
[#12048] SQL injection test for AccountRequestsDbIT #12788

Merged
merged 12 commits into from
Mar 4, 2024
121 changes: 120 additions & 1 deletion src/it/java/teammates/it/storage/sqlapi/AccountRequestsDbIT.java
Expand Up @@ -11,7 +11,7 @@
import teammates.storage.sqlentity.AccountRequest;

/**
* SUT: {@link CoursesDb}.
* SUT: {@link AccountRequestsDb}.
*/
public class AccountRequestsDbIT extends BaseTestCaseWithSqlDatabaseAccess {

Expand Down Expand Up @@ -88,4 +88,123 @@ public void testUpdateAccountRequest() throws Exception {
accountRequest.getEmail(), accountRequest.getInstitute());
verifyEquals(accountRequest, actual);
}

@Test
public void testSqlInjectionInCreateAccountRequestEmailField() throws Exception {
______TS("SQL Injection test in email field");

// Attempt to use SQL commands in email field
String email = "email'/**/OR/**/1=1/**/@gmail.com";
AccountRequest accountRequest = new AccountRequest(email, "name", "institute");

// The system should treat the input as a plain text string
accountRequestDb.createAccountRequest(accountRequest);
AccountRequest actual = accountRequestDb.getAccountRequest(accountRequest.getEmail(), accountRequest.getInstitute());
assertEquals(email, actual.getEmail());
}

@Test
public void testSqlInjectionInCreateAccountRequestNameField() throws Exception {
______TS("SQL Injection test in name field");

// Attempt to use SQL commands in name field
String name = "name'; SELECT * FROM account_requests; --";
AccountRequest accountRequest = new AccountRequest("[email protected]", name, "institute");

// The system should treat the input as a plain text string
accountRequestDb.createAccountRequest(accountRequest);
AccountRequest actual = accountRequestDb.getAccountRequest(accountRequest.getEmail(), accountRequest.getInstitute());
assertEquals(name, actual.getName());
}

@Test
public void testSqlInjectionInCreateAccountRequestInstituteField() throws Exception {
______TS("SQL Injection test in institute field");

// Attempt to use SQL commands in institute field
String institute = "institute'; DROP TABLE account_requests; --";
AccountRequest accountRequest = new AccountRequest("[email protected]", "name", institute);

// The system should treat the input as a plain text string
accountRequestDb.createAccountRequest(accountRequest);
AccountRequest actual = accountRequestDb.getAccountRequest(accountRequest.getEmail(), institute);
assertEquals(institute, actual.getInstitute());
}

@Test
public void testSqlInjectionInGetAccountRequest() throws Exception {
______TS("SQL Injection test in getAccountRequest");

AccountRequest accountRequest = new AccountRequest("[email protected]", "name", "institute");
accountRequestDb.createAccountRequest(accountRequest);

String instituteInjection = "institute'; DROP TABLE account_requests; --";
AccountRequest actualInjection = accountRequestDb.getAccountRequest(accountRequest.getEmail(), instituteInjection);
assertNull(actualInjection);

AccountRequest actual = accountRequestDb.getAccountRequest(accountRequest.getEmail(), accountRequest.getInstitute());
assertEquals(accountRequest, actual);
}

@Test
public void testSqlInjectionInGetAccountRequestByRegistrationKey() throws Exception {
______TS("SQL Injection test in getAccountRequestByRegistrationKey");

AccountRequest accountRequest = new AccountRequest("[email protected]", "name", "institute");
accountRequestDb.createAccountRequest(accountRequest);

String regKeyInjection = "regKey'; DROP TABLE account_requests; --";
AccountRequest actualInjection = accountRequestDb.getAccountRequestByRegistrationKey(regKeyInjection);
assertNull(actualInjection);

AccountRequest actual = accountRequestDb.getAccountRequestByRegistrationKey(accountRequest.getRegistrationKey());
assertEquals(accountRequest, actual);
}

@Test
public void testSqlInjectionInUpdateAccountRequest() throws Exception {
______TS("SQL Injection test in updateAccountRequest");

AccountRequest accountRequest = new AccountRequest("[email protected]", "name", "institute");
accountRequestDb.createAccountRequest(accountRequest);

String nameInjection = "newName'; DROP TABLE account_requests; --";
accountRequest.setName(nameInjection);
accountRequestDb.updateAccountRequest(accountRequest);

AccountRequest actual = accountRequestDb.getAccountRequest(accountRequest.getEmail(), accountRequest.getInstitute());
assertEquals(accountRequest, actual);
}

@Test
public void testSqlInjectionInDeleteAccountRequest() throws Exception {
______TS("SQL Injection test in deleteAccountRequest");

AccountRequest accountRequest = new AccountRequest("[email protected]", "name", "institute");
accountRequestDb.createAccountRequest(accountRequest);

String emailInjection = "email'/**/OR/**/1=1/**/@gmail.com";
String nameInjection = "name'; DROP TABLE account_requests; --";
String instituteInjection = "institute'; DROP TABLE account_requests; --";
AccountRequest accountRequestInjection = new AccountRequest(emailInjection, nameInjection, instituteInjection);
Comment on lines +186 to +189
Contributor


Nice. Actually, I should have combined everything in one shot like you did.

accountRequestDb.deleteAccountRequest(accountRequestInjection);

AccountRequest actual = accountRequestDb.getAccountRequest(accountRequest.getEmail(), accountRequest.getInstitute());
assertEquals(accountRequest, actual);
}

@Test
public void testSqlInjectionSearchAccountRequestsInWholeSystem() throws Exception {
______TS("SQL Injection test in searchAccountRequestsInWholeSystem");

AccountRequest accountRequest = new AccountRequest("[email protected]", "name", "institute");
accountRequestDb.createAccountRequest(accountRequest);

String searchInjection = "institute'; DROP TABLE account_requests; --";
List<AccountRequest> actualInjection = accountRequestDb.searchAccountRequestsInWholeSystem(searchInjection);
Contributor


Does this use SQL? I thought it's Solr. Still, I guess there's no harm, and it's possible the implementation may change to use SQL, but I'm not sure it's likely, even if PostgreSQL can do full-text search.

assertEquals(0, actualInjection.size());

AccountRequest actual = accountRequestDb.getAccountRequest("[email protected]", "institute");
assertEquals(accountRequest, actual);
}
}
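Review bot: The injection payloads are duplicated across the new tests — `"institute'; DROP TABLE account_requests; --"` appears in testSqlInjectionInCreateAccountRequestInstituteField, testSqlInjectionInGetAccountRequest, testSqlInjectionInDeleteAccountRequest and testSqlInjectionSearchAccountRequestsInWholeSystem, and the email payload in two tests — so they belong in `private static final String` constants such as `INSTITUTE_INJECTION` and `EMAIL_INJECTION`, with the probe then changed in one place. The three create tests comment that "the system should treat the input as a plain text string" but compare only the injected field; `verifyEquals(accountRequest, actual)`, which the existing testUpdateAccountRequest already uses, would compare the whole stored row, assuming it checks every field as it appears to. In testSqlInjectionInDeleteAccountRequest the entity handed to deleteAccountRequest was never persisted, so the test presumably also relies on deleting a missing entity being a no-op rather than an error; a comment stating that expectation, e.g. `// deleting a never-persisted entity with tainted fields must neither throw nor affect the real row`, would make the intent explicit.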