From e3bada67dd6bcabcdeb4c61304360aa78054abf7 Mon Sep 17 00:00:00 2001
From: Philippe <phil@lighthouse.com.br>
Date: Thu, 24 Jan 2019 23:35:44 -0200
Subject: [PATCH] BAEL-1381

---
 sql-injection-samples/.gitignore              |  25 +++
 sql-injection-samples/pom.xml                 |  61 +++++++
 .../examples/security/sql/AccountDAO.java     | 169 ++++++++++++++++++
 .../examples/security/sql/AccountDTO.java     |  16 ++
 .../sql/SqlInjectionSamplesApplication.java   |  14 ++
 .../src/main/resources/application.properties |   0
 .../resources/db/changelog/create-tables.xml  |  19 ++
 .../main/resources/db/master-changelog.xml    |   8 +
 ...qlInjectionSamplesApplicationUnitTest.java |  60 +++++++
 .../src/test/resources/application-test.yml   |   6 +
 .../src/test/resources/data.sql               |   4 +
 .../src/test/resources/schema.sql             |   6 +
 12 files changed, 388 insertions(+)
 create mode 100644 sql-injection-samples/.gitignore
 create mode 100644 sql-injection-samples/pom.xml
 create mode 100644 sql-injection-samples/src/main/java/com/baeldung/examples/security/sql/AccountDAO.java
 create mode 100644 sql-injection-samples/src/main/java/com/baeldung/examples/security/sql/AccountDTO.java
 create mode 100644 sql-injection-samples/src/main/java/com/baeldung/examples/security/sql/SqlInjectionSamplesApplication.java
 create mode 100644 sql-injection-samples/src/main/resources/application.properties
 create mode 100644 sql-injection-samples/src/main/resources/db/changelog/create-tables.xml
 create mode 100644 sql-injection-samples/src/main/resources/db/master-changelog.xml
 create mode 100644 sql-injection-samples/src/test/java/com/baeldung/examples/security/sql/SqlInjectionSamplesApplicationUnitTest.java
 create mode 100644 sql-injection-samples/src/test/resources/application-test.yml
 create mode 100644 sql-injection-samples/src/test/resources/data.sql
 create mode 100644 sql-injection-samples/src/test/resources/schema.sql

diff --git a/sql-injection-samples/.gitignore b/sql-injection-samples/.gitignore
new file mode 100644
index 0000000000..82eca336e3
--- /dev/null
+++ b/sql-injection-samples/.gitignore
@@ -0,0 +1,25 @@
+/target/
+!.mvn/wrapper/maven-wrapper.jar
+
+### STS ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+.sts4-cache
+
+### IntelliJ IDEA ###
+.idea
+*.iws
+*.iml
+*.ipr
+
+### NetBeans ###
+/nbproject/private/
+/build/
+/nbbuild/
+/dist/
+/nbdist/
+/.nb-gradle/
\ No newline at end of file
diff --git a/sql-injection-samples/pom.xml b/sql-injection-samples/pom.xml
new file mode 100644
index 0000000000..b6390ad387
--- /dev/null
+++ b/sql-injection-samples/pom.xml
@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <artifactId>parent-boot-2</artifactId>
+        <groupId>com.baeldung</groupId>
+        <version>0.0.1-SNAPSHOT</version>
+        <relativePath>../parent-boot-2</relativePath>
+    </parent>
+	
+	<groupId>com.baeldung</groupId>
+	<artifactId>sql-injection-samples</artifactId>
+	<version>0.0.1-SNAPSHOT</version>
+	<name>sql-injection-samples</name>
+	<description>Sample SQL Injection tests</description>
+
+	<properties>
+		<java.version>1.8</java.version>
+	</properties>
+
+	<dependencies>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-jdbc</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.apache.derby</groupId>
+			<artifactId>derby</artifactId>
+			<scope>runtime</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-configuration-processor</artifactId>
+			<optional>true</optional>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.projectlombok</groupId>
+			<artifactId>lombok</artifactId>
+			<scope>provided</scope>
+		</dependency>
+
+	</dependencies>
+
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.springframework.boot</groupId>
+				<artifactId>spring-boot-maven-plugin</artifactId>
+			</plugin>
+		</plugins>
+	</build>
+
+</project>
diff --git a/sql-injection-samples/src/main/java/com/baeldung/examples/security/sql/AccountDAO.java b/sql-injection-samples/src/main/java/com/baeldung/examples/security/sql/AccountDAO.java
new file mode 100644
