Support for auto handling of SQL Injection in Mule closes #146

Co-authored-by: sanagaraj-pivotal <[email protected]>

Author: ashakirin

applications/spring-shell/src/test/java/org/springframework/sbm/BootifySimpleMuleAppIntegrationTest.java

@@ -80,13 +80,6 @@ public static void afterAll() {
         }
     }
 
-    @Test
-    @Tag("integration")
-    @DisabledIfSystemProperty(named= "os.arch", matches = "aarch64", disabledReason = "imbcom/mq image not supported with Apple Silicon")
-    void t1_testWebsphereMqMigration() throws JMSException, InterruptedException {
-        checkWmqIntegration(rabbitMqContainer.getNetwork());
-    }
-
     @Test
     @Tag("integration")
     public void  t0_springIntegrationWorks() throws IOException, TimeoutException, InterruptedException {
@@ -109,10 +102,15 @@ public void  t0_springIntegrationWorks() throws IOException, TimeoutException, I
         checkSendHttpMessage(container.getContainer().getMappedPort(9081));
         checkInboundGatewayHttpMessage(container.getContainer().getMappedPort(9081));
         checkRabbitMqIntegration(ampqChannel);
+        checkDbIntegration(container.getContainer().getMappedPort(9081));
     }
 
-
-
+    @Test
+    @Tag("integration")
+    @DisabledIfSystemProperty(named= "os.arch", matches = "aarch64", disabledReason = "imbcom/mq image not supported with Apple Silicon")
+    void t1_testWebsphereMqMigration() throws JMSException, InterruptedException {
+        checkWmqIntegration(rabbitMqContainer.getNetwork());
+    }
 
     private void checkRabbitMqIntegration(Channel amqpChannel)
             throws IOException, InterruptedException {
@@ -157,6 +155,12 @@ private void checkWmqIntegration(Network rabbitMqNetwork) throws InterruptedExce
         assertThat(latchResult).isTrue();
     }
 
+    private void checkDbIntegration(int port) {
+        ResponseEntity<String> responseEntity = restTemplate.getForEntity("http://localhost:" + port + "/db", String.class);
+        assertThat(responseEntity.getStatusCode()).isEqualTo(HttpStatus.OK);
+        assertThat(responseEntity.getBody()).contains("{\"ID\":1,\"USERNAME\":\"TestUser\",\"PASSWORD\":\"secret\"");
+    }
+
     private void checkInboundGatewayHttpMessage(int port) {
         ResponseEntity<String> responseEntity = restTemplate.getForEntity("http://localhost:" + port + "/helloworld", String.class);
         assertThat(responseEntity.getStatusCode()).isEqualTo(HttpStatus.OK);

applications/spring-shell/src/test/resources/testcode/mule-app/spring-amqp-mule/src/main/resources/db-mule.xml

@@ -0,0 +1,20 @@
+<mule xmlns:db="http://www.mulesoft.org/schema/mule/db"
+      xmlns:http="http://www.mulesoft.org/schema/mule/http"
+      xmlns="http://www.mulesoft.org/schema/mule/core"
+      xmlns:doc="http://www.mulesoft.org/schema/mule/documentation"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="
+http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd
+http://www.mulesoft.org/schema/mule/db http://www.mulesoft.org/schema/mule/db/current/mule-db.xsd
+http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd">
+    <flow name="get:/db:helloword-config">
+        <db:insert config-ref="Oracle_Configuration" doc:name="Database">
+            <db:parameterized-query>
+                <![CDATA[INSERT INTO USERS (username, password) VALUES ('TestUser', 'secret')]]></db:parameterized-query>
+        </db:insert>
+        <db:select config-ref="Oracle_Configuration" doc:name="Database">
+            <db:dynamic-query>
+                <![CDATA[select * from users where username='TestUser' and password='secret']]></db:dynamic-query>
+        </db:select>
+    </flow>
+</mule>

applications/spring-shell/src/test/resources/testcode/mule-app/spring-amqp-mule/src/main/resources/schema.sql

@@ -0,0 +1,7 @@
+DROP TABLE IF EXISTS USERS;
+
+CREATE TABLE USERS (
+                               id INT AUTO_INCREMENT  PRIMARY KEY,
+                               username VARCHAR(250) NOT NULL,
+                               password VARCHAR(250) NOT NULL
+);

components/sbm-recipes-mule-to-boot/src/main/java/org/springframework/sbm/mule/actions/javadsl/translators/db/DBCommons.java

@@ -15,8 +15,78 @@
  */
 package org.springframework.sbm.mule.actions.javadsl.translators.db;
 
