
AceQL HTTP is a framework of REST-like HTTP APIs that allow access to remote SQL databases over HTTP from any device that supports HTTP.
AceQL HTTP is provided with four client SDK:
- The AceQL C# Client SDK allows developers to wrap the HTTP APIs using Microsoft SQL Server-like calls in their code, just as they would for a local database.
- The AceQL Java Client SDK allows developers to wrap the HTTP APIs using JDBC calls in their code, just as they would for a local database.
- The AceQL Python Client SDK allows SQL calls to be encoded with standard unmodified DB-API 2.0 syntax
/*
* Copyright (c)2022 KawanSoft S.A.S. All rights reserved.
*
* Use of this software is governed by the Business Source License included
* in the LICENSE.TXT file in the project's root directory.
*
* Change Date: 2026-11-01
*
* On the date above, in accordance with the Business Source License, use
* of this software will be governed by version 2.0 of the Apache License.
*/
package org.kawanfw.sql.api.server.firewall;
import java.io.IOException;
import java.sql.Connection;
import java.sql.SQLException;
import org.kawanfw.sql.api.server.DatabaseConfigurator;
import org.kawanfw.sql.api.server.SqlEvent;
import org.kawanfw.sql.api.server.firewall.trigger.SqlFirewallTrigger;
import org.kawanfw.sql.api.util.firewall.cloudmersive.CloudmersiveApi;
import org.kawanfw.sql.api.util.firewall.cloudmersive.DenySqlInjectionManagerUtil;
import org.kawanfw.sql.servlet.injection.classes.InjectedClassesStore;
import org.kawanfw.sql.servlet.util.logging.LoggerWrapper;
import org.kawanfw.sql.util.Tag;
import org.slf4j.Logger;
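/**
 * A firewall manager that detects SQL injection attacks asynchronously, using
 * the third-party Cloudmersive API.
 * Usage requires getting a Cloudmersive API key through a free or paying
 * account creation at www.cloudmersive.com/pricing.
 * <p>
 * The Cloudmersive parameters (API key, detection level, ...) are stored in the
 * {@code cloudmersive.properties} file that is loaded at the AceQL server
 * startup.
 * The file must be located in the same directory as the
 * {@code aceql-server.properties} file used when starting the AceQL server.
 * <p>
 * The SQL injection detection is asynchronous: this means that
 * {@code allowSqlRunAfterAnalysis} will always immediately return {@code true}
 * and that the result of the analysis will trigger later all
 * {@code SqlFirewallTrigger} defined in the {@code aceql-server.properties} file.
 * <p>
 * Consequently this manager never refuses a statement on its own: it is a
 * detection/alerting component, not a gate. This also holds when the analysis
 * cannot even be started (Cloudmersive unreachable, unreadable
 * {@code cloudmersive.properties}, ...): the failure is logged and the
 * statement still runs. Use {@link DenySqlInjectionManager} where a statement
 * must be refused before it is executed.
 * <p>
 * The {@code SqlEvent} describing the statement is handed to the Cloudmersive
 * API, i.e. it leaves the server towards a third-party service; what exactly is
 * transmitted is determined by {@code CloudmersiveApi}.
 * <p>
 * Note that because of the asynchronous behavior, a new {@code Connection} will
 * be extracted from the pool in order to process the
 * {@link SqlFirewallTrigger#runIfStatementRefused(SqlEvent, SqlFirewallManager, Connection)}
 * methods.
 * The {@code Connection} will be cleanly released after all calls.
 *
 * @see DenySqlInjectionManager
 *
 * @author Nicolas de Pomereu
 * @since 11.0
 */
public class DenySqlInjectionManagerAsync implements SqlFirewallManager {

    /**
     * The Cloudmersive client, created on first use from
     * {@code cloudmersive.properties}.
     * NOTE(review): initialised lazily without synchronisation; if one instance
     * of this manager serves several request threads, two clients may be built
     * concurrently — confirm how the server instantiates firewall managers.
     */
    private CloudmersiveApi cloudmersiveApi = null;

    /**
     * Logger taken from the {@link DatabaseConfigurator} of the first database
     * seen by {@link #allowSqlRunAfterAnalysis(SqlEvent, Connection)}; stays
     * {@code null} until that lookup succeeds.
     */
    private Logger logger;

    /**
     * Submits the statement to the Cloudmersive SQL injection detector in the
     * background and returns immediately, without waiting for the verdict.
     * A refusal is reported later through the configured
     * {@code SqlFirewallTrigger}s; this call itself always allows the statement.
     * <p>
     * Fails open by design: any error while resolving the logger, loading the
     * Cloudmersive client or submitting the analysis is logged and the method
     * still returns {@code true}.
     *
     * @param sqlEvent   the SQL event to analyze
     * @param connection the current JDBC connection (not used by this manager)
     * @return always {@code true}
     */
    @Override
    public boolean allowSqlRunAfterAnalysis(SqlEvent sqlEvent, Connection connection)
            throws IOException, SQLException {
        try {
            if (logger == null) {
                // The logger is the one configured for the event's database.
                DatabaseConfigurator databaseConfigurator = InjectedClassesStore.get()
                        .getDatabaseConfigurators().get(sqlEvent.getDatabase());
                logger = databaseConfigurator.getLogger();
            }
            // If not loaded, load the APIs & connect to Cloudmersive
            if (cloudmersiveApi == null) {
                cloudmersiveApi = new CloudmersiveApi(
                        DenySqlInjectionManagerUtil.getCloudmersivePropertiesFile());
            }
            cloudmersiveApi.sqlInjectionDetectAsync(sqlEvent, this);
        } catch (Exception exception) {
            // Detection is best effort: a Cloudmersive or configuration failure
            // must not turn into a refused or failed statement, but it must be
            // visible to operators, because detection is silently off meanwhile.
            logAsyncFailure(exception);
        }
        return true;
    }

    /**
     * Reports a failure to start the asynchronous analysis through the database
     * logger, falling back to stderr only when that logger is unavailable or
     * itself fails — so the original cause is never lost.
     *
     * @param cause the exception that prevented the analysis from starting
     */
    private void logAsyncFailure(Exception cause) {
        String message = Tag.PRODUCT + ": " + DenySqlInjectionManagerAsync.class.getSimpleName()
                + " Unable to verify SQL injection in async mode: ";
        if (logger == null) {
            // The configurator lookup itself failed: stderr is the only channel left.
            cause.printStackTrace();
            return;
        }
        try {
            LoggerWrapper.log(logger, message, cause);
        } catch (Exception loggingFailure) {
            // Keep the logging failure attached to the original cause instead of
            // printing only the secondary exception.
            cause.addSuppressed(loggingFailure);
            cause.printStackTrace();
        }
    }

    /**
     * Client programs are allowed to create raw {@code Statement}s, i.e. call
     * statements without parameters.
     *
     * @param username   the client username (not used)
     * @param database   the database name (not used)
     * @param connection the current JDBC connection (not used)
     * @return always {@code true}
     */
    @Override
    public boolean allowStatementClass(String username, String database, Connection connection)
            throws IOException, SQLException {
        return true;
    }

    /**
     * Client programs are allowed to call the Metadata Query API.
     *
     * @param username   the client username (not used)
     * @param database   the database name (not used)
     * @param connection the current JDBC connection (not used)
     * @return always {@code true}
     */
    @Override
    public boolean allowMetadataQuery(String username, String database, Connection connection)
            throws IOException, SQLException {
        return true;
    }
}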