

Added tests for HS-JAVA-134 rule (#687)
rules: add tests for HS-JAVA-134 rule

Signed-off-by: Maximillian Arruda <[email protected]>
(cherry picked from commit b6e7899)
dearrudam authored and matheusalcantarazup committed Oct 28, 2021
1 parent 6e0c4ef commit 309254f
Showing 2 changed files with 70 additions and 0 deletions.
23 changes: 23 additions & 0 deletions internal/services/engines/rules_test.go
Expand Up @@ -443,6 +443,22 @@ func TestRulesVulnerableCode(t *testing.T) {
},
},
},

// Java
{
name: "HS-JAVA-134",
rule: java.NewSQLInjection(),
src: SampleVulnerableJavaSQLInjection,
findings: []engine.Finding{
{
CodeSample: "var pstmt = con.prepareStatement(\"select * from mytable where field01 = '\" + field01 + \"'\");",
SourceLocation: engine.Location{
Line: 14,
Column: 50,
},
},
},
},
}

for _, tt := range testcases {
Expand Down Expand Up @@ -605,6 +621,13 @@ func TestRulesSafeCode(t *testing.T) {
rule: leaks.NewWPConfig(),
src: SampleSafeLeaksRegularWPConfig,
},

// Java
{
name: "HS-JAVA-134",
rule: java.NewSQLInjection(),
src: SampleSafeJavaSQLInjection,
},
}

for _, tt := range testcases {
47 changes: 47 additions & 0 deletions internal/services/engines/samples_test.go
Expand Up @@ -561,4 +561,51 @@ func main() {
<?php
define('AUTH_KEY', getenv("AUTH_KEY"));
`

SampleVulnerableJavaSQLInjection = `
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.sql.DataSource;
public class VulnerableCodeSQLInjection134 {
public void printResults(DataSource ds, String field01) throws SQLException {
try (
var con = ds.getConnection();
var pstmt = con.prepareStatement("select * from mytable where field01 = '" + field01 + "'");
var rs = pstmt.executeQuery()) {
while (rs.next()) {
System.out.println(rs.getString(1));
}
}
}
}
`

SampleSafeJavaSQLInjection = `
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.sql.DataSource;
public class VulnerableCodeSQLInjection134 {
public void printResults(DataSource ds, String field01) throws SQLException {
try {
var con = ds.getConnection();
var pstmt = con.prepareStatement("select * from mytable where field01 = ? ");
pstmt.setString(1,field01);
var rs = pstmt.executeQuery();
while (rs.next()) {
System.out.println(rs.getString(1));
}
}
}
}
`
)
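Review bot: The safe fixture `SampleSafeJavaSQLInjection` is not valid Java: the `try {` inside `printResults` opens a block with no `catch`, `finally` or resource list, and the class is still named `VulnerableCodeSQLInjection134` even though this is the safe sample. The two fixtures are meant to differ only in how the SQL string reaches `prepareStatement`, so the safe one should keep the vulnerable sample's try-with-resources shape and add the `pstmt.setString(1,field01);` bind before the query runs; otherwise the zero-findings expectation in `TestRulesSafeCode` is exercised on an incidental structural difference as much as on the parameterized query. Renaming the class to `SafeCodeSQLInjection134` would also stop the fixture misdescribing itself. Whether the rule currently cares about Java validity I cannot tell from this page, but keeping fixtures compilable avoids surprises if an AST-based check is ever added. The rendered hunk appears to omit blank lines of the original (its counts do not match the visible lines), so line coordinates should be checked against the real file.
```java
public class SafeCodeSQLInjection134 {
    public void printResults(DataSource ds, String field01) throws SQLException {
        try (var con = ds.getConnection();
             var pstmt = con.prepareStatement("select * from mytable where field01 = ? ")) {
            pstmt.setString(1,field01);
            try (var rs = pstmt.executeQuery()) {
                while (rs.next()) {
                    System.out.println(rs.getString(1));
                }
            }
        }
    }
}
```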
