JDBC SQL statement interceptor

java/jdbc/statement-interceptor/build.gradle

@@ -0,0 +1,23 @@
+/*
+ * Copyright (c) 2024, Oracle and/or its affiliates.
+ *
+ *   This software is dual-licensed to you under the Universal Permissive License
+ *   (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License
+ *   2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose
+ *   either license.
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ *
+ */
+

java/jdbc/statement-interceptor/demo-app/.gitignore

@@ -0,0 +1,37 @@
+HELP.md
+.gradle
+build/
+!gradle/wrapper/gradle-wrapper.jar
+!**/src/main/**/build/
+!**/src/test/**/build/
+
+### STS ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+.sts4-cache
+bin/
+!**/src/main/**/bin/
+!**/src/test/**/bin/
+
+### IntelliJ IDEA ###
+.idea
+*.iws
+*.iml
+*.ipr
+out/
+!**/src/main/**/out/
+!**/src/test/**/out/
+
+### NetBeans ###
+/nbproject/private/
+/nbbuild/
+/dist/
+/nbdist/
+/.nb-gradle/
+
+### VS Code ###
+.vscode/

java/jdbc/statement-interceptor/demo-app/README.md

@@ -0,0 +1,112 @@
+# JDBC interceptor demo application
+
+How to transparently secure database exchanges by filtering out bad or insecure SQL statements
+issued by an application ?
+
+This simple web application fulfill that use case and demonstrates how JDBC trace event listener
+can be used to analyse and may be intercept SQL statements that are sent by an application
+to oracle database server. 
+
+=================================================================================================
+
+![Screenshot of a demo application](assets/img/demoapp.png)
+
+=================================================================================================
+
+In this application we leverage the event listener (aka interceptor) delivered by project
+https://orahub.oci.oraclecorp.com/ora-jdbc-dev/jdbc-interceptor
+That is a simple standalone SpringBoot application that performs search
+on an employee table. This simple table contains 5 employees like
+
+```oracle-sql
+CREATE TABLE employees (
+        id NUMBER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
+        full_name VARCHAR2(60),
+        visible NUMBER(1) DEFAULT 0
+       )
+```
+
+Employees with 'visible' attributes set to 0 must not be seen. This flag will be 
+used to demonstrate how SQL injection can lead to unexpected response.
+See section [Testing the interceptor]()
+
+The SQL statement sent to the server are intercept and analyse according the "security" rules.
+
+## The statement interceptor
+
+This application uses a customized UCP connection pool.
+> see _com.oracle.jdbc.samples.statementinterceptordemo.TracedDataSourceConfig_
+
+
+The pool configuration is taken from
+> src/main/resources/oracle-pooled-ds.properties
+
+Please change it accordingly.
+
+Each connection delivered by this pool will have the Statement
+interceptor trace event listener  attached. 
+
+The interceptor rules are defined in 
+> src/main/resources/statementRules.json
+
+## build 
+
+Be sure that you use gradle 8.5 or above.
+
+We require the following dependency to be available
+
+>dependencies {
+>    implementation 'com.oracle.database.jdbc:JDBCInterceptor:0.1-SNAPSHOT'
+>}
+
+## Running the application
+
+Information for the remote datasource must be correctly set.
+By default, the following environment variables are used
+> DATABASE_USER
+> DATABASE_PASSWORD 
+> DATABASE_URL
+
+You can change this behavior by setting correct values in oracle-pooled-ds.properties file 
+
+You can then start the application by running
+> gradle bootRun
+
+Once the application is started, open a web browser and go to
+http://localhost:8080/
+
+Note: 
+    To change the default port number, change server.port value in the 
+    application.properties file.
+
+### Testing the interceptor
+This application host two datasources, one with an interceptor in place.
+There is a checkbox that allow you to switch from one datasource to another
+
+
+You can issue some search that will be intercepted by the listener
+
+#### SQL injection example
+An example is a search like 
+>_' or 'a'='a_
+
+When the interceptor is not enabled you will see that this search return all 
+employees including the ones that are not supposed to be visible 
+
+![SQL injection not intercepted](assets/img/injection_1.png)
+
+When the interceptor is enabled you will see the security error thrown
+by the interceptor and that the request do not reach the server.
+
+![SQL injection not intercepted](assets/img/injection_2.png)
+
+#### fixed token example
+
+By issuing "BabEmployee" as search criteria you will see how security log record  can be intercepted.
+
+![token sample](assets/img/token_1.png)
+
+### From intelliJ 
+_Run_ > _Run statement-interceptor-demo [bootRun]_ 
+### From command line
+#gradle bootRun