+
+import lombok.AllArgsConstructor;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+import org.mulesoft.schema.mule.db.AdvancedDbMessageProcessorType;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import java.util.stream.Collectors;
+
+@Data
+@AllArgsConstructor
+@NoArgsConstructor
+class QueryWithParameters {
+    private String query = "";
+    private List<String> muleExpressions = new ArrayList<>();
+}
+
+@Data
+@AllArgsConstructor
+@NoArgsConstructor
+class QueryFunctionParameter {
+    private String query = "";
+    private String arguments = "";
+}
+
 public class DBCommons {
     public static String escapeDoubleQuotes(String str) {
         return str.replace("\"", "\\\"");
     }
+
+    private static final String regexPattern = "#\\[(.+?)]";
+    private static final Pattern pattern = Pattern.compile(regexPattern);
+
+    public static QueryWithParameters parseQueryParameter(String input) {
+
+        if (input == null) {
+            return new QueryWithParameters();
+        }
+
+        Matcher m = pattern.matcher(input);
+
+        List<String> muleExpressions = new ArrayList<>();
+
+        while (m.find()) {
+            muleExpressions.add(m.group(1));
+        }
+
+        return new QueryWithParameters(input
+                .replaceAll(regexPattern, "?")
+                .replace("'?'", "?")
+                , muleExpressions);
+    }
+
+    public static QueryFunctionParameter extractQueryAndParameters(AdvancedDbMessageProcessorType component) {
+
+        String query = component.getDynamicQuery() == null ? component.getParameterizedQuery()
+                : component.getDynamicQuery();
+        QueryWithParameters queryWithParameters = DBCommons.parseQueryParameter(query);
+        String argumentTemplate = "                                p.getFirst(\"%s\") /* TODO: Translate #[%s] to java expression*/";
+        String arguments = queryWithParameters
+                .getMuleExpressions()
+                .stream()
+                .map(muleExpression -> String.format(argumentTemplate, muleExpression, muleExpression))
+                .collect(Collectors.joining(",\n"));
+
+        if (!arguments.isEmpty()) {
+            arguments = ",\n" + arguments + "\n";
+        }
+
+        return new QueryFunctionParameter(queryWithParameters.getQuery(), arguments);
+    }
 }

components/sbm-recipes-mule-to-boot/src/main/java/org/springframework/sbm/mule/actions/javadsl/translators/db/InsertTranslator.java

@@ -40,21 +40,29 @@ public DslSnippet translate(int id,
                                 MuleConfigurations muleConfigurations,
                                 String flowName,
                                 Map<Class, MuleComponentToSpringIntegrationDslTranslator> translatorsMap) {
+
+        QueryFunctionParameter queryAndParameters = DBCommons.extractQueryAndParameters(component);
+
+        String translation =
+                "                .<LinkedMultiValueMap<String, String>>handle((p, h) -> {\n" +
+                "                      jdbcTemplate.update(\"" + DBCommons.escapeDoubleQuotes(queryAndParameters.getQuery()) + "\"" +
+                        queryAndParameters.getArguments() +
+                        ");\n" +
+                "                      return p;\n" +
+                "                })";
         return DslSnippet.builder()
                 .renderedSnippet(
                         "                 // TODO: payload type might not be always LinkedMultiValueMap please change it to appropriate type \n" +
                                 "                 // TODO: mule expression language is not converted to java, do it manually. example: #[payload] etc \n" +
-                                "                .<LinkedMultiValueMap<String, String>>handle((p, h) -> {\n" +
-                                "                      jdbcTemplate.execute(\"" + DBCommons.escapeDoubleQuotes(component.getParameterizedQuery()) + "\");\n" +
-                                "                      return p;\n" +
-                                "                })")
+                                translation)
                 .requiredImports(Set.of(
                         "org.springframework.util.LinkedMultiValueMap",
                         "org.springframework.jdbc.core.JdbcTemplate"
                 ))
                 .requiredDependencies(Set.of(
                         "org.springframework.boot:spring-boot-starter-jdbc:2.5.5",
-                        "org.springframework.integration:spring-integration-jdbc:5.5.4"
+                        "org.springframework.integration:spring-integration-jdbc:5.5.4",
+                        "com.h2database:h2:2.1.214"
                 ))
                 .beans(Set.of(new Bean("jdbcTemplate", "org.springframework.jdbc.core.JdbcTemplate")))
                 .build();

components/sbm-recipes-mule-to-boot/src/main/java/org/springframework/sbm/mule/actions/javadsl/translators/db/SelectTranslator.java

@@ -23,11 +23,10 @@
 import org.springframework.stereotype.Component;
 
 import javax.xml.namespace.QName;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
-import static org.springframework.sbm.mule.actions.javadsl.translators.db.DBCommons.escapeDoubleQuotes;
-
 @Component
 public class SelectTranslator implements MuleComponentToSpringIntegrationDslTranslator<SelectMessageProcessorType> {
 
@@ -43,18 +42,21 @@ public DslSnippet translate(int id, SelectMessageProcessorType component,
                                 String flowName,
                                 Map<Class, MuleComponentToSpringIntegrationDslTranslator> translatorsMap) {
 
-        String query = component.getDynamicQuery() == null ? component.getParameterizedQuery()
-                : component.getDynamicQuery();
+        QueryFunctionParameter queryAndParameters = DBCommons.extractQueryAndParameters(component);
 
