BAEL-1381

sql-injection-samples/.gitignore

@@ -0,0 +1,25 @@
+/target/
+!.mvn/wrapper/maven-wrapper.jar
+
+### STS ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+.sts4-cache
+
+### IntelliJ IDEA ###
+.idea
+*.iws
+*.iml
+*.ipr
+
+### NetBeans ###
+/nbproject/private/
+/build/
+/nbbuild/
+/dist/
+/nbdist/
+/.nb-gradle/

sql-injection-samples/pom.xml

@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <artifactId>parent-boot-2</artifactId>
+        <groupId>com.baeldung</groupId>
+        <version>0.0.1-SNAPSHOT</version>
+        <relativePath>../parent-boot-2</relativePath>
+    </parent>
+	
+	<groupId>com.baeldung</groupId>
+	<artifactId>sql-injection-samples</artifactId>
+	<version>0.0.1-SNAPSHOT</version>
+	<name>sql-injection-samples</name>
+	<description>Sample SQL Injection tests</description>
+
+	<properties>
+		<java.version>1.8</java.version>
+	</properties>
+
+	<dependencies>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-jdbc</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.apache.derby</groupId>
+			<artifactId>derby</artifactId>
+			<scope>runtime</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-configuration-processor</artifactId>
+			<optional>true</optional>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.projectlombok</groupId>
+			<artifactId>lombok</artifactId>
+			<scope>provided</scope>
+		</dependency>
+
+	</dependencies>
+
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.springframework.boot</groupId>
+				<artifactId>spring-boot-maven-plugin</artifactId>
+			</plugin>
+		</plugins>
+	</build>
+
+</project>

sql-injection-samples/src/main/java/com/baeldung/examples/security/sql/AccountDAO.java

