2222import org .kohsuke .stapler .QueryParameter ;
2323import org .kohsuke .stapler .HttpRedirect ;
2424import org .kohsuke .stapler .HttpResponses ;
25+ import org .apache .ibatis .jdbc .SqlRunner ;
26+ import org .springframework .jdbc .core .JdbcTemplate ;
27+ import org .springframework .jdbc .core .namedparam .NamedParameterJdbcTemplate ;
28+ import java .util .Map ;
2529
2630@ Controller
2731public class CsrfUnprotectedRequestTypeTest {
@@ -142,29 +146,46 @@ public void bad6() { // $ hasCsrfUnprotectedRequestType
142146 } catch (SQLException e ) { }
143147 }
144148
149+ // BAD: allows request type not default-protected from CSRF when
150+ // updating a database using `Statement.executeUpdate`
145151 @ RequestMapping ("/" )
146152 public void badStatementExecuteUpdate () { // $ hasCsrfUnprotectedRequestType
147153 try {
148154 String item = "item" ;
149155 String price = "price" ;
150156 Statement statement = connection .createStatement ();
151- String query = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'" ;
152- int count = statement .executeUpdate (query );
157+ String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'" ;
158+ int count = statement .executeUpdate (sql );
153159 } catch (SQLException e ) { }
154160 }
155161
162+ // BAD: allows request type not default-protected from CSRF when
163+ // updating a database using `Statement.executeLargeUpdate`
164+ @ RequestMapping ("/" )
165+ public void badStatementExecuteLargeUpdate () { // $ hasCsrfUnprotectedRequestType
166+ try {
167+ String item = "item" ;
168+ String price = "price" ;
169+ Statement statement = connection .createStatement ();
170+ String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'" ;
171+ long count = statement .executeLargeUpdate (sql );
172+ } catch (SQLException e ) { }
173+ }
174+
175+ // BAD: allows request type not default-protected from CSRF when
176+ // updating a database using `Statement.execute` with SQL UPDATE
156177 @ RequestMapping ("/" )
157178 public void badStatementExecute () { // $ hasCsrfUnprotectedRequestType
158179 try {
159180 String item = "item" ;
160181 String price = "price" ;
161182 Statement statement = connection .createStatement ();
162- String query = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'" ;
163- boolean bool = statement .execute (query );
183+ String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'" ;
184+ boolean bool = statement .execute (sql );
164185 } catch (SQLException e ) { }
165186 }
166187
167- // GOOD: select not insert/ update/delete
188+ // GOOD: does not update a database, queries with SELECT
168189 @ RequestMapping ("/" )
169190 public void goodStatementExecute () {
170191 try {
@@ -176,6 +197,135 @@ public void goodStatementExecute() {
176197 } catch (SQLException e ) { }
177198 }
178199
200+ // BAD: allows request type not default-protected from CSRF when
201+ // updating a database using `SqlRunner.insert`
202+ @ RequestMapping ("/" )
203+ public void badSqlRunnerInsert () { // $ hasCsrfUnprotectedRequestType
204+ try {
205+ String item = "item" ;
206+ String price = "price" ;
207+ String sql = "INSERT PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'" ;
208+ SqlRunner sqlRunner = new SqlRunner (connection );
209+ sqlRunner .insert (sql );
210+ } catch (SQLException e ) { }
211+ }
212+
213+ // BAD: allows request type not default-protected from CSRF when
214+ // updating a database using `SqlRunner.update`
215+ @ RequestMapping ("/" )
216+ public void badSqlRunnerUpdate () { // $ hasCsrfUnprotectedRequestType
217+ try {
218+ String item = "item" ;
219+ String price = "price" ;
220+ String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'" ;
221+ SqlRunner sqlRunner = new SqlRunner (connection );
222+ sqlRunner .update (sql );
223+ } catch (SQLException e ) { }
224+ }
225+
226+ // BAD: allows request type not default-protected from CSRF when
227+ // updating a database using `SqlRunner.delete`
228+ @ RequestMapping ("/" )
229+ public void badSqlRunnerDelete () { // $ hasCsrfUnprotectedRequestType
230+ try {
231+ String item = "item" ;
232+ String price = "price" ;
233+ String sql = "DELETE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'" ;
234+ SqlRunner sqlRunner = new SqlRunner (connection );
235+ sqlRunner .delete (sql );
236+ } catch (SQLException e ) { }
237+ }
238+
239+ // BAD: allows request type not default-protected from CSRF when
240+ // updating a database using `JdbcTemplate.update`
241+ @ RequestMapping ("/" )
242+ public void badJdbcTemplateUpdate () { // $ hasCsrfUnprotectedRequestType
243+ String item = "item" ;
244+ String price = "price" ;
245+ String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'" ;
246+ JdbcTemplate jdbcTemplate = new JdbcTemplate ();
247+ jdbcTemplate .update (sql );
248+ }
249+
250+ // BAD: allows request type not default-protected from CSRF when
251+ // updating a database using `JdbcTemplate.batchUpdate`
252+ @ RequestMapping ("/" )
253+ public void badJdbcTemplateBatchUpdate () { // $ hasCsrfUnprotectedRequestType
254+ String item = "item" ;
255+ String price = "price" ;
256+ String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'" ;
257+ JdbcTemplate jdbcTemplate = new JdbcTemplate ();
258+ jdbcTemplate .batchUpdate (sql , null , null );
259+ }
260+
261+ // BAD: allows request type not default-protected from CSRF when
262+ // updating a database using `JdbcTemplate.execute`
263+ @ RequestMapping ("/" )
264+ public void badJdbcTemplateExecute () { // $ hasCsrfUnprotectedRequestType
265+ String item = "item" ;
266+ String price = "price" ;
267+ String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'" ;
268+ JdbcTemplate jdbcTemplate = new JdbcTemplate ();
269+ jdbcTemplate .execute (sql );
270+ }
271+
272+ // GOOD: does not update a database, queries with SELECT
273+ @ RequestMapping ("/" )
274+ public void goodJdbcTemplateExecute () {
275+ String category = "category" ;
276+ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
277+ + category + "' ORDER BY PRICE" ;
278+ JdbcTemplate jdbcTemplate = new JdbcTemplate ();
279+ jdbcTemplate .execute (query );
280+ }
281+
282+ // BAD: allows request type not default-protected from CSRF when
283+ // updating a database using `NamedParameterJdbcTemplate.update`
284+ @ RequestMapping ("/" )
285+ public void badNamedParameterJdbcTemplateUpdate () { // $ hasCsrfUnprotectedRequestType
286+ String item = "item" ;
287+ String price = "price" ;
288+ String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'" ;
289+ JdbcTemplate jdbcTemplate = new JdbcTemplate ();
290+ NamedParameterJdbcTemplate namedParamJdbcTemplate = new NamedParameterJdbcTemplate (jdbcTemplate );
291+ namedParamJdbcTemplate .update (sql , null , null );
292+ }
293+
294+ // BAD: allows request type not default-protected from CSRF when
295+ // updating a database using `NamedParameterJdbcTemplate.batchUpdate`
296+ @ RequestMapping ("/" )
297+ public void badNamedParameterJdbcTemplateBatchUpdate () { // $ hasCsrfUnprotectedRequestType
298+ String item = "item" ;
299+ String price = "price" ;
300+ String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'" ;
301+ JdbcTemplate jdbcTemplate = new JdbcTemplate ();
302+ NamedParameterJdbcTemplate namedParamJdbcTemplate = new NamedParameterJdbcTemplate (jdbcTemplate );
303+ namedParamJdbcTemplate .batchUpdate (sql , (Map <String ,?>[]) null );
304+ }
305+
306+ // BAD: allows request type not default-protected from CSRF when
307+ // updating a database using `NamedParameterJdbcTemplate.execute`
308+ @ RequestMapping ("/" )
309+ public void badNamedParameterJdbcTemplateExecute () { // $ hasCsrfUnprotectedRequestType
310+ String item = "item" ;
311+ String price = "price" ;
312+ String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'" ;
313+ JdbcTemplate jdbcTemplate = new JdbcTemplate ();
314+ NamedParameterJdbcTemplate namedParamJdbcTemplate = new NamedParameterJdbcTemplate (jdbcTemplate );
315+ namedParamJdbcTemplate .execute (sql , null );
316+ }
317+
318+ // GOOD: does not update a database, queries with SELECT
319+ @ RequestMapping ("/" )
320+ public void goodNamedParameterJdbcTemplateExecute () {
321+ String category = "category" ;
322+ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
323+ + category + "' ORDER BY PRICE" ;
324+ JdbcTemplate jdbcTemplate = new JdbcTemplate ();
325+ NamedParameterJdbcTemplate namedParamJdbcTemplate = new NamedParameterJdbcTemplate (jdbcTemplate );
326+ namedParamJdbcTemplate .execute (query , null );
327+ }
328+
179329 @ Autowired
180330 private MyBatisService myBatisService ;
181331
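Review bot: The SQL fixtures in `badSqlRunnerInsert` and `badSqlRunnerDelete` are not well-formed statements — `INSERT PRODUCT SET ... WHERE ...` and `DELETE PRODUCT SET ... WHERE ...` borrow the `SET`/`WHERE` shape of the UPDATE fixture, which neither INSERT nor DELETE accepts. Since these methods are only analysed statically, the malformed text presumably does not change the expected `hasCsrfUnprotectedRequestType` result, but a well-formed statement keeps the fixture honest if the query ever keys on the statement verb or on clause structure. I would change them to `String sql = "INSERT INTO PRODUCT (ITEM, PRICE) VALUES ('" + item + "', '" + price + "')";` and `String sql = "DELETE FROM PRODUCT WHERE ITEM='" + item + "'";` (the unused `price` local in the delete case can then go). The enclosing class `CsrfUnprotectedRequestTypeTest` continues past the end of this hunk.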