Commit 0e588176 authored by Vetle.Hjelmtvedt's avatar Vetle.Hjelmtvedt

Merge branch 'task1' into 'master'

Task1 - SQL Injection

See merge request !1
parents b4038162 c78ebd70
# Default ignored files
/shelf/
/workspace.xml
# Editor-based HTTP Client requests
/httpRequests/
# Datasource local storage ignored files
/dataSources/
/dataSources.local.xml
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="CompilerConfiguration">
<annotationProcessing>
<profile name="Maven default annotation processors profile" enabled="true">
<sourceOutputDir name="target/generated-sources/annotations" />
<sourceTestOutputDir name="target/generated-test-sources/test-annotations" />
<outputRelativeToContentRoot value="true" />
<module name="inchat" />
</profile>
</annotationProcessing>
</component>
<component name="JavacSettings">
<option name="ADDITIONAL_OPTIONS_OVERRIDE">
<module name="inchat" options="-Xlint:all,-options,-path" />
</option>
</component>
</project>
\ No newline at end of file
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="DataSourceManagerImpl" format="xml" multifile-model="true">
<data-source source="LOCAL" name="production" uuid="a2fcbe37-87b6-4a1f-a8c0-4102cd0f3616">
<driver-ref>sqlite.xerial</driver-ref>
<synchronize>true</synchronize>
<jdbc-driver>org.sqlite.JDBC</jdbc-driver>
<jdbc-url>jdbc:sqlite:$PROJECT_DIR$/production.db</jdbc-url>
<working-dir>$ProjectFileDir$</working-dir>
</data-source>
</component>
</project>
\ No newline at end of file
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="Encoding">
<file url="file://$PROJECT_DIR$/src/main/java" charset="UTF-8" />
</component>
</project>
\ No newline at end of file
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="RemoteRepositoriesConfiguration">
<remote-repository>
<option name="id" value="central" />
<option name="name" value="Central Repository" />
<option name="url" value="https://repo.maven.apache.org/maven2" />
</remote-repository>
<remote-repository>
<option name="id" value="central" />
<option name="name" value="Maven Central repository" />
<option name="url" value="https://repo1.maven.org/maven2" />
</remote-repository>
<remote-repository>
<option name="id" value="jboss.community" />
<option name="name" value="JBoss Community repository" />
<option name="url" value="https://repository.jboss.org/nexus/content/repositories/public/" />
</remote-repository>
</component>
</project>
\ No newline at end of file
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="ExternalStorageConfigurationManager" enabled="true" />
<component name="MavenProjectsManager">
<option name="originalFiles">
<list>
<option value="$PROJECT_DIR$/pom.xml" />
</list>
</option>
</component>
<component name="PDMPlugin">
<option name="skipTestSources" value="false" />
</component>
<component name="ProjectRootManager" version="2" languageLevel="JDK_15" default="true" project-jdk-name="15" project-jdk-type="JavaSDK" />
</project>
\ No newline at end of file
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="RunConfigurationProducerService">
<option name="ignoredProducers">
<set>
<option value="com.android.tools.idea.compose.preview.runconfiguration.ComposePreviewRunConfigurationProducer" />
</set>
</option>
</component>
</project>
\ No newline at end of file
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="VcsDirectoryMappings">
<mapping directory="$PROJECT_DIR$" vcs="Git" />
</component>
</project>
\ No newline at end of file
......@@ -40,7 +40,7 @@ public final class Account {
/**
* Join a channel with this account.
*
* @return A new account object with the cannnel added.
* @return A new account object with the channel added.
*/
public Account joinChannel(final String alias,
final Stored<Channel> channel) {
......
package inf226.inchat;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.sql.*;
import java.time.Instant;
import java.util.UUID;
......@@ -48,12 +45,13 @@ public final class AccountStorage
throws SQLException {
final Stored<Account> stored = new Stored<Account>(account);
String sql =
"INSERT INTO Account VALUES('" + stored.identity + "','"
+ stored.version + "','"
+ account.user.identity + "','"
+ account.password + "')";
connection.createStatement().executeUpdate(sql);
PreparedStatement statement = connection.prepareStatement("INSERT INTO Account VALUES(?,?,?,?)");
statement.setObject(1, stored.identity);
statement.setObject(2, stored.version);
statement.setObject(3, account.user.identity);
statement.setString(4, account.password);
statement.executeUpdate();
// Write the list of channels
final Maybe.Builder<SQLException> exception = Maybe.builder();
......@@ -61,13 +59,17 @@ public final class AccountStorage
account.channels.forEach(element -> {
String alias = element.first;
Stored<Channel> channel = element.second;
final String msql
= "INSERT INTO AccountChannel VALUES('" + stored.identity + "','"
+ channel.identity + "','"
+ alias + "','"
+ ordinal.get().toString() + "')";
try { connection.createStatement().executeUpdate(msql); }
catch (SQLException e) { exception.accept(e) ; }
try {
PreparedStatement statement1 = connection.prepareStatement("INSERT INTO AccountChannel VALUES(?,?,?,?");
statement1.setObject(1, stored.identity);
statement1.setObject(2, channel.identity);
statement1.setString(3, alias);
statement1.setString(4, ordinal.get().toString());
//Execute statement
statement1.executeUpdate();
} catch (SQLException e) { exception.accept(e); }
ordinal.accept(ordinal.get() + 1);
});
......@@ -84,29 +86,35 @@ public final class AccountStorage
final Stored<Account> current = get(account.identity);
final Stored<Account> updated = current.newVersion(new_account);
if(current.version.equals(account.version)) {
String sql = "UPDATE Account SET" +
" (version,user) =('"
+ updated.version + "','"
+ new_account.user.identity
+ "') WHERE id='"+ updated.identity + "'";
connection.createStatement().executeUpdate(sql);
PreparedStatement statement = connection.prepareStatement("UPDATE Account SET (version,user) =(?,?) WHERE id=?");
statement.setObject(1, updated.version);
statement.setObject(2, new_account.user.identity);
statement.setObject(3, updated.identity);
statement.executeUpdate();
// Rewrite the list of channels
connection.createStatement().executeUpdate("DELETE FROM AccountChannel WHERE account='" + account.identity + "'");
PreparedStatement deleteStmt = connection.prepareStatement("DELETE FROM AccountChannel WHERE account=?");
deleteStmt.setObject(1, account.identity);
deleteStmt.executeUpdate();
final Maybe.Builder<SQLException> exception = Maybe.builder();
final Mutable<Integer> ordinal = new Mutable<Integer>(0);
new_account.channels.forEach(element -> {
String alias = element.first;
Stored<Channel> channel = element.second;
final String msql
= "INSERT INTO AccountChannel VALUES('" + account.identity + "','"
+ channel.identity + "','"
+ alias + "','"
+ ordinal.get().toString() + "')";
try { connection.createStatement().executeUpdate(msql); }
catch (SQLException e) { exception.accept(e) ; }
try {
PreparedStatement statement1 = connection.prepareStatement("INSERT INTO AccountChannel VALUES(?,?,?,?)");
statement1.setObject(1, account.identity);
statement1.setObject(2, channel.identity);
statement1.setString(3, alias);
statement1.setString(4, ordinal.get().toString());
// Execute statement
statement1.executeUpdate();
} catch (SQLException e) { exception.accept(e); }
ordinal.accept(ordinal.get() + 1);
});
......@@ -124,8 +132,10 @@ public final class AccountStorage
SQLException {
final Stored<Account> current = get(account.identity);
if(current.version.equals(account.version)) {
String sql = "DELETE FROM Account WHERE id ='" + account.identity + "'";
connection.createStatement().executeUpdate(sql);
PreparedStatement statement = connection.prepareStatement("DELETE FROM Account WHERE id =?");
statement.setObject(1, account.identity);
statement.executeUpdate();
} else {
throw new UpdatedException(current);
}
......@@ -135,14 +145,15 @@ public final class AccountStorage
throws DeletedException,
SQLException {
final String accountsql = "SELECT version,user,password FROM Account WHERE id = '" + id.toString() + "'";
final String channelsql = "SELECT channel,alias,ordinal FROM AccountChannel WHERE account = '" + id.toString() + "' ORDER BY ordinal DESC";
PreparedStatement accountStmt = connection.prepareStatement("SELECT version,user,password FROM Account WHERE id =?");
accountStmt.setString(1, id.toString());
final Statement accountStatement = connection.createStatement();
final Statement channelStatement = connection.createStatement();
PreparedStatement channelStmt = connection.prepareStatement("SELECT channel,alias,ordinal FROM AccountChannel WHERE account = ? ORDER BY ordinal DESC");
channelStmt.setString(1, id.toString());
final ResultSet accountResult = accountStatement.executeQuery(accountsql);
final ResultSet channelResult = channelStatement.executeQuery(channelsql);
final ResultSet accountResult = accountStmt.executeQuery();
final ResultSet channelResult = channelStmt.executeQuery();
if(accountResult.next()) {
final UUID version = UUID.fromString(accountResult.getString("version"));
......@@ -173,12 +184,11 @@ public final class AccountStorage
public Stored<Account> lookup(String username)
throws DeletedException,
SQLException {
final String sql = "SELECT Account.id from Account INNER JOIN User ON user=User.id where User.name='" + username + "'";
System.err.println(sql);
final Statement statement = connection.createStatement();
final ResultSet rs = statement.executeQuery(sql);
PreparedStatement stmt = connection.prepareStatement("SELECT Account.id from Account INNER JOIN User ON user=User.id where User.name=?");
stmt.setString(1, username);
final ResultSet rs = stmt.executeQuery();
if(rs.next()) {
final UUID identity =
UUID.fromString(rs.getString("id"));
......
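Review bot: The statement text in `connection.prepareStatement("INSERT INTO AccountChannel VALUES(?,?,?,?")` in the `@@ -61,13 +59,17 @@` hunk of insert() is missing its closing parenthesis, so every channel row fails at prepare time and the SQLException is only collected into `exception`; it should read `"INSERT INTO AccountChannel VALUES(?,?,?,?)"`, as the corresponding line in the update() hunk already does. None of the PreparedStatements in this file are closed; a try-with-resources such as `try (PreparedStatement statement = connection.prepareStatement(...)) { ... }` around each one (with the ResultSet consumed inside the block in get() and lookup()) would release them, and the same applies to ChannelStorage, EventStorage and SessionStorage. The explicit `import java.sql.Statement;` was replaced by `import java.sql.*;` in all four storage files; `import java.sql.PreparedStatement;` next to the existing imports would keep the files' explicit-import style. The enclosing methods begin and end outside these hunks.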
package inf226.inchat;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.sql.*;
import java.time.Instant;
import java.util.UUID;
import java.util.TreeMap;
......@@ -43,10 +40,11 @@ public final class ChannelStorage
throws SQLException {
final Stored<Channel> stored = new Stored<Channel>(channel);
String sql = "INSERT INTO Channel VALUES('" + stored.identity + "','"
+ stored.version + "','"
+ channel.name + "')";
connection.createStatement().executeUpdate(sql);
PreparedStatement statement = connection.prepareStatement("INSERT INTO Channel VALUES(?,?,?)");
statement.setObject(1, stored.identity);
statement.setObject(2, stored.version);
statement.setObject(3, channel.name);
statement.executeUpdate();
return stored;
}
......@@ -59,12 +57,12 @@ public final class ChannelStorage
final Stored<Channel> current = get(channel.identity);
final Stored<Channel> updated = current.newVersion(new_channel);
if(current.version.equals(channel.version)) {
String sql = "UPDATE Channel SET" +
" (version,name) =('"
+ updated.version + "','"
+ new_channel.name
+ "') WHERE id='"+ updated.identity + "'";
connection.createStatement().executeUpdate(sql);
PreparedStatement statement = connection.prepareStatement("UPDATE Channel SET (version,name) =(?,?) WHERE id=?");
statement.setObject(1, updated.version);
statement.setString(2, new_channel.name);
statement.setObject(3, updated.version);
statement.executeUpdate();
} else {
throw new UpdatedException(current);
}
......@@ -79,8 +77,9 @@ public final class ChannelStorage
SQLException {
final Stored<Channel> current = get(channel.identity);
if(current.version.equals(channel.version)) {
String sql = "DELETE FROM Channel WHERE id ='" + channel.identity + "'";
connection.createStatement().executeUpdate(sql);
PreparedStatement statement = connection.prepareStatement("DELETE FROM Channel WHERE id =?");
statement.setObject(1, channel.identity);
statement.executeUpdate();
} else {
throw new UpdatedException(current);
}
......@@ -90,14 +89,15 @@ public final class ChannelStorage
throws DeletedException,
SQLException {
final String channelsql = "SELECT version,name FROM Channel WHERE id = '" + id.toString() + "'";
final String eventsql = "SELECT id,rowid FROM Event WHERE channel = '" + id.toString() + "' ORDER BY rowid ASC";
PreparedStatement channelStmt = connection.prepareStatement("SELECT version,name FROM Channel WHERE id = ?");
channelStmt.setString(1, id.toString());
PreparedStatement eventStmt = connection.prepareStatement("SELECT id,rowid FROM Event WHERE channel = ? ORDER BY rowid ASC");
eventStmt.setString(1, id.toString());
final Statement channelStatement = connection.createStatement();
final Statement eventStatement = connection.createStatement();
final ResultSet channelResult = channelStatement.executeQuery(channelsql);
final ResultSet eventResult = eventStatement.executeQuery(eventsql);
final ResultSet channelResult = channelStmt.executeQuery();
final ResultSet eventResult = eventStmt.executeQuery();
if(channelResult.next()) {
final UUID version =
......@@ -125,7 +125,10 @@ public final class ChannelStorage
throws SQLException, DeletedException {
String sql = "UPDATE Channel SET" +
" (version) =('" + UUID.randomUUID() + "') WHERE id='"+ channelId + "'";
connection.createStatement().executeUpdate(sql);
PreparedStatement statement = connection.prepareStatement("UPDATE Channel SET (version) =(?) WHERE id=?");
statement.setObject(1, UUID.randomUUID());
statement.setObject(2, channelId);
statement.executeUpdate();
Stored<Channel> channel = get(channelId);
giveNextVersion(channel);
return channel;
......@@ -139,10 +142,10 @@ public final class ChannelStorage
throws DeletedException,
SQLException {
final String channelsql = "SELECT version FROM Channel WHERE id = '" + id.toString() + "'";
final Statement channelStatement = connection.createStatement();
PreparedStatement statement = connection.prepareStatement("SELECT version FROM Channel WHERE id = ?");
statement.setString(1, id.toString());
final ResultSet channelResult = channelStatement.executeQuery(channelsql);
final ResultSet channelResult = statement.executeQuery();
if(channelResult.next()) {
return UUID.fromString(
channelResult.getString("version"));
......@@ -215,8 +218,10 @@ public final class ChannelStorage
*/
public Stored<Channel> lookupChannelForEvent(Stored<Channel.Event> e)
throws SQLException, DeletedException {
String sql = "SELECT channel FROM ChannelEvent WHERE event='" + e.identity + "'";
final ResultSet rs = connection.createStatement().executeQuery(sql);
PreparedStatement statement = connection.prepareStatement("SELECT channel FROM ChannelEvent WHERE event=?");
statement.setObject(1, e.identity);
final ResultSet rs = statement.executeQuery();
if(rs.next()) {
final UUID channelId = UUID.fromString(rs.getString("channel"));
return get(channelId);
......
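Review bot: In the update() hunk (`@@ -59,12 +57,12 @@`) the WHERE placeholder of `UPDATE Channel SET (version,name) =(?,?) WHERE id=?` is bound with `statement.setObject(3, updated.version)`, whereas the removed concatenation used `updated.identity` there, so the new statement matches no row and the update is silently lost while the method still returns normally. It should be `statement.setObject(3, updated.identity);`. In the `@@ -125,7 +125,10 @@` hunk the old `String sql = "UPDATE Channel SET" + " (version) =('" + UUID.randomUUID() + ...` is still built as context lines but no longer executed; removing it keeps a string-built query from lingering next to the prepared one. The enclosing methods begin and end outside these hunks.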
package inf226.inchat;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.sql.*;
import java.time.Instant;
import java.util.UUID;
import java.util.function.Consumer;
......@@ -35,25 +32,32 @@ public final class EventStorage
throws SQLException {
final Stored<Channel.Event> stored = new Stored<Channel.Event>(event);
String sql = "INSERT INTO Event VALUES('" + stored.identity + "','"
+ stored.version + "','"
+ event.channel + "','"
+ event.type.code + "','"
+ event.time + "')";
connection.createStatement().executeUpdate(sql);
PreparedStatement statement = connection.prepareStatement("INSERT INTO Event VALUES(?,?,?,?,?)");
statement.setObject(1, stored.identity);
statement.setObject(2, stored.version);
statement.setObject(3, event.channel);
statement.setInt(4, event.type.code);
statement.setObject(5, event.time);
statement.executeUpdate();
PreparedStatement eventStmt = null;
switch (event.type) {
case message:
sql = "INSERT INTO Message VALUES('" + stored.identity + "','"
+ event.sender + "','"
+ event.message +"')";
eventStmt = connection.prepareStatement("INSERT INTO Message VALUES(?,?,?)");
eventStmt.setObject(1, stored.identity);
eventStmt.setString(2, event.sender);
eventStmt.setString(3, event.message);
break;
case join:
sql = "INSERT INTO Joined VALUES('" + stored.identity + "','"
+ event.sender +"')";
eventStmt = connection.prepareStatement("INSERT INTO Joined VALUES(?,?)");
eventStmt.setObject(1, stored.identity);
eventStmt.setString(2, event.sender);
break;
}
connection.createStatement().executeUpdate(sql);
eventStmt.executeUpdate();
return stored;
}
......@@ -66,24 +70,32 @@ public final class EventStorage
final Stored<Channel.Event> current = get(event.identity);
final Stored<Channel.Event> updated = current.newVersion(new_event);
if(current.version.equals(event.version)) {
String sql = "UPDATE Event SET" +
" (version,channel,time,type) =('"
+ updated.version + "','"
+ new_event.channel + "','"
+ new_event.time + "','"
+ new_event.type.code
+ "') WHERE id='"+ updated.identity + "'";
connection.createStatement().executeUpdate(sql);
PreparedStatement statement = connection.prepareStatement("UPDATE Event SET (version,channel,time,type) =(?,?,?,?) WHERE id=?");
statement.setObject(1, updated.version);
statement.setObject(2, new_event.channel);
statement.setObject(3, new_event.time);
statement.setInt(4, new_event.type.code);
statement.setObject(5, updated.identity);
statement.executeUpdate();
PreparedStatement eventStmt = null;
switch (new_event.type) {
case message:
sql = "UPDATE Message SET (sender,content)=('" + new_event.sender + "','"
+ new_event.message +"') WHERE id='"+ updated.identity + "'";
eventStmt = connection.prepareStatement("UPDATE Message SET (sender,content)=(?,?) WHERE id=?");
eventStmt.setString(1, new_event.sender);
eventStmt.setString(2, new_event.message);
eventStmt.setObject(3, updated.identity);
break;
case join:
sql = "UPDATE Joined SET (sender)=('" + new_event.sender +"') WHERE id='"+ updated.identity + "'";
eventStmt = connection.prepareStatement("UPDATE Joined SET (sender)=(?) WHERE id=?");
eventStmt.setString(1, new_event.sender);
eventStmt.setObject(2, updated.identity);
break;
}
connection.createStatement().executeUpdate(sql);
eventStmt.executeUpdate();
} else {
throw new UpdatedException(current);
}
......@@ -97,8 +109,9 @@ public final class EventStorage
SQLException {
final Stored<Channel.Event> current = get(event.identity);
if(current.version.equals(event.version)) {
String sql = "DELETE FROM Event WHERE id ='" + event.identity + "'";
connection.createStatement().executeUpdate(sql);
PreparedStatement statement = connection.prepareStatement("DELETE FROM Event WHERE id =?");
statement.setObject(1, event.identity);
statement.executeUpdate();
} else {
throw new UpdatedException(current);
}
......@@ -107,9 +120,10 @@ public final class EventStorage
public Stored<Channel.Event> get(UUID id)
throws DeletedException,
SQLException {
final String sql = "SELECT version,channel,time,type FROM Event WHERE id = '" + id.toString() + "'";
final Statement statement = connection.createStatement();
final ResultSet rs = statement.executeQuery(sql);
PreparedStatement statement = connection.prepareStatement("SELECT version,channel,time,type FROM Event WHERE id = ?");
statement.setString(1, id.toString());
final ResultSet rs = statement.executeQuery();
if(rs.next()) {
final UUID version = UUID.fromString(rs.getString("version"));
......@@ -120,19 +134,21 @@ public final class EventStorage
final Instant time =
Instant.parse(rs.getString("time"));
final Statement mstatement = connection.createStatement();
PreparedStatement mstatement = null;
switch(type) {
case message:
final String msql = "SELECT sender,content FROM Message WHERE id = '" + id.toString() + "'";
final ResultSet mrs = mstatement.executeQuery(msql);
mstatement = connection.prepareStatement("SELECT sender,content FROM Message WHERE id = ?");
mstatement.setString(1, id.toString());
final ResultSet mrs = mstatement.executeQuery();
mrs.next();
return new Stored<Channel.Event>(
Channel.Event.createMessageEvent(channel,time,mrs.getString("sender"),mrs.getString("content")),
id,
version);
case join:
final String asql = "SELECT sender FROM Joined WHERE id = '" + id.toString() + "'";
final ResultSet ars = mstatement.executeQuery(asql);
mstatement = connection.prepareStatement("SELECT sender FROM Joined WHERE id = ?");
mstatement.setString(1, id.toString());
final ResultSet ars = mstatement.executeQuery();
ars.next();
return new Stored<Channel.Event>(
Channel.Event.createJoinEvent(channel,time,ars.getString("sender")),
......
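Review bot: `statement.setObject(5, event.time)` in the insert() hunk (`@@ -35,25 +32,32 @@`) binds a java.time.Instant, which is not among the object types JDBC defines a mapping for, so the write depends on the driver falling back to toString(); since get() reads the column back with `Instant.parse(rs.getString("time"))`, `statement.setString(5, event.time.toString());` would make the stored format explicit, and the same applies to `statement.setObject(3, new_event.time)` in the update() hunk (`@@ -66,24 +70,32 @@`). Both hunks also declare `PreparedStatement eventStmt = null;` and assign it only in the `message` and `join` arms, so `eventStmt.executeUpdate()` throws a NullPointerException for any other constant of the type enum; a `default: throw new IllegalStateException("unhandled event type: " + event.type);` arm would make that explicit (whether further constants exist is not visible here). The enclosing methods begin and end outside these hunks.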
package inf226.inchat;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.sql.*;
import java.time.Instant;
import java.util.UUID;
......@@ -32,11 +29,13 @@ public final class SessionStorage
throws SQLException {
final Stored<Session> stored = new Stored<Session>(session);
String sql = "INSERT INTO Session VALUES('" + stored.identity + "','"
+ stored.version + "','"
+ session.account.identity + "','"
+ session.expiry.toString() + "')";
connection.createStatement().executeUpdate(sql);
PreparedStatement statement = connection.prepareStatement("INSERT INTO Session VALUES(?,?,?,?)");
statement.setObject(1, stored.identity);
statement.setObject(2, stored.version);
statement.setObject(3, session.account.identity);
statement.setString(4, session.expiry.toString());
statement.executeUpdate();
return stored;
}
......@@ -49,13 +48,13 @@ public final class SessionStorage
final Stored<Session> current = get(session.identity);
final Stored<Session> updated = current.newVersion(new_session);
if(current.version.equals(session.version)) {
String sql = <