I have a system that uses a Oracle database, with a schema that is different from the application user. The schema name itself is not known in advance, so we can't just hardcode it. It's a system property.
Most of the data access is through Hibernate, which can specify the default schema on connection so this is not a problem in those cases.
However, there are a few places where plain SQL queries are used (using spring jdbcTemplate). So right now we have something that boils down to:
Map<String,Object> result = jdbcTemplate.queryForMap("SELECT A, B, C FROM "+schema+".TABLE WHERE blablablah");
And this, of course, is an open SQL injection vulnerability. We're planning security audits and this will be flagged for sure.
So the question is: How do I specify the schema on the query, be it with jdbcTemplate, another Sprint data access utility, or even plain jdbc?
Thank you,
JGN
You can use Connection.setSchema to specify the schema for a JDBC connection. This should be done before you create the Statement to execute a SQL command.
Related
im running Checkmarx on my code and im getting an sql injection vulnerability.
this is the simplified method im using
public String assignRole(String userId, String roleId) {
Optional<RoleEntity> roleEntity = roleRepository.findById(roleId)
if (roleEntity.isPresent()) {
UserEntity user = UserEntity.builder().userId(userId).role(roleEntity.get()).build();
userRepository.save(user);
return "SUCCESS";
} else {
throw new ServiceException("ERROR");
}}
and the analysis of checkmax says:
The application's assignRole method executes an SQL query with save, at line xx of
src/Service.java. The application
constructs this SQL query by embedding an untrusted string into the query without proper sanitization. The
concatenated string is submitted to the database, where it is parsed and executed accordingly.
An attacker would be able to inject arbitrary syntax and data into the SQL query, by crafting a malicious
payload and providing it via the input roleId;
This may enable an SQL Injection attack.
im a little bit confused because im not building a native query or concatenating strings in a query, or maybe im missing something.
any ideas for fix this? or maybe is a false positive.
This sounds like a false positive.
If your Java code uses Spring, I recommend configuring your scan (Settings > Scan Settings > Preset Manager) with the SQL_Injection and Second_Order_SQL_Injection items under the Java section disabled (unchecked) to avoid false positives from these items.
If your code persists data to the database exclusively via the Spring save action, it is not at risk of SQL injection exploitation. That’s because Spring saves (inserts or updates) to the database using an object mapped to your db (the ORM approach) which does not allow additional sql to be maliciously forced in.
Nonetheless, from what I’ve seen, Checkmarx marks Spring save actions, falsely, as high severity SQL Injection vulnerabilities (SQL_Injection and/or Second_Order_SQL_Injection). Given this, disabling those rules seems to me valid and in fact the only viable way around this.
But if you do take this approach, make sure your code does not for some reason also use some other some other sql approach such as a String containing SQL that’s not sanitized via the use of PreparedStatement. Those statements are vulnerable to sql injection exploits and I believe are what the Checkmarx SQL injection rules are intending to identify.
We are trying to implement a query with cosmosTemplate from spring-data-cosmosdb project.
The query has the following syntax:
"select * from movie where ARRAY_CONTAINS(movie.countries, #country)".
CosmosTemplate accepts DocumentQuery object, that is build upon Criteria object. Criteria object supports a small subset of basic predicates like in, or, is equal and etc., but doesn't have array_contains predicate.
At the moment the query is performed by using cosmos client(from sdk), instead of cosmosTemplate.
This brings us two issues:
We have to mix the code by using cosmosTemplate and cosmos client together.
Since we have complex parameterized queries that use system functions, we have to concatenate sql query string and gather sql parameters.
How queries like this should be handled with cosmosTemplate and is that even possible?
P.S we are using com.microsoft.azure:azure-cosmosdb-spring-boot-starter:2.2.5 library.
In the current GA release you will have to use the Client and template together like you mentioned.
The latest beta release includes support for QueryAnnotation Using annotated queries in repositories. Following is an example:
#Query(value = "select * from c where c.firstName = #firstName and c.lastName = #lastName")
List<User> getUsersByTitleAndValue(#Param("firstName") int firstName, #Param("lastName") String lastName);
Ravi's answer is correct. To create custom queries directly from Spring Data connector, there are current two options.
