DEV Community: Arpan Bandyopadhyay

Potential path traversal vulnerability when using File class and its solution

Arpan Bandyopadhyay — Mon, 12 Jun 2023 11:53:31 +0000

What is path/directory traversal?

Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files. In some cases, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server.

In Java, a file API can take a filename as the second argument and construct the file path based on the directory specified in the first argument. If the applications place user input into file paths, this could result in a path traversal attack. An attacker might try to manipulate the file path using special characters in the user input.

Here , I have created a small POC to demonstrate the vulnerability.
I have created a text file "pass" inside “C:\Users” and stored 1234 inside it .

Also I have created another text file named "test" inside “C:\Users\arpan.bandyopadhyay\myfiles” and stored “arpan” inside it.

Now assume that our requirement is to develop one java code using which we can access and read the files present inside “C:\Users\arpan.bandyopadhyay\myfiles” . In my case I am reading “test” file .

*Here is my java code . (Non Compliant) *



import java.io.*;
public class Filecano1 {
    public static void main(String[] args) throws IOException {
        File file = new File("C:\\Users\\arpan.bandyopadhyay\\myfiles", "test.txt");

            BufferedReader br
                    = new BufferedReader(new FileReader(file));

            // Declaring a string variable
            String st;
            // Condition holds true till
            // there is character in a string
            while ((st = br.readLine()) != null)

                // Print the string
                System.out.println(st);
        }
    }

If I execute the above code I can see content of the “test” file , which is well and good.

Then, where is the vulnerability ?

File class present inside java.io package is having below constructors :

File(File parent, String child)
Creates a new File instance from a parent abstract pathname and a child pathname string.
File(String pathname)
Creates a new File instance by converting the given pathname string into an abstract pathname.
File(String parent, String child)
Creates a new File instance from a parent pathname string and a child pathname string.
File(URI uri)
Creates a new File instance by converting the given file: URI into an abstract pathname.

Here , I am using File(String parent, String child) constructor ,where first argument of the constructor is the base directory, and second argument is child directory path . In the above example, if the user can influence the value of child directory path , he/she can manipulate the value start with "../". An attacker might also use various non-standard encoding, such as ..%c0%af, ..%252f, or a null byte to bypass the input filter.

Now I will show you How Attacker can access and read files which is not present in the base location using the same above code “C:\Users\arpan.bandyopadhyay\myfiles” but present in the system using the below code.




import java.io.*;
public class Filecano1 {
    public static void main(String[] args) throws IOException {
         File file = new File("C:\\Users\\arpan.bandyopadhyay\\myfiles", "..\\..\\pass.txt");
        System.out.println(file.getCanonicalPath());
            // process file
            BufferedReader br
                    = new BufferedReader(new FileReader(file));

            // Declaring a string variable
            String st;
            // Condition holds true till
            // there is character in a string
            while ((st = br.readLine()) != null)

                // Print the string
                System.out.println(st);
        }
    }

Here we can see though I have specified the different base location/base directory , I am able to see the data which is present inside “C:\Users” , This is vulnerable . Files present inside this location, might include application code and data, credentials for back-end systems, and sensitive operating system files.

Now how to prevent this attack ?

Ensure user inputs are properly sanitized by whitelisting permitted names and/or characters.
Use getCanonicalPath() method of the given file object and validate the file name against a list of valid benign for path names.

The getCanonicalPath() method is a part of Path class. This function returns the Canonical pathname of the given file object. If the pathname of the file object is Canonical, then it simply returns the path of the current file object. The Canonical path is always absolute and unique, the function removes the ‘.’ ‘..’ from the path, if present.

See the below code :



import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;

public class Filecano {

    public static void main(String[] args) throws IOException {
        File file = new File("C:\\Users\\arpan.bandyopadhyay\\myfiles", "..\\..\\pass.txt");

if(file.getCanonicalPath().startsWith("C:\\Users\\arpan.bandyopadhyay\\myfiles")) {
            // process file
            BufferedReader br
                    = new BufferedReader(new FileReader(file));

            // Declaring a string variable
            String st;
            // Condition holds true till
            // there is character in a string
            while ((st = br.readLine()) != null)

                // Print the string
                System.out.println(st);
        }
    }

}

Here I used getCanonicalPath() method of the given file object and validate the file name against Base directory path .

Now here you can see canonical path is printed and as the child path does not start with base directory path , it does not execute the code inside IF block and we cant access and read the content of pass.txt

This is how getCanonicalPath() helps us to prevent directory traversal attack.

Let's connect:
LinkedIn : https://www.linkedin.com/in/arpan-bandyopadhyay-bb5b1a54/

** reference - internet, youtube vlogs.

Is it safe to use java.util.Random to generate random key ?

