Java: more database update tests and stubs
Jami Cogswell authored and Jami Cogswell committed Dec 18, 2024
1 parent aaf20c5 commit 3d14e16
Showing 4 changed files with 319 additions and 6 deletions.
Expand Up @@ -22,6 +22,10 @@
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.HttpRedirect;
import org.kohsuke.stapler.HttpResponses;
import org.apache.ibatis.jdbc.SqlRunner;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;
import java.util.Map;

@Controller
public class CsrfUnprotectedRequestTypeTest {
Expand Down Expand Up @@ -142,29 +146,46 @@ public void bad6() { // $ hasCsrfUnprotectedRequestType
} catch (SQLException e) { }
}

// BAD: allows request type not default-protected from CSRF when
// updating a database using `Statement.executeUpdate`
@RequestMapping("/")
public void badStatementExecuteUpdate() { // $ hasCsrfUnprotectedRequestType
try {
String item = "item";
String price = "price";
Statement statement = connection.createStatement();
String query = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'";
int count = statement.executeUpdate(query);
String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'";
int count = statement.executeUpdate(sql);
} catch (SQLException e) { }
}

// BAD: allows request type not default-protected from CSRF when
// updating a database using `Statement.executeLargeUpdate`
@RequestMapping("/")
public void badStatementExecuteLargeUpdate() { // $ hasCsrfUnprotectedRequestType
try {
String item = "item";
String price = "price";
Statement statement = connection.createStatement();
String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'";
long count = statement.executeLargeUpdate(sql);
} catch (SQLException e) { }
}

// BAD: allows request type not default-protected from CSRF when
// updating a database using `Statement.execute` with SQL UPDATE
@RequestMapping("/")
public void badStatementExecute() { // $ hasCsrfUnprotectedRequestType
try {
String item = "item";
String price = "price";
Statement statement = connection.createStatement();
String query = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'";
boolean bool = statement.execute(query);
String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'";
boolean bool = statement.execute(sql);
} catch (SQLException e) { }
}

// GOOD: select not insert/update/delete
// GOOD: does not update a database, queries with SELECT
@RequestMapping("/")
public void goodStatementExecute() {
try {
Expand All @@ -176,6 +197,92 @@ public void goodStatementExecute() {
} catch (SQLException e) { }
}

// BAD: allows request type not default-protected from CSRF when
// updating a database using `SqlRunner.insert`
@RequestMapping("/")
public void badSqlRunnerInsert() { // $ hasCsrfUnprotectedRequestType
try {
String item = "item";
String price = "price";
String sql = "INSERT PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'";
SqlRunner sqlRunner = new SqlRunner(connection);
sqlRunner.insert(sql);
} catch (SQLException e) { }
}

// BAD: allows request type not default-protected from CSRF when
// updating a database using `SqlRunner.update`
@RequestMapping("/")
public void badSqlRunnerUpdate() { // $ hasCsrfUnprotectedRequestType
try {
String item = "item";
String price = "price";
String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'";
SqlRunner sqlRunner = new SqlRunner(connection);
sqlRunner.update(sql);
} catch (SQLException e) { }
}

// BAD: allows request type not default-protected from CSRF when
// updating a database using `SqlRunner.delete`
@RequestMapping("/")
public void badSqlRunnerDelete() { // $ hasCsrfUnprotectedRequestType
try {
String item = "item";
String price = "price";
String sql = "DELETE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'";
SqlRunner sqlRunner = new SqlRunner(connection);
sqlRunner.delete(sql);
} catch (SQLException e) { }
}

// BAD: allows request type not default-protected from CSRF when
// updating a database using `NamedParameterJdbcTemplate.update`
@RequestMapping("/")
public void badNamedParameterJdbcTemplateUpdate() { // $ hasCsrfUnprotectedRequestType
String item = "item";
String price = "price";
String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'";
JdbcTemplate jdbcTemplate = new JdbcTemplate();
NamedParameterJdbcTemplate nameParamjdbcTemplate = new NamedParameterJdbcTemplate(jdbcTemplate);
nameParamjdbcTemplate.update(sql, null, null);
}

// BAD: allows request type not default-protected from CSRF when
// updating a database using `NamedParameterJdbcTemplate.batchUpdate`
@RequestMapping("/")
public void badNamedParameterJdbcTemplateBatchUpdate() { // $ hasCsrfUnprotectedRequestType
String item = "item";
String price = "price";
String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'";
JdbcTemplate jdbcTemplate = new JdbcTemplate();
NamedParameterJdbcTemplate nameParamjdbcTemplate = new NamedParameterJdbcTemplate(jdbcTemplate);
nameParamjdbcTemplate.batchUpdate(sql, (Map<String,?>[]) null);
}

// BAD: allows request type not default-protected from CSRF when
// updating a database using `NamedParameterJdbcTemplate.execute`
@RequestMapping("/")
public void badNamedParameterJdbcTemplateExecute() { // $ hasCsrfUnprotectedRequestType
String item = "item";
String price = "price";
String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'";
JdbcTemplate jdbcTemplate = new JdbcTemplate();
NamedParameterJdbcTemplate nameParamjdbcTemplate = new NamedParameterJdbcTemplate(jdbcTemplate);
nameParamjdbcTemplate.execute(sql, null);
}

// GOOD: does not update a database, queries with SELECT
@RequestMapping("/")
public void goodNamedParameterJdbcTemplateExecute() {
String category = "category";
String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
+ category + "' ORDER BY PRICE";
JdbcTemplate jdbcTemplate = new JdbcTemplate();
NamedParameterJdbcTemplate nameParamjdbcTemplate = new NamedParameterJdbcTemplate(jdbcTemplate);
nameParamjdbcTemplate.execute(query, null);
}

@Autowired
private MyBatisService myBatisService;

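Review bot: The SQL literals in `badSqlRunnerInsert` and `badSqlRunnerDelete` are not valid INSERT/DELETE statements — `INSERT PRODUCT SET PRICE=... WHERE ...` and `DELETE PRODUCT SET PRICE=... WHERE ...` read as copies of the UPDATE template with only the first keyword swapped. The `goodStatementExecute` and `goodNamedParameterJdbcTemplateExecute` cases show the query separates SELECT from modifying statements by looking at the SQL text for the generic `execute` sinks, so the fixtures should use real syntax to represent the code the query is meant to flag: `String sql = "INSERT INTO PRODUCT (ITEM, PRICE) VALUES ('" + item + "', '" + price + "')";` and `String sql = "DELETE FROM PRODUCT WHERE ITEM='" + item + "'";`. Whether the `SqlRunner.insert`/`delete` sinks are keyed on the method name alone or also on the string contents is not visible in this diff; either way the realistic form costs nothing and avoids a test that passes only because the sink ignores the statement. A one-line comment above each, such as `// SQL text is illustrative; the sink is the SqlRunner method call`, would make the intent explicit if the string is deliberately not parsed.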
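--- a/java/ql/test/query-tests/security/CWE-352/options
+++ b/java/ql/test/query-tests/security/CWE-352/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.3.8/:${testdir}/../../../stubs/org.mybatis-3.5.4/:${testdir}/../../../stubs/stapler-1.263/:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/saxon-xqj-9.x:${testdir}/../../../stubs/apache-commons-beanutils:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/apache-commons-lang:${testdir}/../../../stubs/jaxen-1.2.0
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.3.8/:${testdir}/../../../stubs/org.mybatis-3.5.4/:${testdir}/../../../stubs/stapler-1.263/:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/saxon-xqj-9.x:${testdir}/../../../stubs/apache-commons-beanutils:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/apache-commons-lang:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/apache-commons-logging-1.2/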