First, you can follow the instructions in the "Custom Query" section of this document
https://learn.microsoft.com/en-us/azure/developer/java/spring-framework/how-to-guides-spring-data-cosmosdb
which guide you through using the Java SDK CosmosClient directly. The current GA release of Spring Data connector does not have #Query annotation which would enable custom query annotation, that is why you need to use the Java SDK directly.
Second, upgrade to the latest beta which enables #Query annotation
https://mvnrepository.com/artifact/com.azure/azure-spring-data-cosmos
Sample code for this will be released in the next few days, and the GA release is scheduled for 9/30 so it is not a long wait.
After a research in azure sdk, I've found that at the moment not all system functions are supported by cosmosTemplate.
List of supported system functions can be found there:
https://github.com/Azure/azure-sdk-for-java/blob/master/sdk/cosmos/azure-spring-data-cosmos/src/main/java/com/azure/spring/data/cosmos/core/query/CriteriaType.java
If you wan't to write query that uses system function, that isn't in the list in the link above, you can use either #Query annotation or directly use cosmos client instead of cosmosTemplate.
I am using Oracle as my database, Spring Boot as my framework.
I don't know how to write a test case to check database query?
I have heard that it is possible through In-Memory Database. But don't find a proper example.
Suppose in my code I have written a SQL query that SELECT * FROM tableName and it is returning me a ResultSet Object.
So in while writing test case how can I check that?
Every time I don't want to go into the database and fetch a query.
I know that is possible but my question is how can I replace my query's result with a dummy result which I will store in any file.
Thanks in advance
You should initialize your Hibernate SessionFactory with another hibernate config, that uses H2 in-memory database, example test-hibenate.properties:
hibernate.dialect=org.hibernate.dialect.H2Dialect
hibernate.connection.url=jdbc:h2:mem:orm
javax.persistence.schema-generation.database.action=drop-and-create
Then in your tests you can use your DAO's just in regular way.
If you use plain JDBC, you can create connection to H2 in-memory database this way:
Connection connection = DriverManager.getConnection("jdbc:h2:mem:test;DB_CLOSE_DELAY=-1", "", "");
And you will need H2 database dependency:
https://mvnrepository.com/artifact/com.h2database/h2
I already have an existing code base, where schema(like db_1, db_2..) are created at run time.
We are currently using JdbcTemplate, using that its quite easy to append schema in the native SQL queries some thing like :-
sql = " Select * from "+schema+".user";
jdbcTemplate.query(sql, new UserMapper());
Now I want to know is how to provide schema to hibernate at runtime like I did with the jdbcTemplate?
What connection url should I provide in hibernate.cfg.xml so that it doesn't connects to a single schema rather whole database?
Any suggestions will be helpfull.
P.S: I am new to hibernate (So I might have missed something stupid)
I know of two options:
Use native SQL query binding results to JPA entities. Details here.
Use Hibernate multi-tenancy. Details here and here.
Although I haven't tried either.
I have this error when trying to generate the meta model with JOOQ:
org.jooq.exception.DataAccessException: SQL [select [SYS].[SYSUSER].[user_name] from [SYS].[SYSUSER]]; SYS.SYSUSER not found.
It's probably because the user does not have administration rights.
Can JOOQ generate metamodel code from create statements?
I don't have another user. Any suggestions?
You're probably using the wrong database as understood by jOOQ, as documented here:
http://www.jooq.org/manual/META/Configuration/
Note, how the documentation states:
<!-- The database dialect from jooq-meta. Available dialects are
named org.util.[database].[database]Database. Known values are:
org.jooq.util.ase.ASEDatabase
[...]
org.jooq.util.sybase.SybaseDatabase
You can also provide your own org.jooq.util.Database implementation
here, if your database is currently not supported -->
<name>org.jooq.util.oracle.OracleDatabase</name>
The SQL you've mentioned seems to be from the SybaseDatabase class (which corresponds to Sybase SQL Anywhere), whereas you should use the ASEDatabase class instead, generating calls to sp_help