[BAEL-1381] Add JPA Examples (#6369)

* BAEL-1381 * [BAEL-1381] * [BAEL-1381] New module name * [BAEL-1381] software-security module * [BAEL-1381] Add JPA examples
2019-02-18 02:39:25 -03:00
parent cf25075e22
commit 6c237aaf3a
11 changed files with 246 additions and 51 deletions
--- a/software-security/sql-injection-samples/src/test/java/com/baeldung/examples/security/sql/SqlInjectionSamplesApplicationUnitTest.java
+++ b/software-security/sql-injection-samples/src/test/java/com/baeldung/examples/security/sql/SqlInjectionSamplesApplicationUnitTest.java
@@ -40,6 +40,15 @@ public class SqlInjectionSamplesApplicationUnitTest {
        assertThat(accounts).hasSize(3);
    }

+    @Test
+    public void givenAVulnerableJpaMethod_whenHackedCustomerId_thenReturnAllAccounts() {
+
+        List<AccountDTO> accounts = target.unsafeJpaFindAccountsByCustomerId("C1' or '1'='1");
+        assertThat(accounts).isNotNull();
+        assertThat(accounts).isNotEmpty();
+        assertThat(accounts).hasSize(3);
+    }
+    
    @Test
    public void givenASafeMethod_whenHackedCustomerId_thenReturnNoAccounts() {

@@ -48,13 +57,36 @@ public class SqlInjectionSamplesApplicationUnitTest {
        assertThat(accounts).isEmpty();
    }

+    @Test
+    public void givenASafeJpaMethod_whenHackedCustomerId_thenReturnNoAccounts() {
+
+        List<AccountDTO> accounts = target.safeJpaFindAccountsByCustomerId("C1' or '1'='1");
+        assertThat(accounts).isNotNull();
+        assertThat(accounts).isEmpty();
+    }
+
+
+    @Test
+    public void givenASafeJpaCriteriaMethod_whenHackedCustomerId_thenReturnNoAccounts() {
+
+        List<AccountDTO> accounts = target.safeJpaCriteriaFindAccountsByCustomerId("C1' or '1'='1");
+        assertThat(accounts).isNotNull();
+        assertThat(accounts).isEmpty();
+    }
+    
    @Test(expected = IllegalArgumentException.class)
    public void givenASafeMethod_whenInvalidOrderBy_thenThroweException() {
        target.safeFindAccountsByCustomerId("C1", "INVALID");
    }

-    @Test(expected = RuntimeException.class)
+    @Test(expected = Exception.class)
    public void givenWrongPlaceholderUsageMethod_whenNormalCall_thenThrowsException() {        
        target.wrongCountRecordsByTableName("Accounts");
    }
+
+    @Test(expected = Exception.class)
+    public void givenWrongJpaPlaceholderUsageMethod_whenNormalCall_thenThrowsException() {        
+        target.wrongJpaCountRecordsByTableName("Accounts");
+    }
+    
 }
--- a/software-security/sql-injection-samples/src/test/resources/application-test.yml
+++ b/software-security/sql-injection-samples/src/test/resources/application-test.yml
@@ -2,5 +2,17 @@
 # Test profile configuration
 #
 spring:
+  liquibase:
+    change-log: db/changelog/db.changelog-master.xml
+    
+  jpa:
+    hibernate:
+      ddl-auto: none
+      
  datasource:
-    initialization-mode: always
+    initialization-mode: embedded
+      
+logging:
+  level:
+    sql: DEBUG    
+    
--- a/software-security/sql-injection-samples/src/test/resources/schema.sql
+++ b/software-security/sql-injection-samples/src/test/resources/schema.sql
@@ -1,4 +1,5 @@
 create table Accounts (
+	id BIGINT NOT NULL GENERATED ALWAYS AS IDENTITY (START WITH 1, INCREMENT BY 1),
 	customer_id varchar(16) not null,
 	acc_number varchar(16) not null,
 	branch_id decimal(8,0),