]> source.dussan.org Git - sonarqube.git/commitdiff
SONAR-4278 SQL Injection in measure filters
authorSimon Brandhof <simon.brandhof@gmail.com>
Sun, 23 Jun 2013 22:38:08 +0000 (00:38 +0200)
committerSimon Brandhof <simon.brandhof@gmail.com>
Sun, 23 Jun 2013 22:38:08 +0000 (00:38 +0200)
sonar-core/src/main/java/org/sonar/core/measure/MeasureFilterSql.java
sonar-core/src/test/java/org/sonar/core/measure/MeasureFilterExecutorTest.java

index c60e1ec0c1ddb87d250714419eb7f70d6864ebdb..6b8b877b2851b78dbbf78f8e425158f1b93bc4ce 100644 (file)
@@ -210,9 +210,16 @@ class MeasureFilterSql {
   }
 
   private static void appendInStatement(List<String> values, StringBuilder to) {
-    to.append(" ('");
-    to.append(StringUtils.join(values, "','"));
-    to.append("') ");
+    to.append(" (");
+    for (int i=0 ; i<values.size() ; i++) {
+      if (i>0) {
+        to.append(",");
+      }
+      to.append("'");
+      to.append(StringEscapeUtils.escapeSql(values.get(i)));
+      to.append("'");
+    }
+    to.append(") ");
   }
 
   abstract static class RowProcessor {
index 5ce365c1121bbe6ccc3e29334c845b2654a0dac5..682dfb3c174b17881a6988fcfb92e0042e7cec6d 100644 (file)
@@ -121,6 +121,22 @@ public class MeasureFilterExecutorTest extends AbstractDaoTestCase {
     verifyPhpProject(rows.get(1));
   }
 
+  @Test
+  public void should_prevent_sql_injection_through_parameters() throws SQLException {
+    setupData("shared");
+    MeasureFilter filter = new MeasureFilter()
+      .setResourceQualifiers(Arrays.asList("'"))
+      .setResourceLanguages(Arrays.asList("'"))
+      .setBaseResourceKey("'")
+      .setResourceKeyRegexp("'")
+      .setResourceName("'")
+      .setResourceName("'")
+      .setResourceScopes(Arrays.asList("'"));
+    List<MeasureFilterRow> rows = executor.execute(filter, new MeasureFilterContext());
+    // an exception would be thrown if SQL is not valid
+    assertThat(rows).isEmpty();
+  }
+
   @Test
   public void test_default_sort() {
     setupData("shared");