MultipartUtil.java

package com.jsql.util;

import com.jsql.model.InjectionModel;
import com.jsql.model.exception.JSqlException;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class MultipartUtil {

    /**
     * Log4j logger sent to view.
     */
    private static final Logger LOGGER = LogManager.getRootLogger();

    private final InjectionModel injectionModel;

    public MultipartUtil(InjectionModel injectionModel) {
        this.injectionModel = injectionModel;
    }

    public boolean testParameters(boolean hasFoundInjection) {

        if (!hasFoundInjection) {
            LOGGER.log(LogLevelUtil.CONSOLE_DEFAULT, "Checking multipart params...");
        } else {
            return true;
        }
        
        String rawHeader = this.injectionModel.getMediatorUtils().getParameterUtil().getRawHeader();
        String rawRequest = this.injectionModel.getMediatorUtils().getParameterUtil().getRawRequest();

        Matcher matcherBoundary = Pattern.compile("boundary=([^;]*)").matcher(rawHeader);

        if (!matcherBoundary.find()) {
            return false;
        }
        
        String boundary = matcherBoundary.group(1);

        Matcher matcherFormDataParameters = Pattern
            .compile("Content-Disposition\\s*:\\s*form-data\\s*;\\s*name\\s*=\"(.*?)\"(.*?)--" + boundary, Pattern.DOTALL)
            .matcher(rawRequest);

        while (matcherFormDataParameters.find()) {
            if (isBoundaryInjectable(rawRequest, boundary, matcherFormDataParameters)) {
                return true;
            }
        }

        return false;
    }

    private boolean isBoundaryInjectable(String rawRequest, String boundary, Matcher matcherFormDataParameters) {

        String nameParameter = matcherFormDataParameters.group(1);
        String valueParameter = matcherFormDataParameters.group(2);

        String rawRequestWithStar = rawRequest.replaceAll(
            "(?i)(Content-Disposition\\s*:\\s*form-data\\s*;\\s*name\\s*=\\s*\"" + nameParameter + "\".*?)([\\\\r\\\\n]*--" + boundary + ")",
            "$1" + InjectionModel.STAR + "$2"
        );

        this.injectionModel.getMediatorUtils().getParameterUtil().initializeRequest(rawRequestWithStar);

        try {
            LOGGER.log(
                LogLevelUtil.CONSOLE_INFORM,
                "Checking Multipart boundary injection for {}={}",
                () -> nameParameter,
                () -> valueParameter.replace(InjectionModel.STAR, StringUtils.EMPTY)
            );

            return this.injectionModel.getMediatorMethod().getRequest().testParameters();

        } catch (JSqlException e) {
            LOGGER.log(
                LogLevelUtil.CONSOLE_ERROR,
                String.format(
                    "No Multipart boundary injection for %s=%s",
                    nameParameter,
                    valueParameter.replace(InjectionModel.STAR, StringUtils.EMPTY)
                )
            );
        }

        return false;
    }
}















Active mutators

CONDITIONALS_BOUNDARY
EMPTY_RETURNS
FALSE_RETURNS
INCREMENTS
INVERT_NEGS
MATH
NEGATE_CONDITIONALS
NULL_RETURNS
PRIMITIVE_RETURNS
TRUE_RETURNS
VOID_METHOD_CALLS

