
Tutorial 1. Write your first InternalFLuentTQL specification

Ranjith K edited this page Sep 4, 2020 · 23 revisions

Let's take a simple SQL-Injection example. The code below contains a SQL injection: a value read from the user via Scanner.nextLine reaches Statement.executeQuery through string concatenation. Note that the OWASP Java HTML Sanitizer (PolicyFactory.sanitize) is used here only to play the role of a sanitizer in a taint specification; an HTML policy is not a defence against SQL injection, and the real fix for code like this is a PreparedStatement with bound parameters.

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Scanner;

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class SimpleSQLInjection {

    public static ResultSet getEmployeeInformationWithSanitizer() throws SQLException {
        Scanner mySC = new Scanner(System.in);

        // Source: Method nextLine is a source that takes input from the user (tainted).
        String employeeID = mySC.nextLine();

        mySC.close();

        PolicyFactory POLICY_DEFINITION = new HtmlPolicyBuilder().toFactory();

        // Sanitizer: Method sanitize is the sanitizer in this specification. Uncommenting the
        // line below makes the tainted value pass through the sanitizer before reaching the sink.
        //employeeID = POLICY_DEFINITION.sanitize(employeeID);

        Connection myConnection = DriverManager.getConnection("jdbc:hsqldb:mem:EMPLOYEES", "test", "test");
        Statement myStatement = myConnection.createStatement();

        // Sink: Method executeQuery is a sink that performs the sensitive operation; the
        // concatenated, unsanitized user input reaches it here (SQL injection).
        ResultSet queryResult = myStatement.executeQuery("SELECT * FROM EMPLOYEE where EID = " + employeeID);

        return queryResult;

    }
}

For an InternalFluentTQL specification, the specification class must implement the interface FluentTQLUserInterface.

import de.fraunhofer.iem.secucheck.InternalFluentTQL.fluentInterface.SpecificationInterface.FluentTQLUserInterface;

public class SimpleSQLInjectionSpec implements FluentTQLUserInterface {
...

All the methods involved in the flow (source, sanitizer, required propagators, and sink) have to be defined in InternalFluentTQL. The example below shows how to define a method, here the sanitizer:

Method sanitizer = new MethodConfigurator("org.owasp.html.PolicyFactory: java.lang.String sanitize(java.lang.String)")
            .in().param(0)
            .out().returnValue().configure();

The sensitive information that goes into the method is configured using the InputDeclaration (in()) and the sensitive information that comes out of the method is configured using OutputDeclaration (out()).

An example of information that flows into a method: in the method sanitize, the first parameter is the user input, i.e. the sensitive information. To configure this in InternalFluentTQL, use param() with the parameter index. Parameter indices are zero-based in InternalFluentTQL specifications, so the first parameter is param(0).

An example of information that comes out of a method: in the method sanitize, the return value is the sanitized user input. To configure this in InternalFluentTQL, use returnValue().

Sometimes we also need to express that the sensitive information flows through the receiver object ("this") rather than through a parameter or the return value. For this, thisObject() can be used.
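To see all four method roles together, the following is an added example (not code from the SecuCheck wiki or the InternalFluentTQL project) that configures the source, sanitizer, sink and a propagator for the SimpleSQLInjection class above using only the calls introduced on this page. The import paths for Method and MethodConfigurator are assumed (the page shows only the import of FluentTQLUserInterface), and the use of thisObject() on the out() side of a StringBuilder.append propagator is an assumed application of the API described above.

```java
// Assumed package names: only the FluentTQLUserInterface import is given on this page.
import de.fraunhofer.iem.secucheck.InternalFluentTQL.fluentInterface.MethodPackage.Method;
import de.fraunhofer.iem.secucheck.InternalFluentTQL.fluentInterface.MethodPackage.MethodConfigurator;

/**
 * Method definitions for the SimpleSQLInjection example (added example, not project code).
 * Method signatures use the "fully.qualified.Class: returnType name(paramTypes)" form
 * shown for the sanitizer above.
 */
public class SimpleSQLInjectionMethods {

    // Source: nothing tainted flows in; the tainted user input leaves as the return value,
    // so only an OutputDeclaration is needed.
    public static final Method SOURCE = new MethodConfigurator(
            "java.util.Scanner: java.lang.String nextLine()")
            .out().returnValue().configure();

    // Sanitizer: the tainted value enters as the first parameter (index 0) and the
    // sanitized value leaves as the return value.
    public static final Method SANITIZER = new MethodConfigurator(
            "org.owasp.html.PolicyFactory: java.lang.String sanitize(java.lang.String)")
            .in().param(0)
            .out().returnValue().configure();

    // Sink: only an InputDeclaration; taint reaching the first parameter is the finding.
    // No out() is declared because nothing sensitive needs to be tracked past the sink.
    public static final Method SINK = new MethodConfigurator(
            "java.sql.Statement: java.sql.ResultSet executeQuery(java.lang.String)")
            .in().param(0).configure();

    // Propagator (assumed use of thisObject()): when the query string is concatenated, the
    // compiler may emit StringBuilder.append. Taint enters through the appended parameter
    // and leaves through the StringBuilder receiver ("this"), not through a parameter.
    public static final Method PROPAGATOR = new MethodConfigurator(
            "java.lang.StringBuilder: java.lang.StringBuilder append(java.lang.String)")
            .in().param(0)
            .out().thisObject().configure();
}
```

The source has only an output declaration and the sink only an input declaration; a sanitizer or propagator needs both, because taint must enter it and leave it for the analysis to follow the value. Combining these Method objects into an actual taint-flow query is the next step of the tutorial and is not covered on this page.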