Support for auto handling of SQL Injection in Mule #146

Closed
sanagaraj-pivotal opened this issue Jun 7, 2022 · 0 comments

sanagaraj-pivotal commented Jun 7, 2022

What needs to be done

This PR and the previous PRs related to SQL query support execute the SQL query directly using `jdbctemplate.execute(sqlQueryFromMuleXML)`.

We need a way to automatically sanitise `sqlQueryFromMuleXML` so SQL injection can be prevented.

Ideal translation

Input:

```xml
<?xml version="1.0" encoding="UTF-8"?>

<mule xmlns:dw="http://www.mulesoft.org/schema/mule/ee/dw"
	xmlns:db="http://www.mulesoft.org/schema/mule/db" xmlns:http="http://www.mulesoft.org/schema/mule/http" xmlns="http://www.mulesoft.org/schema/mule/core" xmlns:doc="http://www.mulesoft.org/schema/mule/documentation"
	xmlns:spring="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="
http://www.mulesoft.org/schema/mule/ee/dw http://www.mulesoft.org/schema/mule/ee/dw/current/dw.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-current.xsd
http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
http://www.mulesoft.org/schema/mule/db http://www.mulesoft.org/schema/mule/db/current/mule-db.xsd
http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd">
	<db:mysql-config name="MySQL_Configuration" host="localhost" port="3306" user="root" password="root" doc:name="MySQL Configuration" database="mulemigration"/>
	<flow name="dbFlow">
		<http:listener config-ref="HTTP_Listener_Configuration" path="/db" doc:name="HTTP"/>
		<logger level="INFO" doc:name="Logger"/>
		<db:select config-ref="MySQL_Configuration" doc:name="Database">
			<!-- Mule expressions are interpolated straight into the SQL string -->
			<db:dynamic-query><![CDATA[select * from users where username='#[payload.username]' and password='#[payload.password]']]></db:dynamic-query>
		</db:select>
	</flow>
</mule>
```

Auto generated translation:

```java
    @Bean
    IntegrationFlow sqlInjection(JdbcTemplate jdbcTemplate) {
        return IntegrationFlows.from(
                    Http.inboundGateway("/sql-injection")
                )
                /* TODO: The datatype might not be LinkedMultiValueMap please substitute the right type for payload*/
                .<LinkedMultiValueMap<String, String>>handle((p, h) ->
                        // each #[...] expression becomes a '?' placeholder bound by JdbcTemplate
                        jdbcTemplate.queryForList(
                                "select * from users where username = ? and password = ?",
                                p.getFirst("varForFirstParameter") /* TODO: Translate #[payload.username]*/,
                                p.getFirst("varForSecondParameter") /* TODO: Translate #[payload.password]*/
                        ))
                .log()
                .handle((p, h) -> p)
                .get();
    }
```

Manual translation will look like this:

```java
    @Bean
    IntegrationFlow sqlInjection(JdbcTemplate jdbcTemplate) {
        return IntegrationFlows.from(
                    Http.inboundGateway("/sql-injection")
                )
                .<LinkedMultiValueMap<String, String>>handle((p, h) ->
                        jdbcTemplate.queryForList(
                                "select * from users where username = ? and password = ?",
                                p.getFirst("username"),
                                p.getFirst("password")
                        ))
                .log()
                .handle((p, h) -> p)
                .get();
    }
```

Why it needs to be done

This adds an important security feature to our mule translations.

TBD: translations for auto handling SQL injections.
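The rewriting step the issue asks for, as an added illustration (not code from spring-boot-migrator): a hypothetical `parameterize` helper turns a `db:dynamic-query` string into a positional JDBC query with `?` placeholders and the ordered list of Mule expressions to bind, and `java_argument` maps `payload.<field>` expressions to the `p.getFirst("...")` arguments used in the manual translation. It also covers two cases a generator must not silently "fix": an expression inside a string literal (`LIKE '%#[...]%'`) and one in a table-name position, neither of which JDBC can bind, so they are left inline and reported for manual review.

```python
import re
from dataclasses import dataclass, field

# Mule expression inside a db:dynamic-query, e.g. '#[payload.username]'.
# Surrounding quotes (if present) are consumed: JDBC binding supplies quoting.
MULE_EXPR = re.compile(r"'?#\[([^\]]+)\]'?")
# Keywords after which an expression names a table, not a value; JDBC cannot bind those.
IDENT_CONTEXT = re.compile(r"\b(from|join|into|update)\s*$", re.IGNORECASE)


@dataclass
class ParameterizedQuery:
    sql: str                                    # query text with '?' placeholders
    params: list = field(default_factory=list)  # bound Mule expressions, in order
    unsafe: list = field(default_factory=list)  # expressions left inline for review


def parameterize(dynamic_query: str) -> ParameterizedQuery:
    """Rewrite a Mule dynamic query into a positional JDBC query (hypothetical helper)."""
    out, params, unsafe, pos = [], [], [], 0
    for m in MULE_EXPR.finditer(dynamic_query):
        prefix = dynamic_query[pos:m.start()]
        expr = m.group(1).strip()
        # An odd number of quotes before the match means the expression sits inside
        # a string literal (LIKE '%#[payload.q]%'); a '?' there would be a literal '?'.
        inside_literal = dynamic_query[:m.start()].count("'") % 2 == 1
        if inside_literal or IDENT_CONTEXT.search(prefix):
            out.append(prefix + m.group(0))  # keep verbatim and flag it
            unsafe.append(expr)
        else:
            out.append(prefix + "?")
            params.append(expr)
        pos = m.end()
    out.append(dynamic_query[pos:])
    return ParameterizedQuery("".join(out), params, unsafe)


def java_argument(expr: str) -> str:
    """Map a bound expression to the lambda argument the manual translation uses."""
    m = re.fullmatch(r"payload\.(\w+)", expr)
    if m:
        return f'p.getFirst("{m.group(1)}")'
    return f"null /* TODO: translate #[{expr}] */"
```

Running `parameterize` on the `db:dynamic-query` from the issue yields `select * from users where username=? and password=?` with `payload.username` and `payload.password` as the two bound parameters.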

@fabapp2 fabapp2 closed this as completed in 35868d6 Jul 7, 2022
fabapp2 pushed a commit that referenced this issue Jul 13, 2022
Co-authored-by: sanagaraj-pivotal <sanagaraj@pivotal.io>
fabapp2 pushed a commit that referenced this issue Jul 14, 2022
Co-authored-by: sanagaraj-pivotal <sanagaraj@pivotal.io>
fabapp2 pushed a commit that referenced this issue Jul 14, 2022
Co-authored-by: sanagaraj-pivotal <sanagaraj@pivotal.io>
@fabapp2 fabapp2 added this to the v0.12.0 milestone Sep 20, 2022
@fabapp2 fabapp2 added the type: enhancement New feature or request label Sep 21, 2022