Arpan Bandyopadhyay — Mon, 05 Jun 2023 18:20:09 +0000

Why Random class is vulnerable? **
_Let me explain using a real-world example: **_
Every service has login mechanism also they have option to reset the password,
but how to do it?
Password reset functionality usually works more or less like below:
• The user provides an email address associated with the account on the website.
• At this point server checks whether such user exists at the data base or not.
• If so - it generates a unique string, which is then saved and sent in an email.
• Then user opens the mail and click on the link which contains the unique key.
• The server verifies if the unique string is present at the database and if everything is correct you can change the password.

*Now how to generate the unique string? *
Probably using Random function that lets us generate unique sequences.
So let us generate unique sequence. The implementation looks like below ,
Each time someone want to reset the password the generateToken() method is called and the result is saved to the database .
So where is the vulnerability ?
The Random **class is a pseudo random number generator, that means based on a small amount of information, called **seed, it generates deterministically consecutive pseudo random number.
The seed can be defined by the user or like in our case set automatically by java. So it is enough to guess what seed was used to be able to generate the next token on our computer.

Here is the sample code to generate the unique key using Random :



import java.util.Random;

public class PasswordGen {
    static  Random random = new Random();
    private static String generateToken(){
        return Integer.toString(random.nextInt());
    }

    public static void main(String[] args) {
        System.out.println(generateToken());
        System.out.println(generateToken());
        System.out.println(generateToken());

    }
}

Now ,To guess the seed, we use the below code :



import java.util.Random;

public class DetermineNextNumber {

    // implemented after https://docs.oracle.com/javase/7/docs/api/java/util/Random.html
    public static int next(long seed) {
        int bits=32;
        long seed2 = (seed * 0x5DEECE66DL + 0xBL) & ((1L << 48) - 1);
        return (int)(seed2 >>> (48 - bits));
    }

    public static void main(String[] args) {
        System.out.println("Starting");
        long i1 = 260136873;
        long i2 = -4253664;
        long seed =0;
        for (int i = 0; i < 65536; i++) {
            seed = i1 *65536 + i;
            if (next(seed) == i2) {
                System.out.println("Seed found: " + seed);
                break;
            }
        }
        Random random = new Random((seed ^ 0x5DEECE66DL) & ((1L << 48) - 1));
        int o1 = random.nextInt();
        int o2 = random.nextInt();
        System.out.println("So we have that nextInt is: "+o1+" and the third one is: "+o2+" with seed: "+seed);

    }
}

It needs two consecutive numbers generated by the given Random class instances._ How to get it ?_

In our password reset functionality it is very simple .

It is enough to ask for reset of the account to which we hold the permits for consecutive two times :

Reset the account password
Reset the account password

and the third time try to reset the admin account.

Reset the admin account password

Next, we will read the first two unique keys from the email that we have access to and using those keys we can get the third (admin password reset key) key

Now I am going to simulate the process by calling generateToken() function 3 times .

Here are the Three unique keys generated by above code :
1272513916
-342388298
-1733595076

Now, I will introduce first two values into DetermineNextNumber class.

Executing the code :

As you can see after few second, I can get potential value of the seeds as well as next pseudo number. In our case it is exactly same as the third key from our first code execution. In fact this is the unique identifier using which attacker can reset the admin account and exploit the application.

Now , what is the solution ?
Using SecureRandom class from java.security package.

Difference between java.util.Random and java.security.SecureRandom

The java.security.SecureRandom is a more secure version of java.util.Random, which provides a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG) in Java.

java.security.SecureRandom is always preferred over java.util.Random for generating sensitive random numbers, such as generating an encryption key in a cryptographic application or session ID on a web server or in password generators to create highly secure passwords.

Here are a few reasons why java.security.SecureRandom should be used in sensitive applications:

java.util.Random implementations use a Linear Congruential Generator (LCG) to produce pseudorandom values, which are highly predictable.

On the other hand, most java.security.SecureRandom implementations use a pseudorandom number generator (PRNG), which uses a deterministic algorithm to produce a pseudorandom sequence from a truly random seed.

java.util.Random uses the system time for the seed. java.security.SecureRandom takes random data from an underlying operating system. In Linux/Solaris, the random numbers are created from the entropy pool by reading from /dev/random and /dev/urandom files.
If two instances of java.util.Random are created with the same seed, and the same sequence of method calls is made for each, they will generate and return identical sequences of numbers. This is not the case with java.security.SecureRandom, which seeds itself from sources of entropy obtained from the operating system, such as timings of I/O events, which are practically undetectable.
The java.util.Random class uses a 48-bit seed, whereas java.security.SecureRandom usually uses a 128-bit or 160-bit seed. Therefore, only 248 attempts are required to break the Random class, which might not even take a second on modern computers. On the other hand, 2128 or 2160 attempts will be required for SecureRandom, which would take years to break even with today’s CPUs computational power.
java.security.SecureRandom produces non-deterministic output as it doesn’t depend upon the system clock for a seed value. So it is impossible to predict previous and future random numbers. java.util.Random, on the other hand, uses the system clock as the seed and can be easily reproduced if the time at which the seed was generated is known.
LCGs are very fast and typically require only 32- or 64-bits to retain state. On the other hand, creating a java.security.SecureRandom instance is quite expensive than creating a java.util.Random instance and is about 30-50 times slower than Random.

