Merge pull request #34 from sip49/pixeebot/drip-2024-06-11-pixee-java…
…/sql-parameterizer

Refactored to use parameterized SQL APIs
sip49 authored Jul 23, 2024
2 parents 96f9f8e + 438c2a7 commit cf1b850
Showing 6 changed files with 52 additions and 46 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
package org.owasp.webgoat.lessons.sqlinjection.advanced;

import java.sql.*;
import java.sql.PreparedStatement;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.LessonDataSource;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
Expand Down Expand Up @@ -64,10 +65,10 @@ public AttackResult registerNewUser(

try (Connection connection = dataSource.getConnection()) {
String checkUserQuery =
"select userid from sql_challenge_users where userid = '" + username_reg + "'";
Statement statement = connection.createStatement();
ResultSet resultSet = statement.executeQuery(checkUserQuery);

"select userid from sql_challenge_users where userid = ?";
PreparedStatement statement = connection.prepareStatement(checkUserQuery);
statement.setString(1, username_reg);
ResultSet resultSet = statement.execute();
if (resultSet.next()) {
if (username_reg.contains("tom'")) {
attackResult = success(this).feedback("user.exists").build();
Expand All @@ -83,6 +84,7 @@ public AttackResult registerNewUser(
preparedStatement.execute();
attackResult = success(this).feedback("user.created").feedbackArgs(username_reg).build();
}

} catch (SQLException e) {
attackResult = failed(this).output("Something went wrong").build();
}
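Review bot: `ResultSet resultSet = statement.execute();` in the registerNewUser hunk does not compile, because `PreparedStatement.execute()` returns `boolean`; a SELECT through a prepared statement needs `ResultSet resultSet = statement.executeQuery();`. The same mis-typed call is made in the other five files of this commit (the `injectableQuery` hunks of the advanced and introduction lessons, `injectableQueryAvailability`, `injectableQueryConfidentiality` and `injectableQueryIntegrity`) and the fix is identical there. With the user name now bound as a parameter, the `if (username_reg.contains("tom'"))` branch just below can only be entered when a row with that literal userid exists, so the lesson's feedback path that depended on the old concatenated query may have become unreachable — worth checking against the lesson text. The added `import java.sql.PreparedStatement;` is redundant next to the existing `import java.sql.*;`. registerNewUser starts and ends outside the hunk.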
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
package org.owasp.webgoat.lessons.sqlinjection.advanced;

import java.sql.*;
import java.sql.PreparedStatement;
import org.owasp.webgoat.container.LessonDataSource;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
Expand Down Expand Up @@ -63,16 +64,16 @@ public AttackResult injectableQuery(String accountName) {
String query = "";
try (Connection connection = dataSource.getConnection()) {
boolean usedUnion = true;
query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
query = "SELECT * FROM user_data WHERE last_name = ?";
// Check if Union is used
if (!accountName.matches("(?i)(^[^-/*;)]*)(\\s*)UNION(.*$)")) {
usedUnion = false;
}
try (Statement statement =
connection.createStatement(
ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY)) {
ResultSet results = statement.executeQuery(query);

try (PreparedStatement statement =
connection.prepareStatement(
query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY)) {
statement.setString(1, accountName);
ResultSet results = statement.execute();
if ((results != null) && results.first()) {
ResultSetMetaData resultsMetaData = results.getMetaData();
StringBuilder output = new StringBuilder();
Expand Down Expand Up @@ -104,6 +105,7 @@ public AttackResult injectableQuery(String accountName) {
.output(YOUR_QUERY_WAS + query)
.build();
}

} catch (SQLException sqle) {
return failed(this).output(sqle.getMessage() + YOUR_QUERY_WAS + query).build();
}
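Review bot: `.output(YOUR_QUERY_WAS + query)` and the `sqle.getMessage() + YOUR_QUERY_WAS + query` message in the catch now echo the `?` template, since `query` no longer contains the submitted value, so the "your query was" feedback no longer tells the user what was actually run; either drop that feedback or append the bound value separately, e.g. `.output(YOUR_QUERY_WAS + query + " [last_name = " + accountName + "]")`. The `usedUnion` flag is still derived from the raw `accountName` by the regex check, but with the value bound via `setString` it no longer describes the statement that executed, so whichever branch consumes it (outside the hunk) should be revisited. The `import java.sql.PreparedStatement;` line duplicates what `import java.sql.*;` already provides. injectableQuery starts and ends outside these hunks.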
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
package org.owasp.webgoat.lessons.sqlinjection.introduction;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
Expand Down Expand Up @@ -61,15 +62,15 @@ public AttackResult completed(@RequestParam String action_string) {

protected AttackResult injectableQueryAvailability(String action) {
StringBuilder output = new StringBuilder();
String query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'";
String query = "SELECT * FROM access_log WHERE action LIKE ?";

try (Connection connection = dataSource.getConnection()) {
try {
Statement statement =
connection.createStatement(
ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
ResultSet results = statement.executeQuery(query);

PreparedStatement statement =
connection.prepareStatement(
query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
statement.setString(1, "%" + action + "%");
ResultSet results = statement.execute();
if (results.getStatement() != null) {
results.first();
output.append(SqlInjectionLesson8.generateTable(results));
Expand All @@ -87,6 +88,7 @@ protected AttackResult injectableQueryAvailability(String action) {
return success(this).feedback("sql-injection.10.success").build();
}
}

} catch (SQLException e) {
if (tableExists(connection)) {
return failed(this)
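Review bot: `statement.setString(1, "%" + action + "%")` binds the LIKE pattern correctly, but `%` and `_` inside `action` are still LIKE wildcards and will widen the match; if the intent is a literal substring search, escape them before binding (e.g. `action.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")`) and use `LIKE ? ESCAPE '\'` in the query. The new `PreparedStatement statement` is created inside a bare `try {` and is never closed; since the line is being rewritten anyway, make it `try (PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY)) {`. After this change `import java.sql.Statement;` may be unused in this file — confirm and remove it if so. injectableQueryAvailability ends outside the hunk.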
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
package org.owasp.webgoat.lessons.sqlinjection.introduction;

import java.sql.*;
import java.sql.PreparedStatement;
import org.owasp.webgoat.container.LessonDataSource;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
Expand Down Expand Up @@ -60,12 +61,12 @@ protected AttackResult injectableQuery(String accountName) {
String query = "";
try (Connection connection = dataSource.getConnection()) {
query =
"SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'";
try (Statement statement =
connection.createStatement(
ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE)) {
ResultSet results = statement.executeQuery(query);

"SELECT * FROM user_data WHERE first_name = 'John' and last_name = ?";
try (PreparedStatement statement =
connection.prepareStatement(
query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE)) {
statement.setString(1, accountName);
ResultSet results = statement.execute();
if ((results != null) && (results.first())) {
ResultSetMetaData resultsMetaData = results.getMetaData();
StringBuilder output = new StringBuilder();
Expand All @@ -89,6 +90,7 @@ protected AttackResult injectableQuery(String accountName) {
.output("Your query was: " + query)
.build();
}

} catch (SQLException sqle) {
return failed(this).output(sqle.getMessage() + "<br> Your query was: " + query).build();
}
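Review bot: `.output("Your query was: " + query)` and the `"<br> Your query was: " + query` message in the catch now print the template with the `?` placeholder, because `query` no longer embeds `accountName`; the feedback should either be dropped or state the bound value explicitly, e.g. `.output("Your query was: " + query + " with last_name = " + accountName)`. The added `import java.sql.PreparedStatement;` is covered by the existing `import java.sql.*;` and can go. injectableQuery starts and ends outside these hunks.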
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@

package org.owasp.webgoat.lessons.sqlinjection.introduction;

import java.sql.PreparedStatement;
import static java.sql.ResultSet.CONCUR_UPDATABLE;
import static java.sql.ResultSet.TYPE_SCROLL_SENSITIVE;

Expand Down Expand Up @@ -63,20 +64,17 @@ public AttackResult completed(@RequestParam String name, @RequestParam String au
protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) {
StringBuilder output = new StringBuilder();
String query =
"SELECT * FROM employees WHERE last_name = '"
+ name
+ "' AND auth_tan = '"
+ auth_tan
+ "'";
"SELECT * FROM employees WHERE last_name = ? AND auth_tan = ?";

try (Connection connection = dataSource.getConnection()) {
try {
Statement statement =
connection.createStatement(
ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE);
PreparedStatement statement =
connection.prepareStatement(
query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE);
log(connection, query);
ResultSet results = statement.executeQuery(query);

statement.setString(1, name);
statement.setString(2, auth_tan);
ResultSet results = statement.execute();
if (results.getStatement() != null) {
if (results.first()) {
output.append(generateTable(results));
Expand All @@ -100,6 +98,7 @@ protected AttackResult injectableQueryConfidentiality(String name, String auth_t
} else {
return failed(this).build();
}

} catch (SQLException e) {
return failed(this)
.output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>")
Expand Down Expand Up @@ -148,15 +147,16 @@ public static void log(Connection connection, String action) {
action = action.replace('\'', '"');
Calendar cal = Calendar.getInstance();
SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
String time = sdf.format(cal.getTime());

String logQuery =
"INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
"INSERT INTO access_log (time, action) VALUES (?, ?)";

try {
Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
statement.executeUpdate(logQuery);
} catch (SQLException e) {
PreparedStatement statement = connection.prepareStatement(logQuery, TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
statement.setString(1, sdf.format(cal.getTime()));
statement.setString(2, action);
statement.execute();
} catch (SQLException e) {
System.err.println(e.getMessage());
}
}
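Review bot: `action = action.replace('\'', '"');` at the top of `log` existed only to keep quotes from breaking the concatenated INSERT; now that `action` is bound with `statement.setString(2, action)` it merely rewrites the logged text, so it should be removed unless something downstream relies on the substitution. In the same method the new `PreparedStatement statement` is never closed and the line runs well past the file's 100-column style; write it as `try (PreparedStatement statement = connection.prepareStatement(logQuery, TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE)) {` and wrap accordingly. Note that `log(connection, query)` in `injectableQueryConfidentiality` (and the `SqlInjectionLesson8.log(connection, query)` call in `injectableQueryIntegrity`) now records the `? AND auth_tan = ?` template rather than the executed statement, which changes what later lessons reading access_log will see — pass the bound values too if the log is meant to carry them. Finally, `import java.sql.PreparedStatement;` was inserted ahead of the static imports; the file's import groups keep non-static imports after the static block.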
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@

package org.owasp.webgoat.lessons.sqlinjection.introduction;

import java.sql.PreparedStatement;
import static org.hsqldb.jdbc.JDBCResultSet.CONCUR_UPDATABLE;
import static org.hsqldb.jdbc.JDBCResultSet.TYPE_SCROLL_SENSITIVE;

Expand Down Expand Up @@ -64,17 +65,14 @@ public AttackResult completed(@RequestParam String name, @RequestParam String au
protected AttackResult injectableQueryIntegrity(String name, String auth_tan) {
StringBuilder output = new StringBuilder();
String query =
"SELECT * FROM employees WHERE last_name = '"
+ name
+ "' AND auth_tan = '"
+ auth_tan
+ "'";
"SELECT * FROM employees WHERE last_name = ? AND auth_tan = ?";
try (Connection connection = dataSource.getConnection()) {
try {
Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
PreparedStatement statement = connection.prepareStatement(query, TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
SqlInjectionLesson8.log(connection, query);
ResultSet results = statement.executeQuery(query);
var test = results.getRow() != 0;
statement.setString(1, name);
statement.setString(2, auth_tan);
ResultSet results = statement.execute();
if (results.getStatement() != null) {
if (results.first()) {
output.append(SqlInjectionLesson8.generateTable(results));
Expand All @@ -83,7 +81,7 @@ protected AttackResult injectableQueryIntegrity(String name, String auth_tan) {
return failed(this).feedback("sql-injection.8.no.results").build();
}
}
} catch (SQLException e) {
} catch (SQLException e) {
System.err.println(e.getMessage());
return failed(this)
.output("<br><span class='feedback-negative'>" + e.getMessage() + "</span>")
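Review bot: `PreparedStatement statement = connection.prepareStatement(query, TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);` sits inside a bare `try {` so the statement is never closed, and the line exceeds the 100-column limit the sibling files respect; change it to `try (PreparedStatement statement =` / `connection.prepareStatement(query, TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE)) {` so the resource is released with the block. `import java.sql.PreparedStatement;` was placed before the static `org.hsqldb.jdbc.JDBCResultSet` imports, unlike the grouping used elsewhere in the file. injectableQueryIntegrity starts and ends outside these hunks.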
