[#12048] SQL injection test for AccountRequestsDbIT (#12788)
* sql injection test

* Update src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java

Co-authored-by: EuniceSim142 <[email protected]>

* change database name

* fix lint

* rewrite email sql

* fix lint

* add tests for other methods

---------

Co-authored-by: EuniceSim142 <[email protected]>
Co-authored-by: Kevin Foong <[email protected]>
3 people authored Mar 4, 2024
1 parent 0f9d990 commit 648d606
Showing 1 changed file with 120 additions and 1 deletion.
121 changes: 120 additions & 1 deletion src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java
Expand Up @@ -11,7 +11,7 @@
import teammates.storage.sqlentity.AccountRequest;

/**
* SUT: {@link CoursesDb}.
* SUT: {@link AccountRequestsDb}.
*/
public class AccountRequestsDbIT extends BaseTestCaseWithSqlDatabaseAccess {

Expand Down Expand Up @@ -88,4 +88,123 @@ public void testUpdateAccountRequest() throws Exception {
accountRequest.getEmail(), accountRequest.getInstitute());
verifyEquals(accountRequest, actual);
}

@Test
public void testSqlInjectionInCreateAccountRequestEmailField() throws Exception {
______TS("SQL Injection test in email field");

// Attempt to use SQL commands in email field
String email = "email'/**/OR/**/1=1/**/@gmail.com";
AccountRequest accountRequest = new AccountRequest(email, "name", "institute");

// The system should treat the input as a plain text string
accountRequestDb.createAccountRequest(accountRequest);
AccountRequest actual = accountRequestDb.getAccountRequest(accountRequest.getEmail(), accountRequest.getInstitute());
assertEquals(email, actual.getEmail());
}

@Test
public void testSqlInjectionInCreateAccountRequestNameField() throws Exception {
______TS("SQL Injection test in name field");

// Attempt to use SQL commands in name field
String name = "name'; SELECT * FROM account_requests; --";
AccountRequest accountRequest = new AccountRequest("[email protected]", name, "institute");

// The system should treat the input as a plain text string
accountRequestDb.createAccountRequest(accountRequest);
AccountRequest actual = accountRequestDb.getAccountRequest(accountRequest.getEmail(), accountRequest.getInstitute());
assertEquals(name, actual.getName());
}

@Test
public void testSqlInjectionInCreateAccountRequestInstituteField() throws Exception {
______TS("SQL Injection test in institute field");

// Attempt to use SQL commands in institute field
String institute = "institute'; DROP TABLE account_requests; --";
AccountRequest accountRequest = new AccountRequest("[email protected]", "name", institute);

// The system should treat the input as a plain text string
accountRequestDb.createAccountRequest(accountRequest);
AccountRequest actual = accountRequestDb.getAccountRequest(accountRequest.getEmail(), institute);
assertEquals(institute, actual.getInstitute());
}

@Test
public void testSqlInjectionInGetAccountRequest() throws Exception {
______TS("SQL Injection test in getAccountRequest");

AccountRequest accountRequest = new AccountRequest("[email protected]", "name", "institute");
accountRequestDb.createAccountRequest(accountRequest);

String instituteInjection = "institute'; DROP TABLE account_requests; --";
AccountRequest actualInjection = accountRequestDb.getAccountRequest(accountRequest.getEmail(), instituteInjection);
assertNull(actualInjection);

AccountRequest actual = accountRequestDb.getAccountRequest(accountRequest.getEmail(), accountRequest.getInstitute());
assertEquals(accountRequest, actual);
}

@Test
public void testSqlInjectionInGetAccountRequestByRegistrationKey() throws Exception {
______TS("SQL Injection test in getAccountRequestByRegistrationKey");

AccountRequest accountRequest = new AccountRequest("[email protected]", "name", "institute");
accountRequestDb.createAccountRequest(accountRequest);

String regKeyInjection = "regKey'; DROP TABLE account_requests; --";
AccountRequest actualInjection = accountRequestDb.getAccountRequestByRegistrationKey(regKeyInjection);
assertNull(actualInjection);

AccountRequest actual = accountRequestDb.getAccountRequestByRegistrationKey(accountRequest.getRegistrationKey());
assertEquals(accountRequest, actual);
}

@Test
public void testSqlInjectionInUpdateAccountRequest() throws Exception {
______TS("SQL Injection test in updateAccountRequest");

AccountRequest accountRequest = new AccountRequest("[email protected]", "name", "institute");
accountRequestDb.createAccountRequest(accountRequest);

String nameInjection = "newName'; DROP TABLE account_requests; --";
accountRequest.setName(nameInjection);
accountRequestDb.updateAccountRequest(accountRequest);

AccountRequest actual = accountRequestDb.getAccountRequest(accountRequest.getEmail(), accountRequest.getInstitute());
assertEquals(accountRequest, actual);
}

@Test
public void testSqlInjectionInDeleteAccountRequest() throws Exception {
______TS("SQL Injection test in deleteAccountRequest");

AccountRequest accountRequest = new AccountRequest("[email protected]", "name", "institute");
accountRequestDb.createAccountRequest(accountRequest);

String emailInjection = "email'/**/OR/**/1=1/**/@gmail.com";
String nameInjection = "name'; DROP TABLE account_requests; --";
String instituteInjection = "institute'; DROP TABLE account_requests; --";
AccountRequest accountRequestInjection = new AccountRequest(emailInjection, nameInjection, instituteInjection);
accountRequestDb.deleteAccountRequest(accountRequestInjection);

AccountRequest actual = accountRequestDb.getAccountRequest(accountRequest.getEmail(), accountRequest.getInstitute());
assertEquals(accountRequest, actual);
}

@Test
public void testSqlInjectionSearchAccountRequestsInWholeSystem() throws Exception {
______TS("SQL Injection test in searchAccountRequestsInWholeSystem");

AccountRequest accountRequest = new AccountRequest("[email protected]", "name", "institute");
accountRequestDb.createAccountRequest(accountRequest);

String searchInjection = "institute'; DROP TABLE account_requests; --";
List<AccountRequest> actualInjection = accountRequestDb.searchAccountRequestsInWholeSystem(searchInjection);
assertEquals(0, actualInjection.size());

AccountRequest actual = accountRequestDb.getAccountRequest("[email protected]", "institute");
assertEquals(accountRequest, actual);
}
}
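Review bot: The new tests verify persisted state with `assertEquals(accountRequest, actual)` (testSqlInjectionInGetAccountRequest, …ByRegistrationKey, …UpdateAccountRequest, …DeleteAccountRequest, …SearchAccountRequestsInWholeSystem), whereas the existing testUpdateAccountRequest just above uses this file's `verifyEquals(accountRequest, actual)` helper; unless AccountRequest overrides equals, assertEquals compares by identity, and if the Db layer hands back the same managed instance the assertion passes without proving the stored fields survived — switching to `verifyEquals(accountRequest, actual);` keeps the file consistent and makes the check meaningful. The three create-field tests (testSqlInjectionInCreateAccountRequest{Email,Name,Institute}Field) dereference `actual` straight after the lookup, so a row that failed to persist surfaces as a NullPointerException rather than an assertion failure; `assertNotNull(actual);` before each field comparison gives a clearer diagnostic. A short class-level comment stating that these tests only guard against the Db layer building queries by string concatenation (parameterized queries are the expected path), and do not validate input format, would document what a green run actually proves.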
