|
1 | 1 | package org.sasanlabs.service.vulnerability.sqlInjection; |
2 | 2 |
|
3 | | -import static org.mockito.Mockito.*; |
4 | 3 | import static org.junit.jupiter.api.Assertions.*; |
| 4 | +import static org.mockito.Mockito.*; |
5 | 5 |
|
6 | 6 | import java.sql.ResultSet; |
7 | 7 | import java.sql.SQLException; |
8 | 8 | import java.util.HashMap; |
9 | 9 | import java.util.Map; |
10 | | - |
11 | 10 | import org.junit.jupiter.api.BeforeEach; |
12 | 11 | import org.junit.jupiter.api.Test; |
13 | 12 | import org.mockito.InjectMocks; |
|
21 | 20 |
|
22 | 21 | public class BlindSQLInjectionVulnerabilityTest { |
23 | 22 |
|
24 | | - @Mock |
25 | | - private JdbcTemplate jdbcTemplate; |
26 | | - |
27 | | - @InjectMocks |
28 | | - private BlindSQLInjectionVulnerability blindSQLInjectionVulnerability; |
29 | | - |
30 | | - @BeforeEach |
31 | | - public void setUp() { |
32 | | - MockitoAnnotations.openMocks(this); |
33 | | - } |
34 | | - |
35 | | - @Test |
36 | | - public void testGetCarInformationLevel1_CarPresent() throws SQLException { |
37 | | - // Arrange |
38 | | - String id = "1"; |
39 | | - Map<String, String> queryParams = new HashMap<>(); |
40 | | - queryParams.put("id", id); |
41 | | - |
42 | | - // The query is simulated to have returned a result (i.e. there is a car with ID "1") |
43 | | - ResultSet mockResultSet = mock(ResultSet.class); |
44 | | - when(mockResultSet.next()).thenReturn(true); |
45 | | - |
46 | | - // return rse.extractData(mockResultSet); indicates that the ResultSetExtractor extracts the data from the mockResultSet (which mocks the query result) |
47 | | - when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class))).thenAnswer(invocation -> { |
48 | | - ResultSetExtractor<ResponseEntity<String>> rse = invocation.getArgument(1); |
49 | | - return rse.extractData(mockResultSet); |
50 | | - }); |
51 | | - |
52 | | - // Act |
53 | | - ResponseEntity<String> response = blindSQLInjectionVulnerability.getCarInformationLevel1(queryParams); |
54 | | - |
55 | | - // Assert |
56 | | - assertEquals(HttpStatus.OK, response.getStatusCode()); |
57 | | - assertEquals("{ \"isCarPresent\": true}", response.getBody()); |
58 | | - } |
59 | | - |
60 | | - @Test |
61 | | - public void testGetCarInformationLevel1_CarNotPresent() throws SQLException { |
62 | | - // Arrange |
63 | | - String id = "2"; |
64 | | - Map<String, String> queryParams = new HashMap<>(); |
65 | | - queryParams.put("id", id); |
66 | | - |
67 | | - // The query is simulated to have returned a result (i.e. there is no a car with ID "2") |
68 | | - ResultSet mockResultSet = mock(ResultSet.class); |
69 | | - when(mockResultSet.next()).thenReturn(false); |
70 | | - |
71 | | - // return rse.extractData(mockResultSet); indicates that the ResultSetExtractor extracts the data from the mockResultSet (which mocks the query result) |
72 | | - when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class))).thenAnswer(invocation -> { |
73 | | - ResultSetExtractor<ResponseEntity<String>> rse = invocation.getArgument(1); |
74 | | - return rse.extractData(mockResultSet); |
75 | | - }); |
76 | | - |
77 | | - // Act |
78 | | - ResponseEntity<String> response = blindSQLInjectionVulnerability.getCarInformationLevel1(queryParams); |
79 | | - |
80 | | - // Assert |
81 | | - assertEquals(HttpStatus.OK, response.getStatusCode()); |
82 | | - assertEquals(ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE, response.getBody()); |
83 | | - } |
84 | | - |
85 | | - @Test |
86 | | - public void testGetCarInformationLevel2_CarPresent() throws SQLException { |
87 | | - // Arrange |
88 | | - String id = "1"; |
89 | | - Map<String, String> queryParams = new HashMap<>(); |
90 | | - queryParams.put("id", id); |
91 | | - |
92 | | - // Mock the ResultSet behavior |
93 | | - ResultSet mockResultSet = mock(ResultSet.class); |
94 | | - when(mockResultSet.next()).thenReturn(true); |
95 | | - |
