-
-
Notifications
You must be signed in to change notification settings - Fork 421
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add unit tests for Blind SQL Injection Vulnerability levels 1, 2, and…
… 3 (#474) * Add unit tests for BlindSQLInjectionVulnerability Level 1 * Add unit tests for BlindSQLInjectionVulnerability Level 2 * Add unit tests for BlindSQLInjectionVulnerability Level 3
- Loading branch information
Showing
1 changed file
with
215 additions
and
0 deletions.
There are no files selected for viewing
215 changes: 215 additions & 0 deletions
215
.../org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerabilityTest.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,215 @@ | ||
package org.sasanlabs.service.vulnerability.sqlInjection; | ||
|
||
import static org.junit.jupiter.api.Assertions.*; | ||
import static org.mockito.Mockito.*; | ||
|
||
import java.sql.ResultSet; | ||
import java.sql.SQLException; | ||
import java.util.HashMap; | ||
import java.util.Map; | ||
import org.junit.jupiter.api.BeforeEach; | ||
import org.junit.jupiter.api.Test; | ||
import org.mockito.InjectMocks; | ||
import org.mockito.Mock; | ||
import org.mockito.MockitoAnnotations; | ||
import org.springframework.http.HttpStatus; | ||
import org.springframework.http.ResponseEntity; | ||
import org.springframework.jdbc.core.JdbcTemplate; | ||
import org.springframework.jdbc.core.PreparedStatementCreator; | ||
import org.springframework.jdbc.core.ResultSetExtractor; | ||
|
||
public class BlindSQLInjectionVulnerabilityTest { | ||
|
||
@Mock private JdbcTemplate jdbcTemplate; | ||
|
||
@InjectMocks private BlindSQLInjectionVulnerability blindSQLInjectionVulnerability; | ||
|
||
@BeforeEach | ||
public void setUp() { | ||
MockitoAnnotations.openMocks(this); | ||
} | ||
|
||
@Test | ||
public void testGetCarInformationLevel1_CarPresent() throws SQLException { | ||
// Arrange | ||
String id = "1"; | ||
Map<String, String> queryParams = new HashMap<>(); | ||
queryParams.put("id", id); | ||
|
||
// The query is simulated to have returned a result (i.e. there is a car with ID "1") | ||
ResultSet mockResultSet = mock(ResultSet.class); | ||
when(mockResultSet.next()).thenReturn(true); | ||
|
||
// return rse.extractData(mockResultSet); indicates that the ResultSetExtractor extracts the | ||
// data from the mockResultSet (which mocks the query result) | ||
when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class))) | ||
.thenAnswer( | ||
invocation -> { | ||
ResultSetExtractor<ResponseEntity<String>> rse = | ||
invocation.getArgument(1); | ||
return rse.extractData(mockResultSet); | ||
}); | ||
|
||
// Act | ||
ResponseEntity<String> response = | ||
blindSQLInjectionVulnerability.getCarInformationLevel1(queryParams); | ||
|
||
// Assert | ||
assertEquals(HttpStatus.OK, response.getStatusCode()); | ||
assertEquals("{ \"isCarPresent\": true}", response.getBody()); | ||
} | ||
|
||
@Test | ||
public void testGetCarInformationLevel1_CarNotPresent() throws SQLException { | ||
// Arrange | ||
String id = "2"; | ||
Map<String, String> queryParams = new HashMap<>(); | ||
queryParams.put("id", id); | ||
|
||
// The query is simulated to have returned a result (i.e. there is no a car with ID "2") | ||
ResultSet mockResultSet = mock(ResultSet.class); | ||
when(mockResultSet.next()).thenReturn(false); | ||
|
||
// return rse.extractData(mockResultSet); indicates that the ResultSetExtractor extracts the | ||
// data from the mockResultSet (which mocks the query result) | ||
when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class))) | ||
.thenAnswer( | ||
invocation -> { | ||
ResultSetExtractor<ResponseEntity<String>> rse = | ||
invocation.getArgument(1); | ||
return rse.extractData(mockResultSet); | ||
}); | ||
|
||
// Act | ||
ResponseEntity<String> response = | ||
blindSQLInjectionVulnerability.getCarInformationLevel1(queryParams); | ||
|
||
// Assert | ||
assertEquals(HttpStatus.OK, response.getStatusCode()); | ||
assertEquals( | ||
ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE, | ||
