
FINERACT-1870: Run reports fix for 1.8.x
vidakovic committed Feb 19, 2023
1 parent 8cede8d commit 7a37a47
Showing 1 changed file with 32 additions and 18 deletions.
Expand Up @@ -18,6 +18,7 @@
*/
package org.apache.fineract.infrastructure.security.utils;

import java.util.List;
import java.util.StringTokenizer;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
Expand All @@ -37,23 +38,32 @@ private SQLInjectionValidator() {

private static final String SQL_PATTERN = "[a-zA-Z_=,\\-'!><.?\"`% ()0-9*\n\r]*";

// TODO: see here https://rails-sqli.org for and
// https://larrysteinle.com/2011/02/20/use-regular-expressions-to-detect-sql-code-injection more examples
private static final List<String> INJECTION_PATTERNS = List.of("(?i).*[or|and]\s*[\"']?-1[\"']?\\s*(-*).*",
"(?i).*\\s+[\"']?(\\d+)[\"']?\\s*=\\s*[\"']?(\\1)[\"']?\\s*(-*).*");

public static void validateSQLInput(final String sqlSearch) {
if (StringUtils.isBlank(sqlSearch)) {
return;
}

// TODO: this should be replaced by INJECTION_PATTERNS
String lowerCaseSQL = sqlSearch.toLowerCase();
for (String ddl : DDL_COMMANDS) {
if (lowerCaseSQL.contains(ddl)) {
throw new SQLInjectionException();
}
}

// TODO: this should be replaced by INJECTION_PATTERNS
for (String dml : DML_COMMANDS) {
if (lowerCaseSQL.contains(dml)) {
throw new SQLInjectionException();
}
}

// TODO: this should be replaced by INJECTION_PATTERNS
for (String comments : COMMENTS) {
if (lowerCaseSQL.contains(comments)) {
throw new SQLInjectionException();
Expand All @@ -63,17 +73,10 @@ public static void validateSQLInput(final String sqlSearch) {
// Removing the space before and after '=' operator
// String s = " \" OR 1 = 1"; For the cases like this
boolean injectionFound = false;
String inputSqlString = lowerCaseSQL;
while (inputSqlString.indexOf(" =") > 0) { // Don't remove space before
// = operator
inputSqlString = inputSqlString.replaceAll(" =", "=");
}

while (inputSqlString.indexOf("= ") > 0) { // Don't remove space after =
// operator
inputSqlString = inputSqlString.replaceAll("= ", "=");
}
String inputSqlString = lowerCaseSQL.replaceAll("\\s*=\\s*", "=");

// TODO: this should be replaced by INJECTION_PATTERNS
StringTokenizer tokenizer = new StringTokenizer(inputSqlString, " ");
while (tokenizer.hasMoreTokens()) {
String token = tokenizer.nextToken().trim();
Expand Down Expand Up @@ -118,6 +121,14 @@ public static void validateSQLInput(final String sqlSearch) {
throw new SQLInjectionException();
}

for (String injectionPattern : INJECTION_PATTERNS) {
Pattern pattern = Pattern.compile(injectionPattern);
Matcher matcher = pattern.matcher(sqlSearch);
if (matcher.matches()) {
throw new SQLInjectionException();
}
}

Pattern pattern = Pattern.compile(SQL_PATTERN);
Matcher matcher = pattern.matcher(sqlSearch);
if (!matcher.matches()) {
Expand All @@ -129,13 +140,16 @@ public static void validateAdhocQuery(final String sqlSearch) {
if (StringUtils.isBlank(sqlSearch)) {
return;
}

// TODO: this should be replaced by INJECTION_PATTERNS
String lowerCaseSQL = sqlSearch.toLowerCase().trim();
for (String ddl : DDL_COMMANDS) {
if (lowerCaseSQL.startsWith(ddl)) {
throw new SQLInjectionException();
}
}

// TODO: this should be replaced by INJECTION_PATTERNS
for (String comments : COMMENTS) {
if (lowerCaseSQL.contains(comments)) {
throw new SQLInjectionException();
Expand All @@ -145,16 +159,8 @@ public static void validateAdhocQuery(final String sqlSearch) {
// Removing the space before and after '=' operator
// String s = " \" OR 1 = 1"; For the cases like this
boolean injectionFound = false;
String inputSqlString = lowerCaseSQL;
while (inputSqlString.indexOf(" =") > 0) { // Don't remove space before
// = operator
inputSqlString = inputSqlString.replaceAll(" =", "=");
}

while (inputSqlString.indexOf("= ") > 0) { // Don't remove space after =
// operator
inputSqlString = inputSqlString.replaceAll("= ", "=");
}
String inputSqlString = lowerCaseSQL.replaceAll("\\s*=\\s*", "=");

StringTokenizer tokenizer = new StringTokenizer(inputSqlString, " ");
while (tokenizer.hasMoreTokens()) {
Expand Down Expand Up @@ -200,6 +206,14 @@ public static void validateAdhocQuery(final String sqlSearch) {
throw new SQLInjectionException();
}

for (String injectionPattern : INJECTION_PATTERNS) {
Pattern pattern = Pattern.compile(injectionPattern);
Matcher matcher = pattern.matcher(sqlSearch);
if (matcher.matches()) {
throw new SQLInjectionException();
}
}

Pattern pattern = Pattern.compile(SQL_PATTERN);
Matcher matcher = pattern.matcher(sqlSearch);
if (!matcher.matches()) {
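Review bot: The two new `INJECTION_PATTERNS` are checked with `matcher.matches()` and anchored by `.*` at both ends, but neither carries the DOTALL flag, and since `SQL_PATTERN` explicitly admits `\n` and `\r`, a payload placed after a line break (e.g. `"x\n or -1"`) fails to match and slips past this new layer in both `validateSQLInput` and `validateAdhocQuery` — the flag should be `(?is)` rather than `(?i)`. The first pattern is also not the regex it reads as: `[or|and]` is a character class matching one of the characters `o r | a n d`, not the alternation `(?:or|and)` (so `year-1` trips it while `and\t-1` does not), and the single-backslash `\s` in that string literal is, if the build targets Java 15 or newer, the text-block space escape, so the regex sees ` *` instead of `\\s*` — the same literal uses `\\s*` a few characters later. Suggested first element: `"(?is).*\\b(?:or|and)\\s*[\"']?-1[\"']?\\s*(-*).*"` with `(?is)` on the second element as well. Separately, `Pattern.compile` now runs for every pattern on every call in both validators; holding `INJECTION_PATTERNS` as a `List<Pattern>` compiled once in the static initializer avoids that, and `find()` on an un-anchored pattern would be simpler than `matches()` wrapped in `.*`. Both enclosing methods start and end outside the hunks shown here.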