96 | | - // Mock the query method of JdbcTemplate |
97 | | - when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class))).thenAnswer(invocation -> { |
98 | | - ResultSetExtractor<ResponseEntity<String>> rse = invocation.getArgument(1); |
99 | | - return rse.extractData(mockResultSet); |
100 | | - }); |
101 | | - |
102 | | - // Act |
103 | | - ResponseEntity<String> response = blindSQLInjectionVulnerability.getCarInformationLevel2(queryParams); |
104 | | - |
105 | | - // Assert |
106 | | - assertEquals(HttpStatus.OK, response.getStatusCode()); |
107 | | - assertEquals("{ \"isCarPresent\": true}", response.getBody()); |
108 | | - } |
109 | | - |
110 | | - @Test |
111 | | - public void testGetCarInformationLevel2_CarNotPresent() throws SQLException { |
112 | | - // Arrange |
113 | | - String id = "2"; |
114 | | - Map<String, String> queryParams = new HashMap<>(); |
115 | | - queryParams.put("id", id); |
116 | | - |
117 | | - // Mock the ResultSet behavior |
118 | | - ResultSet mockResultSet = mock(ResultSet.class); |
119 | | - when(mockResultSet.next()).thenReturn(false); |
120 | | - |
121 | | - // Mock the query method of JdbcTemplate |
122 | | - when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class))).thenAnswer(invocation -> { |
123 | | - ResultSetExtractor<ResponseEntity<String>> rse = invocation.getArgument(1); |
124 | | - return rse.extractData(mockResultSet); |
125 | | - }); |
126 | | - |
127 | | - // Act |
128 | | - ResponseEntity<String> response = blindSQLInjectionVulnerability.getCarInformationLevel2(queryParams); |
129 | | - |
130 | | - // Assert |
131 | | - assertEquals(HttpStatus.OK, response.getStatusCode()); |
132 | | - assertEquals(ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE, response.getBody()); |
133 | | - } |
134 | | - |
135 | | - @Test |
136 | | - public void testGetCarInformationLevel3_CarPresent() throws SQLException { |
137 | | - // Arrange |
138 | | - String id = "1"; |
139 | | - Map<String, String> queryParams = new HashMap<>(); |
140 | | - queryParams.put("id", id); |
141 | | - |
142 | | - // Mock the ResultSet behavior |
143 | | - ResultSet mockResultSet = mock(ResultSet.class); |
144 | | - when(mockResultSet.next()).thenReturn(true); |
145 | | - |
146 | | - // Mock the query method of JdbcTemplate |
147 | | - when(jdbcTemplate.query((PreparedStatementCreator) any(), any(), any(ResultSetExtractor.class))).thenAnswer(invocation -> { |
148 | | - ResultSetExtractor<ResponseEntity<String>> rse = invocation.getArgument(2); |
149 | | - return rse.extractData(mockResultSet); |
150 | | - }); |
151 | | - |
152 | | - // Act |
153 | | - ResponseEntity<String> response = blindSQLInjectionVulnerability.getCarInformationLevel3(queryParams); |
154 | | - |
155 | | - // Assert |
156 | | - assertEquals(HttpStatus.OK, response.getStatusCode()); |
157 | | - assertEquals("{ \"isCarPresent\": true}", response.getBody()); |
158 | | - } |
159 | | - |
160 | | - @Test |
161 | | - public void testGetCarInformationLevel3_CarNotPresent() throws SQLException { |
162 | | - // Arrange |
163 | | - String id = "2"; |
164 | | - Map<String, String> queryParams = new HashMap<>(); |
165 | | - queryParams.put("id", id); |
166 | | - |
167 | | - // Mock the ResultSet behavior |
168 | | - ResultSet mockResultSet = mock(ResultSet.class); |
169 | | - when(mockResultSet.next()).thenReturn(false); |
170 | | - |
171 | | - // Mock the query method of JdbcTemplate |
172 | | - when(jdbcTemplate.query((PreparedStatementCreator) any(), any(), any(ResultSetExtractor.class))).thenAnswer(invocation -> { |
173 | | - ResultSetExtractor<ResponseEntity<String>> rse = invocation.getArgument(2); |
174 | | - return rse.extractData(mockResultSet); |
175 | | - }); |
176 | | - |
177 | | - // Act |
178 | | - ResponseEntity<String> response = blindSQLInjectionVulnerability.getCarInformationLevel3(queryParams); |
179 | | - |
180 | | - // Assert |