Also, the generateSeed() and nextBytes() methods of SecureRandom may get blocked on Linux if not enough entropy is available and as entropy is being gathered in /dev/random file. Here’s what Wikipedia has to say:

The generator keeps an estimate of the total number of bits of noise in the entropy pool. From this entropy pool, random numbers are created. When read, the /dev/random device will only return random bytes within the estimated number of bits of noise in the entropy pool. /dev/random should be suitable for uses that need very high-quality randomness, such as a one-time pad or key generation. When the entropy pool is empty, reads from /dev/random will block until additional environmental noise is gathered.

It is worth noting that java.security.SecureRandom is a subclass of java.util.Random and inherits all nextX() methods from it, where X can be Boolean, Double, Float, Gaussian, Int, and Long.
Initialization of java.util.Random and java.security.SecureRandom:

Random can be initialized as :

Random rand = new Random(System.nanoTime());

SecureRandom can be initialized as:

SecureRandom rand = new SecureRandom(SecureRandom.getSeed(20));

Here, the number 20 denotes 160-bit seed as 20 bytes = 160 bits.

Javadoc itself suggests to use java.security.SecureRandom to get a cryptographically secure pseudorandom number generator in security-sensitive applications.

That’s all about the differences between java.util.Random and java.security.SecureRandom.

Let's connect:
LinkedIn : https://www.linkedin.com/in/arpan-bandyopadhyay-bb5b1a54/

** reference - internet, youtube vlogs.

Memory Leak in Java

Arpan Bandyopadhyay — Tue, 30 Aug 2022 10:30:00 +0000

What is Memory Leak in Java ?

A Java memory leak happens when an application holds object references that are no longer required. These accidental object references prevent the built-in Java garbage collection mechanism from freeing up the memory consumed by these objects , which eventually leads to a fatal OutOfMemoryError.

In short Memory Leak is - Object reference which are no longer required , still present in HEAP memory and Garbage Collector is not able to remove them.

Most common scenarios where Memory Leak happens :

Not properly use of Static Members.
Unclosed resources.
Adding Objects with no hashCode() and equals() into a HashSet.
Excessive session objects.
Poorly writing of custom Data Structure.

Here we will discuss few of the above :

1. Not properly use of Static Members:

Fields that have the static modifier in their declaration are called static fields or class variables. They are associated with the class, rather than with any object. When a variable is declared as static, then a single copy of the variable is created and shared among all objects at the class level. In Java, static fields have a life that usually matches the entire lifetime of the running application .Hence static members are related to Class , So Garbage collector can’t clean the memory space occupied by static members.

Here is one example :

You can see here I have created one static ArrayList member called list and used that variable to store the String at line 10 . At line 19 , I have called Garbage Collector . Here I will demonstrate, though I have called Garbage Collector at line 19, garbage collector will not be able to clean up the Memory space for it . To do this I have added debug point on line 12, line 16, line 18, line 20 .

Lets execute the program :

At Line 18 , Notice how, at the very beginning, all memory is, of course, free. Then, the iteration process runs and finishes – loading everything into the list (naturally this will depend on the machine you’re running the test on). We can see the spike in the Graph (Right side).

At line 20 ,After a full garbage collection cycle is triggered, and the test continues to execute, to allow this cycle time to run and finish. As you can see, the list is not reclaimed and the memory consumption doesn’t go down.

Let’s now see the exact same example, only this time, the ArrayList isn’t referenced by a static variable. Instead, it’s a non-static instance variable that gets created, used and then garbage collected .

At line 20 ,After a full garbage collection cycle is triggered, and the test continues to execute, to allow this cycle time to run and finish. You can see, Notice how the GC is now able to reclaim some of the memory utilized by the JVM. (Right side)

2. Unclosed streams:

Forgetting to close a stream is a very common scenario, and certainly, one that most developers can relate to. The problem was partially removed in Java 7 when the ability to automatically close all types of streams was introduced into the try-with-resource clause.

Let’s see how the memory of the application looks when loading a large file from an URL:

As we can see, the heap usage is gradually increasing over time – which is the direct impact of the memory leak caused by not closing the stream.
Let’s dig a bit deeper into this scenario because it’s not as clear-cut as the rest. Technically, an unclosed stream will result in two types of leaks – a low-level resource leak and memory leak.
The low-level resource leak is simply the leak of an OS-level resource – such as file descriptors, open connections, etc. These resources can also leak, just like memory does.

Of course, the JVM uses memory to keep track of these underlying resources as well, which is why this also results in a memory leak.

Here you can see Used Metaspace while starting execution of the Program.

Here you can see Used Metaspace while ending of execution of the Program.