+        String translation = ".<LinkedMultiValueMap<String, String>>handle((p, h) ->\n" +
+                "                        jdbcTemplate.queryForList(\n" +
+                "                                \"" + DBCommons.escapeDoubleQuotes(queryAndParameters.getQuery()) + "\"" +
+                queryAndParameters.getArguments() + "))";
         return DslSnippet.builder()
-                .renderedSnippet(
-                        " // TODO: substitute expression language with appropriate java code \n" +
-                        " // TODO: use appropriate translation for pagination for more information visit: https://bit.ly/3xlqByv \n" +
-                        "                .handle((p, h) -> jdbcTemplate.queryForList(\"" +
-                        escapeDoubleQuotes(query) + "\"))")
+                .renderedSnippet("// TODO: substitute expression language with appropriate java code \n" +
+                        "// TODO: The datatype might not be LinkedMultiValueMap please substitute the right type for payload\n" +
+                        translation
+                )
                 .requiredDependencies(Set.of(
                         "org.springframework.boot:spring-boot-starter-jdbc:2.5.5",
-                        "org.springframework.integration:spring-integration-jdbc:5.5.4"
+                        "org.springframework.integration:spring-integration-jdbc:5.5.4",
+                        "com.h2database:h2:2.1.214"
                 ))
                 .beans(
                         Set.of(

components/sbm-recipes-mule-to-boot/src/test/java/org/springframework/sbm/mule/actions/MuleToJavaDSLChoiceTest.java

@@ -369,7 +369,13 @@ public void otherwiseStatementShouldDoImportsBeansAndDependencies() {
                         "                                        // TODO: payload type might not be always LinkedMultiValueMap please change it to appropriate type \n" +
                         "                                        // TODO: mule expression language is not converted to java, do it manually. example: #[payload] etc \n" +
                         "                                        .<LinkedMultiValueMap<String, String>>handle((p, h) -> {\n" +
-                        "                                            jdbcTemplate.execute(\"INSERT INTO ${ORA_SCHEMA}.CHANGE_REQUEST_DETAILS (CHANGE_REQUEST_ID, CR_ATTRIBUTE_ID, SECONDARY_ATTRIBUTE, OLD_VALUE, NEW_VALUE) VALUES (#[flowVars.changeRequestId], #[payload.crAttributeId], #[payload.secondaryAttribute], #[payload.oldValue], #[payload.newValue])\");\n" +
+                        "                                            jdbcTemplate.update(\"INSERT INTO ${ORA_SCHEMA}.CHANGE_REQUEST_DETAILS (CHANGE_REQUEST_ID, CR_ATTRIBUTE_ID, SECONDARY_ATTRIBUTE, OLD_VALUE, NEW_VALUE) VALUES (?, ?, ?, ?, ?)\",\n" +
+                        "                                                    p.getFirst(\"flowVars.changeRequestId\") /* TODO: Translate #[flowVars.changeRequestId] to java expression*/,\n" +
+                        "                                                    p.getFirst(\"payload.crAttributeId\") /* TODO: Translate #[payload.crAttributeId] to java expression*/,\n" +
+                        "                                                    p.getFirst(\"payload.secondaryAttribute\") /* TODO: Translate #[payload.secondaryAttribute] to java expression*/,\n" +
+                        "                                                    p.getFirst(\"payload.oldValue\") /* TODO: Translate #[payload.oldValue] to java expression*/,\n" +
+                        "                                                    p.getFirst(\"payload.newValue\") /* TODO: Translate #[payload.newValue] to java expression*/\n" +
+                        "                                            );\n" +
                         "                                            return p;\n" +
                         "                                        }))\n" +
                         "                )\n" +

components/sbm-recipes-mule-to-boot/src/test/java/org/springframework/sbm/mule/actions/db/MuleToJavaDSLDBInsertTest.java

@@ -65,7 +65,11 @@ public void dbInsert() {
                         "                // TODO: payload type might not be always LinkedMultiValueMap please change it to appropriate type \n" +
                         "                // TODO: mule expression language is not converted to java, do it manually. example: #[payload] etc \n" +
                         "                .<LinkedMultiValueMap<String, String>>handle((p, h) -> {\n" +
-                        "                    jdbcTemplate.execute(\"INSERT INTO STUDENTS (NAME, AGE, CITY) VALUES (#[payload.name], #[payload.age], #[payload.city])\");\n" +
+                        "                    jdbcTemplate.update(\"INSERT INTO STUDENTS (NAME, AGE, CITY) VALUES (?, ?, ?)\",\n" +
+                        "                            p.getFirst(\"payload.name\") /* TODO: Translate #[payload.name] to java expression*/,\n" +
+                        "                            p.getFirst(\"payload.age\") /* TODO: Translate #[payload.age] to java expression*/,\n" +
+                        "                            p.getFirst(\"payload.city\") /* TODO: Translate #[payload.city] to java expression*/\n" +
+                        "                    );\n" +
                         "                    return p;\n" +
                         "                })\n" +
                         "                .get();\n" +