Merge pull request #229 from AikidoSec/add-hypersql-support

Add support for HyperSQL

Author: bitterpanda63

.github/workflows/end2end.yml

@@ -45,6 +45,7 @@ jobs:
           - { name: JavalinPostgres, test_file: end2end/javalin_postgres.py }
           - { name: JavalinMySQLKotlin, test_file: end2end/javalin_mysql_kotlin.py }
           - { name: SpringBoot2.7Postgres, test_file: end2end/spring_boot_2.7_postgres.py }
+          - { name: SpringBootHyperSQL, test_file: end2end/spring_boot_hypersql.py }
         java-version: [17, 18, 19, 20, 21]
         distribution: ['adopt', 'corretto', 'oracle']
     steps:

agent/src/main/java/dev/aikido/agent/Wrappers.java

@@ -41,6 +41,7 @@ private Wrappers() {}
             new JavalinWrapper(),
             new JavalinDataWrapper(),
             new JavalinContextClearWrapper(),
-            new SQLiteWrapper()
+            new SQLiteWrapper(),
+            new HyperSQLWrapper()
     );
 }

agent/src/main/java/dev/aikido/agent/wrappers/jdbc/HyperSQLWrapper.java

@@ -0,0 +1,27 @@
+package dev.aikido.agent.wrappers.jdbc;
+
+import dev.aikido.agent.wrappers.Wrapper;
+import net.bytebuddy.description.method.MethodDescription;
+import net.bytebuddy.description.type.TypeDescription;
+import net.bytebuddy.matcher.ElementMatcher;
+
+import java.sql.Connection;
+import java.sql.Statement;
+
+import static net.bytebuddy.matcher.ElementMatchers.isSubTypeOf;
+import static net.bytebuddy.matcher.ElementMatchers.nameContains;
+
+public class HyperSQLWrapper implements Wrapper {
+    public String getName() {
+        return JDBCConnectionAdvice.class.getName();
+    }
+    public ElementMatcher<? super MethodDescription> getMatcher() {
+        return JDBCConnectionAdvice.getMatcher("org.hsqldb.jdbc");
+    }
+
+    @Override
+    public ElementMatcher<? super TypeDescription> getTypeMatcher() {
+        return nameContains("org.hsqldb.jdbc")
+                .and(isSubTypeOf(Connection.class).or(isSubTypeOf(Statement.class)));
+    }
+}

agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/sql_injection/Dialect.java

@@ -18,6 +18,11 @@ public Dialect(String dialect) {
         } else if(Objects.equals(dialect, "sqlite")) {
           rustDialectInt = 12;
           humanName = "SQLite";
+        } else if(Objects.equals(dialect, "hsql database engine")) {
+            // HyperSQL dialect doesn't exist yet on our tokenizer, so we use generic dialect,
+            // which is SQL:2016, HyperSQL is closest to this variant.
+          rustDialectInt = 0;
+          humanName = "HyperSQL";
         } else {
             rustDialectInt = 0; // Default option
             humanName = "Generic";

end2end/spring_boot_hypersql.py

@@ -0,0 +1,10 @@
+from utils import App, Request
+
+spring_boot_hsql_app = App(8108)
+
+spring_boot_hsql_app.add_payload("sql",
+    safe_request=Request("/api/pets/create", body={"name": "Bobby"}),
+    unsafe_request=Request("/api/pets/create", body={"name": "Malicious Pet', 'Gru from the Minions') -- "})
+)
+
+spring_boot_hsql_app.test_all_payloads()

sample-apps/README.md

@@ -24,6 +24,7 @@ Here is an overview of all of our sample apps together with their port numbers.
 - [SpringBoot MVC With SQLite](./SpringBootSQLite) on port [`8100`](http://localhost:8100/)
 - [SpringBoot MVC v2.7 With Postgres](./SpringBoot2.7Postgres) on port [`8104`](http://localhost:8104/)
 - [SpringBoot MVC With MongoDB](./SpringBootMongo) on port [`8106`](http://localhost:8106/)
+- [SpringBoot MVC With HyperSQL](./SpringBootPostgres) on port [`8108`](http://localhost:8108/)
 
 #### Webflux Apps
 - [SpringBoot Webflux with Postgres](./SpringWebfluxSampleApp) on port [`8090`](http://localhost:8090/)

sample-apps/SpringBootHyperSQL/.gitignore

@@ -0,0 +1,2 @@
+**output**.log
+dd-java-agent**

sample-apps/SpringBootHyperSQL/Makefile

@@ -0,0 +1,38 @@
+# Define variables
+GRADLEW = ./gradlew
+JAR_FILE = build/libs/demo-0.0.1-SNAPSHOT.jar
+JAVA_AGENT = ../../dist/agent.jar
+
+# Default target
+.PHONY: all
+all: build
+
+# Build the project
+.PHONY: build
+build:
+	@echo "Building the project..."
+	chmod +x $(GRADLEW)
+	$(GRADLEW) build
+
+# Run the application with the Java agent
+.PHONY: run
+run: build
+	@echo "Running SpringBootHyperSQL with Zen & ENV (http://localhost:8108)"
+	AIKIDO_LOG_LEVEL="error" \
+	AIKIDO_TOKEN="token" \
+	AIKIDO_REALTIME_ENDPOINT="http://localhost:5000/realtime" \
+	AIKIDO_ENDPOINT="http://localhost:5000" \
+	AIKIDO_BLOCK=1 \
+	java -javaagent:$(JAVA_AGENT) -jar $(JAR_FILE) --server.port=8108
+
+# Run the application without Zen
+.PHONY: runWithoutZen
+runWithoutZen: build
+	@echo "Running SpringBootHyperSQL without Zen & ENV (http://localhost:8109)"
+	AIKIDO_TOKEN="random-invalid-token" java -jar $(JAR_FILE) --server.port=8109
+
+# Clean the project
+.PHONY: clean
+clean:
+	@echo "Cleaning the project..."
+	$(GRADLEW) clean

sample-apps/SpringBootHyperSQL/README.md

@@ -0,0 +1,2 @@
+# SpringBoot+HyperSQL vulnerable sample app
+- Inserting a malicious dog : `Malicious Pet', 'Gru from the Minions') -- `

sample-apps/SpringBootHyperSQL/build.gradle

@@ -0,0 +1,27 @@
+plugins {
+	id 'java'
+	id 'org.springframework.boot' version '3.3.4'
+	id 'io.spring.dependency-management' version '1.1.6'
+}
+
+java {
+	sourceCompatibility = '17'
+	targetCompatibility = '17'
+}
+
+group = 'com.example'
+version = '0.0.1-SNAPSHOT'
+
+repositories {
+	mavenCentral()
+}
+
+dependencies {
+	implementation files('../../dist/agent_api.jar')
+	implementation 'org.springframework.boot:spring-boot-starter'
+	implementation 'org.springframework.boot:spring-boot-starter-web'
+	implementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
+	compileOnly 'org.projectlombok:lombok'
+    implementation 'org.hsqldb:hsqldb:2.7.2'
+	annotationProcessor 'org.projectlombok:lombok'
+}