java/jdbc/statement-interceptor/demo-app/build.gradle

@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) 2024, Oracle and/or its affiliates.
+ *
+ *   This software is dual-licensed to you under the Universal Permissive License
+ *   (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License
+ *   2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose
+ *   either license.
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ *
+ */
+
+plugins {
+    id 'org.springframework.boot' version '3.3.2'
+    id 'io.spring.dependency-management' version '1.1.6'
+    id 'java'
+    id 'maven-publish'
+}
+
+
+
+java {
+    toolchain {
+        languageVersion = JavaLanguageVersion.of(17)
+    }
+}
+
+repositories {
+    mavenCentral()
+}
+
+
+
+dependencies {
+    implementation 'org.springframework.boot:spring-boot-starter-web'
+    implementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
+    implementation 'org.springframework.boot:spring-boot-starter-jdbc'
+    implementation 'org.springframework.boot:spring-boot-starter-actuator'
+
+    implementation("org.webjars:jquery:3.7.1")
+    implementation("org.webjars:bootstrap:5.3.3")
+    implementation("org.webjars.npm:htmx.org:2.0.0")
+
+    implementation("org.webjars:webjars-locator:0.52")
+
+    implementation 'com.oracle.database.jdbc:ojdbc11:23.4.0.24.05'
+    implementation 'com.oracle.database.jdbc:ucp11:23.4.0.24.05'
+
+    implementation 'com.oracle.database.security:oraclepki:23.4.0.24.05'
+
+    compileOnly 'org.projectlombok:lombok'
+
+    implementation 'com.google.code.gson:gson:2.11.0'
+
+    developmentOnly 'org.springframework.boot:spring-boot-devtools'
+
+    annotationProcessor 'org.springframework.boot:spring-boot-configuration-processor'
+    annotationProcessor 'org.projectlombok:lombok'
+    testImplementation 'org.springframework.boot:spring-boot-starter-test'
+    testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
+
+    implementation project(':interceptor')
+    //implementation 'com.oracle.database.jdbc:JDBCInterceptor:0.2-SNAPSHOT'
+}
+
+tasks.named('test') {
+    useJUnitPlatform()
+}

java/jdbc/statement-interceptor/demo-app/gradle.properties

@@ -0,0 +1,25 @@
+#
+# Copyright (c) 2024, Oracle and/or its affiliates.
+#
+#   This software is dual-licensed to you under the Universal Permissive License
+#   (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License
+#   2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose
+#   either license.
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+#
+#
+
+group = com.oracle.jdbc.samples
+version = 0.0.1-SNAPSHOT

java/jdbc/statement-interceptor/demo-app/settings.gradle

@@ -0,0 +1,32 @@
+
+/*
+ * Copyright (c) 2024, Oracle and/or its affiliates.
+ *
+ *   This software is dual-licensed to you under the Universal Permissive License
+ *   (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License
+ *   2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose
+ *   either license.
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ *
+ */
+
+pluginManagement {
+    repositories {
+        maven { url 'https://repo.spring.io/snapshot' }
+        gradlePluginPortal()
+    }
+}
+rootProject.name = 'statement-interceptor-demo'
+