index 0000000000..447dcc456d
--- /dev/null
+++ b/sql-injection-samples/src/main/java/com/baeldung/examples/security/sql/AccountDAO.java
@@ -0,0 +1,169 @@
+/**
+ * 
+ */
+package com.baeldung.examples.security.sql;
+
+import java.sql.Connection;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
+import javax.sql.DataSource;
+
+import org.springframework.stereotype.Component;
+
+/**
+ * @author Philippe
+ *
+ */
+@Component
+public class AccountDAO {
+
+    private final DataSource dataSource;
+
+    public AccountDAO(DataSource dataSource) {
+        this.dataSource = dataSource;
+    }
+
+    /**
+     * Return all accounts owned by a given customer,given his/her external id
+     * 
+     * @param customerId
+     * @return
+     */
+    public List<AccountDTO> unsafeFindAccountsByCustomerId(String customerId) {
+
+        String sql = "select " + "customer_id,acc_number,branch_id,balance from Accounts where customer_id = '" + customerId + "'";
+
+        try (Connection c = dataSource.getConnection();
+            ResultSet rs = c.createStatement()
+                .executeQuery(sql)) {
+            List<AccountDTO> accounts = new ArrayList<>();
+            while (rs.next()) {
+                AccountDTO acc = AccountDTO.builder()
+                    .customerId(rs.getString("customer_id"))
+                    .branchId(rs.getString("branch_id"))
+                    .accNumber(rs.getString("acc_number"))
+                    .balance(rs.getBigDecimal("balance"))
+                    .build();
+
+                accounts.add(acc);
+            }
+
+            return accounts;
+        } catch (SQLException ex) {
+            throw new RuntimeException(ex);
+        }
+    }
+
+    /**
+     * Return all accounts owned by a given customer,given his/her external id
+     * 
+     * @param customerId
+     * @return
+     */
+    public List<AccountDTO> safeFindAccountsByCustomerId(String customerId) {
+
+        String sql = "select " + "customer_id,acc_number,branch_id,balance from Accounts where customer_id = ?";
+
+        try (Connection c = dataSource.getConnection(); PreparedStatement p = c.prepareStatement(sql)) {
+            p.setString(1, customerId);
+            ResultSet rs = p.executeQuery();
+            List<AccountDTO> accounts = new ArrayList<>();
+            while (rs.next()) {
+                AccountDTO acc = AccountDTO.builder()
+                    .customerId(rs.getString("customerId"))
+                    .branchId(rs.getString("branch_id"))
+                    .accNumber(rs.getString("acc_number"))
+                    .balance(rs.getBigDecimal("balance"))
+                    .build();
+
+                accounts.add(acc);
+            }
+            return accounts;
+        } catch (SQLException ex) {
+            throw new RuntimeException(ex);
+        }
+    }
+
+    private static final Set<String> VALID_COLUMNS_FOR_ORDER_BY = Stream.of("acc_number", "branch_id", "balance")
+        .collect(Collectors.toCollection(HashSet::new));
+
+    /**
+     * Return all accounts owned by a given customer,given his/her external id
+     * 
+     * @param customerId
+     * @return
+     */
+    public List<AccountDTO> safeFindAccountsByCustomerId(String customerId, String orderBy)  {
+
+        String sql = "select " + "customer_id,acc_number,branch_id,balance from Accounts where customer_id = ? ";
+
+        if (VALID_COLUMNS_FOR_ORDER_BY.contains(orderBy)) {
+            sql = sql + " order by " + orderBy;
+        }
+        else {
+            throw new IllegalArgumentException("Nice try!");
+        }
+
+        try (Connection c = dataSource.getConnection(); PreparedStatement p = c.prepareStatement(sql)) {
+
+            p.setString(1, customerId);
+            ResultSet rs = p.executeQuery();
+            List<AccountDTO> accounts = new ArrayList<>();
+            while (rs.next()) {
+                AccountDTO acc = AccountDTO.builder()
+                    .customerId(rs.getString("customerId"))
+                    .branchId(rs.getString("branch_id"))
+                    .accNumber(rs.getString("acc_number"))
