I have something like this:
PreparedStatement ps;
// ...
public static final String sqlQuery = "select * from users where user_id = ?";
public ResultSet getResultData(int id) {
ps = conn.prepareStatement(sqlQuery); // SpotBugs warning here
ps.setInteger(1, id);
return ps.executeQuery();
}
SpotBugs says next:
This use of
java/sql/Connection.prepareStatement(Ljava/lang/String;)Ljava/sql/PreparedStatement;
can be vulnerable to SQL injection (with JDBC)
And suggest already implemented solution.
Is that false positive warning and should be suppressed or did I miss something?
SpotBugs may be tracing your code back to the caller of that getResultData() function. It may be seeing that there's a way for an untrusted user to provide an arbitrary integer and get it into that query. For example, if your user_id number is 123 and you can view your account with
https://example.com/account?user_id=123
then a cybercreep can try
https://example.com/account?user_id=124
to see somebody else's account. This is an unfortunately common exploit people use to steal data. Notoriously, Panera Bread's online ordering site was hacked this way a few years ago.
You can fix such problems by making sure the user_id values you pass into your function are authorized for viewing by your logged-in user.
Related
I'm a newbie with jMeter. I would to ask opinion and guide from forum to point me to right direction. I've have been tasked to do Load test on API Update Password. I have try several approach I can think off plus with the info from internet, but failed to have successful execution.
Below is my most successful approach but still failed after 3-5 minutes execution.
Test Plan
CSV Data Set Config - (Default setting, contain 500 member id's)
Thread Group (Setting: 100vu/100s, Loop: Infinite, Duration: 1 hour)
Counter1 (Old Password) example: abc001
Counter2 (New Password) example: abc002
Http Request (Get Token) {
Old Password
Member Id } --> Send token to next http request
Http Request (Update Password) {
Old Password
New Password
Confirm New Password }
The both Counter have increment of 1 and checked for Track counter independently for each user.
Based on my logic, it should be able to handle the execution as below.
Member1 (abc001,abc002) > Member1 (abc002,abc003) > Member1 (abc003,abc004) > etc
But in reality if failed. I also have try using JSR223 for counter, but still failed. Please help me by pointing me to correct direction how to execute this. I hope anyone can help! Thanks
In its current form your question doesn't make a lot of sense, it's unclear to me what is expected behaviour, what is the actual one, how exactly your test is failing and so on.
Try running it with Debug Sampler added so you would see the JMeter Variables with their respective values.
If it doesn't help - come up with a minimal test plan which shows the issue you're having using i.e. Dummy Sampler and indicate what's wrong and how it should behave according to your expectations.
I'm trying to wrap my head around Elm. I have experience in Haskell, and a bit of Erlang.
I want to complete the following exercise:
User is shown a login form
On submit, the frontend makes a request to localhost/auth to try and receive an auth token.
On success, the homepage is shown, which fetches some data.
On failure, the login screen displays an error.
This is quite basic, but hopefully complex enough to model the behaviour of a real webapp.
My first problem is with the Model. I only need the data if the client is authenticated. Should I wrap this in something similar to a Maybe monad?
type Model
= NoAuth String String
| AuthFetching
| AuthFailed err
| AuthSuccess String
And then the login screen can display a spinner, and error, or redirect to a new page.
This feels like it ties the rest of the applications state to the authentication state. Although is is "correct", it feels wrong to have the whole model be a (variant type?) with only one record.
It "feels" more correct to have the model like so:
type FetchStatus
= Loading
| Success val
| Err err
type Model =
{ token : RequestStatus String
, data : List number
}
But whenever you update the model, you now need to check if token is still present - i.e. pattern match within the record. In the first example, you only needed to pattern match on the whole model, which is a bit simpler.
And to hold the login form state, I'd need to add extra fields:
type Model =
{ token : RequestStatus String
, data : List number
, username : String
, password : String
}
Which feels incorrect because the password should not be held in memory after login. I'd hold these in records, but I cannot use records in custom type declarations.
All in all, I'm a bit confused. Can someone please shed some light on the most "correct", idiomatic way to do this?
All authorization related stuff should be handled on the backend side. Elm's job is only to display what server has sent to it. In my opinion the first option you proposed is the best for such a little example, but in more real-life application the typesystem would be more complex:
type LoginForm =
{ username : String
, password : String
}
type Activity
= Login LoginForm
| LoginSuccess
| LoginFailure String
type Model =
{ loggedUser : Maybe String
, activity : Activity
, ...
}
You don't need (and shouldn't) keep password on frontend. You also shouldn't perform any authorizations on the client side, as the client may easily replace any script in his browser. The backend will track whether the user is logged in by eg. session cookies. In this scenario even if the loggedUser value is set to Just "someguy" and "someguy" is not marked as logged in the server database, any action that requires authorization shall fail.
Summarizing, handling login and giving permissions to access any content is a job for backend. Elm is frontend language, so it's only purpose here is to display things.
I have a method in the WCF service with a SQL query for a basic log in authentication :
SELECT StudentID, Password
FROM tbUserAccounts
WHERE StudentID = #ID AND Password = #Password
If this query does not find any results, will the WCF encounter this as an error / exception or does it return anything?
The reason I ask is because running this method from my Universal Windows app, I am still able to log in with the password box (which is a textbox) being empty. I must be missing something here since the AND statement is there?
