org.kawanfw.sql.api.server.firewall.DenySqlInjectionManager Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of aceql-http Show documentation
Show all versions of aceql-http Show documentation
AceQL HTTP is a framework of REST like http APIs that allow to access to remote SQL databases over http from any device that supports http.
AceQL HTTP is provided with four client SDK:
- The AceQL C# Client SDK allows to wrap the HTTP APIs using Microsoft SQL Server like calls in their code, just like they would for a local database.
- The AceQL Java Client SDK allows to wrap the HTTP APIs using JDBC calls in their code, just like they would for a local database.
- The AceQL Python Client SDK allows SQL calls to be encoded with standard unmodified DB-API 2.0 syntax
/*
* Copyright (c)2022 KawanSoft S.A.S. All rights reserved.
*
* Use of this software is governed by the Business Source License included
* in the LICENSE.TXT file in the project's root directory.
*
* Change Date: 2026-11-01
*
* On the date above, in accordance with the Business Source License, use
* of this software will be governed by version 2.0 of the Apache License.
*/
package org.kawanfw.sql.api.server.firewall;
import java.io.IOException;
import java.sql.Connection;
import java.sql.SQLException;
import org.kawanfw.sql.api.server.DatabaseConfigurator;
import org.kawanfw.sql.api.server.SqlEvent;
import org.kawanfw.sql.api.util.firewall.cloudmersive.CloudmersiveApi;
import org.kawanfw.sql.api.util.firewall.cloudmersive.DenySqlInjectionManagerUtil;
import org.kawanfw.sql.servlet.injection.classes.InjectedClassesStore;
import org.kawanfw.sql.servlet.util.logging.LoggerWrapper;
import org.kawanfw.sql.util.Tag;
import org.slf4j.Logger;
/**
* A firewall manager that allows detecting SQL injection attacks, using the
* third-party Cloudmersive API:
* Usage requires getting a Cloudmersive API key through a free or paying
* account creation at www.cloudmersive.com/pricing.
*
* The Cloudmersive parameters (API key, detection level, ...) are stored in the
* {@code cloudmersive.properties} file that is loaded at the AceQL server
* startup.
* The file must be located in the same directory as the
* {@code aceql-server.properties} file used when starting the AceQL server.
*
* Note that SQL injections are detected synchronously, which will slow down the
* SQL calls. The {@code DenySqlInjectionManagerAsync} SQLFirewallManager is
* provided for asynchronous detection.
*
*
* @see DenySqlInjectionManagerAsync
* @author Nicolas de Pomereu
* @since 11.0
*/
public class DenySqlInjectionManager implements SqlFirewallManager {
/** The running instance */
private CloudmersiveApi cloudmersiveApi = null;
private Logger logger;
/**
* Says if Cloudmersive SQL injection
* detector accepts the SQL statement.
*/
@Override
public boolean allowSqlRunAfterAnalysis(SqlEvent sqlEvent, Connection connection) throws IOException, SQLException {
try {
if (logger == null) {
DatabaseConfigurator databaseConfigurator = InjectedClassesStore.get().getDatabaseConfigurators()
.get(sqlEvent.getDatabase());
logger = databaseConfigurator.getLogger();
}
String sql = sqlEvent.getSql();
// If not loaded, load the APIs & connect to Cloudmersive
if (cloudmersiveApi == null) {
cloudmersiveApi = new CloudmersiveApi(DenySqlInjectionManagerUtil.getCloudmersivePropertiesFile());
}
return !cloudmersiveApi.sqlInjectionDetect(sql);
} catch (Exception exception) {
exception.printStackTrace();
try {
LoggerWrapper.log(logger, Tag.PRODUCT + ": " + DenySqlInjectionManager.class.getSimpleName()
+ " Unable to verify SQL injection: ", exception);
} catch (Exception exception2) {
exception2.printStackTrace();
}
return true;
}
}
/**
* @return true
. (Client programs will be allowed to create
* raw Statement
, i.e. call statements without parameters.)
*/
@Override
public boolean allowStatementClass(String username, String database, Connection connection)
throws IOException, SQLException {
return true;
}
/**
* @return true
. (Client programs will be allowed to call
* the Metadata Query API).
*/
@Override
public boolean allowMetadataQuery(String username, String database, Connection connection)
throws IOException, SQLException {
return true;
}
}
© 2015 - 2025 Weber Informatics LLC | Privacy Policy