Here you can see the used heap memory

We always need to remember to close streams manually, or to make a use of the auto-close feature. In this case, the BufferedReader will be automatically closed at the end of the try statement, without the need to close it in an explicit finally block.

Here you can see Used Metaspace while starting of execution of the Program.

Here you can see Used Metaspace after ending of execution of the Program which is lesser than the previous program where we have not closed the stream .

Here you can see the used heap memory , which is lesser than the previous program where we have not closed the stream .

3. Adding Objects with no hashCode() and equals() into a HashSet:
A simple but very common example that can lead to a memory leak is to use a HashSet with objects that are missing their hashCode() or equals() implementations.
Specifically, when we start adding duplicate objects into a Set – this will only ever grow, instead of ignoring duplicates as it should. We also won’t be able to remove these objects, once added.

Here we have created one Class Country without hashCode() & equals() method .

Here we have created one HashSet Object in which we can store Country objects . Now we are storing Multiple duplicate Country objects.

We can see duplicate objects are added into a Set – this will only ever grow, instead of ignoring duplicates as it should.

We can see the heap memory usage here.

Now we overridden equals() & hashCode() methods.

Here we can see no duplicate objects added .

Here we can see very less heap space has been used .

So, here is the short note on how to prevent memory leak in java

Do not create unnecessary objects.
Avoid use String concatenation and use StringBuilder.
Do not store massive amount of data in the Session.
Timeout the Session when no longer used.
Avoid use of static members (if not required) because it lives entire life of the application.
Always close the streams & any resources in the finally blocks.

Let's connect:
LinkedIn : https://www.linkedin.com/in/arpan-bandyopadhyay-bb5b1a54/

** reference - internet, youtube vlogs.

Data and Graphql..

Arpan Bandyopadhyay — Tue, 07 Jun 2022 07:35:57 +0000

Now a days all of our application is storing data for different purpose (it can be operational purpose , it can be analytics purpose) and data is evolving day by day and companies are growing by analyzing those data .

The Evolution Of Data Platforms:

It is important to understand the evolution of data platform within the enterprise.

First Generation data platform – Data Warehouse
Second Generation data platform – Data lakes
Third Generation data platform – Batch and Streams

Let’s quickly understand what these three types of data generation platforms means :

1. Data Warehouse : It’s a centralized location where all data of enterprise company is stored. But before storing data into the Data warehouse we need to define the business requirement i.e. why we are going to store this data in to Data warehouse .

Here we need to extract data from different source system as per business need and using ETL pipeline we store all these data into Data Warehouse and now different consumers are now started consuming data from warehouse and perform their activities .

** An ETL pipeline is the set of processes used to move data from a source or multiple sources into a database such as a data warehouse.

Data warehouse is very successful, but it has some drawbacks :

• It can store only structured data
• It is very costly because lot of ETL pipeline need to be applied
• Technical expertise required
• We need to define business requirement first then set up Data warehouse and load data into it.
• As it is centralized the Data Platform team needs to have broad experience regarding the all domains and supports Consumers in term of domains Which is a bottleneck .
• Access control is implemented centrally.

2.Data lake :

Now a days with growing technology advancement , data volume is also increasing. Now every small system, application is generating data .It can be structured data , semi- structured data and unstructured data .Also every business/company wants all of these data as for them only operation data is not enough to grow . They want data to perform analysis so that they can grow and understand customer requirement in better way . Now we cant do all of these using Data warehouse as it supports only structured data and before storing data to Data Warehouse we need to define business requirement first .

Now Data lake tells : Load first , analysis later . means we will load all the data (structured, semi- structured and unstructured ) to a centralized space then we will analyze the data how to use it .

Now let’s think about a lake. There can be different source of water for a lake . It can be rainwater , It can be sea water , It can be River water etc etc.

Same way from different source system data can be stored in Data lake in raw format. Hence data lake acts as a central reservoir which stores all kind of data (it can be structured, semi- structured and unstructured, images , videos etc) without pre-analysis of data . Like lake water can be used for drinking purpose after purifying it , it can be used in industry and many other purpose , Once data is in data lake we can use in for multiple purpose as per business need.

But there are few drawbacks of data lake :

• We should be very careful while storing data to data lakes otherwise it will soon become data swamps
• It does not support ACID properties
• Very specialized skill set required to build and maintain data lake
• As it is centralized the Data Platform team needs to have broad experience regarding the all domains and supports Consumers in term of domains Which is a bottleneck .
• Access control is implemented centrally.

3.Batch & Streaming :

Data from multiple source systems(it can be structured, semi- structured and unstructured, images , videos etc) will be stored in to one centralized storage and then served those data to different consumers.

There are few disadvantages here:

• Huge time and effort needed to integrate new data source.
• Huge effort in specialized skill set to manage.
• As it is centralized the Data Platform team needs to have broad experience regarding the all domains and supports Consumers in term of domains Which is a bottleneck .
• Access control is implemented centrally.

