From 792f46fe02e4ec8e175971054f369917e327c0b9 Mon Sep 17 00:00:00 2001
From: Sebastian Klawin
Date: Thu, 2 Nov 2023 15:09:19 +0100
Subject: [PATCH] fixes Typos, renames entityManager and implements getCarInformationLevel5-test
---
 .../UnionBasedSQLInjectionVulnerability.java | 14 +++---
 ...ionBasedSQLInjectionVulnerabilityTest.java | 46 +++++++++++++++----
 2 files changed, 43 insertions(+), 17 deletions(-)
diff --git a/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java b/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java
index 3f4e6268..92fa9aa1 100644
--- a/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java
+++ b/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerability.java
@@ -41,14 +41,14 @@ public class UnionBasedSQLInjectionVulnerability {
 private final JdbcTemplate applicationJdbcTemplate;
 private final NamedParameterJdbcTemplate namedParameterJdbcTemplate;
 private final CarInformationRepository carInformationRepository;
- private final EntityManager em;
+ private final EntityManager entityManager;
 public UnionBasedSQLInjectionVulnerability(
- @Qualifier("applicationJdbcTemplate") final JdbcTemplate applicationJdbcTemplate, NamedParameterJdbcTemplate namedParameterJdbcTemplate, CarInformationRepository carInformationRepository, EntityManager em) {
+ @Qualifier("applicationJdbcTemplate") final JdbcTemplate applicationJdbcTemplate, NamedParameterJdbcTemplate namedParameterJdbcTemplate, CarInformationRepository carInformationRepository, EntityManager entityManager) {
 this.applicationJdbcTemplate = applicationJdbcTemplate;
 this.namedParameterJdbcTemplate = namedParameterJdbcTemplate;
 this.carInformationRepository = carInformationRepository;
- this.em = em;
+ this.entityManager = entityManager;
 }
 @AttackVector(
@@ -131,7 +131,7 @@ public ResponseEntity getCarInformationLevel6(
 @RequestParam final Map queryParams) {
 final String id = queryParams.get("id");
 String jql = "from CarInformation where id = :id";
- TypedQuery q = em.createQuery(jql, CarInformation.class)
+ TypedQuery q = entityManager.createQuery(jql, CarInformation.class)
 .setParameter("id", Integer.valueOf(id));
 return new ResponseEntity<>(q.getSingleResult(), HttpStatus.OK);
 }
@@ -144,13 +144,13 @@ public ResponseEntity getCarInformationLevel7(
 @RequestParam final Map queryParams) {
 final String id = queryParams.get("id");
- CriteriaBuilder cb = em.getCriteriaBuilder();
+ CriteriaBuilder cb = entityManager.getCriteriaBuilder();
 CriteriaQuery cq = cb.createQuery(CarInformation.class);
 Root root = cq.from(CarInformation.class);
 cq.select(root).where(cb.equal(root.get("id"), id));
- TypedQuery q = em.createQuery(cq);
+ TypedQuery q = entityManager.createQuery(cq);
 return new ResponseEntity<>(q.getSingleResult(), HttpStatus.OK);
 }
@@ -161,7 +161,7 @@ public ResponseEntity getCarInformationLevel7(
 public ResponseEntity getCarInformationLevel8(
 @RequestParam final Map queryParams) {
 final String id = queryParams.get("id");
- TypedQuery q = em.createNamedQuery("findById", CarInformation.class)
+ TypedQuery q = entityManager.createNamedQuery("findById", CarInformation.class)
 .setParameter("id", Integer.valueOf(id));
 return new ResponseEntity<>(q.getSingleResult(), HttpStatus.OK);
 }
diff --git a/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerabilityTest.java b/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerabilityTest.java
index bd55a6c6..e2731a0a 100644
--- a/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerabilityTest.java
+++ b/src/test/java/org/sasanlabs/service/vulnerability/sqlInjection/UnionBasedSQLInjectionVulnerabilityTest.java
@@ -1,29 +1,39 @@
 package org.sasanlabs.service.vulnerability.sqlInjection;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.ArgumentMatchers.anyString;
-import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.ArgumentMatchers.*;
 import static org.mockito.Mockito.doReturn;
 import static org.mockito.Mockito.verify;
-import java.io.IOException;
 import java.util.Collections;
 import java.util.Map;
+import java.util.Objects;
+
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import org.mockito.ArgumentMatcher;
 import org.mockito.Mockito;
 import org.springframework.jdbc.core.JdbcTemplate;
 import org.springframework.jdbc.core.PreparedStatementSetter;
 import org.springframework.jdbc.core.ResultSetExtractor;
+import org.springframework.jdbc.core.namedparam.MapSqlParameterSource;
+import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;
+
+import javax.persistence.EntityManager;
 class UnionBasedSQLInjectionVulnerabilityTest {
 private UnionBasedSQLInjectionVulnerability unionBasedSQLInjectionVulnerability;
 private JdbcTemplate template;
+ private NamedParameterJdbcTemplate namedParameterJdbcTemplate;
+ private CarInformationRepository carInformationRepository;
+ private EntityManager entityManager;
 @BeforeEach
- void setUp() throws IOException {
+ void setUp() {
 template = Mockito.mock(JdbcTemplate.class);
+ namedParameterJdbcTemplate = Mockito.mock(NamedParameterJdbcTemplate.class);
+ carInformationRepository = Mockito.mock(CarInformationRepository.class);
+ entityManager = Mockito.mock(EntityManager.class);
 // mock database
 doReturn(null)
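Review bot: `import static org.mockito.ArgumentMatchers.*;` replaces the three explicit static imports with a wildcard, which hides which matchers the test actually depends on and is the form most Java style checks reject; the patch visibly uses `any`, `eq` and `argThat`, so `import static org.mockito.ArgumentMatchers.any;`, `import static org.mockito.ArgumentMatchers.argThat;` and `import static org.mockito.ArgumentMatchers.eq;` cover it (keep `anyString` only if code outside the visible hunks still uses it). The added `import org.springframework.jdbc.core.namedparam.MapSqlParameterSource;` is not referenced by any hunk in this patch; unless the rest of the file uses it, it should be dropped rather than left as a stray import. The `setUp()` body continues into the next hunk.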
@@ -36,11 +46,11 @@ void setUp() throws IOException {
 (PreparedStatementSetter) any(),
 (ResultSetExtractor) any());
- unionBasedSQLInjectionVulnerability = new UnionBasedSQLInjectionVulnerability(template, namedParameterJdbcTemplate);
+ unionBasedSQLInjectionVulnerability = new UnionBasedSQLInjectionVulnerability(template, namedParameterJdbcTemplate, carInformationRepository, entityManager);
 }
 @Test
- void getCarInformationLevel1_ExpectParamInjected() throws IOException {
+ void getCarInformationLevel1_ExpectParamInjected() {
 // Act
 final Map params =
 Collections.singletonMap("id", "1 UNION SELECT * FROM cars;");
@@ -54,7 +64,7 @@ void getCarInformationLevel1_ExpectParamInjected() throws IOException {
 }
 @Test
- void getCarInformationLevel2_ExpectParamInjected() throws IOException {
+ void getCarInformationLevel2_ExpectParamInjected() {
 // Act
 final Map params =
 Collections.singletonMap("id", "1' UNION SELECT * FROM cars; --");
@@ -68,7 +78,7 @@ void getCarInformationLevel2_ExpectParamInjected() throws IOException {
 }
 @Test
- void getCarInformationLevel3_ExpectParamEscaped() throws IOException {
+ void getCarInformationLevel3_ExpectParamEscaped() {
 // Act
 final Map params =
 Collections.singletonMap("id", "1' UNION SELECT * FROM cars; --");
@@ -82,7 +92,7 @@ void getCarInformationLevel3_ExpectParamEscaped() throws IOException {
 }
 @Test
- void getCarInformationLevel4_ExpecParamEscaped() throws IOException {
+ void getCarInformationLevel4_ExpectParamEscaped() {
 // Act
 final Map params =
 Collections.singletonMap("id", "1' UNION SELECT * FROM cars; --");
@@ -95,4 +105,20 @@ void getCarInformationLevel4_ExpecParamEscaped() throws IOException {
 (PreparedStatementSetter) any(),
 (ResultSetExtractor) any());
 }
+
+ @Test
+ void getCarInformationLevel5_ExpectParamEscaped() {
+ // Act
+ final Map params =
+ Collections.singletonMap("id", "1' UNION SELECT * FROM cars; --");
+ final String id = "1' UNION SELECT * FROM cars; --";
+ unionBasedSQLInjectionVulnerability.getCarInformationLevel5(params);
+ // Assert
+ ArgumentMatcher argumentMatcher = sqlParameterSource -> Objects.requireNonNull(sqlParameterSource.getValue("id").equals(id));
+ verify(namedParameterJdbcTemplate)
+ .queryForObject(
+ eq("select * from cars where id=:id"),
+ argThat(argumentMatcher),
+ eq(CarInformation.class));
+ }
 }
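Review bot: In the new `argumentMatcher` the `Objects.requireNonNull(...)` wraps the `Boolean` returned by `equals`, which is never null, so it adds nothing, while a parameter source that lacks an `id` entry still throws a NullPointerException from `sqlParameterSource.getValue("id").equals(id)` inside the matcher instead of simply not matching, turning a failed verification into a confusing stack trace. The null-safe form `sqlParameterSource -> Objects.equals(id, sqlParameterSource.getValue("id"))` expresses the intended check directly and uses the `Objects` import the patch already adds. The injected payload is also written twice; declaring `final String id = "1' UNION SELECT * FROM cars; --";` first and passing `Collections.singletonMap("id", id)` keeps the request and the expectation from drifting apart. Asserting the exact statement text plus the bound value is the right way to show the level-5 endpoint binds the parameter instead of concatenating it, though the expected SQL string cannot be cross-checked here because the level-5 implementation is outside this patch.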