@@ -0,0 +1,169 @@
+/**
+ * 
+ */
+package com.baeldung.examples.security.sql;
+
+import java.sql.Connection;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
+import javax.sql.DataSource;
+
+import org.springframework.stereotype.Component;
+
+/**
+ * @author Philippe
+ *
+ */
+@Component
+public class AccountDAO {
+
+    private final DataSource dataSource;
+
+    public AccountDAO(DataSource dataSource) {
+        this.dataSource = dataSource;
+    }
+
+    /**
+     * Return all accounts owned by a given customer,given his/her external id
+     * 
+     * @param customerId
+     * @return
+     */
+    public List<AccountDTO> unsafeFindAccountsByCustomerId(String customerId) {
+
+        String sql = "select " + "customer_id,acc_number,branch_id,balance from Accounts where customer_id = '" + customerId + "'";
+
+        try (Connection c = dataSource.getConnection();
+            ResultSet rs = c.createStatement()
+                .executeQuery(sql)) {
+            List<AccountDTO> accounts = new ArrayList<>();
+            while (rs.next()) {
+                AccountDTO acc = AccountDTO.builder()
+                    .customerId(rs.getString("customer_id"))
+                    .branchId(rs.getString("branch_id"))
+                    .accNumber(rs.getString("acc_number"))
+                    .balance(rs.getBigDecimal("balance"))
+                    .build();
+
+                accounts.add(acc);
+            }
+
+            return accounts;
+        } catch (SQLException ex) {
+            throw new RuntimeException(ex);
+        }
+    }
+
+    /**
+     * Return all accounts owned by a given customer,given his/her external id
+     * 
+     * @param customerId
+     * @return
+     */
+    public List<AccountDTO> safeFindAccountsByCustomerId(String customerId) {
+
+        String sql = "select " + "customer_id,acc_number,branch_id,balance from Accounts where customer_id = ?";
+
+        try (Connection c = dataSource.getConnection(); PreparedStatement p = c.prepareStatement(sql)) {
+            p.setString(1, customerId);
+            ResultSet rs = p.executeQuery();
+            List<AccountDTO> accounts = new ArrayList<>();
+            while (rs.next()) {
+                AccountDTO acc = AccountDTO.builder()
+                    .customerId(rs.getString("customerId"))
+                    .branchId(rs.getString("branch_id"))
+                    .accNumber(rs.getString("acc_number"))
+                    .balance(rs.getBigDecimal("balance"))
+                    .build();
+
+                accounts.add(acc);
+            }
+            return accounts;
+        } catch (SQLException ex) {
+            throw new RuntimeException(ex);
+        }
+    }
+
+    private static final Set<String> VALID_COLUMNS_FOR_ORDER_BY = Stream.of("acc_number", "branch_id", "balance")
+        .collect(Collectors.toCollection(HashSet::new));
+
+    /**
+     * Return all accounts owned by a given customer,given his/her external id
+     * 
+     * @param customerId
+     * @return
+     */
+    public List<AccountDTO> safeFindAccountsByCustomerId(String customerId, String orderBy)  {
+
+        String sql = "select " + "customer_id,acc_number,branch_id,balance from Accounts where customer_id = ? ";
+
+        if (VALID_COLUMNS_FOR_ORDER_BY.contains(orderBy)) {
+            sql = sql + " order by " + orderBy;
+        }
+        else {
+            throw new IllegalArgumentException("Nice try!");
+        }
+
+        try (Connection c = dataSource.getConnection(); PreparedStatement p = c.prepareStatement(sql)) {
+
+            p.setString(1, customerId);
+            ResultSet rs = p.executeQuery();
+            List<AccountDTO> accounts = new ArrayList<>();
+            while (rs.next()) {
+                AccountDTO acc = AccountDTO.builder()
+                    .customerId(rs.getString("customerId"))
+                    .branchId(rs.getString("branch_id"))
+                    .accNumber(rs.getString("acc_number"))
+                    .balance(rs.getBigDecimal("balance"))
+                    .build();
+
+                accounts.add(acc);
+            }
+
+            return accounts;
+        } catch (SQLException ex) {
+            throw new RuntimeException(ex);
+        }
+    }
+
+    /**
+     * Invalid placeholder usage example 
+     * 
+     * @param tableName 
+     * @return
+     */
+    public List<AccountDTO> wrongCountRecordsByTableName(String tableName) {
+
+        try (Connection c = dataSource.getConnection(); 
+             PreparedStatement p = c.prepareStatement("select count(*) from ?")) {
+            
+            p.setString(1, tableName);
+            ResultSet rs = p.executeQuery();
+            List<AccountDTO> accounts = new ArrayList<>();
+            while (rs.next()) {
+                AccountDTO acc = AccountDTO.builder()
+                    .customerId(rs.getString("customerId"))
+                    .branchId(rs.getString("branch_id"))
+                    .accNumber(rs.getString("acc_number"))
+                    .balance(rs.getBigDecimal("balance"))
+                    .build();
+
+                accounts.add(acc);
+            }
+
+            return accounts;
+        } catch (SQLException ex) {
+            throw new RuntimeException(ex);
+        }
+    }
+
+}

sql-injection-samples/src/main/java/com/baeldung/examples/security/sql/AccountDTO.java

@@ -0,0 +1,16 @@
+package com.baeldung.examples.security.sql;
+
+import java.math.BigDecimal;
+
+import lombok.Builder;
+import lombok.Data;
+
+@Data
+@Builder
+public class AccountDTO {
+    
+    private String customerId;
+    private String accNumber;
+    private String branchId;
+    private BigDecimal balance;
+}

sql-injection-samples/src/main/java/com/baeldung/examples/security/sql/SqlInjectionSamplesApplication.java

