}
private static void appendInStatement(List<String> values, StringBuilder to) {
- to.append(" ('");
- to.append(StringUtils.join(values, "','"));
- to.append("') ");
+ to.append(" (");
+ for (int i=0 ; i<values.size() ; i++) {
+ if (i>0) {
+ to.append(",");
+ }
+ to.append("'");
+ to.append(StringEscapeUtils.escapeSql(values.get(i)));
+ to.append("'");
+ }
+ to.append(") ");
}
abstract static class RowProcessor {
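Review bot: `StringEscapeUtils.escapeSql` in the new loop only doubles single quotes; it does not escape backslashes, so on a dialect such as MySQL (default sql_mode) a value like `\'` still terminates the literal and the injection is only partially closed. The commons-lang javadoc itself warns the method is not a substitute for parameter binding, and it was dropped in commons-lang3, so the durable fix is to append `?` placeholders here and bind each value with `PreparedStatement.setString` — that is a wider change than this hunk, since `appendInStatement` would need to collect the parameters for the caller. The rewrite also changes behaviour for an empty list: the old code produced `('')` while the new loop emits `()`, and `IN ()` is a syntax error on most databases; unless callers guarantee non-empty input, guard it, e.g. `if (values.isEmpty()) { throw new IllegalArgumentException("IN clause requires at least one value"); }`. At minimum, document the escaping limitation above the method: `// NOTE: escapeSql only doubles single quotes; backslashes are not escaped — prefer bound parameters`.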
verifyPhpProject(rows.get(1));
}
+ @Test
+ public void should_prevent_sql_injection_through_parameters() throws SQLException {
+ setupData("shared");
+ MeasureFilter filter = new MeasureFilter()
+ .setResourceQualifiers(Arrays.asList("'"))
+ .setResourceLanguages(Arrays.asList("'"))
+ .setBaseResourceKey("'")
+ .setResourceKeyRegexp("'")
+ .setResourceName("'")
+ .setResourceName("'")
+ .setResourceScopes(Arrays.asList("'"));
+ List<MeasureFilterRow> rows = executor.execute(filter, new MeasureFilterContext());
+ // an exception would be thrown if SQL is not valid
+ assertThat(rows).isEmpty();
+ }
+
@Test
public void test_default_sort() {
setupData("shared");