All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.kawanfw.sql.api.server.firewall.DenySqlInjectionManager Maven / Gradle / Ivy

Go to download

AceQL HTTP is a framework of REST like http APIs that allow to access to remote SQL databases over http from any device that supports http. AceQL HTTP is provided with four client SDK: - The AceQL C# Client SDK allows to wrap the HTTP APIs using Microsoft SQL Server like calls in their code, just like they would for a local database. - The AceQL Java Client SDK allows to wrap the HTTP APIs using JDBC calls in their code, just like they would for a local database. - The AceQL Python Client SDK allows SQL calls to be encoded with standard unmodified DB-API 2.0 syntax

There is a newer version: 12.2
Show newest version
/*
 * Copyright (c)2022 KawanSoft S.A.S. All rights reserved.
 * 
 * Use of this software is governed by the Business Source License included
 * in the LICENSE.TXT file in the project's root directory.
 *
 * Change Date: 2026-11-01
 *
 * On the date above, in accordance with the Business Source License, use
 * of this software will be governed by version 2.0 of the Apache License.
 */
package org.kawanfw.sql.api.server.firewall;

import java.io.IOException;
import java.sql.Connection;
import java.sql.SQLException;

import org.kawanfw.sql.api.server.DatabaseConfigurator;
import org.kawanfw.sql.api.server.SqlEvent;
import org.kawanfw.sql.api.util.firewall.cloudmersive.CloudmersiveApi;
import org.kawanfw.sql.api.util.firewall.cloudmersive.DenySqlInjectionManagerUtil;
import org.kawanfw.sql.servlet.injection.classes.InjectedClassesStore;
import org.kawanfw.sql.servlet.util.logging.LoggerWrapper;
import org.kawanfw.sql.util.Tag;
import org.slf4j.Logger;

/**
 * A firewall manager that allows detecting SQL injection attacks, using the
 * third-party Cloudmersive API: 
* Usage requires getting a Cloudmersive API key through a free or paying * account creation at www.cloudmersive.com/pricing.
*
* The Cloudmersive parameters (API key, detection level, ...) are stored in the * {@code cloudmersive.properties} file that is loaded at the AceQL server * startup.
* The file must be located in the same directory as the * {@code aceql-server.properties} file used when starting the AceQL server.
*
* Note that SQL injections are detected synchronously, which will slow down the * SQL calls. The {@code DenySqlInjectionManagerAsync} SQLFirewallManager is * provided for asynchronous detection. * * * @see DenySqlInjectionManagerAsync * @author Nicolas de Pomereu * @since 11.0 */ public class DenySqlInjectionManager implements SqlFirewallManager { /** The running instance */ private CloudmersiveApi cloudmersiveApi = null; private Logger logger; /** * Says if Cloudmersive SQL injection * detector accepts the SQL statement. */ @Override public boolean allowSqlRunAfterAnalysis(SqlEvent sqlEvent, Connection connection) throws IOException, SQLException { try { if (logger == null) { DatabaseConfigurator databaseConfigurator = InjectedClassesStore.get().getDatabaseConfigurators() .get(sqlEvent.getDatabase()); logger = databaseConfigurator.getLogger(); } String sql = sqlEvent.getSql(); // If not loaded, load the APIs & connect to Cloudmersive if (cloudmersiveApi == null) { cloudmersiveApi = new CloudmersiveApi(DenySqlInjectionManagerUtil.getCloudmersivePropertiesFile()); } return !cloudmersiveApi.sqlInjectionDetect(sql); } catch (Exception exception) { exception.printStackTrace(); try { LoggerWrapper.log(logger, Tag.PRODUCT + ": " + DenySqlInjectionManager.class.getSimpleName() + " Unable to verify SQL injection: ", exception); } catch (Exception exception2) { exception2.printStackTrace(); } return true; } } /** * @return true. (Client programs will be allowed to create * raw Statement, i.e. call statements without parameters.) */ @Override public boolean allowStatementClass(String username, String database, Connection connection) throws IOException, SQLException { return true; } /** * @return true. (Client programs will be allowed to call * the Metadata Query API). */ @Override public boolean allowMetadataQuery(String username, String database, Connection connection) throws IOException, SQLException { return true; } }




© 2015 - 2025 Weber Informatics LLC | Privacy Policy