181 | | - assertEquals(HttpStatus.OK, response.getStatusCode()); |
182 | | - assertEquals(ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE, response.getBody()); |
183 | | - } |
| 23 | + @Mock private JdbcTemplate jdbcTemplate; |
| 24 | + |
| 25 | + @InjectMocks private BlindSQLInjectionVulnerability blindSQLInjectionVulnerability; |
| 26 | + |
| 27 | + @BeforeEach |
| 28 | + public void setUp() { |
| 29 | + MockitoAnnotations.openMocks(this); |
| 30 | + } |
| 31 | + |
| 32 | + @Test |
| 33 | + public void testGetCarInformationLevel1_CarPresent() throws SQLException { |
| 34 | + // Arrange |
| 35 | + String id = "1"; |
| 36 | + Map<String, String> queryParams = new HashMap<>(); |
| 37 | + queryParams.put("id", id); |
| 38 | + |
| 39 | + // The query is simulated to have returned a result (i.e. there is a car with ID "1") |
| 40 | + ResultSet mockResultSet = mock(ResultSet.class); |
| 41 | + when(mockResultSet.next()).thenReturn(true); |
| 42 | + |
| 43 | + // return rse.extractData(mockResultSet); indicates that the ResultSetExtractor extracts the |
| 44 | + // data from the mockResultSet (which mocks the query result) |
| 45 | + when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class))) |
| 46 | + .thenAnswer( |
| 47 | + invocation -> { |
| 48 | + ResultSetExtractor<ResponseEntity<String>> rse = invocation.getArgument(1); |
| 49 | + |
| 50 | + return rse.extractData(mockResultSet); |
| 51 | + }); |
| 52 | + |
| 53 | + // Act |
| 54 | + ResponseEntity<String> response = |
| 55 | + blindSQLInjectionVulnerability.getCarInformationLevel1(queryParams); |
| 56 | + |
| 57 | + // Assert |
| 58 | + assertEquals(HttpStatus.OK, response.getStatusCode()); |
| 59 | + assertEquals("{ \"isCarPresent\": true}", response.getBody()); |
| 60 | + } |
| 61 | + |
| 62 | + @Test |
| 63 | + public void testGetCarInformationLevel1_CarNotPresent() throws SQLException { |
| 64 | + // Arrange |
| 65 | + String id = "2"; |
| 66 | + Map<String, String> queryParams = new HashMap<>(); |
| 67 | + queryParams.put("id", id); |
| 68 | + |
| 69 | + // The query is simulated to have returned a result (i.e. there is no a car with ID "2") |
| 70 | + ResultSet mockResultSet = mock(ResultSet.class); |
| 71 | + when(mockResultSet.next()).thenReturn(false); |
| 72 | + |
| 73 | + // return rse.extractData(mockResultSet); indicates that the ResultSetExtractor extracts the |
| 74 | + // data from the mockResultSet (which mocks the query result) |
| 75 | + when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class))) |
| 76 | + .thenAnswer( |
| 77 | + invocation -> { |
| 78 | + ResultSetExtractor<ResponseEntity<String>> rse = invocation.getArgument(1); |
| 79 | + return rse.extractData(mockResultSet); |
| 80 | + }); |
| 81 | + |
| 82 | + // Act |
| 83 | + ResponseEntity<String> response = |
| 84 | + blindSQLInjectionVulnerability.getCarInformationLevel1(queryParams); |
| 85 | + |
| 86 | + // Assert |
| 87 | + assertEquals(HttpStatus.OK, response.getStatusCode()); |
| 88 | + assertEquals( |
| 89 | + ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE, response.getBody()); |
| 90 | + } |
| 91 | + |
| 92 | + @Test |
| 93 | + public void testGetCarInformationLevel2_CarPresent() throws SQLException { |
| 94 | + // Arrange |
| 95 | + String id = "1"; |
| 96 | + Map<String, String> queryParams = new HashMap<>(); |
| 97 | + queryParams.put("id", id); |
| 98 | + |
| 99 | + // Mock the ResultSet behavior |
| 100 | + ResultSet mockResultSet = mock(ResultSet.class); |
| 101 | + when(mockResultSet.next()).thenReturn(true); |
| 102 | + |
| 103 | + // Mock the query method of JdbcTemplate |
| 104 | + when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class))) |
| 105 | + .thenAnswer( |
| 106 | + invocation -> { |
| 107 | + ResultSetExtractor<ResponseEntity<String>> rse = invocation.getArgument(1); |
| 108 | + return rse.extractData(mockResultSet); |
| 109 | + }); |
| 110 | + |
| 111 | + // Act |
