feat: Additional routes with SQLi vulns

leftrightleft · leftrightleft · commit 3782835a6883 · 2021-10-18T21:58:56.000-07:00
diff --git a/go.mod b/go.mod
@@ -2,4 +2,4 @@ module github.com/octodemo/advanced-security-go
 
 go 1.17
 
-require github.com/mattn/go-sqlite3 v1.14.8 // indirect
+require github.com/mattn/go-sqlite3 v1.14.8
diff --git a/main.go b/main.go
@@ -48,20 +48,57 @@ func main() {
 		log.Fatal(err)
 	}
 
-	http.HandleFunc("/books", booksIndex)
+	http.HandleFunc("/books", handler)
 	http.ListenAndServe(":3000", nil)
 }
 
-// booksIndex sends a HTTP response listing all books.
-func booksIndex(w http.ResponseWriter, r *http.Request) {
-	bks, err := models.AllBooks()
-	if err != nil {
-		log.Println(err)
-		http.Error(w, http.StatusText(500), 500)
-		return
-	}
+func handler(w http.ResponseWriter, r *http.Request) {
+	name := r.URL.Query().Get("name")
+	author := r.URL.Query().Get("author")
+	read := r.URL.Query().Get("read")
+
+	if len(name) > 0 {
+		bks, err := models.NameQuery(name)
+		if err != nil {
+			http.Error(w, http.StatusText(500), 500)
+			return
+		}
+
+		for _, bk := range bks {
+			fmt.Fprintf(w, "%s, %s, %s\n", bk.Title, bk.Author, bk.Read)
+		}
+
+	} else if len(author) > 0 {
+		bks, err := models.AuthorQuery(author)
+		if err != nil {
+			http.Error(w, http.StatusText(500), 500)
+			return
+		}
+
+		for _, bk := range bks {
+			fmt.Fprintf(w, "%s, %s, %s\n", bk.Title, bk.Author, bk.Read)
+		}
+
+	} else if len(read) > 0 {
+		bks, err := models.ReadQuery(read)
+		if err != nil {
+			http.Error(w, http.StatusText(500), 500)
+			return
+		}
+
+		for _, bk := range bks {
+			fmt.Fprintf(w, "%s, %s, %s\n", bk.Title, bk.Author, bk.Read)
+		}
+
+	} else {
+		bks, err := models.AllBooks()
+		if err != nil {
+			http.Error(w, http.StatusText(500), 500)
+			return
+		}
 
-	for _, bk := range bks {
-		fmt.Fprintf(w, "%s, %s, %s\n", bk.Title, bk.Author, bk.Read)
+		for _, bk := range bks {
+			fmt.Fprintf(w, "%s, %s, %s\n", bk.Title, bk.Author, bk.Read)
+		}
 	}
 }
diff --git a/models/models.go b/models/models.go
@@ -2,9 +2,9 @@ package models
 
 import (
 	"database/sql"
+	"fmt"
 )
 
-// Create an exported global variable to hold the database connection pool.
 var DB *sql.DB
 
 type Book struct {
@@ -13,28 +13,95 @@ type Book struct {
 	Read   string
 }
 
-// AllBooks returns a slice of all books in the books table.
+// Get all books in the books table.
 func AllBooks() ([]Book, error) {
-	// Note that we are calling Query() on the global variable.
-	rows, err := DB.Query("SELECT * FROM books")
+	query := "SELECT * FROM books"
+	rows, err := DB.Query(query)
 	if err != nil {
 		return nil, err
 	}
 	defer rows.Close()
 
+	bks, err := makeBookSlice(rows)
+	if err != nil {
+		return nil, err
+	}
+
+	return bks, nil
+}
+
+// Query for books by name. This function contains a SQL Injection issue.
+// The user input is not parameterized. Instead of using fmt.Sprintf() to build
+// the query, you should be using a parameterized query.
+func NameQuery(r string) ([]Book, error) {
+	// Fix: rows, err := db.Query("SELECT * FROM books WHERE name = ?", r)
+	rows, err := DB.Query(fmt.Sprintf("SELECT * FROM books WHERE name = '%s'", r))
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	bks, err := makeBookSlice(rows)
+	if err != nil {
+		return nil, err
+	}
+
+	return bks, nil
+}
+
+// Query for books by Author. This function contains a SQL Injection issue.
+// The user input is not parameterized. Instead of using fmt.Sprintf() to build
+// the query, you should be using a parameterized query.
+func AuthorQuery(r string) ([]Book, error) {
+	// Fix: rows, err := db.Query("SELECT * FROM books WHERE author = ?", r)
+	rows, err := DB.Query(fmt.Sprintf("SELECT * FROM books WHERE author = '%s'", r))
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	bks, err := makeBookSlice(rows)
+	if err != nil {
+		return nil, err
+	}
+
+	return bks, nil
+}
+
+// Query for books by read.  This function contains a SQL Injection issue.
+// The user input is not parameterized. Instead of using fmt.Sprintf() to build
+// the query, you should be using a parameterized query.
+func ReadQuery(r string) ([]Book, error) {
+	// Fix: rows, err := db.Query("SELECT * FROM books WHERE read = ?", r)
+	rows, err := DB.Query(fmt.Sprintf("SELECT * FROM books WHERE read = '%s'", r))
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	bks, err := makeBookSlice(rows)
+	if err != nil {
+		return nil, err
+	}
+
+	return bks, nil
+}
+
+// A helper function to cast the query results to a slice
+func makeBookSlice(r *sql.Rows) ([]Book, error) {
 	var bks []Book
 
-	for rows.Next() {
+	for r.Next() {
 		var bk Book
 
-		err := rows.Scan(&bk.Title, &bk.Author, &bk.Read)
+		err := r.Scan(&bk.Title, &bk.Author, &bk.Read)
 		if err != nil {
 			return nil, err
 		}
 
 		bks = append(bks, bk)
 	}
-	if err = rows.Err(); err != nil {
+	if err := r.Err(); err != nil {
 		return nil, err
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -2,4 +2,4 @@ module github.com/octodemo/advanced-security-go`
`2`	`2`
`3`	`3`	`go 1.17`
`4`	`4`
`5`		`-require github.com/mattn/go-sqlite3 v1.14.8 // indirect`
	`5`	`+require github.com/mattn/go-sqlite3 v1.14.8`