From ae8b21ce4c7acd0069ece853a24b8023712bfdf9 Mon Sep 17 00:00:00 2001
From: imertetsu
Date: Tue, 1 Oct 2024 16:36:34 -0400
Subject: [PATCH 1/7] Add unit tests for BlindSQLInjectionVulnerability Level 1
---
 .../BlindSQLInjectionVulnerabilityTest.java | 84 +++++++++++++++++++
 1 file changed, 84 insertions(+)
 create mode 100644 src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerabilityTest.java
diff --git a/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerabilityTest.java b/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerabilityTest.java
new file mode 100644
index 00000000..9ce542ab
--- /dev/null
+++ b/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerabilityTest.java
@@ -0,0 +1,84 @@
+package org.sasanlabs.service.vulnerability.sqlInjection;
+
+import static org.mockito.Mockito.*;
+import static org.junit.jupiter.api.Assertions.*;
+
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.MockitoAnnotations;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.jdbc.core.JdbcTemplate;
+import org.springframework.jdbc.core.PreparedStatementCreator;
+import org.springframework.jdbc.core.ResultSetExtractor;
+
+public class BlindSQLInjectionVulnerabilityTest {
+
+ @Mock
+ private JdbcTemplate jdbcTemplate;
+
+ @InjectMocks
+ private BlindSQLInjectionVulnerability blindSQLInjectionVulnerability;
+
+ @BeforeEach
+ public void setUp() {
+ MockitoAnnotations.openMocks(this);
+ }
+
+ @Test
+ public void testGetCarInformationLevel1_CarPresent() throws SQLException {
+ // Arrange
+ String id = "1";
+ Map queryParams = new HashMap<>();
+ queryParams.put("id", id);
+
+ // The query is simulated to have returned a result (i.e. there is a car with ID "1")
+ ResultSet mockResultSet = mock(ResultSet.class);
+ when(mockResultSet.next()).thenReturn(true);
+
+ // Mock the query method of JdbcTemplate
+ when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class))).thenAnswer(invocation -> {
+ ResultSetExtractor> rse = invocation.getArgument(1);
+ return rse.extractData(mockResultSet);
+ });
+
+ // Act
+ ResponseEntity response = blindSQLInjectionVulnerability.getCarInformationLevel1(queryParams);
+
+ // Assert
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ assertEquals("{ \"isCarPresent\": true}", response.getBody());
+ }
+
+ @Test
+ public void testGetCarInformationLevel1_CarNotPresent() throws SQLException {
+ // Arrange
+ String id = "2";
+ Map queryParams = new HashMap<>();
+ queryParams.put("id", id);
+
+ // The query is simulated to have returned a result (i.e. there is no a car with ID "2")
+ ResultSet mockResultSet = mock(ResultSet.class);
+ when(mockResultSet.next()).thenReturn(false);
+
+ // return rse.extractData(mockResultSet); indicates that the ResultSetExtractor extracts the data from the mockResultSet (which mocks the query result)
+ when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class))).thenAnswer(invocation -> {
+ ResultSetExtractor> rse = invocation.getArgument(1);
+ return rse.extractData(mockResultSet);
+ });
+
+ // Act
+ ResponseEntity response = blindSQLInjectionVulnerability.getCarInformationLevel1(queryParams);
+
+ // Assert
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ assertEquals(ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE, response.getBody());
+ }
+}
From f71afc4d589ad816cf15f3e2103c8f2743f64a48 Mon Sep 17 00:00:00 2001
From: imertetsu
Date: Tue, 1 Oct 2024 16:47:47 -0400
Subject: [PATCH 2/7] Add unit tests for BlindSQLInjectionVulnerability Level 2
---
 .../BlindSQLInjectionVulnerabilityTest.java | 52 ++++++++++++++++++-
 1 file changed, 51 insertions(+), 1 deletion(-)
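Review bot: `MockitoAnnotations.openMocks(this)` in setUp returns an AutoCloseable that is never closed, so the mocks registered for each test are never released; keep the handle and close it, `private AutoCloseable mocks;` / `mocks = MockitoAnnotations.openMocks(this);` / `@AfterEach void tearDown() throws Exception { mocks.close(); }`, or drop setUp in favour of `@ExtendWith(MockitoExtension.class)`. The `anyString()` matcher on `jdbcTemplate.query` also means neither test observes the SQL text that was built from `id`, which is the one property a test of an injection level should pin; capturing that argument with an `ArgumentCaptor<String>` and asserting on it would make the vulnerable and secure levels testably different. A request with no `id` parameter is not covered either. The same setup and stubbing pattern is repeated in patches 2 and 3.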
diff --git a/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerabilityTest.java b/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerabilityTest.java
index 9ce542ab..5138cb7e 100644
--- a/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerabilityTest.java
+++ b/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerabilityTest.java
@@ -43,7 +43,7 @@ public void testGetCarInformationLevel1_CarPresent() throws SQLException {
 ResultSet mockResultSet = mock(ResultSet.class);
 when(mockResultSet.next()).thenReturn(true);
 
- // Mock the query method of JdbcTemplate
+ // return rse.extractData(mockResultSet); indicates that the ResultSetExtractor extracts the data from the mockResultSet (which mocks the query result)
 when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class))).thenAnswer(invocation -> {
 ResultSetExtractor> rse = invocation.getArgument(1);
 return rse.extractData(mockResultSet);
@@ -81,4 +81,54 @@ public void testGetCarInformationLevel1_CarNotPresent() throws SQLException {
 assertEquals(HttpStatus.OK, response.getStatusCode());
 assertEquals(ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE, response.getBody());
 }
+
+ @Test
+ public void testGetCarInformationLevel2_CarPresent() throws SQLException {
+ // Arrange
+ String id = "1";
+ Map queryParams = new HashMap<>();
+ queryParams.put("id", id);
+
+ // Mock the ResultSet behavior
+ ResultSet mockResultSet = mock(ResultSet.class);
+ when(mockResultSet.next()).thenReturn(true);
+
+ // Mock the query method of JdbcTemplate
+ when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class))).thenAnswer(invocation -> {
+ ResultSetExtractor> rse = invocation.getArgument(1);
+ return rse.extractData(mockResultSet);
+ });
+
+ // Act
+ ResponseEntity response = blindSQLInjectionVulnerability.getCarInformationLevel2(queryParams);
+
+ // Assert
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ assertEquals("{ \"isCarPresent\": true}", response.getBody());
+ }
+
+ @Test
+ public void testGetCarInformationLevel2_CarNotPresent() throws SQLException {
+ // Arrange
+ String id = "2";
+ Map queryParams = new HashMap<>();
+ queryParams.put("id", id);
+
+ // Mock the ResultSet behavior
+ ResultSet mockResultSet = mock(ResultSet.class);
+ when(mockResultSet.next()).thenReturn(false);
+
+ // Mock the query method of JdbcTemplate
+ when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class))).thenAnswer(invocation -> {
+ ResultSetExtractor> rse = invocation.getArgument(1);
+ return rse.extractData(mockResultSet);
+ });
+
+ // Act
+ ResponseEntity response = blindSQLInjectionVulnerability.getCarInformationLevel2(queryParams);
+
+ // Assert
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ assertEquals(ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE, response.getBody());
+ }
 }
From 62c0eed2b3814542a964890e79aa886f2860cc1e Mon Sep 17 00:00:00 2001
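Review bot: Both new tests repeat the Level 1 arrange-and-stub code line for line and differ only in the method called and the value `next()` returns, and patch 3 repeats it a third time for Level 3; a private helper that stubs `ResultSet.next()` and the `jdbcTemplate.query` overload once would leave each test with just its Act and Assert lines. The first hunk of this patch rewrites Level 1's `// Mock the query method of JdbcTemplate` into a longer explanation while the new Level 2 tests reintroduce the short form, so the two comment styles now coexist in one file. The enclosing test class continues outside the hunk.
```java
/** Stubs the JDBC template so the extractor sees a ResultSet whose next() yields carPresent. */
private void stubCarQuery(boolean carPresent) throws SQLException {
    ResultSet mockResultSet = mock(ResultSet.class);
    when(mockResultSet.next()).thenReturn(carPresent);
    when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class)))
            .thenAnswer(invocation -> {
                ResultSetExtractor<?> rse = invocation.getArgument(1);
                return rse.extractData(mockResultSet);
            });
}
// … unchanged: each Level 1/2 test then calls stubCarQuery(true) or stubCarQuery(false) before Act …
```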
From: imertetsu
Date: Tue, 1 Oct 2024 17:29:06 -0400
Subject: [PATCH 3/7] Add unit tests for BlindSQLInjectionVulnerability Level 3
---
 .../BlindSQLInjectionVulnerabilityTest.java | 50 +++++++++++++++++++
 1 file changed, 50 insertions(+)
diff --git a/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerabilityTest.java b/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerabilityTest.java
index 5138cb7e..9163d9d7 100644
--- a/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerabilityTest.java
+++ b/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerabilityTest.java
@@ -131,4 +131,54 @@ public void testGetCarInformationLevel2_CarNotPresent() throws SQLException {
 assertEquals(HttpStatus.OK, response.getStatusCode());
 assertEquals(ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE, response.getBody());
 }
+
+ @Test
+ public void testGetCarInformationLevel3_CarPresent() throws SQLException {
+ // Arrange
+ String id = "1";
+ Map queryParams = new HashMap<>();
+ queryParams.put("id", id);
+
+ // Mock the ResultSet behavior
+ ResultSet mockResultSet = mock(ResultSet.class);
+ when(mockResultSet.next()).thenReturn(true);
+
+ // Mock the query method of JdbcTemplate
+ when(jdbcTemplate.query((PreparedStatementCreator) any(), any(), any(ResultSetExtractor.class))).thenAnswer(invocation -> {
+ ResultSetExtractor> rse = invocation.getArgument(2);
+ return rse.extractData(mockResultSet);
+ });
+
+ // Act
+ ResponseEntity response = blindSQLInjectionVulnerability.getCarInformationLevel3(queryParams);
+
+ // Assert
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ assertEquals("{ \"isCarPresent\": true}", response.getBody());
+ }
+
+ @Test
+ public void testGetCarInformationLevel3_CarNotPresent() throws SQLException {
+ // Arrange
+ String id = "2";
+ Map queryParams = new HashMap<>();
+ queryParams.put("id", id);
+
+ // Mock the ResultSet behavior
+ ResultSet mockResultSet = mock(ResultSet.class);
+ when(mockResultSet.next()).thenReturn(false);
+
+ // Mock the query method of JdbcTemplate
+ when(jdbcTemplate.query((PreparedStatementCreator) any(), any(), any(ResultSetExtractor.class))).thenAnswer(invocation -> {
+ ResultSetExtractor> rse = invocation.getArgument(2);
+ return rse.extractData(mockResultSet);
+ });
+
+ // Act
+ ResponseEntity response = blindSQLInjectionVulnerability.getCarInformationLevel3(queryParams);
+
+ // Assert
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ assertEquals(ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE, response.getBody());
+ }
 }
From f4545524377cb8e64309068e34a14eede982fbf3 Mon Sep 17 00:00:00 2001 From: imertetsu Date: Wed, 2 Oct 2024 17:08:08 -0400 Subject: [PATCH 4/7] Apply google java format to the test file --- .../BlindSQLInjectionVulnerabilityTest.java | 345 ++++++++++-------- 1 file changed, 183 insertions(+), 162 deletions(-) diff --git a/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerabilityTest.java b/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerabilityTest.java index 9163d9d7..b8a0ec80 100644 --- a/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerabilityTest.java +++ b/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerabilityTest.java @@ -1,13 +1,12 @@ package org.sasanlabs.service.vulnerability.sqlInjection; -import static org.mockito.Mockito.*; import static org.junit.jupiter.api.Assertions.*; +import static org.mockito.Mockito.*; import java.sql.ResultSet; import java.sql.SQLException; import java.util.HashMap; import java.util.Map; - import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; import org.mockito.InjectMocks; 
@@ -21,164 +20,186 @@ public class BlindSQLInjectionVulnerabilityTest { - @Mock - private JdbcTemplate jdbcTemplate; - - @InjectMocks - private BlindSQLInjectionVulnerability blindSQLInjectionVulnerability; - - @BeforeEach - public void setUp() { - MockitoAnnotations.openMocks(this); - } - - @Test - public void testGetCarInformationLevel1_CarPresent() throws SQLException { - // Arrange - String id = "1"; - Map queryParams = new HashMap<>(); - queryParams.put("id", id); - - // The query is simulated to have returned a result (i.e. there is a car with ID "1") - ResultSet mockResultSet = mock(ResultSet.class); - when(mockResultSet.next()).thenReturn(true); - - // return rse.extractData(mockResultSet); indicates that the ResultSetExtractor extracts the data from the mockResultSet (which mocks the query result) - when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class))).thenAnswer(invocation -> { - ResultSetExtractor> rse = invocation.getArgument(1); - return rse.extractData(mockResultSet); - }); - - // Act - ResponseEntity response = blindSQLInjectionVulnerability.getCarInformationLevel1(queryParams); - - // Assert - assertEquals(HttpStatus.OK, response.getStatusCode()); - assertEquals("{ \"isCarPresent\": true}", response.getBody()); - } - - @Test - public void testGetCarInformationLevel1_CarNotPresent() throws SQLException { - // Arrange - String id = "2"; - Map queryParams = new HashMap<>(); - queryParams.put("id", id); - - // The query is simulated to have returned a result (i.e. 
there is no a car with ID "2") - ResultSet mockResultSet = mock(ResultSet.class); - when(mockResultSet.next()).thenReturn(false); - - // return rse.extractData(mockResultSet); indicates that the ResultSetExtractor extracts the data from the mockResultSet (which mocks the query result) - when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class))).thenAnswer(invocation -> { - ResultSetExtractor> rse = invocation.getArgument(1); - return rse.extractData(mockResultSet); - }); - - // Act - ResponseEntity response = blindSQLInjectionVulnerability.getCarInformationLevel1(queryParams); - - // Assert - assertEquals(HttpStatus.OK, response.getStatusCode()); - assertEquals(ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE, response.getBody()); - } - - @Test - public void testGetCarInformationLevel2_CarPresent() throws SQLException { - // Arrange - String id = "1"; - Map queryParams = new HashMap<>(); - queryParams.put("id", id); - - // Mock the ResultSet behavior - ResultSet mockResultSet = mock(ResultSet.class); - when(mockResultSet.next()).thenReturn(true); - - // Mock the query method of JdbcTemplate - when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class))).thenAnswer(invocation -> { - ResultSetExtractor> rse = invocation.getArgument(1); - return rse.extractData(mockResultSet); - }); - - // Act - ResponseEntity response = blindSQLInjectionVulnerability.getCarInformationLevel2(queryParams); - - // Assert - assertEquals(HttpStatus.OK, response.getStatusCode()); - assertEquals("{ \"isCarPresent\": true}", response.getBody()); - } - - @Test - public void testGetCarInformationLevel2_CarNotPresent() throws SQLException { - // Arrange - String id = "2"; - Map queryParams = new HashMap<>(); - queryParams.put("id", id); - - // Mock the ResultSet behavior - ResultSet mockResultSet = mock(ResultSet.class); - when(mockResultSet.next()).thenReturn(false); - - // Mock the query method of JdbcTemplate - when(jdbcTemplate.query(anyString(), 
any(ResultSetExtractor.class))).thenAnswer(invocation -> { - ResultSetExtractor> rse = invocation.getArgument(1); - return rse.extractData(mockResultSet); - }); - - // Act - ResponseEntity response = blindSQLInjectionVulnerability.getCarInformationLevel2(queryParams); - - // Assert - assertEquals(HttpStatus.OK, response.getStatusCode()); - assertEquals(ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE, response.getBody()); - } - - @Test - public void testGetCarInformationLevel3_CarPresent() throws SQLException { - // Arrange - String id = "1"; - Map queryParams = new HashMap<>(); - queryParams.put("id", id); - - // Mock the ResultSet behavior - ResultSet mockResultSet = mock(ResultSet.class); - when(mockResultSet.next()).thenReturn(true); - - // Mock the query method of JdbcTemplate - when(jdbcTemplate.query((PreparedStatementCreator) any(), any(), any(ResultSetExtractor.class))).thenAnswer(invocation -> { - ResultSetExtractor> rse = invocation.getArgument(2); - return rse.extractData(mockResultSet); - }); - - // Act - ResponseEntity response = blindSQLInjectionVulnerability.getCarInformationLevel3(queryParams); - - // Assert - assertEquals(HttpStatus.OK, response.getStatusCode()); - assertEquals("{ \"isCarPresent\": true}", response.getBody()); - } - - @Test - public void testGetCarInformationLevel3_CarNotPresent() throws SQLException { - // Arrange - String id = "2"; - Map queryParams = new HashMap<>(); - queryParams.put("id", id); - - // Mock the ResultSet behavior - ResultSet mockResultSet = mock(ResultSet.class); - when(mockResultSet.next()).thenReturn(false); - - // Mock the query method of JdbcTemplate - when(jdbcTemplate.query((PreparedStatementCreator) any(), any(), any(ResultSetExtractor.class))).thenAnswer(invocation -> { - ResultSetExtractor> rse = invocation.getArgument(2); - return rse.extractData(mockResultSet); - }); - - // Act - ResponseEntity response = blindSQLInjectionVulnerability.getCarInformationLevel3(queryParams); - - // 
Assert - assertEquals(HttpStatus.OK, response.getStatusCode()); - assertEquals(ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE, response.getBody()); - } + @Mock private JdbcTemplate jdbcTemplate; + + @InjectMocks private BlindSQLInjectionVulnerability blindSQLInjectionVulnerability; + + @BeforeEach + public void setUp() { + MockitoAnnotations.openMocks(this); + } + + @Test + public void testGetCarInformationLevel1_CarPresent() throws SQLException { + // Arrange + String id = "1"; + Map queryParams = new HashMap<>(); + queryParams.put("id", id); + + // The query is simulated to have returned a result (i.e. there is a car with ID "1") + ResultSet mockResultSet = mock(ResultSet.class); + when(mockResultSet.next()).thenReturn(true); + + // return rse.extractData(mockResultSet); indicates that the ResultSetExtractor extracts the + // data from the mockResultSet (which mocks the query result) + when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class))) + .thenAnswer( + invocation -> { + ResultSetExtractor> rse = invocation.getArgument(1); + + return rse.extractData(mockResultSet); + }); + + // Act + ResponseEntity response = + blindSQLInjectionVulnerability.getCarInformationLevel1(queryParams); + + // Assert + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertEquals("{ \"isCarPresent\": true}", response.getBody()); + } + + @Test + public void testGetCarInformationLevel1_CarNotPresent() throws SQLException { + // Arrange + String id = "2"; + Map queryParams = new HashMap<>(); + queryParams.put("id", id); + + // The query is simulated to have returned a result (i.e. 
there is no a car with ID "2") + ResultSet mockResultSet = mock(ResultSet.class); + when(mockResultSet.next()).thenReturn(false); + + // return rse.extractData(mockResultSet); indicates that the ResultSetExtractor extracts the + // data from the mockResultSet (which mocks the query result) + when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class))) + .thenAnswer( + invocation -> { + ResultSetExtractor> rse = invocation.getArgument(1); + return rse.extractData(mockResultSet); + }); + + // Act + ResponseEntity response = + blindSQLInjectionVulnerability.getCarInformationLevel1(queryParams); + + // Assert + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertEquals( + ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE, response.getBody()); + } + + @Test + public void testGetCarInformationLevel2_CarPresent() throws SQLException { + // Arrange + String id = "1"; + Map queryParams = new HashMap<>(); + queryParams.put("id", id); + + // Mock the ResultSet behavior + ResultSet mockResultSet = mock(ResultSet.class); + when(mockResultSet.next()).thenReturn(true); + + // Mock the query method of JdbcTemplate + when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class))) + .thenAnswer( + invocation -> { + ResultSetExtractor> rse = invocation.getArgument(1); + return rse.extractData(mockResultSet); + }); + + // Act + ResponseEntity response = + blindSQLInjectionVulnerability.getCarInformationLevel2(queryParams); + + // Assert + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertEquals("{ \"isCarPresent\": true}", response.getBody()); + } + + @Test + public void testGetCarInformationLevel2_CarNotPresent() throws SQLException { + // Arrange + String id = "2"; + Map queryParams = new HashMap<>(); + queryParams.put("id", id); + + // Mock the ResultSet behavior + ResultSet mockResultSet = mock(ResultSet.class); + when(mockResultSet.next()).thenReturn(false); + + // Mock the query method of JdbcTemplate + 
when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class))) + .thenAnswer( + invocation -> { + ResultSetExtractor> rse = invocation.getArgument(1); + return rse.extractData(mockResultSet); + }); + + // Act + ResponseEntity response = + blindSQLInjectionVulnerability.getCarInformationLevel2(queryParams); + + // Assert + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertEquals( + ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE, response.getBody()); + } + + @Test + public void testGetCarInformationLevel3_CarPresent() throws SQLException { + // Arrange + String id = "1"; + Map queryParams = new HashMap<>(); + queryParams.put("id", id); + + // Mock the ResultSet behavior + ResultSet mockResultSet = mock(ResultSet.class); + when(mockResultSet.next()).thenReturn(true); + + // Mock the query method of JdbcTemplate + when(jdbcTemplate.query((PreparedStatementCreator) any(), any(), any(ResultSetExtractor.class))) + .thenAnswer( + invocation -> { + ResultSetExtractor> rse = invocation.getArgument(2); + return rse.extractData(mockResultSet); + }); + + // Act + ResponseEntity response = + blindSQLInjectionVulnerability.getCarInformationLevel3(queryParams); + + // Assert + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertEquals("{ \"isCarPresent\": true}", response.getBody()); + } + + @Test + public void testGetCarInformationLevel3_CarNotPresent() throws SQLException { + // Arrange + String id = "2"; + Map queryParams = new HashMap<>(); + queryParams.put("id", id); + + // Mock the ResultSet behavior + ResultSet mockResultSet = mock(ResultSet.class); + when(mockResultSet.next()).thenReturn(false); + + // Mock the query method of JdbcTemplate + when(jdbcTemplate.query((PreparedStatementCreator) any(), any(), any(ResultSetExtractor.class))) + .thenAnswer( + invocation -> { + ResultSetExtractor> rse = invocation.getArgument(2); + return rse.extractData(mockResultSet); + }); + + // Act + ResponseEntity response = + 
blindSQLInjectionVulnerability.getCarInformationLevel3(queryParams); + + // Assert + assertEquals(HttpStatus.OK, response.getStatusCode()); + assertEquals( + ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE, response.getBody()); + } } From 33835a398418b3f44324f4deda600abf16989420 Mon Sep 17 00:00:00 2001 From: imertetsu Date: Wed, 2 Oct 2024 17:45:59 -0400 Subject: [PATCH 5/7] Apply google java format AOSP to the test file --- .../BlindSQLInjectionVulnerabilityTest.java | 80 +++++++++---------- 1 file changed, 40 insertions(+), 40 deletions(-) diff --git a/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerabilityTest.java b/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerabilityTest.java index b8a0ec80..fc7759a1 100644 --- a/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerabilityTest.java +++ b/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerabilityTest.java @@ -43,16 +43,15 @@ public void testGetCarInformationLevel1_CarPresent() throws SQLException { // return rse.extractData(mockResultSet); indicates that the ResultSetExtractor extracts the // data from the mockResultSet (which mocks the query result) when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class))) - .thenAnswer( - invocation -> { - ResultSetExtractor> rse = invocation.getArgument(1); - - return rse.extractData(mockResultSet); - }); + .thenAnswer( + invocation -> { + ResultSetExtractor> rse = invocation.getArgument(1); + return rse.extractData(mockResultSet); + }); // Act ResponseEntity response = - blindSQLInjectionVulnerability.getCarInformationLevel1(queryParams); + blindSQLInjectionVulnerability.getCarInformationLevel1(queryParams); // Assert assertEquals(HttpStatus.OK, response.getStatusCode()); 
@@ -73,20 +72,20 @@ public void testGetCarInformationLevel1_CarNotPresent() throws SQLException { // return rse.extractData(mockResultSet); indicates that the ResultSetExtractor extracts the // data from the mockResultSet (which mocks the query result) when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class))) - .thenAnswer( - invocation -> { - ResultSetExtractor> rse = invocation.getArgument(1); - return rse.extractData(mockResultSet); - }); + .thenAnswer( + invocation -> { + ResultSetExtractor> rse = invocation.getArgument(1); + return rse.extractData(mockResultSet); + }); // Act ResponseEntity response = - blindSQLInjectionVulnerability.getCarInformationLevel1(queryParams); + blindSQLInjectionVulnerability.getCarInformationLevel1(queryParams); // Assert assertEquals(HttpStatus.OK, response.getStatusCode()); assertEquals( - ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE, response.getBody()); + ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE, response.getBody()); } @Test @@ -102,15 +101,15 @@ public void testGetCarInformationLevel2_CarPresent() throws SQLException { // Mock the query method of JdbcTemplate when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class))) - .thenAnswer( - invocation -> { - ResultSetExtractor> rse = invocation.getArgument(1); - return rse.extractData(mockResultSet); - }); + .thenAnswer( + invocation -> { + ResultSetExtractor> rse = invocation.getArgument(1); + return rse.extractData(mockResultSet); + }); // Act ResponseEntity response = - blindSQLInjectionVulnerability.getCarInformationLevel2(queryParams); + blindSQLInjectionVulnerability.getCarInformationLevel2(queryParams); // Assert assertEquals(HttpStatus.OK, response.getStatusCode()); 
@@ -130,20 +129,20 @@ public void testGetCarInformationLevel2_CarNotPresent() throws SQLException { // Mock the query method of JdbcTemplate when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class))) - .thenAnswer( - invocation -> { - ResultSetExtractor> rse = invocation.getArgument(1); - return rse.extractData(mockResultSet); - }); + .thenAnswer( + invocation -> { + ResultSetExtractor> rse = invocation.getArgument(1); + return rse.extractData(mockResultSet); + }); // Act ResponseEntity response = - blindSQLInjectionVulnerability.getCarInformationLevel2(queryParams); + blindSQLInjectionVulnerability.getCarInformationLevel2(queryParams); // Assert assertEquals(HttpStatus.OK, response.getStatusCode()); assertEquals( - ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE, response.getBody()); + ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE, response.getBody()); } @Test @@ -159,15 +158,15 @@ public void testGetCarInformationLevel3_CarPresent() throws SQLException { // Mock the query method of JdbcTemplate when(jdbcTemplate.query((PreparedStatementCreator) any(), any(), any(ResultSetExtractor.class))) - .thenAnswer( - invocation -> { - ResultSetExtractor> rse = invocation.getArgument(2); - return rse.extractData(mockResultSet); - }); + .thenAnswer( + invocation -> { + ResultSetExtractor> rse = invocation.getArgument(2); + return rse.extractData(mockResultSet); + }); // Act ResponseEntity response = - blindSQLInjectionVulnerability.getCarInformationLevel3(queryParams); + blindSQLInjectionVulnerability.getCarInformationLevel3(queryParams); // Assert assertEquals(HttpStatus.OK, response.getStatusCode()); 
@@ -187,19 +186,20 @@ public void testGetCarInformationLevel3_CarNotPresent() throws SQLException { // Mock the query method of JdbcTemplate when(jdbcTemplate.query((PreparedStatementCreator) any(), any(), any(ResultSetExtractor.class))) - .thenAnswer( - invocation -> { - ResultSetExtractor> rse = invocation.getArgument(2); - return rse.extractData(mockResultSet); - }); + .thenAnswer( + invocation -> { + ResultSetExtractor> rse = invocation.getArgument(2); + return rse.extractData(mockResultSet); + }); // Act ResponseEntity response = - blindSQLInjectionVulnerability.getCarInformationLevel3(queryParams); + blindSQLInjectionVulnerability.getCarInformationLevel3(queryParams); // Assert assertEquals(HttpStatus.OK, response.getStatusCode()); assertEquals( - ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE, response.getBody()); + ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE, response.getBody()); } } + From 792a7c8763bc22340091af9fdad70dc639a701e9 Mon Sep 17 00:00:00 2001 From: imertetsu Date: Tue, 8 Oct 2024 17:10:39 -0400 Subject: [PATCH 6/7] Add secure implementation level 4 for BlindSQLInjectionVulneravility --- .../BlindSQLInjectionVulnerability.java | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerability.java b/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerability.java index 45bb82e4..47bf3b43 100644 --- a/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerability.java +++ b/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerability.java 
@@ -106,4 +106,32 @@ public ResponseEntity getCarInformationLevel3(
 ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE);
 });
 }
+
+ //Input Validation - Ensure that the input data is valid and of the expected type.
+ @VulnerableAppRequestMapping(
+ value = LevelConstants.LEVEL_4,
+ variant = Variant.SECURE,
+ htmlTemplate = "LEVEL_1/SQLInjection_Level1")
+ public ResponseEntity getCarInformationLevel4(
+ @RequestParam Map queryParams) {
+ String id = queryParams.get(Constants.ID);
+
+ // Validate numeric ID
+ if (!id.matches("\\d+")) {
+ return ResponseEntity.status(HttpStatus.BAD_REQUEST).body("Invalid ID format.");
+ }
+
+ BodyBuilder bodyBuilder = ResponseEntity.status(HttpStatus.OK);
+ bodyBuilder.body(ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE);
+ return applicationJdbcTemplate.query(
+ "select * from cars where id=" + id,
+ (rs) -> {
+ if (rs.next()) {
+ return bodyBuilder.body(CAR_IS_PRESENT_RESPONSE);
+ }
+ return bodyBuilder.body(
+ ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE);
+ });
+ }
+
 }
From ca12393fdaf764d0cba02f2d92739fd4fd1821cf Mon Sep 17 00:00:00 2001
From: imertetsu
Date: Thu, 31 Oct 2024 17:30:36 -0400
Subject: [PATCH 7/7] Add secure implementation level 5 for BlindSQLInjectionVulnerability
---
 .../BlindSQLInjectionVulnerability.java | 23 ++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerability.java b/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerability.java
index 47bf3b43..39e1fa10 100644
--- a/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerability.java
+++ b/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerability.java
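Review bot: `queryParams.get(Constants.ID)` is null when the request carries no `id`, so `id.matches("\\d+")` throws a NullPointerException and the endpoint answers 500 instead of the 400 the guard is meant to produce; the check should read `if (id == null || !id.matches("\\d+"))`. The statement is still assembled by concatenation (`"select * from cars where id=" + id`), so the safety of a level labelled `Variant.SECURE` rests entirely on that regex; the value should be bound as a parameter with the regex kept as defence in depth, which is also what the PreparedStatementCreator stub in patch 3 suggests Level 3 already does. `bodyBuilder.body(ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE)` before the query builds a response that is immediately discarded and can go. `String.matches` also recompiles the pattern on every request; a `private static final Pattern` is the usual form.
```java
// … unchanged: @VulnerableAppRequestMapping and signature of getCarInformationLevel4 …
String id = queryParams.get(Constants.ID);

// Reject a missing or non-numeric id up front (400) before it reaches the query.
if (id == null || !id.matches("\\d+")) {
    return ResponseEntity.status(HttpStatus.BAD_REQUEST).body("Invalid ID format.");
}

BodyBuilder bodyBuilder = ResponseEntity.status(HttpStatus.OK);
// Bind the value instead of concatenating it; the regex above is defence in depth only.
return applicationJdbcTemplate.query(
        "select * from cars where id=?",
        ps -> ps.setString(1, id),
        (rs) -> {
            if (rs.next()) {
                return bodyBuilder.body(CAR_IS_PRESENT_RESPONSE);
            }
            return bodyBuilder.body(
                    ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE);
        });
```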
@@ -1,6 +1,8 @@
 package org.sasanlabs.service.vulnerability.sqlInjection;
 
 import java.util.Map;
+import javax.persistence.EntityManager;
+import javax.persistence.PersistenceContext;
 import org.sasanlabs.internal.utility.LevelConstants;
 import org.sasanlabs.internal.utility.Variant;
 import org.sasanlabs.internal.utility.annotations.AttackVector;
@@ -29,6 +31,7 @@
 value = "BlindSQLInjectionVulnerability")
 public class BlindSQLInjectionVulnerability {
 
+ @PersistenceContext private EntityManager entityManager;
 private JdbcTemplate applicationJdbcTemplate;
 
 static final String CAR_IS_PRESENT_RESPONSE = "{ \"isCarPresent\": true}";
@@ -107,7 +110,7 @@ public ResponseEntity getCarInformationLevel3(
 });
 }
 
- //Input Validation - Ensure that the input data is valid and of the expected type.
+ // Input Validation - Ensure that the input data is valid and of the expected type.
 @VulnerableAppRequestMapping(
 value = LevelConstants.LEVEL_4,
 variant = Variant.SECURE,
@@ -134,4 +137,22 @@ public ResponseEntity getCarInformationLevel4(
 });
 }
 
+ // Implementation Level 5 - Hibernate
+ @VulnerableAppRequestMapping(
+ value = LevelConstants.LEVEL_5,
+ variant = Variant.SECURE,
+ htmlTemplate = "LEVEL_1/SQLInjection_Level1")
+ public ResponseEntity getCarInformationLevel5(
+ @RequestParam Map queryParams) {
+ int id = Integer.parseInt(queryParams.get(Constants.ID));
+
+ CarInformation car = entityManager.find(CarInformation.class, id);
+
+ if (car != null) {
+ return ResponseEntity.ok(CAR_IS_PRESENT_RESPONSE);
+ } else {
+ return ResponseEntity.status(HttpStatus.NOT_FOUND)
+ .body(ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE);
+ }
+ }
 }
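Review bot: `Integer.parseInt(queryParams.get(Constants.ID))` throws NumberFormatException for a missing or non-numeric `id` (parseInt of null throws it too) and nothing catches it, so this level answers 500 where Level 4 in the same file answers 400 with `"Invalid ID format."`; parse inside a try and return the same BAD_REQUEST response. `entityManager.find(CarInformation.class, id)` binds the key rather than building SQL, so the lookup itself is the right shape, assuming CarInformation's @Id is an Integer (find throws IllegalArgumentException otherwise). The not-found branch returns 404 while Levels 1–4 return 200 with CAR_IS_NOT_PRESENT_RESPONSE and the same LEVEL_1 template is reused, so if that difference is intended it deserves a comment, since the existing tests treat 200 as the contract. Patches 1–3 added tests for Levels 1–3 but neither this patch nor patch 6 adds any for Levels 4 and 5, leaving the missing-id and non-numeric-id paths untested.
```java
// … unchanged: @VulnerableAppRequestMapping and signature of getCarInformationLevel5 …
int id;
try {
    id = Integer.parseInt(queryParams.get(Constants.ID));
} catch (NumberFormatException e) {
    // Same contract as Level 4: a malformed or absent id is a client error, not a 500.
    return ResponseEntity.status(HttpStatus.BAD_REQUEST).body("Invalid ID format.");
}
// … unchanged: entityManager.find and the present / not-present responses …
```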