Now to resolve all of these issues one new architecture came into the picture called Data Mesh .

What is Data mesh :

Data Mesh tells instead of flowing data from different domains and putting all these together into a centralized storage , we will divide in different domain .

Earlier it was centralized, and it has single ownership and control.

Now we have segregated data into different data domains and it’s not centralized . Access control is maintained by different data domain separately not in centralized way .

Below are the key characteristics of the Data Mesh architecture:

• Data Mesh is decentralized, so each domain has its own resources and implementation, they don’t influence each other.
• The Data Platform team doesn’t need to have broad experience regarding the domains but should be skilled in Software Development and Data Engineering (act also as support for the domain in terms of technical knowledge).
• Ownership is clear, Domain Teams are responsible to provide reliable data from the sources to consumers, with Platform Teams supporting the integration.

The idea of Data Mesh isn’t much different from a lot of current “Software as a Service” applications. It offers a service, like let’s say an online banking system. It helps to gather customers, online transactions, offer the different products, sell them .It’s done by the experts in all these domains, so other experts can focus on their products – improving them, adjust the offer to their customers’ needs.

Now a days we can see underlying database technologies , logics ,pipeline are evolving rapidly . They are also fragmenting continuously . we need a way so that our customers/analytics can access data easily because if we generate data and don’t use them it’s useless for business . Here we need one separate API layer which integrates Presentation layer with data layer .

But before developing API layer we need to keep below points in our mind :

• API should be flexible that keeps up with data evolution .
• It should be secured.
• It should assure good performance.

GraphQL can help us on above aspects .

Now question is “Can GraphQL ships data faster to consumers?”

Ans is : Yes .

It is not like that we can’t achieve this with other technologies . There are no such technical constraints .

Here are some key benefits of GraphQL :

(Source: hasura.io/enterprisegraphql/build-a-graphql-powered-data-mesh-for-your-polyglot-data/)

What should be our API building strategy ?

Domain Models : Which creates direct or indirect mapping with underlying data models
We should query our required data based on business need .
API should support streaming data.
API should be secured :

Row level security
Column level security

API documentation should be generated automatically without an extra effort .

All of the above we can achieve using GraphQL .

• We can make use of Data virtualization tool like “Denodo” (which exposes its own GraphQL endpoint) to generate domain models with the help of meta data from underlying data models automatically .
• We can query data based on business need in GraphQL. We can ask only our required part of data not the whole data . It reduces network load.
• In GraphQL there is an operation called Subscription which helps to keep up with revolving the data.
• We can apply Row level and Column level security in GraphQL .
• API documentation can be generated automatically in GraphQL.
• We can apply aggregation of data in GraphQL easily which helps analytics to analyze data.
• All data/domain models from different source system are documented into one single document in GraphQL so that they are discoverable easily .
• Also consumer can fetch data easily based on their role from different domains using one single API call using GraphQL. No need to call multiple API calls to retrieve data from multiple data domains.

Thus GraphQL acts as an Unified API is an abstraction layer that easily handles communication with backend data models / data domains from different/ same data storage and supports Data Mesh architecture.

Let's connect:
LinkedIn : https://www.linkedin.com/in/arpan-bandyopadhyay-bb5b1a54/

** Image reference - internet

Denodo Platform-"Develop Rest & GraphQL service using no-code/low-code approach with me 😀😀"

Arpan Bandyopadhyay — Wed, 12 Jan 2022 11:57:31 +0000

What Is Denodo?
The Denodo Platform is a data virtualization system that allows applications to use data from multiple, heterogeneous data sources.

If you have multiple resource from where you are retrieving enterprise data , Denodo as a data virtualization tool offers you single point of access to your enterprise data without moving it to a centralized repository .

If any data change happens in any of the data-source , changes will be synced automatically in denodo. No need to manually add the changes.

• If any column data is modified then nothing is required from our side.
• If any new column is added or any column is deleted we need to click on Source Refresh link on Edit section of Json Base View . That’s it.

You can install denodo by referring official site (Full instruction present here) :

https://community.denodo.com/docs/

We can call denodo platform as No-Code/Low-Code Platform :

Denodo platform allows developers to create Services (REST/SOAP/GRAPHQL ETC..) through graphical user interfaces and configuration instead of writing traditional code.

Here are the benefits :

Improved agility. Operating at digital speed means creating the app capabilities users require to function smoothly across multiple devices.
Decreased costs.
Higher productivity.
Better customer experience.
Effective risk management and governance.
Change easily.
Faster transformation.

There are many modules in Denodo . One of those are “Virtual DataPort” .

Virtual DataPort :
The main module of the Denodo Platform. This is the module where developers create “virtual views” that integrate data from multiple sources: databases, SAP BW servers, XML files, JSON files, CSV files, etc.
Virtual DataPort provides several ways to query these virtual views:

• A JDBC and an ODBC driver
• By publishing SOAP and REST web services
• By using GraphQL queries

Use Denodo by installing it to local system :

Note : We need to start Virtual DataPort server before launching Virtual DataPort Administration Tool .

