From b4e059f67d7e13d05f298972ecd628ffae1af927 Mon Sep 17 00:00:00 2001
From: EuniceSim142 <77243938+EuniceSim142@users.noreply.github.com>
Date: Tue, 27 Feb 2024 00:06:04 +0800
Subject: [PATCH 1/4] add minimal sqli tests
---
 .../storage/sqlapi/FeedbackQuestionsDbIT.java | 46 +++++++++++++++++++
 1 file changed, 46 insertions(+)
diff --git a/src/it/java/teammates/it/storage/sqlapi/FeedbackQuestionsDbIT.java b/src/it/java/teammates/it/storage/sqlapi/FeedbackQuestionsDbIT.java
index bd6cbd45604..3e2dd9a8dcf 100644
--- a/src/it/java/teammates/it/storage/sqlapi/FeedbackQuestionsDbIT.java
+++ b/src/it/java/teammates/it/storage/sqlapi/FeedbackQuestionsDbIT.java
@@ -1,5 +1,6 @@
 package teammates.it.storage.sqlapi;
+import java.util.ArrayList;
 import java.util.List;
 import org.testng.annotations.BeforeClass;
@@ -8,12 +9,14 @@
 import teammates.common.datatransfer.FeedbackParticipantType;
 import teammates.common.datatransfer.SqlDataBundle;
+import teammates.common.datatransfer.questions.FeedbackConstantSumQuestionDetails;
 import teammates.common.util.HibernateUtil;
 import teammates.it.test.BaseTestCaseWithSqlDatabaseAccess;
 import teammates.storage.sqlapi.FeedbackQuestionsDb;
 import teammates.storage.sqlentity.Course;
 import teammates.storage.sqlentity.FeedbackQuestion;
 import teammates.storage.sqlentity.FeedbackSession;
+import teammates.storage.sqlentity.questions.FeedbackConstantSumQuestion;
 /**
 * SUT: {@link FeedbackQuestionsDb}.
@@ -84,4 +87,47 @@ public void testHasFeedbackQuestionsForGiverType() {
 assertTrue(actual);
 }
+
+ private FeedbackQuestion prepareSqlInjectionTests() {
+ FeedbackQuestion fq = typicalDataBundle.feedbackQuestions.get("qn1InSession1InCourse1");
+ fqDb.createFeedbackQuestion(fq);
+
+ // Ensure feedback_questions db has at least 1 entry / row.
+ assertNotNull(fqDb.getFeedbackQuestion(fq.getId()));
+
+ return fq;
+ }
+
+ @Test
+ public void testSqlInjectionInCreateFeedbackQuestion() {
+ prepareSqlInjectionTests();
+
+ ______TS("");
+ FeedbackSession fs = typicalDataBundle.feedbackSessions.get("session1InCourse1");
+ String maliciousDescription = "', '', '', 1, '', '', '', ''); DELETE FROM feedback_questions;--";
+
+ FeedbackQuestion fq = new FeedbackConstantSumQuestion(
+ fs, 1, maliciousDescription, FeedbackParticipantType.INSTRUCTORS, FeedbackParticipantType.STUDENTS,
+ 1, new ArrayList(), new ArrayList(),
+ new ArrayList(), new FeedbackConstantSumQuestionDetails("")
+ );
+
+ fqDb.createFeedbackQuestion(fq);
+
+ // If SQLi is successful, feedback questions would have been deleted from db. So get will return null.
+ assertNotNull(fqDb.getFeedbackQuestion(fq.getId()));
+ }
+
+ @Test
+ public void testSqlInjectionInHasFeedbackQuestionsForGiverType() throws Exception {
+ FeedbackQuestion fq = prepareSqlInjectionTests();
+
+ ______TS("SQL Injection test in getCourse");
+ String sessionName = "'; DELETE FROM feedback_questions;--";
+ fqDb.hasFeedbackQuestionsForGiverType(sessionName, fq.getCourseId(), FeedbackParticipantType.INSTRUCTORS);
+
+ // If SQLi is successful, feedback questions would have been deleted from db. So get will return null.
+ assertNotNull(fqDb.getFeedbackQuestion(fq.getId()));
+ }
+
 }
From cb21e19d69f28cc0db42ef5ed2adf7a7dfe68339 Mon Sep 17 00:00:00 2001
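Review bot: The `assertNotNull(fqDb.getFeedbackQuestion(fq.getId()))` checks in `prepareSqlInjectionTests` and both new tests read back an entity that was just persisted in what looks like the same Hibernate session, so the lookup may be answered from the session's persistence context rather than the database and would then pass even if the row had been deleted; if the base class does not clear the session between calls (not visible in this hunk), flush and clear it via the already-imported `HibernateUtil` before the read so the check actually hits the table. Presence alone is also a weak post-condition: asserting that the retrieved question's text equals `maliciousDescription` would additionally show the value was stored verbatim, i.e. parameterized rather than sanitized or truncated. `new ArrayList()` is a raw type three times in `testSqlInjectionInCreateFeedbackQuestion`; write `new ArrayList<>()`. Finally, `testSqlInjectionInCreateFeedbackQuestion` discards the question returned by `prepareSqlInjectionTests()`, so it never verifies that the pre-existing row survived; keeping `FeedbackQuestion existing = prepareSqlInjectionTests();` and asserting on `existing.getId()` too would match the intent stated in the helper's comment.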
From: EuniceSim142 <77243938+EuniceSim142@users.noreply.github.com>
Date: Tue, 27 Feb 2024 00:42:04 +0800
Subject: [PATCH 2/4] remove test descriptors
---
 .../java/teammates/it/storage/sqlapi/FeedbackQuestionsDbIT.java | 2 --
 1 file changed, 2 deletions(-)
diff --git a/src/it/java/teammates/it/storage/sqlapi/FeedbackQuestionsDbIT.java b/src/it/java/teammates/it/storage/sqlapi/FeedbackQuestionsDbIT.java
index 3e2dd9a8dcf..981409e3cf1 100644
--- a/src/it/java/teammates/it/storage/sqlapi/FeedbackQuestionsDbIT.java
+++ b/src/it/java/teammates/it/storage/sqlapi/FeedbackQuestionsDbIT.java
@@ -102,7 +102,6 @@ private FeedbackQuestion prepareSqlInjectionTests() {
 public void testSqlInjectionInCreateFeedbackQuestion() {
 prepareSqlInjectionTests();
- ______TS("");
 FeedbackSession fs = typicalDataBundle.feedbackSessions.get("session1InCourse1");
 String maliciousDescription = "', '', '', 1, '', '', '', ''); DELETE FROM feedback_questions;--";
@@ -122,7 +121,6 @@ public void testSqlInjectionInCreateFeedbackQuestion() {
 public void testSqlInjectionInHasFeedbackQuestionsForGiverType() throws Exception {
 FeedbackQuestion fq = prepareSqlInjectionTests();
- ______TS("SQL Injection test in getCourse");
 String sessionName = "'; DELETE FROM feedback_questions;--";
 fqDb.hasFeedbackQuestionsForGiverType(sessionName, fq.getCourseId(), FeedbackParticipantType.INSTRUCTORS);
From 774cfa6e36094e5b36be90c583e8c42f31ef5bbf Mon Sep 17 00:00:00 2001
From: EuniceSim142 <77243938+EuniceSim142@users.noreply.github.com>
Date: Tue, 27 Feb 2024 19:52:09 +0800
Subject: [PATCH 3/4] fix create sqli
---
 .../teammates/it/storage/sqlapi/FeedbackQuestionsDbIT.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/it/java/teammates/it/storage/sqlapi/FeedbackQuestionsDbIT.java b/src/it/java/teammates/it/storage/sqlapi/FeedbackQuestionsDbIT.java
index 981409e3cf1..373c92e5eec 100644
--- a/src/it/java/teammates/it/storage/sqlapi/FeedbackQuestionsDbIT.java
+++ b/src/it/java/teammates/it/storage/sqlapi/FeedbackQuestionsDbIT.java
@@ -103,12 +103,12 @@ public void testSqlInjectionInCreateFeedbackQuestion() {
 prepareSqlInjectionTests();
 FeedbackSession fs = typicalDataBundle.feedbackSessions.get("session1InCourse1");
- String maliciousDescription = "', '', '', 1, '', '', '', ''); DELETE FROM feedback_questions;--";
+ String sqli = "', 'FeedbackTextQuestion', 329c23fd-10de-4c47-8128-115df68ba758)); DELETE FROM feedback_questions;--";
 FeedbackQuestion fq = new FeedbackConstantSumQuestion(
- fs, 1, maliciousDescription, FeedbackParticipantType.INSTRUCTORS, FeedbackParticipantType.STUDENTS,
+ fs, 1, "", FeedbackParticipantType.INSTRUCTORS, FeedbackParticipantType.STUDENTS,
 1, new ArrayList(), new ArrayList(),
- new ArrayList(), new FeedbackConstantSumQuestionDetails("")
+ new ArrayList(), new FeedbackConstantSumQuestionDetails(sqli)
 );
 fqDb.createFeedbackQuestion(fq);
From 58e5d06319635186f31cf4cbe0b7ff3ccad21cf0 Mon Sep 17 00:00:00 2001
From: EuniceSim142 <77243938+EuniceSim142@users.noreply.github.com>
Date: Thu, 7 Mar 2024 16:15:38 +0800
Subject: [PATCH 4/4] fix checkstyl.e
---
 .../it/storage/sqlapi/FeedbackQuestionsDbIT.java | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/it/java/teammates/it/storage/sqlapi/FeedbackQuestionsDbIT.java b/src/it/java/teammates/it/storage/sqlapi/FeedbackQuestionsDbIT.java
index 373c92e5eec..aaaf2a22901 100644
--- a/src/it/java/teammates/it/storage/sqlapi/FeedbackQuestionsDbIT.java
+++ b/src/it/java/teammates/it/storage/sqlapi/FeedbackQuestionsDbIT.java
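Review bot: Moving the quote-bearing string from the question text argument into `FeedbackConstantSumQuestionDetails(sqli)` narrows what the test covers: the details object is presumably serialized (JSON or similar) before it reaches the INSERT, so only the details column is now exercised, while the text column receives `""` and is no longer tested with a single quote at all. Keep a string containing `'` in the text argument as well, or add a second case, so both user-controlled string columns are covered. The assertion at the end of `testSqlInjectionInCreateFeedbackQuestion` (outside this hunk) still only checks that the row exists; reading the details back and comparing them to `sqli` would show the value round-tripped intact. The new name `sqli` also says less than the removed `maliciousDescription`; `maliciousDetails` would name what the value is used for.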
@@ -106,9 +106,9 @@ public void testSqlInjectionInCreateFeedbackQuestion() {
 String sqli = "', 'FeedbackTextQuestion', 329c23fd-10de-4c47-8128-115df68ba758)); DELETE FROM feedback_questions;--";
 FeedbackQuestion fq = new FeedbackConstantSumQuestion(
- fs, 1, "", FeedbackParticipantType.INSTRUCTORS, FeedbackParticipantType.STUDENTS,
- 1, new ArrayList(), new ArrayList(),
- new ArrayList(), new FeedbackConstantSumQuestionDetails(sqli)
+ fs, 1, "", FeedbackParticipantType.INSTRUCTORS, FeedbackParticipantType.STUDENTS,
+ 1, new ArrayList(), new ArrayList(),
+ new ArrayList(), new FeedbackConstantSumQuestionDetails(sqli)
 );
 fqDb.createFeedbackQuestion(fq);
@@ -120,7 +120,7 @@ public void testSqlInjectionInCreateFeedbackQuestion() {
 @Test
 public void testSqlInjectionInHasFeedbackQuestionsForGiverType() throws Exception {
 FeedbackQuestion fq = prepareSqlInjectionTests();
-
+
 String sessionName = "'; DELETE FROM feedback_questions;--";
 fqDb.hasFeedbackQuestionsForGiverType(sessionName, fq.getCourseId(), FeedbackParticipantType.INSTRUCTORS);