Skip to content

DR-112 - New Feature #29

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

DR-112 - New Feature #29

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
ff24541
Add spring-security-core dependency and update save method in SalesDAO
tsviz Mar 22, 2024
4744482
Update CI workflow and CodeQL actions
tsviz Mar 22, 2024
258833f
updated styles.js
tsviz Mar 22, 2024
5d6b789
Update SalesDAO.java
tsviz Nov 14, 2024
d201499
Merge branch 'main' into DR-112
tsviz Nov 14, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 8 additions & 12 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,14 +5,9 @@ on:
# manual trigger
workflow_dispatch:
inputs:
ssh_debug_enabled:
debug_enabled:
type: boolean
description: 'Run the build/test with ssh debugging enabled (https://github.com/marketplace/actions/debugging-with-tmate)'
required: false
default: false
debug_deployment:
type: boolean
description: 'Run the pipeline with debug deployment enabled'
description: 'Run the build with tmate debugging enabled (https://github.com/marketplace/actions/debugging-with-tmate)'
required: false
default: false

Expand Down Expand Up @@ -67,6 +62,7 @@ jobs:
fail-fast: false
matrix:
language: [ 'java', 'javascript' ]

# # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
# # Use only 'java' to analyze code written in Java, Kotlin or both
# # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
Expand All @@ -92,7 +88,7 @@ jobs:
# runnning code scanning with CodeQL. Link to the documentation - https://docs.github.com/en/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning
# first step is to initialize CodeQL
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }} # defining the language for the CodeQL analysis
# debug: true # uncomment this line to enable debugging for CodeQL analysis step
Expand All @@ -107,11 +103,11 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v3
uses: github/codeql-action/autobuild@v2

# performing Code Quality Analysis with CodeQL. Link to the documentation - https://docs.github.com/en/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
uses: github/codeql-action/analyze@v2
with:
category: "/language:${{matrix.language}}" # defining the language for the CodeQL analysis

Expand Down Expand Up @@ -239,7 +235,7 @@ jobs:
id: split-tests
name: Split tests
with:
glob: src/test/**/**/*.java # glob pattern to match the test files
glob: src/test/**/**/**.java # glob pattern to match the test files
split-total: ${{ env.total-runners }} # total number of github-hosted runners
split-index: ${{ matrix.runner-index }} # current runner index
junit-path: test_results/**/*xml # path to the junit test results with wildcards to match all the files
Expand All @@ -260,6 +256,7 @@ jobs:
name: testresults-${{ github.run_id }}-split-${{ matrix.runner-index }} # naming the artifact with the test results
path: ./target/surefire-reports # path to the test results
retention-days: 90 # retention period for the artifact in days. Link to the documentation - https://docs.github.com/en/actions/guides/storing-workflow-data-as-artifacts#about-workflow-artifact-retention


publish-test-results:
needs: [build, unit-parallel-tests]
Expand Down Expand Up @@ -361,5 +358,4 @@ jobs:
with:
# with tag from the build-and-publish-docker-image job in the output_tags step
image_tag: "${{ needs.build-and-publish-docker-image.outputs.image_tag }}"
debug: "${{ github.event.inputs.debug_deployment }}"
secrets: inherit
6 changes: 6 additions & 0 deletions pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -136,6 +136,12 @@
<artifactId>spring-data-commons</artifactId>
</dependency>

<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>5.7.0</version>
</dependency>

</dependencies>

<build>
Expand Down
37 changes: 4 additions & 33 deletions src/main/java/net/codejava/SalesDAO.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,38 +30,9 @@
return listSale;
}

public void save(Sale sale) throws DuplicateKeyException {
try {
System.out.println(sale); // log the Sale object

if (sale == null) {
throw new IllegalArgumentException("Sale object cannot be null");
}

if (jdbcTemplate == null) {
throw new IllegalStateException("JdbcTemplate cannot be null");
}
// Check if a record with the same primary key already exists
int count = jdbcTemplate.queryForObject(
"SELECT COUNT(*) FROM sales WHERE serial_number = ?", Integer.class, sale.getSerialNumber());

if (count > 0) {
// If such a record exists, throw an exception
throw new DuplicateKeyException("A record with the same serial number already exists.");
}

// If no such record exists, insert the new record
SimpleJdbcInsert insertActor =
new SimpleJdbcInsert(jdbcTemplate != null ? jdbcTemplate : new JdbcTemplate());
insertActor.withTableName("sales").usingColumns("serial_number", "item", "quantity", "amount", "date");
BeanPropertySqlParameterSource param = new BeanPropertySqlParameterSource(sale);

insertActor.execute(param);
} catch (DuplicateKeyException e) {
throw e; // rethrow the exception to be handled by the caller
} catch (Exception e) {
e.printStackTrace(); // log any other exceptions
}
public void save(Sale sale) {
Copy link

Copilot AI Nov 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The removal of the null check for the sale object might lead to a NullPointerException. Re-add the null check for the sale object.

