Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8245607

Bug in class Prepared Statement on method executeQuery

    Details

    • Subcomponent:
    • CPU:
      x86
    • OS:
      os_x

      Description

      ADDITIONAL SYSTEM INFORMATION :
      S.O Catalina 10.15.3 and Java version 8 (build 1.8.0_251-b08) an Postgres lasted

      A DESCRIPTION OF THE PROBLEM :
      Following the documentation I was planning to use executeQuery to ensure that my system does not have SQL Injection, however when creating tests on JUNIT4, to validate the method. I identified that it accepts any type of SQL verb as <DELETE> with that, I cannot guarantee the security of my method

      REGRESSION : Last worked in version 8

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      It is necessary to create a table in your database, and place a record. With that you get her identifier and put it in the delete clause.

        @Test()
        public void should_return_throw_excecption_when_detected_delete_in_query_maliciuos()
                throws InjectionSqlException, ServiceException, ClassNotFoundException, SQLException {
          Class.forName("org.postgresql.Driver");

          String query =
              "delete from transactions where id = '9d0e1b60-c3d8-4ee0-9b1d-cc21689f3727'";
          Connection connection = DriverManager.getConnection(host, user,null);
             PreparedStatement ps = connection.prepareStatement(query);
       
         ps.executeQuery();

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      That generates a PSQLException and my record remains in the database.
      ACTUAL -
      org.postgresql.util.PSQLException: Nenhum resultado foi retornado pela consulta.
      AND
      deleted database record

      ---------- BEGIN SOURCE ----------
        @Test()
        public void should_return_throw_excecption_when_detected_delete_in_query_maliciuos()
                throws InjectionSqlException, ServiceException, ClassNotFoundException, SQLException {
          Class.forName("org.postgresql.Driver");

          String query =
              "delete from transactions where id = '9d0e1b60-c3d8-4ee0-9b1d-cc21689f3727'";
          Connection connection = DriverManager.getConnection(host, user,null);
             PreparedStatement ps = connection.prepareStatement(query);
          ps.executeQuery();
      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
       private Object executeQuery(String query) throws Exception {
          if (query.toUpperCase().contains("DELETE") || query.toUpperCase().contains("UPDATE")){
            throw new InjectionSqlException("Query malicious detected. ");
          } else {
            return entityManager.createNativeQuery(query).getSingleResult();
          }
        }

      FREQUENCY : always


        Attachments

          Activity

            People

            • Assignee:
              lancea Lance Andersen
              Reporter:
              webbuggrp Webbug Group
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: