Add unit tests for Blind SQL Injection Vulnerability levels 1, 2, and 3 #474

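--- /dev/null
+++ b/BlindSQLInjectionVulnerabilityTest.java
@@ -0,0 +1,215 @@
+package org.sasanlabs.service.vulnerability.sqlInjection;
+
+import static org.junit.jupiter.api.Assertions.*;
+import static org.mockito.Mockito.*;
+
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.util.HashMap;
+import java.util.Map;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.MockitoAnnotations;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.jdbc.core.JdbcTemplate;
+import org.springframework.jdbc.core.PreparedStatementCreator;
+import org.springframework.jdbc.core.ResultSetExtractor;
+
+public class BlindSQLInjectionVulnerabilityTest {
+
+@Mock private JdbcTemplate jdbcTemplate;
+
+@InjectMocks private BlindSQLInjectionVulnerability blindSQLInjectionVulnerability;
+
+@BeforeEach
+public void setUp() {
+MockitoAnnotations.openMocks(this);
+}
+
+@Test
+public void testGetCarInformationLevel1_CarPresent() throws SQLException {
+// Arrange
+String id = "1";
+Map<String, String> queryParams = new HashMap<>();
+queryParams.put("id", id);
+
+// The query is simulated to have returned a result (i.e. there is a car with ID "1")
+ResultSet mockResultSet = mock(ResultSet.class);
+when(mockResultSet.next()).thenReturn(true);
+
+// return rse.extractData(mockResultSet); indicates that the ResultSetExtractor extracts the
+// data from the mockResultSet (which mocks the query result)
+when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class)))
+.thenAnswer(
+invocation -> {
+ResultSetExtractor<ResponseEntity<String>> rse =
+invocation.getArgument(1);
+return rse.extractData(mockResultSet);
+});
+
+// Act
+ResponseEntity<String> response =
+blindSQLInjectionVulnerability.getCarInformationLevel1(queryParams);
+
+// Assert
+assertEquals(HttpStatus.OK, response.getStatusCode());
+assertEquals("{ \"isCarPresent\": true}", response.getBody());
+}
+
+@Test
+public void testGetCarInformationLevel1_CarNotPresent() throws SQLException {
+// Arrange
+String id = "2";
+Map<String, String> queryParams = new HashMap<>();
+queryParams.put("id", id);
+
+// The query is simulated to have returned a result (i.e. there is no a car with ID "2")
+ResultSet mockResultSet = mock(ResultSet.class);
+when(mockResultSet.next()).thenReturn(false);
+
+// return rse.extractData(mockResultSet); indicates that the ResultSetExtractor extracts the
+// data from the mockResultSet (which mocks the query result)
+when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class)))
+.thenAnswer(
+invocation -> {
+ResultSetExtractor<ResponseEntity<String>> rse =
+invocation.getArgument(1);
+return rse.extractData(mockResultSet);
+});
+
+// Act
+ResponseEntity<String> response =
+blindSQLInjectionVulnerability.getCarInformationLevel1(queryParams);
+
+// Assert
+assertEquals(HttpStatus.OK, response.getStatusCode());
+assertEquals(
+ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE,
+response.getBody());
+}
+
+@Test
+public void testGetCarInformationLevel2_CarPresent() throws SQLException {
+// Arrange
+String id = "1";
+Map<String, String> queryParams = new HashMap<>();
+queryParams.put("id", id);
+
+// Mock the ResultSet behavior
+ResultSet mockResultSet = mock(ResultSet.class);
+when(mockResultSet.next()).thenReturn(true);
+
+// Mock the query method of JdbcTemplate
+when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class)))
+.thenAnswer(
+invocation -> {
+ResultSetExtractor<ResponseEntity<String>> rse =
+invocation.getArgument(1);
+return rse.extractData(mockResultSet);
+});
+
+// Act
+ResponseEntity<String> response =
+blindSQLInjectionVulnerability.getCarInformationLevel2(queryParams);
+
+// Assert
+assertEquals(HttpStatus.OK, response.getStatusCode());
+assertEquals("{ \"isCarPresent\": true}", response.getBody());
+}
+
+@Test
+public void testGetCarInformationLevel2_CarNotPresent() throws SQLException {
+// Arrange
+String id = "2";
+Map<String, String> queryParams = new HashMap<>();
+queryParams.put("id", id);
+
+// Mock the ResultSet behavior
+ResultSet mockResultSet = mock(ResultSet.class);
+when(mockResultSet.next()).thenReturn(false);
+
+// Mock the query method of JdbcTemplate
+when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class)))
+.thenAnswer(
+invocation -> {
+ResultSetExtractor<ResponseEntity<String>> rse =
+invocation.getArgument(1);
+return rse.extractData(mockResultSet);
+});
+
+// Act
+ResponseEntity<String> response =
+blindSQLInjectionVulnerability.getCarInformationLevel2(queryParams);
+
+// Assert
+assertEquals(HttpStatus.OK, response.getStatusCode());
+assertEquals(
+ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE,
+response.getBody());
+}
+
+@Test
+public void testGetCarInformationLevel3_CarPresent() throws SQLException {
+// Arrange
+String id = "1";
+Map<String, String> queryParams = new HashMap<>();
+queryParams.put("id", id);
+
+// Mock the ResultSet behavior
+ResultSet mockResultSet = mock(ResultSet.class);
+when(mockResultSet.next()).thenReturn(true);
+
+// Mock the query method of JdbcTemplate
+when(jdbcTemplate.query(
+(PreparedStatementCreator) any(), any(), any(ResultSetExtractor.class)))
+.thenAnswer(
+invocation -> {
+ResultSetExtractor<ResponseEntity<String>> rse =
+invocation.getArgument(2);
+return rse.extractData(mockResultSet);
+});
+
+// Act
+ResponseEntity<String> response =
+blindSQLInjectionVulnerability.getCarInformationLevel3(queryParams);
+
+// Assert
+assertEquals(HttpStatus.OK, response.getStatusCode());
+assertEquals("{ \"isCarPresent\": true}", response.getBody());
+}
+
+@Test
+public void testGetCarInformationLevel3_CarNotPresent() throws SQLException {
+// Arrange
+String id = "2";
+Map<String, String> queryParams = new HashMap<>();
+queryParams.put("id", id);
+
+// Mock the ResultSet behavior
+ResultSet mockResultSet = mock(ResultSet.class);
+when(mockResultSet.next()).thenReturn(false);
+
+// Mock the query method of JdbcTemplate
+when(jdbcTemplate.query(
+(PreparedStatementCreator) any(), any(), any(ResultSetExtractor.class)))
+.thenAnswer(
+invocation -> {
+ResultSetExtractor<ResponseEntity<String>> rse =
+invocation.getArgument(2);
+return rse.extractData(mockResultSet);
+});
+
+// Act
+ResponseEntity<String> response =
+blindSQLInjectionVulnerability.getCarInformationLevel3(queryParams);
+
+// Assert
+assertEquals(HttpStatus.OK, response.getStatusCode());
+assertEquals(
+ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE,
+response.getBody());
+}
+}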
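Review bot: None of the six tests inspects the SQL that reaches `jdbcTemplate.query` — the `when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class)))` stubs in the level-1 and level-2 tests and the `(PreparedStatementCreator) any()` stubs in the level-3 tests accept any statement — so every test passes regardless of whether `id` is concatenated into the statement or bound as a parameter, which is presumably the property that separates the three levels of this vulnerability class. Capturing the statement and asserting on it would pin that contract; in the level-1/2 tests, for example, `ArgumentCaptor<String> sql = ArgumentCaptor.forClass(String.class); verify(jdbcTemplate).query(sql.capture(), any(ResultSetExtractor.class));` followed by an assertion on `sql.getValue()` for the well-formed `"1"`/`"2"` inputs used here, and for level 3 a `PreparedStatementCreator` captor driven against a mocked `java.sql.Connection` to verify that the value is bound via `setString`/`setObject` rather than inlined. Separately, `MockitoAnnotations.openMocks(this)` in `setUp` returns an `AutoCloseable` that is discarded; keep the handle and close it in an `@AfterEach`, or drop the manual setup in favour of `@ExtendWith(MockitoExtension.class)`. The six near-identical stubbing blocks could also be one private helper taking the `boolean` that `mockResultSet.next()` returns, which would fix the "there is no a car" typo in the level-1 comment in passing.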