2222import org .kohsuke .stapler .QueryParameter ;
2323import org .kohsuke .stapler .HttpRedirect ;
2424import org .kohsuke .stapler .HttpResponses ;
25+ import org .apache .ibatis .jdbc .SqlRunner ;
26+ import org .springframework .jdbc .core .JdbcTemplate ;
27+ import org .springframework .jdbc .core .namedparam .NamedParameterJdbcTemplate ;
28+ import java .util .Map ;
2529
2630@ Controller
2731public class CsrfUnprotectedRequestTypeTest {
@@ -142,29 +146,46 @@ public void bad6() { // $ hasCsrfUnprotectedRequestType
142146 } catch (SQLException e ) { }
143147 }
144148
149+ // BAD: allows request type not default-protected from CSRF when
150+ // updating a database using `Statement.executeUpdate`
145151 @ RequestMapping ("/" )
146152 public void badStatementExecuteUpdate () { // $ hasCsrfUnprotectedRequestType
147153 try {
148154 String item = "item" ;
149155 String price = "price" ;
150156 Statement statement = connection .createStatement ();
151- String query = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'" ;
152- int count = statement .executeUpdate (query );
157+ String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'" ;
158+ int count = statement .executeUpdate (sql );
153159 } catch (SQLException e ) { }
154160 }
155161
162+ // BAD: allows request type not default-protected from CSRF when
163+ // updating a database using `Statement.executeLargeUpdate`
164+ @ RequestMapping ("/" )
165+ public void badStatementExecuteLargeUpdate () { // $ hasCsrfUnprotectedRequestType
166+ try {
167+ String item = "item" ;
168+ String price = "price" ;
169+ Statement statement = connection .createStatement ();
170+ String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'" ;
171+ long count = statement .executeLargeUpdate (sql );
172+ } catch (SQLException e ) { }
173+ }
174+
175+ // BAD: allows request type not default-protected from CSRF when
176+ // updating a database using `Statement.execute` with SQL UPDATE
156177 @ RequestMapping ("/" )
157178 public void badStatementExecute () { // $ hasCsrfUnprotectedRequestType
158179 try {
159180 String item = "item" ;
160181 String price = "price" ;
161182 Statement statement = connection .createStatement ();
162- String query = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'" ;
163- boolean bool = statement .execute (query );
183+ String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'" ;
184+ boolean bool = statement .execute (sql );
164185 } catch (SQLException e ) { }
165186 }
166187
167- // GOOD: select not insert/ update/delete
188+ // GOOD: does not update a database, queries with SELECT
168189 @ RequestMapping ("/" )
169190 public void goodStatementExecute () {
170191 try {
@@ -176,6 +197,92 @@ public void goodStatementExecute() {
176197 } catch (SQLException e ) { }
177198 }
178199
200+ // BAD: allows request type not default-protected from CSRF when
201+ // updating a database using `SqlRunner.insert`
202+ @ RequestMapping ("/" )
203+ public void badSqlRunnerInsert () { // $ hasCsrfUnprotectedRequestType
204+ try {
205+ String item = "item" ;
206+ String price = "price" ;
207+ String sql = "INSERT PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'" ;
208+ SqlRunner sqlRunner = new SqlRunner (connection );
209+ sqlRunner .insert (sql );
210+ } catch (SQLException e ) { }
211+ }
212+
213+ // BAD: allows request type not default-protected from CSRF when
214+ // updating a database using `SqlRunner.update`
215+ @ RequestMapping ("/" )
216+ public void badSqlRunnerUpdate () { // $ hasCsrfUnprotectedRequestType
217+ try {
218+ String item = "item" ;
219+ String price = "price" ;
220+ String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'" ;
221+ SqlRunner sqlRunner = new SqlRunner (connection );
222+ sqlRunner .update (sql );
223+ } catch (SQLException e ) { }
224+ }
225+
226+ // BAD: allows request type not default-protected from CSRF when
227+ // updating a database using `SqlRunner.delete`
228+ @ RequestMapping ("/" )
229+ public void badSqlRunnerDelete () { // $ hasCsrfUnprotectedRequestType
230+ try {
231+ String item = "item" ;
232+ String price = "price" ;
233+ String sql = "DELETE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'" ;
234+ SqlRunner sqlRunner = new SqlRunner (connection );
235+ sqlRunner .delete (sql );
236+ } catch (SQLException e ) { }
237+ }
238+
239+ // BAD: allows request type not default-protected from CSRF when
240+ // updating a database using `NamedParameterJdbcTemplate.update`
241+ @ RequestMapping ("/" )
242+ public void badNamedParameterJdbcTemplateUpdate () { // $ hasCsrfUnprotectedRequestType
243+ String item = "item" ;
244+ String price = "price" ;
245+ String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'" ;
246+ JdbcTemplate jdbcTemplate = new JdbcTemplate ();
247+ NamedParameterJdbcTemplate nameParamjdbcTemplate = new NamedParameterJdbcTemplate (jdbcTemplate );
248+ nameParamjdbcTemplate .update (sql , null , null );
249+ }
250+
251+ // BAD: allows request type not default-protected from CSRF when
252+ // updating a database using `NamedParameterJdbcTemplate.batchUpdate`
253+ @ RequestMapping ("/" )
254+ public void badNamedParameterJdbcTemplateBatchUpdate () { // $ hasCsrfUnprotectedRequestType
255+ String item = "item" ;
256+ String price = "price" ;
257+ String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'" ;
258+ JdbcTemplate jdbcTemplate = new JdbcTemplate ();
259+ NamedParameterJdbcTemplate nameParamjdbcTemplate = new NamedParameterJdbcTemplate (jdbcTemplate );
260+ nameParamjdbcTemplate .batchUpdate (sql , (Map <String ,?>[]) null );
261+ }
262+
263+ // BAD: allows request type not default-protected from CSRF when
264+ // updating a database using `NamedParameterJdbcTemplate.execute`
265+ @ RequestMapping ("/" )
266+ public void badNamedParameterJdbcTemplateExecute () { // $ hasCsrfUnprotectedRequestType
267+ String item = "item" ;
268+ String price = "price" ;
269+ String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'" ;
270+ JdbcTemplate jdbcTemplate = new JdbcTemplate ();
271+ NamedParameterJdbcTemplate nameParamjdbcTemplate = new NamedParameterJdbcTemplate (jdbcTemplate );
272+ nameParamjdbcTemplate .execute (sql , null );
273+ }
274+
275+ // GOOD: does not update a database, queries with SELECT
276+ @ RequestMapping ("/" )
277+ public void goodNamedParameterJdbcTemplateExecute () {
278+ String category = "category" ;
279+ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
280+ + category + "' ORDER BY PRICE" ;
281+ JdbcTemplate jdbcTemplate = new JdbcTemplate ();
282+ NamedParameterJdbcTemplate nameParamjdbcTemplate = new NamedParameterJdbcTemplate (jdbcTemplate );
283+ nameParamjdbcTemplate .execute (query , null );
284+ }
285+
179286 @ Autowired
180287 private MyBatisService myBatisService ;
181288