| 112 | + ResponseEntity<String> response = |
| 113 | + blindSQLInjectionVulnerability.getCarInformationLevel2(queryParams); |
| 114 | + |
| 115 | + // Assert |
| 116 | + assertEquals(HttpStatus.OK, response.getStatusCode()); |
| 117 | + assertEquals("{ \"isCarPresent\": true}", response.getBody()); |
| 118 | + } |
| 119 | + |
| 120 | + @Test |
| 121 | + public void testGetCarInformationLevel2_CarNotPresent() throws SQLException { |
| 122 | + // Arrange |
| 123 | + String id = "2"; |
| 124 | + Map<String, String> queryParams = new HashMap<>(); |
| 125 | + queryParams.put("id", id); |
| 126 | + |
| 127 | + // Mock the ResultSet behavior |
| 128 | + ResultSet mockResultSet = mock(ResultSet.class); |
| 129 | + when(mockResultSet.next()).thenReturn(false); |
| 130 | + |
| 131 | + // Mock the query method of JdbcTemplate |
| 132 | + when(jdbcTemplate.query(anyString(), any(ResultSetExtractor.class))) |
| 133 | + .thenAnswer( |
| 134 | + invocation -> { |
| 135 | + ResultSetExtractor<ResponseEntity<String>> rse = invocation.getArgument(1); |
| 136 | + return rse.extractData(mockResultSet); |
| 137 | + }); |
| 138 | + |
| 139 | + // Act |
| 140 | + ResponseEntity<String> response = |
| 141 | + blindSQLInjectionVulnerability.getCarInformationLevel2(queryParams); |
| 142 | + |
| 143 | + // Assert |
| 144 | + assertEquals(HttpStatus.OK, response.getStatusCode()); |
| 145 | + assertEquals( |
| 146 | + ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE, response.getBody()); |
| 147 | + } |
| 148 | + |
| 149 | + @Test |
| 150 | + public void testGetCarInformationLevel3_CarPresent() throws SQLException { |
| 151 | + // Arrange |
| 152 | + String id = "1"; |
| 153 | + Map<String, String> queryParams = new HashMap<>(); |
| 154 | + queryParams.put("id", id); |
| 155 | + |
| 156 | + // Mock the ResultSet behavior |
| 157 | + ResultSet mockResultSet = mock(ResultSet.class); |
| 158 | + when(mockResultSet.next()).thenReturn(true); |
| 159 | + |
| 160 | + // Mock the query method of JdbcTemplate |
| 161 | + when(jdbcTemplate.query((PreparedStatementCreator) any(), any(), any(ResultSetExtractor.class))) |
| 162 | + .thenAnswer( |
| 163 | + invocation -> { |
| 164 | + ResultSetExtractor<ResponseEntity<String>> rse = invocation.getArgument(2); |
| 165 | + return rse.extractData(mockResultSet); |
| 166 | + }); |
| 167 | + |
| 168 | + // Act |
| 169 | + ResponseEntity<String> response = |
| 170 | + blindSQLInjectionVulnerability.getCarInformationLevel3(queryParams); |
| 171 | + |
| 172 | + // Assert |
| 173 | + assertEquals(HttpStatus.OK, response.getStatusCode()); |
| 174 | + assertEquals("{ \"isCarPresent\": true}", response.getBody()); |
| 175 | + } |
| 176 | + |
| 177 | + @Test |
| 178 | + public void testGetCarInformationLevel3_CarNotPresent() throws SQLException { |
| 179 | + // Arrange |
| 180 | + String id = "2"; |
| 181 | + Map<String, String> queryParams = new HashMap<>(); |
| 182 | + queryParams.put("id", id); |
| 183 | + |
| 184 | + // Mock the ResultSet behavior |
| 185 | + ResultSet mockResultSet = mock(ResultSet.class); |
| 186 | + when(mockResultSet.next()).thenReturn(false); |
| 187 | + |
| 188 | + // Mock the query method of JdbcTemplate |
| 189 | + when(jdbcTemplate.query((PreparedStatementCreator) any(), any(), any(ResultSetExtractor.class))) |
| 190 | + .thenAnswer( |
| 191 | + invocation -> { |
| 192 | + ResultSetExtractor<ResponseEntity<String>> rse = invocation.getArgument(2); |
| 193 | + return rse.extractData(mockResultSet); |
| 194 | + }); |
| 195 | + |
| 196 | + // Act |
| 197 | + ResponseEntity<String> response = |
| 198 | + blindSQLInjectionVulnerability.getCarInformationLevel3(queryParams); |
| 199 | + |
| 200 | + // Assert |
| 201 | + assertEquals(HttpStatus.OK, response.getStatusCode()); |
| 202 | + assertEquals( |
| 203 | + ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE, response.getBody()); |
| 204 | + } |
184 | 205 | } |
0 commit comments