- Bug
- Resolution: Not an Issue
- P3
- None
- 8
- x86
- os_x
ADDITIONAL SYSTEM INFORMATION :
OS: macOS Catalina 10.15.3, Java version 8 (build 1.8.0_251-b08) and the latest Postgres
A DESCRIPTION OF THE PROBLEM :
Following the documentation, I was planning to use executeQuery to ensure that my system does not have SQL injection; however, when creating JUnit 4 tests to validate the method, I found that it accepts any type of SQL verb, such as DELETE. Because of that, I cannot guarantee the security of my method.
REGRESSION : Last worked in version 8
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
It is necessary to create a table in your database and insert a record. Then take its identifier and put it in the DELETE clause.
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import org.junit.Test;

// host and user are assumed to be fields of the test class (not shown in the report);
// InjectionSqlException and ServiceException are the reporter's own exception types.
@Test
public void should_return_throw_excecption_when_detected_delete_in_query_maliciuos()
        throws InjectionSqlException, ServiceException, ClassNotFoundException, SQLException {
    Class.forName("org.postgresql.Driver");
    String query =
        "delete from transactions where id = '9d0e1b60-c3d8-4ee0-9b1d-cc21689f3727'";
    Connection connection = DriverManager.getConnection(host, user, null);
    PreparedStatement ps = connection.prepareStatement(query);
    ps.executeQuery(); // the DELETE runs on the server before the driver complains that no ResultSet came back
}
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
That it generates a PSQLException and my record remains in the database.
ACTUAL -
org.postgresql.util.PSQLException: No results were returned by the query.
AND
the database record is deleted
---------- BEGIN SOURCE ----------
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import org.junit.Test;

// host and user are assumed to be fields of the test class (not shown in the report);
// InjectionSqlException and ServiceException are the reporter's own exception types.
@Test
public void should_return_throw_excecption_when_detected_delete_in_query_maliciuos()
        throws InjectionSqlException, ServiceException, ClassNotFoundException, SQLException {
    Class.forName("org.postgresql.Driver");
    String query =
        "delete from transactions where id = '9d0e1b60-c3d8-4ee0-9b1d-cc21689f3727'";
    Connection connection = DriverManager.getConnection(host, user, null);
    PreparedStatement ps = connection.prepareStatement(query);
    ps.executeQuery(); // the DELETE runs on the server before the driver complains that no ResultSet came back
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
// Reporter's workaround: reject any native query whose text contains DELETE or UPDATE.
// This is a plain substring check, so it also rejects legitimate SQL that merely
// mentions e.g. a column named updated_at. entityManager is assumed to be an injected
// javax.persistence.EntityManager field (not shown in the report).
private Object executeQuery(String query) throws Exception {
    String upper = query.toUpperCase();
    if (upper.contains("DELETE") || upper.contains("UPDATE")) {
        throw new InjectionSqlException("Malicious query detected.");
    } else {
        return entityManager.createNativeQuery(query).getSingleResult();
    }
}
FREQUENCY : always
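The report expects executeQuery() to act as an injection guard. The JDBC contract only says that executeQuery() throws if the statement does not produce a ResultSet, and in the report that exception arrives after the server has already executed the DELETE, which is consistent with the "Not an Issue" resolution. The script below is an added example (not code from the bug report, the JDK or pgjdbc) that uses Python's standard-library sqlite3 module as an offline stand-in for a JDBC connection: conn.execute(sql) plays the role of PreparedStatement.executeQuery(), and conn.execute(sql, (value,)) the role of prepareStatement("... WHERE id = ?") plus setString(). It shows three things: the DELETE still deletes even though a "no results" error is raised; the DELETE/UPDATE substring blocklist lets through a payload that dumps every row and blocks a harmless query mentioning updated_at; and parameter binding treats the same payload as data. The transactions table, its updated_at column, the second row and every function name are constructed for this example; the first id is the one from the report.

```python
"""Added example, not code from the bug report or the JDK.

sqlite3 stands in for JDBC so the example runs offline:
  conn.execute(sql)            ~  PreparedStatement.executeQuery()
  conn.execute(sql, (value,))  ~  prepareStatement("... WHERE id = ?") + setString(1, value)
"""
import sqlite3

RECORD_ID = "9d0e1b60-c3d8-4ee0-9b1d-cc21689f3727"  # id used in the report's repro
OTHER_ID = "0c7f3a2e-1d4b-4b8a-9e6f-123456789abc"   # constructed second row


def fresh_db() -> sqlite3.Connection:
    """Constructed schema: a 'transactions' table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions (id TEXT PRIMARY KEY, amount INTEGER, updated_at TEXT)")
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?)",
                     [(RECORD_ID, 100, "2020-05-01"), (OTHER_ID, 250, "2020-05-02")])
    conn.commit()
    return conn


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM transactions").fetchone()[0]


def execute_query(conn: sqlite3.Connection, sql: str) -> list:
    """Models JDBC executeQuery(): the statement is executed by the database first;
    only afterwards does the driver notice there is no result set and raise.
    A DELETE has therefore already been applied when the exception arrives."""
    cur = conn.execute(sql)
    conn.commit()
    if cur.description is None:  # DML/DDL statements produce no result set
        raise RuntimeError("No results were returned by the query.")
    return cur.fetchall()


def blocklist_guard(sql: str) -> None:
    """The reporter's workaround: reject SQL text containing DELETE or UPDATE."""
    upper = sql.upper()
    if "DELETE" in upper or "UPDATE" in upper:
        raise ValueError("Malicious query detected.")


def lookup_vulnerable(conn: sqlite3.Connection, user_supplied_id: str) -> list:
    """String concatenation guarded only by the blocklist: input becomes SQL text."""
    sql = f"SELECT id, amount FROM transactions WHERE id = '{user_supplied_id}'"
    blocklist_guard(sql)
    return execute_query(conn, sql)


def lookup_safe(conn: sqlite3.Connection, user_supplied_id: str) -> list:
    """Parameter binding: the input is sent as a value and never parsed as SQL.
    JDBC: prepareStatement("SELECT ... WHERE id = ?"); setString(1, id); executeQuery()."""
    return conn.execute("SELECT id, amount FROM transactions WHERE id = ?",
                        (user_supplied_id,)).fetchall()


def demo() -> dict:
    results = {}
    # 1. executeQuery() is not a guard: the DELETE from the report runs, then the driver complains.
    conn = fresh_db()
    try:
        execute_query(conn, f"DELETE FROM transactions WHERE id = '{RECORD_ID}'")
    except RuntimeError as exc:
        results["delete_error"] = str(exc)
    results["rows_after_delete"] = row_count(conn)  # the row is gone despite the exception

    # 2. The keyword blocklist: bypassed by a payload that uses neither keyword ...
    conn = fresh_db()
    payload = "' OR '1'='1"
    results["leaked_rows"] = len(lookup_vulnerable(conn, payload))  # every row comes back
    # ... and tripped by a legitimate query that merely mentions a column name.
    try:
        blocklist_guard("SELECT id FROM transactions WHERE updated_at > '2020-05-01'")
        results["false_positive"] = False
    except ValueError:
        results["false_positive"] = True

    # 3. Parameter binding: the same payload matches nothing; the real id still works.
    results["safe_with_payload"] = lookup_safe(conn, payload)
    results["safe_with_real_id"] = lookup_safe(conn, RECORD_ID)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical takeaway for the report's method is to stop passing a fully formed query string through createNativeQuery or prepareStatement and instead bind every user-controlled value as a parameter; a keyword filter is neither necessary nor sufficient once that is done.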