From ca12393fdaf764d0cba02f2d92739fd4fd1821cf Mon Sep 17 00:00:00 2001
From: imertetsu
Date: Thu, 31 Oct 2024 17:30:36 -0400
Subject: [PATCH] Add secure implementation level 5 for BlindSQLInjectionVulnerability

---
 .../BlindSQLInjectionVulnerability.java | 23 ++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerability.java b/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerability.java
index 47bf3b43..39e1fa10 100644
--- a/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerability.java
+++ b/src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/BlindSQLInjectionVulnerability.java
@@ -1,6 +1,8 @@
 package org.sasanlabs.service.vulnerability.sqlInjection;
 
 import java.util.Map;
+import javax.persistence.EntityManager;
+import javax.persistence.PersistenceContext;
 import org.sasanlabs.internal.utility.LevelConstants;
 import org.sasanlabs.internal.utility.Variant;
 import org.sasanlabs.internal.utility.annotations.AttackVector;
@@ -29,6 +31,7 @@
         value = "BlindSQLInjectionVulnerability")
 public class BlindSQLInjectionVulnerability {
 
+    @PersistenceContext private EntityManager entityManager;
     private JdbcTemplate applicationJdbcTemplate;
 
     static final String CAR_IS_PRESENT_RESPONSE = "{ \"isCarPresent\": true}";
@@ -107,7 +110,7 @@ public ResponseEntity getCarInformationLevel3(
                 });
     }
 
-    //Input Validation - Ensure that the input data is valid and of the expected type.
+    // Input Validation - Ensure that the input data is valid and of the expected type.
     @VulnerableAppRequestMapping(
             value = LevelConstants.LEVEL_4,
             variant = Variant.SECURE,
@@ -134,4 +137,22 @@ public ResponseEntity getCarInformationLevel4(
                 });
     }
 
+    // Implementation Level 5 - Hibernate
+    @VulnerableAppRequestMapping(
+            value = LevelConstants.LEVEL_5,
+            variant = Variant.SECURE,
+            htmlTemplate = "LEVEL_1/SQLInjection_Level1")
+    public ResponseEntity getCarInformationLevel5(
+            @RequestParam Map queryParams) {
+        int id = Integer.parseInt(queryParams.get(Constants.ID));
+
+        CarInformation car = entityManager.find(CarInformation.class, id);
+
+        if (car != null) {
+            return ResponseEntity.ok(CAR_IS_PRESENT_RESPONSE);
+        } else {
+            return ResponseEntity.status(HttpStatus.NOT_FOUND)
+                    .body(ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE);
+        }
+    }
 }
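Review bot: `Integer.parseInt(queryParams.get(Constants.ID))` in getCarInformationLevel5 throws NumberFormatException when the `id` parameter is absent (`get` returns null) or non-numeric, so such requests end in an unhandled exception instead of a client-error response, which is at odds with the "secure" variant this level is meant to demonstrate. The lookup itself is not injectable, since `entityManager.find` takes a typed primary key rather than query text, so the remaining gap is input handling only; the Level 4 comment in the earlier hunk describes input validation, and the same treatment belongs here. As a style point, `@RequestParam Map queryParams` is a raw type and would read better as `Map<String, String>` if the sibling methods (whose signatures are outside the hunk) allow it, and the `else` after a `return` is redundant. The rewrite below guards the parse and returns a 400 for malformed input.
```java
    public ResponseEntity getCarInformationLevel5(
            @RequestParam Map queryParams) {
        int id;
        try {
            id = Integer.parseInt(queryParams.get(Constants.ID));
        } catch (NumberFormatException e) {
            // Missing or non-numeric id is a client error, not a server fault.
            return ResponseEntity.badRequest().body(/* TODO: existing invalid-input response constant */ "");
        }
        // … unchanged: entityManager.find and the present/not-present responses …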