-
Notifications
You must be signed in to change notification settings - Fork 3.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[#12901] Added the check for search service and moved the method to the correct file #13021
base: master
Are you sure you want to change the base?
Changes from 5 commits
12d1d20
f19e93c
ecc6bbc
1ce6ab1
3868de8
c807729
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -164,4 +164,23 @@ private static void verifySearchResults(List<AccountRequest> actual, | |
AssertHelper.assertSameContentIgnoreOrder(Arrays.asList(expected), actual); | ||
} | ||
|
||
} | ||
@Test | ||
public void testSqlInjectionSearchAccountRequestsInWholeSystem() throws Exception { | ||
|
||
if (!TestProperties.isSearchServiceActive()) { | ||
return; | ||
} | ||
|
||
______TS("SQL Injection test in searchAccountRequestsInWholeSystem"); | ||
|
||
AccountRequest accountRequest = new AccountRequest("test@gmail.com", "name", "institute"); | ||
accountRequestsDb.createAccountRequest(accountRequest); | ||
|
||
String searchInjection = "institute'; DROP TABLE account_requests; --"; | ||
List<AccountRequest> actualInjection = accountRequestsDb.searchAccountRequestsInWholeSystem(searchInjection); | ||
assertEquals(0, actualInjection.size()); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think the component test is failing here where 0 is expected whereas actual is 11, maybe you could check why is it returning such a value. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. yes i am trying to fix it. Thanks for the feedback |
||
|
||
AccountRequest actual = accountRequestsDb.getAccountRequest("test@gmail.com", "institute"); | ||
assertEquals(accountRequest, actual); | ||
} | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -5,6 +5,7 @@ | |
|
||
import org.apache.solr.client.solrj.SolrQuery; | ||
import org.apache.solr.client.solrj.response.QueryResponse; | ||
import org.apache.solr.client.solrj.util.ClientUtils; | ||
import org.apache.solr.common.SolrDocument; | ||
|
||
import teammates.common.exception.SearchServiceException; | ||
|
@@ -50,7 +51,10 @@ void sortResult(List<AccountRequest> result) { | |
* Searches for account requests. | ||
*/ | ||
public List<AccountRequest> searchAccountRequests(String queryString) throws SearchServiceException { | ||
SolrQuery query = getBasicQuery(queryString); | ||
// Escape special characters in the query string | ||
String escapedQueryString = ClientUtils.escapeQueryChars(queryString); | ||
|
||
SolrQuery query = getBasicQuery(escapedQueryString); | ||
Comment on lines
+54
to
+57
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This is an interesting solution. From what I know, the only special characters here are the two Regardless, I am also not sure if this can be accepted. Wouldn't this prevent a user from using those special characters when using the search functionality? We may want to see if we can find an alternative way to solve this instead. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. you are right, it isn't passing the tests. if I update it all the changes will be lost There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Since the comment have been escaped, it shouldn't return 0 responses? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. if the response is an error the list size should be 0, but what if in our case we don't check it and it accepts the error as a response? That would cause a non-empty-list There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
We cannot merge this into the |
||
|
||
QueryResponse response = performQuery(query); | ||
return convertDocumentToEntities(response.getResults()); | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's ensure the files have trailing newlines. That means also for the
AccountRequestSearchIT.java
file.