From e59e57a35009a0d4c6c6c8b43da34067ac542fb1 Mon Sep 17 00:00:00 2001
From: Kohei Tamura
Date: Thu, 16 Feb 2017 18:17:22 +0900
Subject: [PATCH] Unify two inner EmbeddedJavaDb classes
---
 .../easybuggy/servers/EmbeddedJavaDb.java | 205 ++++++++++++++++++
 .../easybuggy/troubles/DeadlockServlet2.java | 155 +------------
 .../vulnerabilities/SQLInjectionServlet.java | 95 +-------
 3 files changed, 211 insertions(+), 244 deletions(-)
 create mode 100644 src/main/java/org/t246osslab/easybuggy/servers/EmbeddedJavaDb.java
diff --git a/src/main/java/org/t246osslab/easybuggy/servers/EmbeddedJavaDb.java b/src/main/java/org/t246osslab/easybuggy/servers/EmbeddedJavaDb.java
new file mode 100644
index 00000000..d14fb14f
--- /dev/null
+++ b/src/main/java/org/t246osslab/easybuggy/servers/EmbeddedJavaDb.java
@@ -0,0 +1,205 @@
+package org.t246osslab.easybuggy.servers;
+
+import java.sql.Connection;
+import java.sql.DriverManager;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.SQLTransactionRollbackException;
+import java.sql.Statement;
+import java.util.Locale;
+import java.util.UUID;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.t246osslab.easybuggy.utils.ApplicationUtils;
+import org.t246osslab.easybuggy.utils.MessageUtils;
+
+public class EmbeddedJavaDb {
+
+ private static Logger log = LoggerFactory.getLogger(EmbeddedJavaDb.class);
+
+ static Connection conn;
+
+ static {
+ Statement stmt = null;
+ try {
+ String dbDriver = ApplicationUtils.getDatabaseDriver();
+ if (dbDriver != null && !dbDriver.equals("")) {
+ try {
+ Class.forName(dbDriver);
+ } catch (Exception e) {
+ log.error("Exception occurs: ", e);
+ }
+ }
+ String dbUrl = ApplicationUtils.getDatabaseURL();
+ conn = DriverManager.getConnection(dbUrl);
+ stmt = conn.createStatement();
+ try {
+ stmt.executeUpdate("drop table users");
+ } catch (SQLException e) {
+ // ignore exception if exist the table
+ }
+ // create users table
+ stmt.executeUpdate("create table users (id int primary key, name varchar(30), password varchar(30), secret varchar(30))");
+
+ // insert rows
+ stmt.executeUpdate("insert into users values (0,'Mark','password','57249037993')");
+ stmt.executeUpdate("insert into users values (1,'David','p@s2w0rd','42368923031')");
+ stmt.executeUpdate("insert into users values (2,'Peter','pa33word','54238496555')");
+ stmt.executeUpdate("insert into users values (3,'James','pathwood','70414823225')");
+
+ try {
+ stmt.executeUpdate("drop table users2");
+ } catch (SQLException e) {
+ // ignore exception if exist the table
+ }
+ // create users table
+ stmt.executeUpdate("create table users2 (id int primary key, name varchar(30), password varchar(100))");
+
+ 
// insert rows + for (int i = 1; i <= 2; i++) { + stmt.executeUpdate("insert into users2 values (" + i + ",'user" + i + "','password')"); + } + + } catch (SQLException e) { + log.error("Exception occurs: ", e); + } finally { + if (stmt != null) { + try { + stmt.close(); + } catch (SQLException e) { + log.error("Exception occurs: ", e); + } + } + } + } + + public String selectUsers(String name, String password, HttpServletRequest req) { + + String message = MessageUtils.getMsg("msg.error.user.not.exist", req.getLocale()); + Statement stmt = null; + ResultSet rs = null; + try { + stmt = conn.createStatement(); + + // query + rs = stmt.executeQuery("SELECT * FROM users WHERE name='" + name + "' AND password='" + password + "'"); + + StringBuilder sb = new StringBuilder(); + while (rs.next()) { + sb.append(rs.getString("name") + ", " + rs.getString("secret") + "
"); + } + if (sb.length() > 0) { + message = MessageUtils.getMsg("user.table.column.names", req.getLocale()) + "
" + sb.toString(); + } + } catch (Exception e) { + log.error("Exception occurs: ", e); + } finally { + if (rs != null) { + try { + rs.close(); + } catch (SQLException e) { + log.error("Exception occurs: ", e); + } + } + if (stmt != null) { + try { + stmt.close(); + } catch (SQLException e) { + log.error("Exception occurs: ", e); + } + } + } + return message; + } + + public String updateUsers2(int[] ids, Locale locale) { + + PreparedStatement stmt = null; + Connection conn = null; + int executeUpdate = 0; + String message = ""; + try { + String dbUrl = ApplicationUtils.getDatabaseURL(); + String dbDriver = ApplicationUtils.getDatabaseDriver(); + if (dbDriver != null && !dbDriver.equals("")) { + try { + Class.forName(dbDriver); + } catch (Exception e) { + log.error("Exception occurs: ", e); + } + } + conn = DriverManager.getConnection(dbUrl); + conn.setAutoCommit(false); + // conn.setTransactionIsolation(Connection.TRANSACTION_READ_COMMITTED); + + stmt = conn.prepareStatement("Update users2 set password = ? 
where id = ?"); + stmt.setString(1, UUID.randomUUID().toString()); + stmt.setInt(2, ids[0]); + executeUpdate = stmt.executeUpdate(); + + Thread.sleep(5000); + + stmt.setString(1, UUID.randomUUID().toString()); + stmt.setInt(2, ids[1]); + executeUpdate = executeUpdate + stmt.executeUpdate(); + conn.commit(); + message = MessageUtils.getMsg("msg.update.records", new Object[] { executeUpdate }, locale); + + } catch (SQLTransactionRollbackException e) { + message = MessageUtils.getMsg("msg.deadlock.occurs", locale); + log.error("Exception occurs: ", e); + if (conn != null) { + try { + conn.rollback(); + } catch (SQLException e1) { + log.error("Exception occurs: ", e1); + } + } + } catch (SQLException e) { + if ("41000".equals(e.getSQLState())) { + message = MessageUtils.getMsg("msg.deadlock.occurs", locale); + } else { + message = MessageUtils.getMsg("msg.unknown.exception.occur", locale); + } + log.error("Exception occurs: ", e); + if (conn != null) { + try { + conn.rollback(); + } catch (SQLException e1) { + log.error("Exception occurs: ", e1); + } + } + } catch (Exception e) { + message = MessageUtils.getMsg("easybuggy", locale); + log.error("Exception occurs: ", e); + if (conn != null) { + try { + conn.rollback(); + } catch (SQLException e1) { + log.error("Exception occurs: ", e1); + } + } + } finally { + if (stmt != null) { + try { + stmt.close(); + } catch (SQLException e) { + log.error("Exception occurs: ", e); + } + } + if (conn != null) { + try { + conn.close(); + } catch (SQLException e) { + log.error("Exception occurs: ", e); + } + } + } + return message; + } + +} diff --git a/src/main/java/org/t246osslab/easybuggy/troubles/DeadlockServlet2.java b/src/main/java/org/t246osslab/easybuggy/troubles/DeadlockServlet2.java index 9f44ee61..d967fbf1 100644 --- a/src/main/java/org/t246osslab/easybuggy/troubles/DeadlockServlet2.java +++ b/src/main/java/org/t246osslab/easybuggy/troubles/DeadlockServlet2.java 
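Review bot: Dropping `EmbeddedJavaDb2.MAX_USER_COUNT` leaves the users2 seed count in the static initializer (`for (int i = 1; i <= 2; i++)`) and the ids DeadlockServlet2 now passes in its `@@ -50,12` hunk (`new int[] { 1, 2 }`, `new int[] { 2, 1 }`) tied together only by a repeated literal; keep `public static final int MAX_USER_COUNT = 2;` on the new class and write `i <= MAX_USER_COUNT` and `{ 1, EmbeddedJavaDb.MAX_USER_COUNT }` as the old code did. `selectUsers` now sits in a shared `servers` class beside the parameterized `updateUsers2` while still concatenating `name` and `password` into the query; since that is the demonstration SQLInjectionServlet depends on, mark it with a Javadoc such as `/** Deliberately injectable (demo for SQLInjectionServlet); do not call from other servlets - real queries use PreparedStatement with ? parameters. */` so the move does not invite reuse. The static `conn` that `selectUsers` uses is shared by every request thread and, if the initializer's `getConnection` threw, stays null so each call logs a NullPointerException and returns the `msg.error.user.not.exist` message; whether the embedded database's connection tolerates concurrent `createStatement` calls is driver-dependent and worth a comment on the field. Finally, `catch (Exception e)` in `updateUsers2` also swallows the `InterruptedException` from `Thread.sleep(5000)`; add `Thread.currentThread().interrupt();` in that branch.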
@@ -2,14 +2,7 @@ import java.io.IOException; import java.io.PrintWriter; -import java.sql.Connection; -import java.sql.DriverManager; -import java.sql.PreparedStatement; -import java.sql.SQLException; -import java.sql.SQLTransactionRollbackException; -import java.sql.Statement; import java.util.Locale; -import java.util.UUID; import javax.servlet.ServletException; import javax.servlet.annotation.WebServlet; @@ -19,7 +12,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import org.t246osslab.easybuggy.utils.ApplicationUtils; +import org.t246osslab.easybuggy.servers.EmbeddedJavaDb; import org.t246osslab.easybuggy.utils.Closer; import org.t246osslab.easybuggy.utils.HTTPResponseCreator; import org.t246osslab.easybuggy.utils.MessageUtils; @@ -50,12 +43,12 @@ protected void service(HttpServletRequest req, HttpServletResponse res) throws S bodyHtml.append(""); bodyHtml.append("

"); - EmbeddedJavaDb2 app = new EmbeddedJavaDb2(); + EmbeddedJavaDb app = new EmbeddedJavaDb(); if ("asc".equals(order)) { - String message = app.update(new int[] { 1, EmbeddedJavaDb2.MAX_USER_COUNT }, locale); + String message = app.updateUsers2(new int[] { 1, 2 }, locale); bodyHtml.append(message); } else if ("desc".equals(order)) { - String message = app.update(new int[] { EmbeddedJavaDb2.MAX_USER_COUNT, 1 }, locale); + String message = app.updateUsers2(new int[] { 2, 1 }, locale); bodyHtml.append(message); } else { bodyHtml.append(MessageUtils.getMsg("msg.warn.enter.asc.or.desc", locale)); 
@@ -70,143 +63,3 @@ protected void service(HttpServletRequest req, HttpServletResponse res) throws S } } } - -class EmbeddedJavaDb2 { - - private static Logger log = LoggerFactory.getLogger(EmbeddedJavaDb2.class); - - static final int MAX_USER_COUNT = 2; - static final String dbUrl = ApplicationUtils.getDatabaseURL(); - static final String dbDriver = ApplicationUtils.getDatabaseDriver(); - - static { - Connection conn = null; - Statement stmt = null; - try { - if (dbDriver != null && !dbDriver.equals("")) { - try { - Class.forName(dbDriver); - } catch (ClassNotFoundException e) { - log.error("Exception occurs: ", e); - } - } - conn = DriverManager.getConnection(dbUrl); - stmt = conn.createStatement(); - - try { - stmt.executeUpdate("drop table users2"); - } catch (SQLException e) { - // ignore exception if exist the table - } - // create users table - stmt.executeUpdate("create table users2 (id int primary key, name varchar(30), password varchar(100))"); - - // insert rows - for (int i = 1; i <= MAX_USER_COUNT; i++) { - stmt.executeUpdate("insert into users2 values (" + i + ",'user" + i + "','password')"); - } - - } catch (SQLException e) { - log.error("Exception occurs: ", e); - } finally { - if (stmt != null) { - try { - stmt.close(); - } catch (SQLException e) { - log.error("Exception occurs: ", e); - } - } - if (conn != null) { - try { - conn.close(); - } catch (SQLException e) { - log.error("Exception occurs: ", e); - } - } - } - } - - public String update(int[] ids, Locale locale) { - - PreparedStatement stmt = null; - Connection conn = null; - int executeUpdate = 0; - String message = ""; - try { - if (dbDriver != null && !dbDriver.equals("")) { - try { - Class.forName(dbDriver); - } catch (Exception e) { - log.error("Exception occurs: ", e); - } - } - conn = DriverManager.getConnection(dbUrl); - conn.setAutoCommit(false); - // conn.setTransactionIsolation(Connection.TRANSACTION_READ_COMMITTED); - - stmt = conn.prepareStatement("Update users2 set password = 
? where id = ?"); - stmt.setString(1, UUID.randomUUID().toString()); - stmt.setInt(2, ids[0]); - executeUpdate = stmt.executeUpdate(); - - Thread.sleep(5000); - - stmt.setString(1, UUID.randomUUID().toString()); - stmt.setInt(2, ids[1]); - executeUpdate = executeUpdate + stmt.executeUpdate(); - conn.commit(); - message = MessageUtils.getMsg("msg.update.records", new Object[] { executeUpdate }, locale); - - } catch (SQLTransactionRollbackException e) { - message = MessageUtils.getMsg("msg.deadlock.occurs", locale); - log.error("Exception occurs: ", e); - if (conn != null) { - try { - conn.rollback(); - } catch (SQLException e1) { - log.error("Exception occurs: ", e1); - } - } - } catch (SQLException e) { - if ("41000".equals(e.getSQLState())) { - message = MessageUtils.getMsg("msg.deadlock.occurs", locale); - } else { - message = MessageUtils.getMsg("msg.unknown.exception.occur", locale); - } - log.error("Exception occurs: ", e); - if (conn != null) { - try { - conn.rollback(); - } catch (SQLException e1) { - log.error("Exception occurs: ", e1); - } - } - } catch (Exception e) { - message = MessageUtils.getMsg("easybuggy", locale); - log.error("Exception occurs: ", e); - if (conn != null) { - try { - conn.rollback(); - } catch (SQLException e1) { - log.error("Exception occurs: ", e1); - } - } - } finally { - if (stmt != null) { - try { - stmt.close(); - } catch (SQLException e) { - log.error("Exception occurs: ", e); - } - } - if (conn != null) { - try { - conn.close(); - } catch (SQLException e) { - log.error("Exception occurs: ", e); - } - } - } - return message; - } -} diff --git a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java b/src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java index 25b38c9c..4acf3551 100644 --- a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java +++ b/src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java 
@@ -2,11 +2,6 @@ import java.io.IOException; import java.io.PrintWriter; -import java.sql.Connection; -import java.sql.DriverManager; -import java.sql.ResultSet; -import java.sql.SQLException; -import java.sql.Statement; import java.util.Locale; import javax.servlet.ServletException; @@ -17,7 +12,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import org.t246osslab.easybuggy.utils.ApplicationUtils; +import org.t246osslab.easybuggy.servers.EmbeddedJavaDb; import org.t246osslab.easybuggy.utils.Closer; import org.t246osslab.easybuggy.utils.HTTPResponseCreator; import org.t246osslab.easybuggy.utils.MessageUtils; @@ -55,7 +50,7 @@ protected void service(HttpServletRequest req, HttpServletResponse res) throws S if (name != null && password != null && !name.equals("") && !password.equals("")) { EmbeddedJavaDb app = new EmbeddedJavaDb(); - String message = app.selectUser(name, password, req); + String message = app.selectUsers(name, password, req); bodyHtml.append(message); } else { bodyHtml.append(MessageUtils.getMsg("msg.warn.enter.name.and.passwd", locale)); 
@@ -72,89 +67,3 @@ protected void service(HttpServletRequest req, HttpServletResponse res) throws S } } } - -class EmbeddedJavaDb { - - private static Logger log = LoggerFactory.getLogger(EmbeddedJavaDb.class); - - static Connection conn; - - static { - Statement stmt = null; - try { - String dbDriver = ApplicationUtils.getDatabaseDriver(); - if (dbDriver != null && !dbDriver.equals("")) { - try { - Class.forName(dbDriver); - } catch (Exception e) { - log.error("Exception occurs: ", e); - } - } - String dbUrl = ApplicationUtils.getDatabaseURL(); - conn = DriverManager.getConnection(dbUrl); - stmt = conn.createStatement(); - try { - stmt.executeUpdate("drop table users"); - } catch (SQLException e) { - // ignore exception if exist the table - } - // create users table - stmt.executeUpdate("create table users (id int primary key, name varchar(30), password varchar(30), secret varchar(30))"); - - // insert rows - stmt.executeUpdate("insert into users values (0,'Mark','password','57249037993')"); - stmt.executeUpdate("insert into users values (1,'David','p@s2w0rd','42368923031')"); - stmt.executeUpdate("insert into users values (2,'Peter','pa33word','54238496555')"); - stmt.executeUpdate("insert into users values (3,'James','pathwood','70414823225')"); - } catch (SQLException e) { - log.error("Exception occurs: ", e); - } finally { - if (stmt != null) { - try { - stmt.close(); - } catch (SQLException e) { - log.error("Exception occurs: ", e); - } - } - } - } - - String selectUser(String name, String password, HttpServletRequest req) { - - String message = MessageUtils.getMsg("msg.error.user.not.exist", req.getLocale()); - Statement stmt = null; - ResultSet rs = null; - try { - stmt = conn.createStatement(); - - // query - rs = stmt.executeQuery("SELECT * FROM users WHERE name='" + name + "' AND password='" + password + "'"); - - StringBuilder sb = new StringBuilder(); - while (rs.next()) { - sb.append(rs.getString("name") + ", " + rs.getString("secret") + "
"); - } - if (sb.length() > 0) { - message = MessageUtils.getMsg("user.table.column.names", req.getLocale()) + "
" + sb.toString(); - } - } catch (Exception e) { - log.error("Exception occurs: ", e); - } finally { - if (rs != null) { - try { - rs.close(); - } catch (SQLException e) { - log.error("Exception occurs: ", e); - } - } - if (stmt != null) { - try { - stmt.close(); - } catch (SQLException e) { - log.error("Exception occurs: ", e); - } - } - } - return message; - } -}