Tests examined

Report generated by PIT 1.16.1

1		package com.jsql.util;
2
3		import com.jsql.model.InjectionModel;
4		import com.jsql.model.exception.JSqlException;
5		import org.apache.commons.lang3.StringUtils;
6		import org.apache.logging.log4j.LogManager;
7		import org.apache.logging.log4j.Logger;
8
9		import java.util.regex.Matcher;
10		import java.util.regex.Pattern;
11
12		public class MultipartUtil {
13
14		/**
15		* Log4j logger sent to view.
16		*/
17		private static final Logger LOGGER = LogManager.getRootLogger();
18
19		private final InjectionModel injectionModel;
20
21		public MultipartUtil(InjectionModel injectionModel) {
22		this.injectionModel = injectionModel;
23		}
24
25		public boolean testParameters(boolean hasFoundInjection) {
26
27	1 1. testParameters : negated conditional → NO_COVERAGE	if (!hasFoundInjection) {
28		LOGGER.log(LogLevelUtil.CONSOLE_DEFAULT, "Checking multipart params...");
29		} else {
30	1 1. testParameters : replaced boolean return with false for com/jsql/util/MultipartUtil::testParameters → NO_COVERAGE	return true;
31		}
32
33		String rawHeader = this.injectionModel.getMediatorUtils().getParameterUtil().getRawHeader();
34		String rawRequest = this.injectionModel.getMediatorUtils().getParameterUtil().getRawRequest();
35
36		Matcher matcherBoundary = Pattern.compile("boundary=([^;]*)").matcher(rawHeader);
37
38	1 1. testParameters : negated conditional → NO_COVERAGE	if (!matcherBoundary.find()) {
39	1 1. testParameters : replaced boolean return with true for com/jsql/util/MultipartUtil::testParameters → NO_COVERAGE	return false;
40		}
41
42		String boundary = matcherBoundary.group(1);
43
44		Matcher matcherFormDataParameters = Pattern
45		.compile("Content-Disposition\\s:\\sform-data\\s;\\sname\\s=\"(.?)\"(.*?)--" + boundary, Pattern.DOTALL)
46		.matcher(rawRequest);
47
48	1 1. testParameters : negated conditional → NO_COVERAGE	while (matcherFormDataParameters.find()) {
49	1 1. testParameters : negated conditional → NO_COVERAGE	if (isBoundaryInjectable(rawRequest, boundary, matcherFormDataParameters)) {
50	1 1. testParameters : replaced boolean return with false for com/jsql/util/MultipartUtil::testParameters → NO_COVERAGE	return true;
51		}
52		}
53
54	1 1. testParameters : replaced boolean return with true for com/jsql/util/MultipartUtil::testParameters → NO_COVERAGE	return false;
55		}
56
57		private boolean isBoundaryInjectable(String rawRequest, String boundary, Matcher matcherFormDataParameters) {
58
59		String nameParameter = matcherFormDataParameters.group(1);
60		String valueParameter = matcherFormDataParameters.group(2);
61
62		String rawRequestWithStar = rawRequest.replaceAll(
63		"(?i)(Content-Disposition\\s:\\sform-data\\s;\\sname\\s=\\s\"" + nameParameter + "\".?)([\\\\r\\\\n]--" + boundary + ")",
64		"$1" + InjectionModel.STAR + "$2"
65		);
66
67	1 1. isBoundaryInjectable : removed call to com/jsql/util/ParameterUtil::initializeRequest → NO_COVERAGE	this.injectionModel.getMediatorUtils().getParameterUtil().initializeRequest(rawRequestWithStar);
68
69		try {
70		LOGGER.log(
71		LogLevelUtil.CONSOLE_INFORM,
72		"Checking Multipart boundary injection for {}={}",
73	1 1. lambda$isBoundaryInjectable$0 : replaced return value with null for com/jsql/util/MultipartUtil::lambda$isBoundaryInjectable$0 → NO_COVERAGE	() -> nameParameter,
74	1 1. lambda$isBoundaryInjectable$1 : replaced return value with null for com/jsql/util/MultipartUtil::lambda$isBoundaryInjectable$1 → NO_COVERAGE	() -> valueParameter.replace(InjectionModel.STAR, StringUtils.EMPTY)
75		);
76
77	2 1. isBoundaryInjectable : replaced boolean return with false for com/jsql/util/MultipartUtil::isBoundaryInjectable → NO_COVERAGE 2. isBoundaryInjectable : replaced boolean return with true for com/jsql/util/MultipartUtil::isBoundaryInjectable → NO_COVERAGE	return this.injectionModel.getMediatorMethod().getRequest().testParameters();
78
79		} catch (JSqlException e) {
80		LOGGER.log(
81		LogLevelUtil.CONSOLE_ERROR,
82		String.format(
83		"No Multipart boundary injection for %s=%s",
84		nameParameter,
85		valueParameter.replace(InjectionModel.STAR, StringUtils.EMPTY)
86		)
87		);
88		}
89
90	1 1. isBoundaryInjectable : replaced boolean return with true for com/jsql/util/MultipartUtil::isBoundaryInjectable → NO_COVERAGE	return false;
91		}
92		}
		Mutations
27		1.1 Location : testParameters Killed by : none negated conditional → NO_COVERAGE
30		1.1 Location : testParameters Killed by : none replaced boolean return with false for com/jsql/util/MultipartUtil::testParameters → NO_COVERAGE
38		1.1 Location : testParameters Killed by : none negated conditional → NO_COVERAGE
39		1.1 Location : testParameters Killed by : none replaced boolean return with true for com/jsql/util/MultipartUtil::testParameters → NO_COVERAGE
48		1.1 Location : testParameters Killed by : none negated conditional → NO_COVERAGE
49		1.1 Location : testParameters Killed by : none negated conditional → NO_COVERAGE
50		1.1 Location : testParameters Killed by : none replaced boolean return with false for com/jsql/util/MultipartUtil::testParameters → NO_COVERAGE
54		1.1 Location : testParameters Killed by : none replaced boolean return with true for com/jsql/util/MultipartUtil::testParameters → NO_COVERAGE
67		1.1 Location : isBoundaryInjectable Killed by : none removed call to com/jsql/util/ParameterUtil::initializeRequest → NO_COVERAGE
73		1.1 Location : lambda$isBoundaryInjectable$0 Killed by : none replaced return value with null for com/jsql/util/MultipartUtil::lambda$isBoundaryInjectable$0 → NO_COVERAGE
74		1.1 Location : lambda$isBoundaryInjectable$1 Killed by : none replaced return value with null for com/jsql/util/MultipartUtil::lambda$isBoundaryInjectable$1 → NO_COVERAGE
77		1.1 Location : isBoundaryInjectable Killed by : none replaced boolean return with false for com/jsql/util/MultipartUtil::isBoundaryInjectable → NO_COVERAGE 2.2 Location : isBoundaryInjectable Killed by : none replaced boolean return with true for com/jsql/util/MultipartUtil::isBoundaryInjectable → NO_COVERAGE
90		1.1 Location : isBoundaryInjectable Killed by : none replaced boolean return with true for com/jsql/util/MultipartUtil::isBoundaryInjectable → NO_COVERAGE

MultipartUtil.java

Mutations

Active mutators

Tests examined