I have a try catch also but it doesn't seem to trigger the catch
the Query will return a result set with 0 records
You should test for zero results in the result set
If it doesn't find any results it will still succeed and return an empty result set. You probably need to check and make sure that you are getting 1 and only 1 row back. Also, please don't use this as an actual authentication method for production code.
I have a Web API 2 project using MVC. It uses entity framework. This entity framework uses a database first approach with a .edmx file.
The project is based on VS 2013 Express Web API 2 template. I just used my own database. I didn't modify any account related code. But when I try to register a new user, the following statement in AccountController.cs throw exception:
public async Task<IHttpActionResult> Register(RegisterBindingModel model)
{
...
IdentityResult result = await UserManager.CreateAsync(user, model.Password);
...
}
The exception says:
Cannot insert the value NULL into column 'Discriminator', table 'xxx.dbo.AspNetUsers'; column does not allow nulls. INSERT fails.
The statement has been terminated.
Can anyone help me? Thank you!
The answer is in your question's body.
table 'xxx.dbo.AspNetUsers'; column does not allow nulls.
Seems to be, that you're trying to insert a NULL value from your model instance RegisterBindingModel model, where the structure of your table in database server doesn't allow to accept NULL value.
Try to debug and check, is your model instance is creating correctly when the request is coming.
Also I can see, that you use:
IdentityResult result = await UserManager.CreateAsync(user, model.Password);
Why user isn't a member of your model, like the Password property?
Maybe try to use:
IdentityResult result = await UserManager.CreateAsync(model.User, model.Password);
Anyway... I don't have more info and don't imagine, what is inside your model instance, how you're binding data in it from the request. You should to look in the debugger and debug very well to repair your project or provide more info.
But one thing is clear as a crystal, you're trying to insert a NULL value into the column, which doesn't accept NULL, so you must check how is your model binding. Maybe your client-side application doesn't send correctly some arguments, maybe you're binding you model incorrectly, maybe something else... There is a need to get more information from you to help you, otherwise you should debug carefully.
I upgraded all NuGet Packages yesterday. Among them Asp.net Identity is upgraded to 2.0.0.0.
It magically worked.
So I suspect that was because of some bug in Identity 1.0
Problem. In a registration scenario, I'm trying to insert a user in my User table and then call WebSercurity.CreateAccount for that user (in a transaction). This causes the error that MS DTC is not available on the server.
Description. The reason I'm doing this is because I have a Customer Entity which inherits from User, so WebSercurity.CreateUserAndAccount cannot be used because it doesn't know about Customer and just inserts a User record.
I'm using Asp.net MVC 4 with EntityFramework 5, CodeFirst, and SQL Server 2008 R2.
any suggestions for not using DTC would be appreciated!
EDIT.
It is obvious why this error occurs, because websecurity uses its own connection to the database, and my repositories use another connection, although I've configured simplemembership to use the same DbContext class as my repositories, but the problem is it creates a new instance of the DbContext ...
I was hoping if there is a way to pass an existing context object, or connection to the WebSecurity to use with its methods.
here's the code:
if (ModelState.IsValid)
{
//using (TransactionScope tx = new TransactionScope())
//{
UnitOfWork.UserRepository.Insert(new Customer
{
FirstName = model.FirstName,
LastName = model.LastName,
Email = model.Email,
Tel = model.Tel,
Mobile = model.Mobile,
BirthDate = model.BirthDate,
InsertDate = DateTime.Now,
UserType = UserType.Customer,
MaritalStatus = model.MaritalStatus,
ZipCode = model.ZipCode,
StreetAddress = model.StreetAddress,
City = model.City,
State = model.State
});
UnitOfWork.Commit();
string token = WebSecurity.CreateAccount(model.Email, model.Password, true);
Roles.AddUserToRole(model.Email, "Customer");
//WebSecurity.Login(model.Email, model.Password, true);
await Task.Run(() => EmailHelper.SendConfrimationEmail(token, model.Email));
// tx.Complete();
//}
The DTC error occurs because you are trying to span a transaction over two different database connections. You have several options.
SimpleMembership is designed for simple scenarios. You are doing an advanced scenario, so you should probably use a different membership provider.
I found a possible solution but I'm not sure if it's the best solution. The idea came from this blog post that says how we can include simplemembership tables in our POCO entities and create the tables ourselves (not using WebSecurity).
So as a result I think I can implement the CreateAccount method in my repositories by simply inserting a record in the webpages_Membership table, and AddUserToRole by inserting a record in webpages_UsersInRoles table.
For other queries like GetUser and ... we can use WebSecurity and Roles class like before.
It seems to work OK (otherwise I'm missing something), but has some extra work to do which I wish not to!
So if anyone can give me a better solution I would be glad.
As Mystere Man pointed out the error is occurring because the transaction is over two different databases. You have several options. Here are a few that come to mind.
You can customize the existing User entity used by the SimpleMembership provider to capture the custom information you want for each user. This is fairly straightforward and is discussed in this blog post. It looks like you are trying to do an email confirmation which the SimpleMembership provider also supports and is discussed here.
You can also tie the information in your other database with the unique user ID (int) that SimpleMembership uses. Once you create the user and log them in you can get that id by calling WebSecurity.CurrentUserId.
You could bypass the whole SimpleMempership provider and create your own custom membership provider, which is discussed here.