teammates icon indicating copy to clipboard operation
teammates copied to clipboard
verified publisher icon TEAMMATES

[#12048] SQL injection test for FeedbackQuestionsDbIT

Open EuniceSim142 opened this issue 1 year ago • 2 comments

Part of #12048. Test for SQL injections in FeedbackQuestions database methods.

Tests not created for the following db methods as they do not accept string params (so they're type-checked at compile time):

  • getFeedbackQuestion
  • getFeedbackQuestionsForSession
  • getFeedbackQuestionsForGiverType (query uses feedbackSession's id which is UUID and giverType which is FeedbackParticipantType)
  • deleteFeedbackQuestion

EuniceSim142 avatar Feb 26 '24 16:02 EuniceSim142

@EuniceSim142 shall we test for the getFeedbackQuestionsForGiverType method as well? Just pass in a FeedbackSession that has injection strings in name / email / etc. I think the other methods that use UUID don't need to be tested. Do also fix the lint checks

I don't think this works as having the sqli string in name and email of feedback session won't inject it into the sql query:

cq.select(root)
                .where(cb.and(
                        cb.equal(fqJoin.get("id"), feedbackSession.getId()),
                        cb.equal(root.get("giverType"), giverType)));

the query only uses giver type and id which are typed, and name and email which contain the sqli are not used in the where clause.

EuniceSim142 avatar Mar 07 '24 08:03 EuniceSim142

@EuniceSim142 Let's get the checks to pass and resolve the merge conflict before we merge.

jayasting98 avatar Mar 19 '24 13:03 jayasting98