From: Simon Brandhof
Date: Sun, 23 Jun 2013 22:38:08 +0000 (+0200)
Subject: SONAR-4278 SQL Injection in measure filters
X-Git-Tag: 3.6.1~9
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=815117e000e72fd04c63b04ac3cdbf63587c0e29;p=sonarqube.git

SONAR-4278 SQL Injection in measure filters
---

diff --git a/sonar-core/src/main/java/org/sonar/core/measure/MeasureFilterSql.java b/sonar-core/src/main/java/org/sonar/core/measure/MeasureFilterSql.java
index c60e1ec0c1d..6b8b877b285 100644
--- a/sonar-core/src/main/java/org/sonar/core/measure/MeasureFilterSql.java
+++ b/sonar-core/src/main/java/org/sonar/core/measure/MeasureFilterSql.java
@@ -210,9 +210,16 @@ class MeasureFilterSql {
   }
 
   private static void appendInStatement(List values, StringBuilder to) {
-    to.append(" ('");
-    to.append(StringUtils.join(values, "','"));
-    to.append("') ");
+    to.append(" (");
+    for (int i=0 ; i0) {
+        to.append(",");
+      }
+      to.append("'");
+      to.append(StringEscapeUtils.escapeSql(values.get(i)));
+      to.append("'");
+    }
+    to.append(") ");
   }
 
   abstract static class RowProcessor {
diff --git a/sonar-core/src/test/java/org/sonar/core/measure/MeasureFilterExecutorTest.java b/sonar-core/src/test/java/org/sonar/core/measure/MeasureFilterExecutorTest.java
index 5ce365c1121..682dfb3c174 100644
--- a/sonar-core/src/test/java/org/sonar/core/measure/MeasureFilterExecutorTest.java
+++ b/sonar-core/src/test/java/org/sonar/core/measure/MeasureFilterExecutorTest.java
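Review bot: With the join replaced by the loop in `appendInStatement`, an empty `values` list now emits ` () `, which is a syntax error on most databases, whereas the removed code emitted `('')`, a valid literal that matches nothing; whether callers can pass an empty list is not visible here, so either keep that fallback with `if (values.isEmpty()) { to.append(" ('') "); return; }` or enforce non-empty at the call sites. `StringEscapeUtils.escapeSql` only doubles single quotes and commons-lang documents it as insufficient for dialects where a backslash also escapes a quote, so if the surrounding class hands this string to a `PreparedStatement`, binding each value as a `?` parameter would remove the reliance on escaping altogether. The `for`/`if` lines appear merged in this rendering (`i0) {`), presumably an extraction artifact rather than the committed text.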
@@ -121,6 +121,22 @@ public class MeasureFilterExecutorTest extends AbstractDaoTestCase {
     verifyPhpProject(rows.get(1));
   }
 
+  @Test
+  public void should_prevent_sql_injection_through_parameters() throws SQLException {
+    setupData("shared");
+    MeasureFilter filter = new MeasureFilter()
+      .setResourceQualifiers(Arrays.asList("'"))
+      .setResourceLanguages(Arrays.asList("'"))
+      .setBaseResourceKey("'")
+      .setResourceKeyRegexp("'")
+      .setResourceName("'")
+      .setResourceName("'")
+      .setResourceScopes(Arrays.asList("'"));
+    List rows = executor.execute(filter, new MeasureFilterContext());
+    // an exception would be thrown if SQL is not valid
+    assertThat(rows).isEmpty();
+  }
+
   @Test
   public void test_default_sort() {
     setupData("shared");
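Review bot: `.setResourceName("'")` is called twice on consecutive lines in `should_prevent_sql_injection_through_parameters`, which looks like a copy-paste slip; the second call was presumably meant for another string field of `MeasureFilter` that the test now leaves uncovered. The test only exercises a lone single quote, so it cannot tell whether the quote-doubling done by `escapeSql` is enough on a dialect where a backslash also escapes a quote; passing a value such as `"\\'"` through the same setters would at least record that case, although the database behind `AbstractDaoTestCase` is not visible here and may not be such a dialect. The comment `// an exception would be thrown if SQL is not valid` carries the whole safety argument while `assertThat(rows).isEmpty()` only shows the query ran, so a sentence naming which filter fields end up in the IN clause would make the intent clearer. The enclosing test class continues outside the hunk.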