response.getBody()); | ||
} | ||
|
||
@Test | ||
public void testGetCarInformationLevel2_CarPresent() throws SQLException { | ||
// Arrange | ||
String id = "1"; | ||
Map<String, String> queryParams = new HashMap<>(); | ||
queryParams.put("id", id); | ||
|
||
// Mock the ResultSet behavior | ||
ResultSet mockResultSet = mock(ResultSet.class); | ||
when(mockResultSet.next()).thenReturn(true); | ||
|
||
// Mock the query method of JdbcTemplate | ||
when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class))) | ||
.thenAnswer( | ||
invocation -> { | ||
ResultSetExtractor<ResponseEntity<String>> rse = | ||
invocation.getArgument(1); | ||
return rse.extractData(mockResultSet); | ||
}); | ||
|
||
// Act | ||
ResponseEntity<String> response = | ||
blindSQLInjectionVulnerability.getCarInformationLevel2(queryParams); | ||
|
||
// Assert | ||
assertEquals(HttpStatus.OK, response.getStatusCode()); | ||
assertEquals("{ \"isCarPresent\": true}", response.getBody()); | ||
} | ||
|
||
@Test | ||
public void testGetCarInformationLevel2_CarNotPresent() throws SQLException { | ||
// Arrange | ||
String id = "2"; | ||
Map<String, String> queryParams = new HashMap<>(); | ||
queryParams.put("id", id); | ||
|
||
// Mock the ResultSet behavior | ||
ResultSet mockResultSet = mock(ResultSet.class); | ||
when(mockResultSet.next()).thenReturn(false); | ||
|
||
// Mock the query method of JdbcTemplate | ||
when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class))) | ||
.thenAnswer( | ||
invocation -> { | ||
ResultSetExtractor<ResponseEntity<String>> rse = | ||
invocation.getArgument(1); | ||
return rse.extractData(mockResultSet); | ||
}); | ||
|
||
// Act | ||
ResponseEntity<String> response = | ||
blindSQLInjectionVulnerability.getCarInformationLevel2(queryParams); | ||
|
||
// Assert | ||
assertEquals(HttpStatus.OK, response.getStatusCode()); | ||
assertEquals( | ||
ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE, | ||
response.getBody()); | ||
} | ||
|
||
@Test | ||
public void testGetCarInformationLevel3_CarPresent() throws SQLException { | ||
// Arrange | ||
String id = "1"; | ||
Map<String, String> queryParams = new HashMap<>(); | ||
queryParams.put("id", id); | ||
|
||
// Mock the ResultSet behavior | ||
ResultSet mockResultSet = mock(ResultSet.class); | ||
when(mockResultSet.next()).thenReturn(true); | ||
|
||
// Mock the query method of JdbcTemplate | ||
when(jdbcTemplate.query( | ||
(PreparedStatementCreator) any(), any(), any(ResultSetExtractor.class))) | ||
.thenAnswer( | ||
invocation -> { | ||
ResultSetExtractor<ResponseEntity<String>> rse = | ||
invocation.getArgument(2); | ||
return rse.extractData(mockResultSet); | ||
}); | ||
|
||
// Act | ||
ResponseEntity<String> response = | ||
blindSQLInjectionVulnerability.getCarInformationLevel3(queryParams); | ||
|
||
// Assert | ||
assertEquals(HttpStatus.OK, response.getStatusCode()); | ||
assertEquals("{ \"isCarPresent\": true}", response.getBody()); | ||
} | ||
|
||
@Test | ||
public void testGetCarInformationLevel3_CarNotPresent() throws SQLException { | ||
// Arrange | ||
String id = "2"; | ||
Map<String, String> queryParams = new HashMap<>(); | ||
queryParams.put("id", id); | ||
|
||
// Mock the ResultSet behavior | ||
ResultSet mockResultSet = mock(ResultSet.class); | ||
when(mockResultSet.next()).thenReturn(false); | ||
|
||
// Mock the query method of JdbcTemplate | ||
when(jdbcTemplate.query( | ||
(PreparedStatementCreator) any(), any(), any(ResultSetExtractor.class))) | ||
.thenAnswer( | ||
invocation -> { | ||
ResultSetExtractor<ResponseEntity<String>> rse = | ||
invocation.getArgument(2); | ||
return rse.extractData(mockResultSet); | ||
}); | ||
|
||
// Act | ||
ResponseEntity<String> response = | ||
blindSQLInjectionVulnerability.getCarInformationLevel3(queryParams); | ||
|
||
// Assert | ||
assertEquals(HttpStatus.OK, response.getStatusCode()); | ||
assertEquals( | ||
ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE, | ||
response.getBody()); | ||
} | ||
} |