Copilot uses AI. Check for mistakes.
String sql = "INSERT INTO SALES (item, quantity, amount) VALUES ('" + sale.getItem() + "', " + sale.getQuantity() + ", " + sale.getAmount() + ")";
Copy link

Copilot AI Nov 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new save method introduces a potential SQL injection vulnerability. Use parameterized queries to prevent SQL injection.

Suggested change
String sql = "INSERT INTO SALES (item, quantity, amount) VALUES ('" + sale.getItem() + "', " + sale.getQuantity() + ", " + sale.getAmount() + ")";
String sql = "INSERT INTO SALES (item, quantity, amount) VALUES (?, ?, ?)";
jdbcTemplate.update(sql, sale.getItem(), sale.getQuantity(), sale.getAmount());

Copilot uses AI. Check for mistakes.
jdbcTemplate.update(sql);

Check failure

Code scanning / CodeQL

Query built from user-controlled sources High

This query depends on a
user-provided value
Loading
.

Copilot Autofix

AI 12 months ago

To fix the problem, we need to replace the string concatenation in the save method with a parameterized query using PreparedStatement. This will ensure that user input is properly escaped and prevent SQL injection attacks.

  • Change the SQL query construction in the save method to use placeholders (?) for the values.
  • Use jdbcTemplate.update with the SQL query and the values from the Sale object as parameters.
Suggested changeset 1
src/main/java/net/codejava/SalesDAO.java

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/main/java/net/codejava/SalesDAO.java b/src/main/java/net/codejava/SalesDAO.java
--- a/src/main/java/net/codejava/SalesDAO.java
+++ b/src/main/java/net/codejava/SalesDAO.java
@@ -32,6 +32,6 @@
 
-	public void save(Sale sale) {
-		String sql = "INSERT INTO SALES (item, quantity, amount) VALUES ('" + sale.getItem() + "', " + sale.getQuantity() + ", " + sale.getAmount() + ")";
-		jdbcTemplate.update(sql);
-	}
+	public void save(Sale sale) {
+		String sql = "INSERT INTO SALES (item, quantity, amount) VALUES (?, ?, ?)";
+		jdbcTemplate.update(sql, sale.getItem(), sale.getQuantity(), sale.getAmount());
+	}
 
EOF
@@ -32,6 +32,6 @@

public void save(Sale sale) {
String sql = "INSERT INTO SALES (item, quantity, amount) VALUES ('" + sale.getItem() + "', " + sale.getQuantity() + ", " + sale.getAmount() + ")";
jdbcTemplate.update(sql);
}
public void save(Sale sale) {
String sql = "INSERT INTO SALES (item, quantity, amount) VALUES (?, ?, ?)";
jdbcTemplate.update(sql, sale.getItem(), sale.getQuantity(), sale.getAmount());
}

Copilot is powered by AI and may make mistakes. Always verify output.
}
Comment on lines +33 to 36
Copy link

Copilot AI Jun 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This concatenated SQL string is vulnerable to SQL injection and omits the serial_number and date columns; switch to a parameterized query using jdbcTemplate.update(String, Object...) or NamedParameterJdbcTemplate.

Suggested change
public void save(Sale sale) {
String sql = "INSERT INTO SALES (item, quantity, amount) VALUES ('" + sale.getItem() + "', " + sale.getQuantity() + ", " + sale.getAmount() + ")";
jdbcTemplate.update(sql);
}
public void save(Sale sale) {
String sql = "INSERT INTO SALES (item, quantity, amount) VALUES (?, ?, ?)";
jdbcTemplate.update(sql, sale.getItem(), sale.getQuantity(), sale.getAmount());
}

Copilot uses AI. Check for mistakes.

public Sale get(String serialNumber) {
Expand Down Expand Up @@ -118,7 +89,7 @@
return new PageImpl<>(sales, pageable, total);
}

// a method to returns a list of all sales in a jdbctemplate query to use as a csv output
// a method to returns a list of all sales in a jdbctemplate query to use as a csv output
public List<Sale> listAll() {
String sql = "SELECT * FROM sales ORDER BY serial_number ASC";
List<Sale> listSale = jdbcTemplate.query(sql, BeanPropertyRowMapper.newInstance(Sale.class));
Expand Down
2 changes: 1 addition & 1 deletion src/main/resources/static/js/styles.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ addStyles();
let themeColors;
if (!window.enableSearchFeature) { // Swapped the condition to check for not enabled
themeColors = {
'--h1-color': '#2196F3',
'--h1-color': window.searchFeatureColor || '#4CAF50',
'--th-bg-color': '#2196F3',
'--a-color': '#2196F3',
'--tr-bg-color': '#c2e0fb',
Expand Down
Loading