After starting Virtual dataPort server , we need to click on Launch button to launch Virtual DataPort Administration Tool. Here is how Virtual DataPort Administration Tool looks like:

Denodo has many features , It supports not only SOAP service ,but also Rest API and GraphQL. It can connect & integrate with different data-source.

Steps to use different Denodo services:

1.Connect External Database with Denodo JDBC.

Using Denodo we can connect with any Database using JDBC then query data from those databases .

Step1: Create JDBC data source and provide all the data resource information click save (Highlighted).

In my case I am going to connect with Postgres DB

Step2: Need To create JDBC Base View by selecting the Table and save.(Highlighted)

Step3: Once Base view is created we can query data from the view to get the data.(Highlighted)

Now we are connected with Data-source.

2.How Denodo supports Rest service by exposing its own rest endpoint.

Denodo exposes its own Rest endpoint.

In my case I want to use Rest service which can connect to my data source which I have integrated with Denodo and return the result in JSON format .

Step1 : Create JSON data source and fill following details , Select Data route as HTTP Client and click on configure

Step2: Complete the configuration part. In URL section we need to enter Denodo rest URL(using mentioned format beow) and save it.

Examples of how to invoke the RESTful Web service

o http://localhost:9090/denodo-restfulws/admin returns the list of views of the database admin.

o http://localhost:9090/denodo-restfulws/admin/views/customer returns the content of the view customer of the database admin.

o http://localhost:9090/denodo-restfulws/admin/views/customer/1/orders browses through the mapping orders of the row of the table customer whose primary key is 1.

Format :
• http://host:port/denodo-restfulws//views/?$format=json // (For JSON response)
• http://host:port/denodo-restfulws//views/?$format=xml // (For XML response)

Step3: Create Base view by clicking on Create base view

After creating base view you can execute query from that view to cross check data is coming or not.

We can execute it from here also. But we are going to deploy this to use it from browser .

Step4: Click on deploy.

Step5: Copy the URL from Web Service container and enter that URL in browser by concatenating with “?$format=json or ?$format=xml” . you will get the result.

3.Denodo supports External Rest service (masks external rest service).

We can use denodo to mask an external Rest API also and access it using Denodo exposed Rest endpoint .

4.How Denodo supports GraphQL.

Denodo supports GraphQL service .

Denodo GraphQL Service
GraphQL is a data query language, and a runtime for executing those queries against your data.
• It gives clients the power to ask for exactly what they need.
• It gets many resources in a single request, reducing the number of API requests.
Denodo GraphQL Service enables the execution of GraphQL queries against the Denodo virtual data model, allowing graphQL-like queries on top of any data source.
This service is always available once you start Virtual DataPort.
Denodo GraphQL Service follows a bottom-up approach where the API specifications are automatically generated from the metadata of the Denodo views and stored procedures.
The GraphQL Service creates a query type for each view and stored procedure of a Denodo database. The view fields appear as children of the view object, and the same occurs for the parameters, in the case of stored procedure objects. Associations in Denodo are mapped to nested relationships between the different objects, so the GraphQL queries will fetch related objects and their fields in one request.

Features
The Denodo GraphQL Service provides:
• Read-only access to Denodo databases
• Pagination
• Filtering
• Sorting
• Group by and aggregation functions
• HTTP Authentication
o Basic
o SPNEGO (Kerberos)
o OAuth 2.0

Denodo exposes its GraphQL endpoint like :

http://localhost:9090/denodo-graphql-service/graphql/

In my case Database name is “Admin”. All the Tables, Views present under this Database will be accessible by the Denodo-exposed GraphQL endpoint .

Here no need to configure any other thing.

Open Altair and hit the GraphQL endpoint (using above format) and see the schema documentation . We can see documentation is already generated . And we can run GraphQL query with filters also. Filters will be based on each field.

Denodo will be generated all type of filters.

Here are few sample query to show how to apply filters:

query{
member(_filter: {
or:[
{expression: {field :"umi",eq:"4085624876909"}},
{expression: {field :"umi",eq:"4085624876980"}}
]
})
{
umi
firstname
}
}

query{
member(_orderBy :
[{asc:"firstname"},{desc:"umi"}]
)
{
umi
firstname
}
}

Here one sample query is executed in Altair tool using GraphQL endpoint exposed by Denodo.

Till now We have discussed how to use Denodo by installing it to our own machine . Now we will discuss how to use denodo which is deployed in Google Cloud Platform.

Deploy Denodo instance in GCP :

Here are the steps :

1.Open GCP console and go to marketplace.
2.Search for “Denodo Standard 8.0 VDP on Linux”
3.Fill all the required details based on requirement and create instance .
4.It will take some time to deploy.
5.After successfully deployment you can see the username,password and external public IP address of the instance

It looks like this after creating and deployment of the instance .

