Code for BAEL-1381 (#6214)

* BAEL-1381 * [BAEL-1381] * [BAEL-1381] New module name * [BAEL-1381] software-security module
2019-01-31 00:16:26 -02:00
parent f1ea814185
commit 4d1c8634fa
13 changed files with 390 additions and 1 deletions
--- a/software-security/sql-injection-samples/src/test/java/com/baeldung/examples/security/sql/SqlInjectionSamplesApplicationUnitTest.java
+++ b/software-security/sql-injection-samples/src/test/java/com/baeldung/examples/security/sql/SqlInjectionSamplesApplicationUnitTest.java
@@ -0,0 +1,60 @@
+package com.baeldung.examples.security.sql;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import java.util.List;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.context.junit4.SpringRunner;
+
+import com.baeldung.examples.security.sql.AccountDAO;
+import com.baeldung.examples.security.sql.AccountDTO;
+
+@RunWith(SpringRunner.class)
+@SpringBootTest
+@ActiveProfiles({ "test" })
+public class SqlInjectionSamplesApplicationUnitTest {
+
+    @Autowired
+    private AccountDAO target;
+
+    @Test
+    public void givenAVulnerableMethod_whenValidCustomerId_thenReturnSingleAccount() {
+
+        List<AccountDTO> accounts = target.unsafeFindAccountsByCustomerId("C1");
+        assertThat(accounts).isNotNull();
+        assertThat(accounts).isNotEmpty();
+        assertThat(accounts).hasSize(1);
+    }
+
+    @Test
+    public void givenAVulnerableMethod_whenHackedCustomerId_thenReturnAllAccounts() {
+
+        List<AccountDTO> accounts = target.unsafeFindAccountsByCustomerId("C1' or '1'='1");
+        assertThat(accounts).isNotNull();
+        assertThat(accounts).isNotEmpty();
+        assertThat(accounts).hasSize(3);
+    }
+
+    @Test
+    public void givenASafeMethod_whenHackedCustomerId_thenReturnNoAccounts() {
+
+        List<AccountDTO> accounts = target.safeFindAccountsByCustomerId("C1' or '1'='1");
+        assertThat(accounts).isNotNull();
+        assertThat(accounts).isEmpty();
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void givenASafeMethod_whenInvalidOrderBy_thenThroweException() {
+        target.safeFindAccountsByCustomerId("C1", "INVALID");
+    }
+
+    @Test(expected = RuntimeException.class)
+    public void givenWrongPlaceholderUsageMethod_whenNormalCall_thenThrowsException() {        
+        target.wrongCountRecordsByTableName("Accounts");
+    }
+}
--- a/software-security/sql-injection-samples/src/test/resources/application-test.yml
+++ b/software-security/sql-injection-samples/src/test/resources/application-test.yml
@@ -0,0 +1,6 @@
+#
+# Test profile configuration
+#
+spring:
+  datasource:
+    initialization-mode: always
--- a/software-security/sql-injection-samples/src/test/resources/data.sql
+++ b/software-security/sql-injection-samples/src/test/resources/data.sql
@@ -0,0 +1,4 @@
+insert into Accounts(customer_id,acc_number,branch_id,balance) values ('C1','0001',1,1000.00);
+insert into Accounts(customer_id,acc_number,branch_id,balance) values ('C2','0002',1,500.00);
+insert into Accounts(customer_id,acc_number,branch_id,balance) values ('C3','0003',1,501.00);
+
--- a/software-security/sql-injection-samples/src/test/resources/schema.sql
+++ b/software-security/sql-injection-samples/src/test/resources/schema.sql
@@ -0,0 +1,6 @@
+create table Accounts (
+	customer_id varchar(16) not null,
+	acc_number varchar(16) not null,
+	branch_id decimal(8,0),
+	balance decimal(16,4)	
+);