+                    .balance(rs.getBigDecimal("balance"))
+                    .build();
+
+                accounts.add(acc);
+            }
+
+            return accounts;
+        } catch (SQLException ex) {
+            throw new RuntimeException(ex);
+        }
+    }
+
+    /**
+     * Invalid placeholder usage example 
+     * 
+     * @param tableName 
+     * @return
+     */
+    public List<AccountDTO> wrongCountRecordsByTableName(String tableName) {
+
+        try (Connection c = dataSource.getConnection(); 
+             PreparedStatement p = c.prepareStatement("select count(*) from ?")) {
+            
+            p.setString(1, tableName);
+            ResultSet rs = p.executeQuery();
+            List<AccountDTO> accounts = new ArrayList<>();
+            while (rs.next()) {
+                AccountDTO acc = AccountDTO.builder()
+                    .customerId(rs.getString("customerId"))
+                    .branchId(rs.getString("branch_id"))
+                    .accNumber(rs.getString("acc_number"))
+                    .balance(rs.getBigDecimal("balance"))
+                    .build();
+
+                accounts.add(acc);
+            }
+
+            return accounts;
+        } catch (SQLException ex) {
+            throw new RuntimeException(ex);
+        }
+    }
+
+}
diff --git a/sql-injection-samples/src/main/java/com/baeldung/examples/security/sql/AccountDTO.java b/sql-injection-samples/src/main/java/com/baeldung/examples/security/sql/AccountDTO.java
new file mode 100644
index 0000000000..2e6fa04af4
--- /dev/null
+++ b/sql-injection-samples/src/main/java/com/baeldung/examples/security/sql/AccountDTO.java
@@ -0,0 +1,16 @@
+package com.baeldung.examples.security.sql;
+
+import java.math.BigDecimal;
+
+import lombok.Builder;
+import lombok.Data;
+
+@Data
+@Builder
+public class AccountDTO {
+    
+    private String customerId;
+    private String accNumber;
+    private String branchId;
+    private BigDecimal balance;
+}
diff --git a/sql-injection-samples/src/main/java/com/baeldung/examples/security/sql/SqlInjectionSamplesApplication.java b/sql-injection-samples/src/main/java/com/baeldung/examples/security/sql/SqlInjectionSamplesApplication.java
new file mode 100644
index 0000000000..c1083ae3de
--- /dev/null
+++ b/sql-injection-samples/src/main/java/com/baeldung/examples/security/sql/SqlInjectionSamplesApplication.java
@@ -0,0 +1,14 @@
+package com.baeldung.examples.security.sql;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class SqlInjectionSamplesApplication {
+
+	public static void main(String[] args) {
+		SpringApplication.run(SqlInjectionSamplesApplication.class, args);
+	}
+
+}
+
diff --git a/sql-injection-samples/src/main/resources/application.properties b/sql-injection-samples/src/main/resources/application.properties
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/sql-injection-samples/src/main/resources/db/changelog/create-tables.xml b/sql-injection-samples/src/main/resources/db/changelog/create-tables.xml
new file mode 100644
index 0000000000..a405c02049
--- /dev/null
+++ b/sql-injection-samples/src/main/resources/db/changelog/create-tables.xml
@@ -0,0 +1,19 @@
+<databaseChangeLog
+  xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog
+         http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.1.xsd">
+
+	<changeSet id="create-tables" author="baeldung">
+		<createTable tableName="Accounts" >
+			<column name="id" autoIncrement="true" type="BIGINT" remarks="Internal account PK" >
+				<constraints primaryKey="true"/>				
+			</column>
+			<column name="customer_id" type="java.sql.Types.VARCHAR(32)" remarks="External Customer Id"></column> 
+			<column name="acc_number" type="java.sql.Types.VARCHAR(128)" remarks="External Account Number"></column> 
+			<column name="branch_id" type="java.sql.Types.VARCHAR(32)"></column>	
+			<column name="balance" type="CURRENCY"></column>
+			
+		</createTable>
+	</changeSet>
+</databaseChangeLog>
\ No newline at end of file
diff --git a/sql-injection-samples/src/main/resources/db/master-changelog.xml b/sql-injection-samples/src/main/resources/db/master-changelog.xml
