authorSimon Brandhof <simon.brandhof@gmail.com>2013-06-24 00:38:08 +0200
committerSimon Brandhof <simon.brandhof@gmail.com>2013-06-24 00:38:08 +0200
commit08257f901822eba9bc060ea3b9b391f314d13218 (patch)
tree2d2fd09aa59d8f004fd3207eb57d462170031c5c /sonar-core
parentb82081b353645dd87222596cb0688dbe559acfa6 (diff)
SONAR-4278 SQL Injection in measure filters
Diffstat (limited to 'sonar-core')
-rw-r--r--sonar-core/src/main/java/org/sonar/core/measure/MeasureFilterSql.java13
-rw-r--r--sonar-core/src/test/java/org/sonar/core/measure/MeasureFilterExecutorTest.java16
2 files changed, 26 insertions, 3 deletions
diff --git a/sonar-core/src/main/java/org/sonar/core/measure/MeasureFilterSql.java b/sonar-core/src/main/java/org/sonar/core/measure/MeasureFilterSql.java
index c60e1ec0c1d..6b8b877b285 100644
--- a/sonar-core/src/main/java/org/sonar/core/measure/MeasureFilterSql.java
+++ b/sonar-core/src/main/java/org/sonar/core/measure/MeasureFilterSql.java
@@ -210,9 +210,16 @@ class MeasureFilterSql {
}
private static void appendInStatement(List<String> values, StringBuilder to) {
- to.append(" ('");
- to.append(StringUtils.join(values, "','"));
- to.append("') ");
+ to.append(" (");
+ for (int i=0 ; i<values.size() ; i++) {
+ if (i>0) {
+ to.append(",");
+ }
+ to.append("'");
+ to.append(StringEscapeUtils.escapeSql(values.get(i)));
+ to.append("'");
+ }
+ to.append(") ");
}
abstract static class RowProcessor {
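Review bot: An empty `values` list now produces ` () `, which most databases reject as a syntax error, whereas the removed `StringUtils.join` version produced `('')`; unless every caller guards against an empty list (not visible in this hunk), `appendInStatement` should handle that case itself, e.g. `if (values.isEmpty()) { to.append(" ('') "); return; }` before the loop. Beyond that, `StringEscapeUtils.escapeSql` only doubles single quotes, so the statement is still assembled by concatenation and its safety rests on the target database treating `''` as the sole quoting mechanism (backslash escaping, where enabled, is not covered); binding each element as a `?` parameter of a `PreparedStatement` would remove the escaping question entirely. If a null element can reach this method, `escapeSql` returns null and `append` renders it as the literal `'null'`, which is probably not the intended match. `appendInStatement` is complete within the hunk; the enclosing `MeasureFilterSql` class continues outside it.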
diff --git a/sonar-core/src/test/java/org/sonar/core/measure/MeasureFilterExecutorTest.java b/sonar-core/src/test/java/org/sonar/core/measure/MeasureFilterExecutorTest.java
index 5ce365c1121..682dfb3c174 100644
--- a/sonar-core/src/test/java/org/sonar/core/measure/MeasureFilterExecutorTest.java
+++ b/sonar-core/src/test/java/org/sonar/core/measure/MeasureFilterExecutorTest.java
@@ -122,6 +122,22 @@ public class MeasureFilterExecutorTest extends AbstractDaoTestCase {
}
@Test
+ public void should_prevent_sql_injection_through_parameters() throws SQLException {
+ setupData("shared");
+ MeasureFilter filter = new MeasureFilter()
+ .setResourceQualifiers(Arrays.asList("'"))
+ .setResourceLanguages(Arrays.asList("'"))
+ .setBaseResourceKey("'")
+ .setResourceKeyRegexp("'")
+ .setResourceName("'")
+ .setResourceName("'")
+ .setResourceScopes(Arrays.asList("'"));
+ List<MeasureFilterRow> rows = executor.execute(filter, new MeasureFilterContext());
+ // an exception would be thrown if SQL is not valid
+ assertThat(rows).isEmpty();
+ }
+
+ @Test
public void test_default_sort() {
setupData("shared");
MeasureFilter filter = new MeasureFilter().setResourceQualifiers(Arrays.asList("CLA"));
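Review bot: `.setResourceName("'")` appears twice in the builder chain of `should_prevent_sql_injection_through_parameters`, so one filter field the test meant to cover is left unexercised; the second call presumably should target a different setter, though the hunk does not show which one. The test also only proves that a lone quote still yields parseable SQL and an empty result, not that a quoted value is treated as data rather than as query syntax; adding a value that would match a row from `shared` if the quote were interpreted by the database, and asserting the result stays empty, would pin the behaviour the commit title claims. The inline comment could reference the issue so the intent survives refactoring: `// SONAR-4278: quote characters in filter values must be escaped, otherwise the SQL fails to parse`. `test_default_sort` begins in this hunk but its body continues outside it.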