); + return carInformation.map(information -> new ResponseEntity<>(information, HttpStatus.OK)).orElseGet(() -> new ResponseEntity<>(HttpStatus.NOT_FOUND)); + } + private ResponseEntity resultSetToResponse(final ResultSet rs) throws SQLException { final CarInformation carInformation = new CarInformation(); diff --git a/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerabilityTest.java b/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerabilityTest.java index 5d73d7a9..bd55a6c6 100644 --- a/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerabilityTest.java +++ b/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerabilityTest.java @@ -36,7 +36,7 @@ void setUp() throws IOException { (PreparedStatementSetter) any(), (ResultSetExtractor) any()); - unionBasedSQLInjectionVulnerability = new UnionBasedSQLInjectionVulnerability(template); + unionBasedSQLInjectionVulnerability = new UnionBasedSQLInjectionVulnerability(template, namedParameterJdbcTemplate); } @Test From 792f46fe02e4ec8e175971054f369917e327c0b9 Mon Sep 17 00:00:00 2001 
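Review bot: Levels 6, 8 and 9 call `Integer.valueOf(id)` on the raw `id` request parameter, so a missing or non-numeric value throws NumberFormatException out of the handler, while levels 5 and 7 pass the String straight into the query (level 7 compares the `int` attribute with a String in `cb.equal(root.get("id"), id)`, which the JPA provider may reject or coerce). Missing rows are handled differently too: level 9 maps an empty Optional to 404, but `queryForObject` in level 5 and `getSingleResult()` in 6–8 throw when no row matches. All five endpoints bind the value as a parameter rather than concatenating it, so the injection property holds; what is left is consistent input validation and not-found handling. Parsing the id once in a private helper and using it in every level gives a single place for that, sketched below for level 9 (type arguments are my assumption, since the rendering stripped them). The enclosing class continues outside the hunk.
```java
/** Parses the "id" request parameter; absent or non-numeric values yield empty. */
private Optional<Integer> parseId(final Map<String, String> queryParams) {
    try {
        return Optional.of(Integer.valueOf(queryParams.get("id")));
    } catch (NumberFormatException e) {
        return Optional.empty();
    }
}

// … unchanged: levels 5–8, each using parseId(queryParams) the same way …

public ResponseEntity<CarInformation> getCarInformationLevel9(
        @RequestParam final Map<String, String> queryParams) {
    return parseId(queryParams)
            .flatMap(carInformationRepository::findById)
            .map(information -> new ResponseEntity<>(information, HttpStatus.OK))
            .orElseGet(() -> new ResponseEntity<>(HttpStatus.NOT_FOUND));
}
```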
From: Sebastian Klawin Date: Thu, 2 Nov 2023 15:09:19 +0100 Subject: [PATCH 2/4] fixes Typos, renames entityManager and implements getCarInformationLevel5-test --- .../UnionBasedSQLInjectionVulnerability.java | 14 +++--- ...ionBasedSQLInjectionVulnerabilityTest.java | 46 +++++++++++++++---- 2 files changed, 43 insertions(+), 17 deletions(-) diff --git a/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java b/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java index 3f4e6268..92fa9aa1 100644 --- a/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java +++ b/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java @@ -41,14 +41,14 @@ public class UnionBasedSQLInjectionVulnerability { private final JdbcTemplate applicationJdbcTemplate; private final NamedParameterJdbcTemplate namedParameterJdbcTemplate; private final CarInformationRepository carInformationRepository; - private final EntityManager em; + private final EntityManager entityManager; public UnionBasedSQLInjectionVulnerability( - @Qualifier("applicationJdbcTemplate") final JdbcTemplate applicationJdbcTemplate, NamedParameterJdbcTemplate namedParameterJdbcTemplate, CarInformationRepository carInformationRepository, EntityManager em) { + @Qualifier("applicationJdbcTemplate") final JdbcTemplate applicationJdbcTemplate, NamedParameterJdbcTemplate namedParameterJdbcTemplate, CarInformationRepository carInformationRepository, EntityManager entityManager) { this.applicationJdbcTemplate = applicationJdbcTemplate; this.namedParameterJdbcTemplate = namedParameterJdbcTemplate; this.carInformationRepository = carInformationRepository; - this.em = em; + this.entityManager = entityManager; } @AttackVector( 
@@ -131,7 +131,7 @@ public ResponseEntity getCarInformationLevel6( @RequestParam final Map queryParams) { final String id = queryParams.get("id"); String jql = "from CarInformation where id = :id"; - TypedQuery q = em.createQuery(jql, CarInformation.class) + TypedQuery q = entityManager.createQuery(jql, CarInformation.class) .setParameter("id", Integer.valueOf(id)); return new ResponseEntity<>(q.getSingleResult(), HttpStatus.OK); } @@ -144,13 +144,13 @@ public ResponseEntity getCarInformationLevel7( @RequestParam final Map queryParams) { final String id = queryParams.get("id"); - CriteriaBuilder cb = em.getCriteriaBuilder(); + CriteriaBuilder cb = entityManager.getCriteriaBuilder(); CriteriaQuery cq = cb.createQuery(CarInformation.class); Root root = cq.from(CarInformation.class); cq.select(root).where(cb.equal(root.get("id"), id)); - TypedQuery q = em.createQuery(cq); + TypedQuery q = entityManager.createQuery(cq); return new ResponseEntity<>(q.getSingleResult(), HttpStatus.OK); } @@ -161,7 +161,7 @@ public ResponseEntity getCarInformationLevel7( public ResponseEntity getCarInformationLevel8( @RequestParam final Map queryParams) { final String id = queryParams.get("id"); - TypedQuery q = em.createNamedQuery("findById", CarInformation.class) + TypedQuery q = entityManager.createNamedQuery("findById", CarInformation.class) .setParameter("id", Integer.valueOf(id)); return new ResponseEntity<>(q.getSingleResult(), HttpStatus.OK); } diff --git a/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerabilityTest.java b/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerabilityTest.java index bd55a6c6..e2731a0a 100644 --- a/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerabilityTest.java +++ b/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerabilityTest.java 
@@ -1,29 +1,39 @@ package org.sasanlabs.service.vulnerability.sqlInjection; -import static org.mockito.ArgumentMatchers.any; -import static org.mockito.ArgumentMatchers.anyString; -import static org.mockito.ArgumentMatchers.eq; +import static org.mockito.ArgumentMatchers.*; import static org.mockito.Mockito.doReturn; import static org.mockito.Mockito.verify; -import java.io.IOException; import java.util.Collections; import java.util.Map; +import java.util.Objects; + import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; +import org.mockito.ArgumentMatcher; import org.mockito.Mockito; import org.springframework.jdbc.core.JdbcTemplate; import org.springframework.jdbc.core.PreparedStatementSetter; import org.springframework.jdbc.core.ResultSetExtractor; +import org.springframework.jdbc.core.namedparam.MapSqlParameterSource; +import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate; + +import javax.persistence.EntityManager; class UnionBasedSQLInjectionVulnerabilityTest { private UnionBasedSQLInjectionVulnerability unionBasedSQLInjectionVulnerability; private JdbcTemplate template; + private NamedParameterJdbcTemplate namedParameterJdbcTemplate; + private CarInformationRepository carInformationRepository; + private EntityManager entityManager; @BeforeEach - void setUp() throws IOException { + void setUp() { template = Mockito.mock(JdbcTemplate.class); + namedParameterJdbcTemplate = Mockito.mock(NamedParameterJdbcTemplate.class); + carInformationRepository = Mockito.mock(CarInformationRepository.class); + entityManager = Mockito.mock(EntityManager.class); // mock database doReturn(null) 
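Review bot: `import static org.mockito.ArgumentMatchers.*;` replaces three explicit static imports with a wildcard; keep the explicit form and add only the matcher the new test needs, e.g. `import static org.mockito.ArgumentMatchers.argThat;` alongside `any`, `anyString` and `eq` (dropping whichever of the old three no longer has a caller). The rest of the hunk, the extra mocks in setUp, reads fine.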
@@ -36,11 +46,11 @@ void setUp() throws IOException { (PreparedStatementSetter) any(), (ResultSetExtractor) any()); - unionBasedSQLInjectionVulnerability = new UnionBasedSQLInjectionVulnerability(template, namedParameterJdbcTemplate); + unionBasedSQLInjectionVulnerability = new UnionBasedSQLInjectionVulnerability(template, namedParameterJdbcTemplate, carInformationRepository, entityManager); } @Test - void getCarInformationLevel1_ExpectParamInjected() throws IOException { + void getCarInformationLevel1_ExpectParamInjected() { // Act final Map params = Collections.singletonMap("id", "1 UNION SELECT * FROM cars;"); @@ -54,7 +64,7 @@ void getCarInformationLevel1_ExpectParamInjected() throws IOException { } @Test - void getCarInformationLevel2_ExpectParamInjected() throws IOException { + void getCarInformationLevel2_ExpectParamInjected() { // Act final Map params = Collections.singletonMap("id", "1' UNION SELECT * FROM cars; --"); @@ -68,7 +78,7 @@ void getCarInformationLevel2_ExpectParamInjected() throws IOException { } @Test - void getCarInformationLevel3_ExpectParamEscaped() throws IOException { + void getCarInformationLevel3_ExpectParamEscaped() { // Act final Map params = Collections.singletonMap("id", "1' UNION SELECT * FROM cars; --"); @@ -82,7 +92,7 @@ void getCarInformationLevel3_ExpectParamEscaped() throws IOException { } @Test - void getCarInformationLevel4_ExpecParamEscaped() throws IOException { + void getCarInformationLevel4_ExpectParamEscaped() { // Act final Map params = Collections.singletonMap("id", "1' UNION SELECT * FROM cars; --"); 
@@ -95,4 +105,20 @@ void getCarInformationLevel4_ExpecParamEscaped() throws IOException { (PreparedStatementSetter) any(), (ResultSetExtractor) any()); } + + @Test + void getCarInformationLevel5_ExpectParamEscaped() { + // Act + final Map params = + Collections.singletonMap("id", "1' UNION SELECT * FROM cars; --"); + final String id = "1' UNION SELECT * FROM cars; --"; + unionBasedSQLInjectionVulnerability.getCarInformationLevel5(params); + // Assert + ArgumentMatcher argumentMatcher = sqlParameterSource -> Objects.requireNonNull(sqlParameterSource.getValue("id").equals(id)); + verify(namedParameterJdbcTemplate) + .queryForObject( + eq("select * from cars where id=:id"), + argThat(argumentMatcher), + eq(CarInformation.class)); + } } From df5207c189cd8e86cf4ec6059945d52e2c913153 Mon Sep 17 00:00:00 2001 From: "philipp.delmonego" Date: Tue, 14 Nov 2023 14:56:11 +0100 Subject: [PATCH 3/4] format files --- .../sqlInjection/CarInformation.java | 4 +- .../CarInformationRepository.java | 3 +- .../UnionBasedSQLInjectionVulnerability.java | 42 +++++++++++-------- ...ionBasedSQLInjectionVulnerabilityTest.java | 15 ++++--- 4 files changed, 38 insertions(+), 26 deletions(-) diff --git a/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/CarInformation.java b/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/CarInformation.java index 3c6fb647..8e8d564a 100644 --- a/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/CarInformation.java +++ b/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/CarInformation.java 
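Review bot: `Objects.requireNonNull(sqlParameterSource.getValue("id").equals(id))` wraps a boxed boolean that can never be null, so the call is a no-op, and the matcher throws NullPointerException instead of returning false if `getValue("id")` is null; write it as `id.equals(sqlParameterSource.getValue("id"))` and the `Objects` import can go. The assertion otherwise checks the right thing for the secure variant: the payload must arrive only as a bound parameter while the SQL string stays exactly `select * from cars where id=:id`. The later formatting patch only re-wraps this line, so the point still applies there.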
@@ -2,17 +2,17 @@ import javax.persistence.*; - /** @author preetkaran20@gmail.com KSASAN */ @Access(AccessType.FIELD) @Entity @Table(name = "cars") -@NamedQuery( name="findById", query = "select c from CarInformation c where c.id=:id") +@NamedQuery(name = "findById", query = "select c from CarInformation c where c.id=:id") public class CarInformation { @Id @GeneratedValue(strategy = GenerationType.IDENTITY) private int id; + private String name; @Column(name = "IMAGE") diff --git a/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/CarInformationRepository.java b/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/CarInformationRepository.java index b4153ed0..6f7c0a17 100644 --- a/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/CarInformationRepository.java +++ b/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/CarInformationRepository.java @@ -1,8 +1,7 @@ package org.sasanlabs.service.vulnerability.sqlInjection; -import org.springframework.data.jpa.repository.JpaRepository; - import java.util.Optional; +import org.springframework.data.jpa.repository.JpaRepository; public interface CarInformationRepository extends JpaRepository { diff --git a/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java b/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java index 92fa9aa1..f15f6adc 100644 --- a/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java +++ b/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java 
@@ -4,7 +4,11 @@ import java.sql.SQLException; import java.util.Map; import java.util.Optional; - +import javax.persistence.EntityManager; +import javax.persistence.TypedQuery; +import javax.persistence.criteria.CriteriaBuilder; +import javax.persistence.criteria.CriteriaQuery; +import javax.persistence.criteria.Root; import org.sasanlabs.internal.utility.LevelConstants; import org.sasanlabs.internal.utility.Variant; import org.sasanlabs.internal.utility.annotations.AttackVector; @@ -20,12 +24,6 @@ import org.springframework.jdbc.core.namedparam.SqlParameterSource; import org.springframework.web.bind.annotation.RequestParam; -import javax.persistence.EntityManager; -import javax.persistence.TypedQuery; -import javax.persistence.criteria.CriteriaBuilder; -import javax.persistence.criteria.CriteriaQuery; -import javax.persistence.criteria.Root; - /** * Union Based SQL Injection is another dangerous way to extract data from the database by combining * results of multiple queries. This is the second way which is generally tried by the hackers after @@ -44,7 +42,10 @@ public class UnionBasedSQLInjectionVulnerability { private final EntityManager entityManager; public UnionBasedSQLInjectionVulnerability( - @Qualifier("applicationJdbcTemplate") final JdbcTemplate applicationJdbcTemplate, NamedParameterJdbcTemplate namedParameterJdbcTemplate, CarInformationRepository carInformationRepository, EntityManager entityManager) { + @Qualifier("applicationJdbcTemplate") final JdbcTemplate applicationJdbcTemplate, + NamedParameterJdbcTemplate namedParameterJdbcTemplate, + CarInformationRepository carInformationRepository, + EntityManager entityManager) { this.applicationJdbcTemplate = applicationJdbcTemplate; this.namedParameterJdbcTemplate = namedParameterJdbcTemplate; this.carInformationRepository = carInformationRepository; 
@@ -117,12 +118,12 @@ public ResponseEntity getCarInformationLevel5( @RequestParam final Map queryParams) { final String id = queryParams.get("id"); SqlParameterSource namedParameters = new MapSqlParameterSource().addValue("id", id); - CarInformation s = namedParameterJdbcTemplate.queryForObject( - "select * from cars where id=:id", namedParameters, CarInformation.class); + CarInformation s = + namedParameterJdbcTemplate.queryForObject( + "select * from cars where id=:id", namedParameters, CarInformation.class); return new ResponseEntity<>(s, HttpStatus.OK); } - @VulnerableAppRequestMapping( value = LevelConstants.LEVEL_6, variant = Variant.SECURE, @@ -131,8 +132,10 @@ public ResponseEntity getCarInformationLevel6( @RequestParam final Map queryParams) { final String id = queryParams.get("id"); String jql = "from CarInformation where id = :id"; - TypedQuery q = entityManager.createQuery(jql, CarInformation.class) - .setParameter("id", Integer.valueOf(id)); + TypedQuery q = + entityManager + .createQuery(jql, CarInformation.class) + .setParameter("id", Integer.valueOf(id)); return new ResponseEntity<>(q.getSingleResult(), HttpStatus.OK); } @@ -161,8 +164,10 @@ public ResponseEntity getCarInformationLevel7( public ResponseEntity getCarInformationLevel8( @RequestParam final Map queryParams) { final String id = queryParams.get("id"); - TypedQuery q = entityManager.createNamedQuery("findById", CarInformation.class) - .setParameter("id", Integer.valueOf(id)); + TypedQuery q = + entityManager + .createNamedQuery("findById", CarInformation.class) + .setParameter("id", Integer.valueOf(id)); return new ResponseEntity<>(q.getSingleResult(), HttpStatus.OK); } 
@@ -173,8 +178,11 @@ public ResponseEntity getCarInformationLevel8( public ResponseEntity getCarInformationLevel9( @RequestParam final Map queryParams) { final String id = queryParams.get("id"); - Optional carInformation = carInformationRepository.findById(Integer.valueOf(id)); - return carInformation.map(information -> new ResponseEntity<>(information, HttpStatus.OK)).orElseGet(() -> new ResponseEntity<>(HttpStatus.NOT_FOUND)); + Optional carInformation = + carInformationRepository.findById(Integer.valueOf(id)); + return carInformation + .map(information -> new ResponseEntity<>(information, HttpStatus.OK)) + .orElseGet(() -> new ResponseEntity<>(HttpStatus.NOT_FOUND)); } private ResponseEntity resultSetToResponse(final ResultSet rs) diff --git a/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerabilityTest.java b/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerabilityTest.java index e2731a0a..ae36c2ee 100644 --- a/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerabilityTest.java +++ b/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerabilityTest.java @@ -7,7 +7,7 @@ import java.util.Collections; import java.util.Map; import java.util.Objects; - +import javax.persistence.EntityManager; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; import org.mockito.ArgumentMatcher; @@ -18,8 +18,6 @@ import org.springframework.jdbc.core.namedparam.MapSqlParameterSource; import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate; -import javax.persistence.EntityManager; - class UnionBasedSQLInjectionVulnerabilityTest { private UnionBasedSQLInjectionVulnerability unionBasedSQLInjectionVulnerability; 
@@ -46,7 +44,12 @@ void setUp() { (PreparedStatementSetter) any(), (ResultSetExtractor) any()); - unionBasedSQLInjectionVulnerability = new UnionBasedSQLInjectionVulnerability(template, namedParameterJdbcTemplate, carInformationRepository, entityManager); + unionBasedSQLInjectionVulnerability = + new UnionBasedSQLInjectionVulnerability( + template, + namedParameterJdbcTemplate, + carInformationRepository, + entityManager); } @Test @@ -114,7 +117,9 @@ void getCarInformationLevel5_ExpectParamEscaped() { final String id = "1' UNION SELECT * FROM cars; --"; unionBasedSQLInjectionVulnerability.getCarInformationLevel5(params); // Assert - ArgumentMatcher argumentMatcher = sqlParameterSource -> Objects.requireNonNull(sqlParameterSource.getValue("id").equals(id)); + ArgumentMatcher argumentMatcher = + sqlParameterSource -> + Objects.requireNonNull(sqlParameterSource.getValue("id").equals(id)); verify(namedParameterJdbcTemplate) .queryForObject( eq("select * from cars where id=:id"), From d5ea6936e0c2e1cd39a57d6debe0228a59afba4c Mon Sep 17 00:00:00 2001 From: Karan Preet Singh Sasan Date: Sun, 17 Dec 2023 19:40:03 -0800 Subject: [PATCH 4/4] Fixing testcases and level5 --- .../vulnerability/sqlInjection/CarInformation.java | 6 +++++- .../UnionBasedSQLInjectionVulnerability.java | 5 ++++- .../UnionBasedSQLInjectionVulnerabilityTest.java | 9 ++++++++- 3 files changed, 17 insertions(+), 3 deletions(-) diff --git a/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/CarInformation.java b/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/CarInformation.java index 8e8d564a..44636ed5 100644 --- a/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/CarInformation.java +++ b/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/CarInformation.java @@ -15,7 +15,7 @@ public class CarInformation { private String name; - @Column(name = "IMAGE") + @Column(name = "image") private String imagePath; public CarInformation() {} 
@@ -50,4 +50,8 @@ public String getImagePath() { public void setImagePath(String imagePath) { this.imagePath = imagePath; } + + public void setImage(String imagePath) { + this.imagePath = imagePath; + } } diff --git a/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java b/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java index f15f6adc..4d45411b 100644 --- a/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java +++ b/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java @@ -18,6 +18,7 @@ import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.http.HttpStatus; import org.springframework.http.ResponseEntity; +import org.springframework.jdbc.core.BeanPropertyRowMapper; import org.springframework.jdbc.core.JdbcTemplate; import org.springframework.jdbc.core.namedparam.MapSqlParameterSource; import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate; @@ -120,7 +121,9 @@ public ResponseEntity getCarInformationLevel5( SqlParameterSource namedParameters = new MapSqlParameterSource().addValue("id", id); CarInformation s = namedParameterJdbcTemplate.queryForObject( - "select * from cars where id=:id", namedParameters, CarInformation.class); + "select * from cars where id=:id", + namedParameters, + new BeanPropertyRowMapper<>(CarInformation.class)); return new ResponseEntity<>(s, HttpStatus.OK); } diff --git a/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerabilityTest.java b/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerabilityTest.java index ae36c2ee..46ab7263 100644 --- a/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerabilityTest.java 
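Review bot: `setImage(String imagePath)` is a second setter for the same field with no matching getter, and nothing on it says why it exists; presumably `BeanPropertyRowMapper` in the level-5 change of this same patch needs a property named after the `image` column, while JPA itself ignores setters because the class is `@Access(AccessType.FIELD)`. Add a Javadoc such as `/** Alias for {@link #setImagePath}; lets BeanPropertyRowMapper map the {@code image} column. */` so the next maintainer does not remove it as a duplicate. Whether the `IMAGE` to `image` column rename in this patch is required by the database's case handling is not visible here.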
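Review bot: With `new BeanPropertyRowMapper<>(CarInformation.class)` the mapping now depends on every column of `select * from cars` matching a bean property by name, and a column that does not match is silently skipped; spelling the list out as `"select id, name, image from cars where id=:id"` makes that contract visible next to the mapper. The parameter binding itself is unchanged and still keeps `id` out of the SQL text. The hunk's enclosing method starts outside it.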
+++ b/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerabilityTest.java @@ -12,9 +12,11 @@ import org.junit.jupiter.api.Test; import org.mockito.ArgumentMatcher; import org.mockito.Mockito; +import org.springframework.jdbc.core.BeanPropertyRowMapper; import org.springframework.jdbc.core.JdbcTemplate; import org.springframework.jdbc.core.PreparedStatementSetter; import org.springframework.jdbc.core.ResultSetExtractor; +import org.springframework.jdbc.core.RowMapper; import org.springframework.jdbc.core.namedparam.MapSqlParameterSource; import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate; @@ -124,6 +126,11 @@ void getCarInformationLevel5_ExpectParamEscaped() { .queryForObject( eq("select * from cars where id=:id"), argThat(argumentMatcher), - eq(CarInformation.class)); + (RowMapper) + argThat( + val -> + ((BeanPropertyRowMapper) val) + .getMappedClass() + .equals(CarInformation.class))); } }
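Review bot: The new matcher `((BeanPropertyRowMapper) val).getMappedClass().equals(CarInformation.class)` casts unconditionally, so if the production code ever passes a different `RowMapper` the lambda throws ClassCastException inside Mockito's verification instead of reporting a mismatch; guard it with `val instanceof BeanPropertyRowMapper && ((BeanPropertyRowMapper<?>) val).getMappedClass().equals(CarInformation.class)`. The raw `(RowMapper)` cast on `argThat` also drops the type argument; `ArgumentMatchers.<RowMapper<CarInformation>>argThat(...)` keeps it without the cast. The enclosing test method starts outside the hunk.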