new file mode 100644
index 0000000000..047ca2b314
--- /dev/null
+++ b/sql-injection-samples/src/main/resources/db/master-changelog.xml
@@ -0,0 +1,8 @@
+<databaseChangeLog
+  xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog
+         http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.1.xsd">
+
+  <include file="changelog/create-tables.xml" relativeToChangelogFile="true"/>
+</databaseChangeLog>
\ No newline at end of file
diff --git a/sql-injection-samples/src/test/java/com/baeldung/examples/security/sql/SqlInjectionSamplesApplicationUnitTest.java b/sql-injection-samples/src/test/java/com/baeldung/examples/security/sql/SqlInjectionSamplesApplicationUnitTest.java
new file mode 100644
index 0000000000..1f37ba04b6
--- /dev/null
+++ b/sql-injection-samples/src/test/java/com/baeldung/examples/security/sql/SqlInjectionSamplesApplicationUnitTest.java
@@ -0,0 +1,60 @@
+package com.baeldung.examples.security.sql;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import java.util.List;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.context.junit4.SpringRunner;
+
+import com.baeldung.examples.security.sql.AccountDAO;
+import com.baeldung.examples.security.sql.AccountDTO;
+
+@RunWith(SpringRunner.class)
+@SpringBootTest
+@ActiveProfiles({ "test" })
+public class SqlInjectionSamplesApplicationUnitTest {
+
+    @Autowired
+    private AccountDAO target;
+
+    @Test
+    public void givenAVulnerableMethod_whenValidCustomerId_thenReturnSingleAccount() {
+
+        List<AccountDTO> accounts = target.unsafeFindAccountsByCustomerId("C1");
+        assertThat(accounts).isNotNull();
+        assertThat(accounts).isNotEmpty();
+        assertThat(accounts).hasSize(1);
+    }
+
+    @Test
+    public void givenAVulnerableMethod_whenHackedCustomerId_thenReturnAllAccounts() {
+
+        List<AccountDTO> accounts = target.unsafeFindAccountsByCustomerId("C1' or '1'='1");
+        assertThat(accounts).isNotNull();
+        assertThat(accounts).isNotEmpty();
+        assertThat(accounts).hasSize(3);
+    }
+
+    @Test
+    public void givenASafeMethod_whenHackedCustomerId_thenReturnNoAccounts() {
+
+        List<AccountDTO> accounts = target.safeFindAccountsByCustomerId("C1' or '1'='1");
+        assertThat(accounts).isNotNull();
+        assertThat(accounts).isEmpty();
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void givenASafeMethod_whenInvalidOrderBy_thenThroweException() {
+        target.safeFindAccountsByCustomerId("C1", "INVALID");
+    }
+
+    @Test(expected = RuntimeException.class)
+    public void givenWrongPlaceholderUsageMethod_whenNormalCall_thenThrowsException() {        
+        target.wrongCountRecordsByTableName("Accounts");
+    }
+}
diff --git a/sql-injection-samples/src/test/resources/application-test.yml b/sql-injection-samples/src/test/resources/application-test.yml
new file mode 100644
index 0000000000..d07ee10aee
--- /dev/null
+++ b/sql-injection-samples/src/test/resources/application-test.yml
@@ -0,0 +1,6 @@
+#
+# Test profile configuration
+#
+spring:
+  datasource:
+    initialization-mode: always
diff --git a/sql-injection-samples/src/test/resources/data.sql b/sql-injection-samples/src/test/resources/data.sql
new file mode 100644
index 0000000000..586618a07f
--- /dev/null
+++ b/sql-injection-samples/src/test/resources/data.sql
@@ -0,0 +1,4 @@
+insert into Accounts(customer_id,acc_number,branch_id,balance) values ('C1','0001',1,1000.00);
+insert into Accounts(customer_id,acc_number,branch_id,balance) values ('C2','0002',1,500.00);
+insert into Accounts(customer_id,acc_number,branch_id,balance) values ('C3','0003',1,501.00);
+
diff --git a/sql-injection-samples/src/test/resources/schema.sql b/sql-injection-samples/src/test/resources/schema.sql
new file mode 100644
index 0000000000..bfb0ae8059
--- /dev/null
+++ b/sql-injection-samples/src/test/resources/schema.sql
@@ -0,0 +1,6 @@
+create table Accounts (
+	customer_id varchar(16) not null,
+	acc_number varchar(16) not null,
+	branch_id decimal(8,0),
+	balance decimal(16,4)	
+);