From 648d60670d32cb2aef7ad84a759a9e20255ecedb Mon Sep 17 00:00:00 2001 From: Wei Qing <48304907+weiquu@users.noreply.github.com> Date: Mon, 4 Mar 2024 14:20:16 +0900 Subject: [PATCH] [#12048] SQL injection test for AccountRequestsDbIT (#12788) * sql injection test * Update src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java Co-authored-by: EuniceSim142 <77243938+EuniceSim142@users.noreply.github.com> * change database name * fix lint * rewrite email sql * fix lint * add tests for other methods --------- Co-authored-by: EuniceSim142 <77243938+EuniceSim142@users.noreply.github.com> Co-authored-by: Kevin Foong <55353265+kevin9foong@users.noreply.github.com> --- .../storage/sqlapi/AccountRequestsDbIT.java | 121 +++++++++++++++++- 1 file changed, 120 insertions(+), 1 deletion(-)
diff --git a/src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java b/src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java
index 7214b6a08ac..8af4c8065df 100644
--- a/src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java
+++ b/src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java
@@ -11,7 +11,7 @@
 import teammates.storage.sqlentity.AccountRequest;
 /**
- * SUT: {@link CoursesDb}.
+ * SUT: {@link AccountRequestsDb}.
 */
 public class AccountRequestsDbIT extends BaseTestCaseWithSqlDatabaseAccess {
@@ -88,4 +88,123 @@ public void testUpdateAccountRequest() throws Exception {
 accountRequest.getEmail(), accountRequest.getInstitute());
 verifyEquals(accountRequest, actual);
 }
+
+ @Test
+ public void testSqlInjectionInCreateAccountRequestEmailField() throws Exception {
+ ______TS("SQL Injection test in email field");
+
+ // Attempt to use SQL commands in email field
+ String email = "email'/**/OR/**/1=1/**/@gmail.com";
+ AccountRequest accountRequest = new AccountRequest(email, "name", "institute");
+
+ // The system should treat the input as a plain text string
+ accountRequestDb.createAccountRequest(accountRequest);
+ AccountRequest actual = accountRequestDb.getAccountRequest(accountRequest.getEmail(), accountRequest.getInstitute());
+ assertEquals(email, actual.getEmail());
+ }
+
+ @Test
+ public void testSqlInjectionInCreateAccountRequestNameField() throws Exception {
+ ______TS("SQL Injection test in name field");
+
+ // Attempt to use SQL commands in name field
+ String name = "name'; SELECT * FROM account_requests; --";
+ AccountRequest accountRequest = new AccountRequest("test@gmail.com", name, "institute");
+
+ // The system should treat the input as a plain text string
+ accountRequestDb.createAccountRequest(accountRequest);
+ AccountRequest actual = accountRequestDb.getAccountRequest(accountRequest.getEmail(), accountRequest.getInstitute());
+ assertEquals(name, actual.getName());
+ }
+
+ @Test
+ public void testSqlInjectionInCreateAccountRequestInstituteField() throws Exception {
+ ______TS("SQL Injection test in institute field");
+
+ // Attempt to use SQL commands in institute field
+ String institute = "institute'; DROP TABLE account_requests; --";
+ AccountRequest accountRequest = new AccountRequest("test@gmail.com", "name", institute);
+
+ // The system should treat the input as a plain text string
+ accountRequestDb.createAccountRequest(accountRequest);
+ AccountRequest actual = accountRequestDb.getAccountRequest(accountRequest.getEmail(),
institute);
+ assertEquals(institute, actual.getInstitute());
+ }
+
+ @Test
+ public void testSqlInjectionInGetAccountRequest() throws Exception {
+ ______TS("SQL Injection test in getAccountRequest");
+
+ AccountRequest accountRequest = new AccountRequest("test@gmail.com", "name", "institute");
+ accountRequestDb.createAccountRequest(accountRequest);
+
+ String instituteInjection = "institute'; DROP TABLE account_requests; --";
+ AccountRequest actualInjection = accountRequestDb.getAccountRequest(accountRequest.getEmail(), instituteInjection);
+ assertNull(actualInjection);
+
+ AccountRequest actual = accountRequestDb.getAccountRequest(accountRequest.getEmail(), accountRequest.getInstitute());
+ assertEquals(accountRequest, actual);
+ }
+
+ @Test
+ public void testSqlInjectionInGetAccountRequestByRegistrationKey() throws Exception {
+ ______TS("SQL Injection test in getAccountRequestByRegistrationKey");
+
+ AccountRequest accountRequest = new AccountRequest("test@gmail.com", "name", "institute");
+ accountRequestDb.createAccountRequest(accountRequest);
+
+ String regKeyInjection = "regKey'; DROP TABLE account_requests; --";
+ AccountRequest actualInjection = accountRequestDb.getAccountRequestByRegistrationKey(regKeyInjection);
+ assertNull(actualInjection);
+
+ AccountRequest actual = accountRequestDb.getAccountRequestByRegistrationKey(accountRequest.getRegistrationKey());
+ assertEquals(accountRequest, actual);
+ }
+
+ @Test
+ public void testSqlInjectionInUpdateAccountRequest() throws Exception {
+ ______TS("SQL Injection test in updateAccountRequest");
+
+ AccountRequest accountRequest = new AccountRequest("test@gmail.com", "name", "institute");
+ accountRequestDb.createAccountRequest(accountRequest);
+
+ String nameInjection = "newName'; DROP TABLE account_requests; --";
+ accountRequest.setName(nameInjection);
+ accountRequestDb.updateAccountRequest(accountRequest);
+
+ AccountRequest actual = accountRequestDb.getAccountRequest(accountRequest.getEmail(),
accountRequest.getInstitute());
+ assertEquals(accountRequest, actual);
+ }
+
+ @Test
+ public void testSqlInjectionInDeleteAccountRequest() throws Exception {
+ ______TS("SQL Injection test in deleteAccountRequest");
+
+ AccountRequest accountRequest = new AccountRequest("test@gmail.com", "name", "institute");
+ accountRequestDb.createAccountRequest(accountRequest);
+
+ String emailInjection = "email'/**/OR/**/1=1/**/@gmail.com";
+ String nameInjection = "name'; DROP TABLE account_requests; --";
+ String instituteInjection = "institute'; DROP TABLE account_requests; --";
+ AccountRequest accountRequestInjection = new AccountRequest(emailInjection, nameInjection, instituteInjection);
+ accountRequestDb.deleteAccountRequest(accountRequestInjection);
+
+ AccountRequest actual = accountRequestDb.getAccountRequest(accountRequest.getEmail(), accountRequest.getInstitute());
+ assertEquals(accountRequest, actual);
+ }
+
+ @Test
+ public void testSqlInjectionSearchAccountRequestsInWholeSystem() throws Exception {
+ ______TS("SQL Injection test in searchAccountRequestsInWholeSystem");
+
+ AccountRequest accountRequest = new AccountRequest("test@gmail.com", "name", "institute");
+ accountRequestDb.createAccountRequest(accountRequest);
+
+ String searchInjection = "institute'; DROP TABLE account_requests; --";
+ List actualInjection = accountRequestDb.searchAccountRequestsInWholeSystem(searchInjection);
+ assertEquals(0, actualInjection.size());
+
+ AccountRequest actual = accountRequestDb.getAccountRequest("test@gmail.com", "institute");
+ assertEquals(accountRequest, actual);
+ }
 }
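Review bot: `List actualInjection` in testSqlInjectionSearchAccountRequestsInWholeSystem is a raw type; declare it `List<AccountRequest> actualInjection = accountRequestDb.searchAccountRequestsInWholeSystem(searchInjection);` and check emptiness with `assertTrue(actualInjection.isEmpty());` rather than comparing `size()` to 0. That method reads as a search entry point rather than a direct SQL query, and its backend is not visible in the hunk; if it delegates to a separate search service, an empty result would satisfy the assertion without any SQL path being exercised, so a one-line comment naming what the query is expected to reach would make the test's intent verifiable. The create/update/delete tests confirm the table survives by re-reading the stored row afterwards, which is the right shape for these checks; the email- and name-field tests currently assert only the echoed field, and adding the same `assertEquals(accountRequest, actual)` re-read there would keep all eight tests consistent.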