-
Notifications
You must be signed in to change notification settings - Fork 3.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[#12048] SQL injection test for FeedbackQuestionsDbIT #12847
base: master
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What about the other methods? Like getFeedbackQuestionsForSession
, getFeedbackQuestionsForGiverType
, etc.
src/it/java/teammates/it/storage/sqlapi/FeedbackQuestionsDbIT.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@EuniceSim142 shall we test for the getFeedbackQuestionsForGiverType
method as well? Just pass in a FeedbackSession
that has injection strings in name / email / etc. I think the other methods that use UUID
don't need to be tested. Do also fix the lint checks
I don't think this works as having the sqli string in name and email of feedback session won't inject it into the sql query: cq.select(root)
.where(cb.and(
cb.equal(fqJoin.get("id"), feedbackSession.getId()),
cb.equal(root.get("giverType"), giverType))); the query only uses giver type and id which are typed, and name and email which contain the sqli are not used in the where clause. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yea, in that case, I think it's fine then.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
@EuniceSim142 Let's get the checks to pass and resolve the merge conflict before we merge. |
Part of #12048. Test for SQL injections in FeedbackQuestions database methods.
Tests not created for the following db methods as they do not accept string params (so they're type-checked at compile time):
getFeedbackQuestion
getFeedbackQuestionsForSession
getFeedbackQuestionsForGiverType
(query uses feedbackSession's id which isUUID
and giverType which isFeedbackParticipantType
)deleteFeedbackQuestion