@@ -0,0 +1,14 @@
+package com.baeldung.examples.security.sql;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class SqlInjectionSamplesApplication {
+
+	public static void main(String[] args) {
+		SpringApplication.run(SqlInjectionSamplesApplication.class, args);
+	}
+
+}
+

sql-injection-samples/src/main/resources/db/changelog/create-tables.xml

@@ -0,0 +1,19 @@
+<databaseChangeLog
+  xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog
+         http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.1.xsd">
+
+	<changeSet id="create-tables" author="baeldung">
+		<createTable tableName="Accounts" >
+			<column name="id" autoIncrement="true" type="BIGINT" remarks="Internal account PK" >
+				<constraints primaryKey="true"/>				
+			</column>
+			<column name="customer_id" type="java.sql.Types.VARCHAR(32)" remarks="External Customer Id"></column> 
+			<column name="acc_number" type="java.sql.Types.VARCHAR(128)" remarks="External Account Number"></column> 
+			<column name="branch_id" type="java.sql.Types.VARCHAR(32)"></column>	
+			<column name="balance" type="CURRENCY"></column>
+			
+		</createTable>
+	</changeSet>
+</databaseChangeLog>

sql-injection-samples/src/main/resources/db/master-changelog.xml

@@ -0,0 +1,8 @@
+<databaseChangeLog
+  xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog
+         http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.1.xsd">
+
+  <include file="changelog/create-tables.xml" relativeToChangelogFile="true"/>
+</databaseChangeLog>

sql-injection-samples/src/test/java/com/baeldung/examples/security/sql/SqlInjectionSamplesApplicationUnitTest.java

@@ -0,0 +1,60 @@
+package com.baeldung.examples.security.sql;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import java.util.List;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.context.junit4.SpringRunner;
+
+import com.baeldung.examples.security.sql.AccountDAO;
+import com.baeldung.examples.security.sql.AccountDTO;
+
+@RunWith(SpringRunner.class)
+@SpringBootTest
+@ActiveProfiles({ "test" })
+public class SqlInjectionSamplesApplicationUnitTest {
+
+    @Autowired
+    private AccountDAO target;
+
+    @Test
+    public void givenAVulnerableMethod_whenValidCustomerId_thenReturnSingleAccount() {
+
+        List<AccountDTO> accounts = target.unsafeFindAccountsByCustomerId("C1");
+        assertThat(accounts).isNotNull();
+        assertThat(accounts).isNotEmpty();
+        assertThat(accounts).hasSize(1);
+    }
+
+    @Test
+    public void givenAVulnerableMethod_whenHackedCustomerId_thenReturnAllAccounts() {
+
+        List<AccountDTO> accounts = target.unsafeFindAccountsByCustomerId("C1' or '1'='1");
+        assertThat(accounts).isNotNull();
+        assertThat(accounts).isNotEmpty();
+        assertThat(accounts).hasSize(3);
+    }
+
+    @Test
+    public void givenASafeMethod_whenHackedCustomerId_thenReturnNoAccounts() {
+
+        List<AccountDTO> accounts = target.safeFindAccountsByCustomerId("C1' or '1'='1");
+        assertThat(accounts).isNotNull();
+        assertThat(accounts).isEmpty();
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void givenASafeMethod_whenInvalidOrderBy_thenThroweException() {
+        target.safeFindAccountsByCustomerId("C1", "INVALID");
+    }
+
+    @Test(expected = RuntimeException.class)
+    public void givenWrongPlaceholderUsageMethod_whenNormalCall_thenThrowsException() {        
+        target.wrongCountRecordsByTableName("Accounts");
+    }
+}

sql-injection-samples/src/test/resources/application-test.yml

@@ -0,0 +1,6 @@
+#
+# Test profile configuration
+#
+spring:
+  datasource:
+    initialization-mode: always

sql-injection-samples/src/test/resources/data.sql

@@ -0,0 +1,4 @@
+insert into Accounts(customer_id,acc_number,branch_id,balance) values ('C1','0001',1,1000.00);
+insert into Accounts(customer_id,acc_number,branch_id,balance) values ('C2','0002',1,500.00);
+insert into Accounts(customer_id,acc_number,branch_id,balance) values ('C3','0003',1,501.00);
+

sql-injection-samples/src/test/resources/schema.sql

@@ -0,0 +1,6 @@
+create table Accounts (
+	customer_id varchar(16) not null,
+	acc_number varchar(16) not null,
+	branch_id decimal(8,0),
+	balance decimal(16,4)	
+);