6.Now open browser and enter URL :
format - :9090/denodo-design-studio/#/
In my case its : http://35.201.128.114:9090/denodo-design-studio/#/
Enter username password and connect .

7.Now you will see the Denodo Design Studio dashboard. Which looks like this . And now you are all set up.

8.After completing all of the above set up I need to connect to the source system using JDBC(Steps already mentioned above) and created JSON base view .

In my case I have created one postgres SQL instance in GCP and used that as my source system.

Post that I have executed GraphQL query by entering GraphQL endpoint using externally exposed IP and I am able to see the result.

Here is one sample GraphQL endpoint.
http://35.201.128.114:9090/denodo-graphql-service/graphql/admin

username & password you will get post deployment of denodo instance . Using that username & password
add header .

First encode that username & password using Base64 format

Add header : Key : Authorization, value : Basic

Important Note : While connecting with Postgres DB from Denodo instance which is deployed in GCP you might get Connection refused error. To solve this you need to whitelist the external IP address of denodo instance in Postgres in GCP.

Conclusion: You have seen I have not used any single line or code . I have just configured few things and connected to data-source. Only with that I am able to develop Rest / GraphQL service. It will help for rapid development and we can concentrate more on business.

Reference Taken : https://community.denodo.com/docs/

Let's connect:
LinkedIn : https://www.linkedin.com/in/arpan-bandyopadhyay-bb5b1a54/

Is GraphQL better option than Rest ?

Arpan Bandyopadhyay — Mon, 27 Dec 2021 12:33:59 +0000

GraphQL is great if you want to work in a declarative approach because it enables you to select only the information you need. You need to choose it by depending on your use case for your project. For some user case Rest is a great fit , also for some use case you can see GraphQL will play well .

Here I am discussing when you need to choose what in terms of use case one by one :

If you are planning to use GraphQL, in below situations, you should use it without thinking twice :

DEVELOPING MOBILE APPS
It would be best to use GraphQL when you are designing UI/UX rich applications for smartphones, smartwatches and IoT devices. GraphQL can help in loading content that the user actually needs and preserving the user experience under slow network speeds.

WHEN YOU HAVE TO HANDLE COMPLEX SCHEMA
GraphQL can assist in managing the complex schemas. If your application is based on numerous schemas that use multiple nested models and associations, you should go with GraphQL. REST is very weak in this section if you are likely to come in contact with complex queries. Being a query language, GraphQL can access the nested objects easily with a single API request and return structured data correctly tagged along with JSON.

As an example:

Assume I have two database tables:

*Employee *- Having follwing columns - name, id (PK), email, mobile ,city , deptid(FK references deptid of Department table)
*Department *- Having follwing columns - deptname, deptid(PK)

Now

"I want to fetch Employee name associated with HR department"

If I use Rest then I have to write Join query . But in case of GraphQL I can directly query the employee name like below with one single endpoint

query{
  searchDeptByName(deptName:"HR"){
    employee{
      employeeName****
    }
  }
}

and I will get Response like below :

{
  "data": {
    "searchDeptByName": {
      "employee": [
        {
          "employeeName": "Arya"
        },
        {
          "employeeName": "Tushar"
        },
        {
          "employeeName": "Rekha"
        },
        {
          "employeeName": "Roshan"
        }
      ]
    }
  }
}

This way GraphQL simplifies managing complex schema (Though above is not too complex but in real time we can have more complex schema)

WHEN YOU WANT TO TO HIDE BACKEND COMPLEXITIES
GraphQL has two prominent features that make it a perfect situation for microservice orchestration.
• The first feature lets you abstract your RESTful API and create a unified and fully optimized public API for your microservices. The benefit of this feature is that you can handle future versions of your API smoothly.
• The second feature deals with the situation when you are creating a single GraphQL schema by stitching schemas together from multiple underlying GraphQL APIs.
These both features help in hiding code complexities from the clients.

BETTER DEVELOPING EXPERIENCE
The best scenario to use GraphQL is when you want to provide a better experience to your developers. With the descriptive language to handle complex queries, the capability to simplify the loading of state management and facility to manipulate types instead of tweaking with JSON data.

WHEN YOUR APPLICATION RECEIVE DATA FROM MULTIPLE RESOURCES
GraphQL exposes a single endpoint that allows you to access multiple resources. Also, resources are not exposed according to the views that you have inside your app. So if your UI changes — i.e., requires either more or less data — it doesn’t have an impact or require changes on the server.

Now you should drop your idea to use GraphQL in the following situations.

WHEN YOU ALREADY HAVE REST
GraphQL is an effective alternative to REST, so if you are acquainted with REST, why to settle for replacement? The primary feature of GraphQL is to send a query specified with the exact information that you need. But, this can be easily achieved using REST – from passing the name of the field to utilizing it in the URL. On top, there are a lot of JSON libraries available that can help you in implementing and supporting this specification.

