DR-112 - New Feature #29

tsviz · 2024-03-22T01:34:46Z

This pull request includes changes to the GitHub Actions workflow file .github/workflows/ci.yml, pom.xml, src/main/java/net/codejava/SalesDAO.java, and src/main/resources/static/js/styles.js. The changes mainly involve the renaming and simplification of debugging steps, addition of JavaScript as a language in the CodeQL analysis, downgrading of CodeQL and Autobuild actions, modification of the test splitting glob pattern, removal of the publish-test-results job, and changes in the save method in SalesDAO.java. Additionally, a new dependency was added to pom.xml and the color scheme in styles.js was updated.
CI Workflow modifications:

.github/workflows/ci.yml: Renamed the ssh_debug_enabled input to debug_enabled and updated its description.
.github/workflows/ci.yml: Added 'javascript' to the language matrix.
.github/workflows/ci.yml: Downgraded the version of github/codeql-action/init, github/codeql-action/autobuild, and github/codeql-action/analyze from v3 to v2. [1] [2]
.github/workflows/ci.yml: Updated the if condition in the Setup tmate session step to use the new debug_enabled input.
.github/workflows/ci.yml: Removed the publish-test-results job.
.github/workflows/ci.yml: Removed the debug input from the with section of the deploy-to-aws job.

Addition of a new dependency:

pom.xml: Added a new dependency for spring-security-core.

Changes in the SalesDAO.java file:

src/main/java/net/codejava/SalesDAO.java: Simplified the save method by removing the checks for duplicate keys and null values, and changed the SQL statement.

Changes in the styles.js file:

src/main/resources/static/js/styles.js: Changed the color of headers when the search feature is enabled.

src/main/java/net/codejava/SalesDAO.java

-		}
+	public void save(Sale sale) {
+		String sql = "INSERT INTO SALES (item, quantity, amount) VALUES ('" + sale.getItem() + "', " + sale.getQuantity() + ", " + sale.getAmount() + ")";
+		jdbcTemplate.update(sql);


To fix the problem, we need to replace the string concatenation in the save method with a parameterized query using PreparedStatement. This will ensure that user input is properly escaped and prevent SQL injection attacks.

Change the SQL query construction in the save method to use placeholders (?) for the values.

Use jdbcTemplate.update with the SQL query and the values from the Sale object as parameters.

Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 suggestions.

Files not reviewed (1)

pom.xml: Language not supported

Tip: If you use Visual Studio Code, you can request a review from Copilot before you push from the "Source Control" tab. Learn more

2024-11-14T16:51:47Z

src/main/java/net/codejava/SalesDAO.java

-			e.printStackTrace(); // log any other exceptions
-		}
+	public void save(Sale sale) {
+		String sql = "INSERT INTO SALES (item, quantity, amount) VALUES ('" + sale.getItem() + "', " + sale.getQuantity() + ", " + sale.getAmount() + ")";


The new save method introduces a potential SQL injection vulnerability. Use parameterized queries to prevent SQL injection.

Suggested change

String sql = "INSERT INTO SALES (item, quantity, amount) VALUES ('" + sale.getItem() + "', " + sale.getQuantity() + ", " + sale.getAmount() + ")";

String sql = "INSERT INTO SALES (item, quantity, amount) VALUES (?, ?, ?)";

jdbcTemplate.update(sql, sale.getItem(), sale.getQuantity(), sale.getAmount());

2024-11-14T16:51:48Z

src/main/java/net/codejava/SalesDAO.java

-		} catch (Exception e) {
-			e.printStackTrace(); // log any other exceptions
-		}
+	public void save(Sale sale) {


The removal of the null check for the sale object might lead to a NullPointerException. Re-add the null check for the sale object.

tsviz added 2 commits March 21, 2024 20:30

Add spring-security-core dependency and update save method in SalesDAO

ff24541

Update CI workflow and CodeQL actions

4744482

github-advanced-security bot found potential problems Mar 22, 2024

View reviewed changes

updated styles.js

258833f

tsviz closed this May 13, 2024

tsviz deleted the DR-112 branch May 13, 2024 16:02

tsviz restored the DR-112 branch May 13, 2024 16:06

tsviz reopened this May 13, 2024

tsviz added 2 commits November 14, 2024 09:45

Update SalesDAO.java

5d6b789

Merge branch 'main' into DR-112

d201499

tsviz requested a review from Copilot November 14, 2024 16:50

Copilot AI reviewed Nov 14, 2024

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

DR-112 - New Feature #29

DR-112 - New Feature #29

tsviz commented Mar 22, 2024 •

edited

Loading

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Copilot AI left a comment

Copilot AI Nov 14, 2024

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Copilot AI Nov 14, 2024

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

	String sql = "INSERT INTO SALES (item, quantity, amount) VALUES ('" + sale.getItem() + "', " + sale.getQuantity() + ", " + sale.getAmount() + ")";
	String sql = "INSERT INTO SALES (item, quantity, amount) VALUES (?, ?, ?)";
	jdbcTemplate.update(sql, sale.getItem(), sale.getQuantity(), sale.getAmount());

DR-112 - New Feature #29

Are you sure you want to change the base?

DR-112 - New Feature #29

Conversation

tsviz commented Mar 22, 2024 • edited Loading

Copilot AI left a comment

Choose a reason for hiding this comment

Copilot AI Nov 14, 2024

Choose a reason for hiding this comment

Copilot AI Nov 14, 2024

Choose a reason for hiding this comment

tsviz commented Mar 22, 2024 •

edited

Loading