From 815117e000e72fd04c63b04ac3cdbf63587c0e29 Mon Sep 17 00:00:00 2001
From: Simon Brandhof
Date: Mon, 24 Jun 2013 00:38:08 +0200
Subject: [PATCH] SONAR-4278 SQL Injection in measure filters
---
 .../org/sonar/core/measure/MeasureFilterSql.java | 13 ++++++++++---
 .../core/measure/MeasureFilterExecutorTest.java | 16 ++++++++++++++++
 2 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/sonar-core/src/main/java/org/sonar/core/measure/MeasureFilterSql.java b/sonar-core/src/main/java/org/sonar/core/measure/MeasureFilterSql.java
index c60e1ec0c1d..6b8b877b285 100644
--- a/sonar-core/src/main/java/org/sonar/core/measure/MeasureFilterSql.java
+++ b/sonar-core/src/main/java/org/sonar/core/measure/MeasureFilterSql.java
@@ -210,9 +210,16 @@ class MeasureFilterSql {
 }
 private static void appendInStatement(List values, StringBuilder to) {
- to.append(" ('");
- to.append(StringUtils.join(values, "','"));
- to.append("') ");
+ to.append(" (");
+ for (int i=0 ; i0) {
+ to.append(",");
+ }
+ to.append("'");
+ to.append(StringEscapeUtils.escapeSql(values.get(i)));
+ to.append("'");
+ }
+ to.append(") ");
 }
 abstract static class RowProcessor {
diff --git a/sonar-core/src/test/java/org/sonar/core/measure/MeasureFilterExecutorTest.java b/sonar-core/src/test/java/org/sonar/core/measure/MeasureFilterExecutorTest.java
index 5ce365c1121..682dfb3c174 100644
--- a/sonar-core/src/test/java/org/sonar/core/measure/MeasureFilterExecutorTest.java
+++ b/sonar-core/src/test/java/org/sonar/core/measure/MeasureFilterExecutorTest.java
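Review bot: `StringEscapeUtils.escapeSql(values.get(i))` on the new side only doubles single quotes, so a value containing a backslash can still close the quoted literal early on a database that treats backslash as an escape character (MySQL does unless NO_BACKSLASH_ESCAPES is set); the commons-lang javadoc for this method itself says it covers nothing but the quote, and later commons-lang versions dropped it for that reason. Because appendInStatement writes the values into the statement text, the durable fix is to emit one `?` per element here and bind each value through the caller's PreparedStatement, which I cannot see from this hunk but which would remove the escaping question entirely. Separately, an empty `values` list now yields ` () `, a syntax error on most databases, where the removed join yielded `('')`; if callers can pass an empty list this branch needs a guard such as skipping the clause. The rendering of this patch dropped the middle of the `for`/`if` lines, so the loop bounds as shown cannot be checked here.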
@@ -121,6 +121,22 @@ public class MeasureFilterExecutorTest extends AbstractDaoTestCase {
 verifyPhpProject(rows.get(1));
 }
+ @Test
+ public void should_prevent_sql_injection_through_parameters() throws SQLException {
+ setupData("shared");
+ MeasureFilter filter = new MeasureFilter()
+ .setResourceQualifiers(Arrays.asList("'"))
+ .setResourceLanguages(Arrays.asList("'"))
+ .setBaseResourceKey("'")
+ .setResourceKeyRegexp("'")
+ .setResourceName("'")
+ .setResourceName("'")
+ .setResourceScopes(Arrays.asList("'"));
+ List rows = executor.execute(filter, new MeasureFilterContext());
+ // an exception would be thrown if SQL is not valid
+ assertThat(rows).isEmpty();
+ }
+
 @Test
 public void test_default_sort() {
 setupData("shared");
-- 2.39.5
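Review bot: `.setResourceName("'")` is called twice in the new test, so the second call merely overwrites the first and one of the filter's setters is probably missing from the coverage; it looks like a copy-paste slip and is worth checking against the setters MeasureFilter exposes. The only payload is a lone single quote, which is exactly the one character escapeSql handles, so the test cannot tell quote-doubling apart from proper binding; a second value containing a backslash, and an empty list for the IN-clause setters, would cover the cases the production change leaves open. The comment `// an exception would be thrown if SQL is not valid` describes the real assertion, so it would be clearer to state it as the test's Javadoc, e.g. `/** Filter values are only treated as data: the built SQL must stay valid and match nothing. */`.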