JAVA-13856 Create new security-modules (#12622)
This commit is contained in:
+92
@@ -0,0 +1,92 @@
|
||||
package com.baeldung.examples.security.sql;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.boot.test.context.SpringBootTest;
|
||||
import org.springframework.test.context.ActiveProfiles;
|
||||
import org.springframework.test.context.junit4.SpringRunner;
|
||||
|
||||
import com.baeldung.examples.security.sql.AccountDAO;
|
||||
import com.baeldung.examples.security.sql.AccountDTO;
|
||||
|
||||
@RunWith(SpringRunner.class)
|
||||
@SpringBootTest
|
||||
@ActiveProfiles({ "test" })
|
||||
public class SqlInjectionSamplesApplicationUnitTest {
|
||||
|
||||
@Autowired
|
||||
private AccountDAO target;
|
||||
|
||||
@Test
|
||||
public void givenAVulnerableMethod_whenValidCustomerId_thenReturnSingleAccount() {
|
||||
|
||||
List<AccountDTO> accounts = target.unsafeFindAccountsByCustomerId("C1");
|
||||
assertThat(accounts).isNotNull();
|
||||
assertThat(accounts).isNotEmpty();
|
||||
assertThat(accounts).hasSize(1);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void givenAVulnerableMethod_whenHackedCustomerId_thenReturnAllAccounts() {
|
||||
|
||||
List<AccountDTO> accounts = target.unsafeFindAccountsByCustomerId("C1' or '1'='1");
|
||||
assertThat(accounts).isNotNull();
|
||||
assertThat(accounts).isNotEmpty();
|
||||
assertThat(accounts).hasSize(3);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void givenAVulnerableJpaMethod_whenHackedCustomerId_thenReturnAllAccounts() {
|
||||
|
||||
List<AccountDTO> accounts = target.unsafeJpaFindAccountsByCustomerId("C1' or '1'='1");
|
||||
assertThat(accounts).isNotNull();
|
||||
assertThat(accounts).isNotEmpty();
|
||||
assertThat(accounts).hasSize(3);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void givenASafeMethod_whenHackedCustomerId_thenReturnNoAccounts() {
|
||||
|
||||
List<AccountDTO> accounts = target.safeFindAccountsByCustomerId("C1' or '1'='1");
|
||||
assertThat(accounts).isNotNull();
|
||||
assertThat(accounts).isEmpty();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void givenASafeJpaMethod_whenHackedCustomerId_thenReturnNoAccounts() {
|
||||
|
||||
List<AccountDTO> accounts = target.safeJpaFindAccountsByCustomerId("C1' or '1'='1");
|
||||
assertThat(accounts).isNotNull();
|
||||
assertThat(accounts).isEmpty();
|
||||
}
|
||||
|
||||
|
||||
@Test
|
||||
public void givenASafeJpaCriteriaMethod_whenHackedCustomerId_thenReturnNoAccounts() {
|
||||
|
||||
List<AccountDTO> accounts = target.safeJpaCriteriaFindAccountsByCustomerId("C1' or '1'='1");
|
||||
assertThat(accounts).isNotNull();
|
||||
assertThat(accounts).isEmpty();
|
||||
}
|
||||
|
||||
@Test(expected = IllegalArgumentException.class)
|
||||
public void givenASafeMethod_whenInvalidOrderBy_thenThroweException() {
|
||||
target.safeFindAccountsByCustomerId("C1", "INVALID");
|
||||
}
|
||||
|
||||
@Test(expected = Exception.class)
|
||||
public void givenWrongPlaceholderUsageMethod_whenNormalCall_thenThrowsException() {
|
||||
target.wrongCountRecordsByTableName("Accounts");
|
||||
}
|
||||
|
||||
@Test(expected = Exception.class)
|
||||
public void givenWrongJpaPlaceholderUsageMethod_whenNormalCall_thenThrowsException() {
|
||||
target.wrongJpaCountRecordsByTableName("Accounts");
|
||||
}
|
||||
|
||||
}
|
||||
@@ -0,0 +1,18 @@
|
||||
#
|
||||
# Test profile configuration
|
||||
#
|
||||
spring:
|
||||
liquibase:
|
||||
change-log: db/changelog/db.changelog-master.xml
|
||||
|
||||
jpa:
|
||||
hibernate:
|
||||
ddl-auto: none
|
||||
|
||||
datasource:
|
||||
initialization-mode: embedded
|
||||
|
||||
logging:
|
||||
level:
|
||||
sql: DEBUG
|
||||
|
||||
@@ -0,0 +1,4 @@
|
||||
insert into Accounts(customer_id,acc_number,branch_id,balance) values ('C1','0001',1,1000.00);
|
||||
insert into Accounts(customer_id,acc_number,branch_id,balance) values ('C2','0002',1,500.00);
|
||||
insert into Accounts(customer_id,acc_number,branch_id,balance) values ('C3','0003',1,501.00);
|
||||
|
||||
@@ -0,0 +1,12 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<configuration scan="true" scanPeriod="15 seconds" debug="false">
|
||||
<appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
|
||||
<encoder>
|
||||
<pattern>[%d{ISO8601}]-[%thread] %-5level %logger - %msg%n</pattern>
|
||||
</encoder>
|
||||
</appender>
|
||||
|
||||
<root level="INFO">
|
||||
<appender-ref ref="STDOUT" />
|
||||
</root>
|
||||
</configuration>
|
||||
@@ -0,0 +1,7 @@
|
||||
create table Accounts (
|
||||
id BIGINT NOT NULL GENERATED ALWAYS AS IDENTITY (START WITH 1, INCREMENT BY 1),
|
||||
customer_id varchar(16) not null,
|
||||
acc_number varchar(16) not null,
|
||||
branch_id decimal(8,0),
|
||||
balance decimal(16,4)
|
||||
);
|
||||
Reference in New Issue
Block a user