WHEN YOU WANT TO USE WEB CACHE
Implementing a web cache at the database level or the client level with in-memory cache implementation can be an easy task. A cache implementation at the HTTP level with a reverse proxy server that stores the content of a request – can reduce the amount of traffic that reaches a server. Since a REST offers numerous endpoints, which facilitates to configure web-cache to a URL easily.

WHEN PERFORMANCE IS YOUR PRIORITY
GraphQL gives the power to execute queries to get the exact results. But, if a client sends a query for numerous fields and resources, you might face a performance issue. For complex queries, GraphQL must be designed very carefully, and you can’t just put it over the REST API or database. You have to define each endpoint and tune queries to retrieve specific data. All this designing and defining can affect the performance of the API.

As an example :

“Give me the information about the users that posted a review for all the books of this author”

author(id: '1234') {
  id
  name
  books {
    id
    title
    reviews {
      text
      date
      user {
        id
        name
      }
    }
  }
}

You can simply let your users run any query they want. A GraphQL API must be carefully designed; it’s not just about putting it on top of a REST API or a database.

For complex queries, a REST API might be easier to design because you can establish multiple endpoints for specific needs, and for each, you can fine-tune specific queries to retrieve the data in an efficient way.

This might be a bit controversial because multiple network calls can also take a lot of time. But if you’re not careful, a few big queries can bring your server down. In that sense, GraphQL’s greatest strength can also be its greatest weakness.

REST is better for error handling and tooling
Error handling in REST is easier when compared to GraphQL. RESTful APIs follow the HTTP spec with regards to resources
and returns various HTTP statues for various API request states. GraphQL, on the other hand, returns the 200 Ok status for every API request, including for errors. This makes it difficult to manage errors and makes it hard to integrate with monitoring tools.

Now coming back to security.
Is GraphQL less secured than Rest?

No not at all!!
GraphQL is a very powerful query language that does a great many things right. When implemented properly, GraphQL offers an extremely elegant methodology for data retrieval, more backend stability, and increased query efficiency.

The key here though is that simple phrase — when implemented properly.

There are many ways to secure GraphQL query:

1. Authentication
Authentication is determining whether a given user is logged in and subsequently remembering who they are. Authentication can provide context to a session and personalize the type of data that a user sees.

2. Authorization
Authorization is then determining what a given user has permission to do or see. In GraphQL, we’d use this to manage access to particular queries and mutations based on identity, role, or permissions.

To implement authentication & authorization we can make use of Spring security with Oauth2/JWT . There are many other tools which can be used. If we deploy our application to Google Cloud we can make use of Apigee as an API gateway to perform authentication , authorization .

3. Limit query depth
GraphQL gives clients the ability to ask for data in a variety of different ways. Because of the various entry-points ava

ilable to request data, it’s possible to write exceptionally large nested queries like the following.

query{
  searchDeptByName(deptName:"HR"){
    employee{
      employeeName
      department{
        deptName
        employee{
          employeeName
          department{
            deptName
            employee{
              employeeName
              # and so on
            }
          }
        }
      }
    }
  }
}

Queries like this are dangerous because they’re expensive to compute. They could crash our API and take up all available resources.

We can specify the max depth across your queries to mitigate this problem by added below propertiy in Spring application.properties

graphql.servlet.maxQueryDepth= 3 # Here 3 is max Query depth

Now If we execute the above query we will get error:

{
  "errors": [
    {
      "message": "maximum query depth exceeded 7 > 3",
      "extensions": {
        "classification": "ExecutionAborted"
      }
    }
  ]
}

3. Paginate list fields where appropriate

Query depth isn’t the only thing to worry about. We should also be conscious of how query amount could affect the performance of our API.

In the following example, if there were 10 Department, each with 100 Employees, this query would attempt to return 100,000 nodes.

query{
  searchAllDepartments( {
      deptName
      employee{
        employeeName
        city
        country
        deptId
        dob
        email
        employeeId
      }
    }
}

To solve this we can make use of Pagination . With Spring boot its very easy . Just we need to extend PagingAndSortingRepository interface from our Repository and use the implement the methods
in Service class

4. Improve validation and sanitization
Validation and sanitization are standard web application security practices. When you accept data from a user, you should always validate and filter that user-provided data because it could be malicious.

5. Use timeouts
When we request data from downstream services or data sources, there are various reasons why it may take a long time to respond. The services may be down, queries may be expensive, or something else might be going on. Regardless of the reason, we don’t want our GraphQL API to hang for too long, waiting for a response.

To prevent this, we need to use timeouts to keep from slow or unresponsive services impacting performance for subsequent
queries.

We can make use of below property to set timeout from Spring application.properties.

spring.jpa.properties.javax.persistence.query.timeout=60000 #The value is the timeout period in milliseconds

6. Mask errors

When server or downstream service errors occur, it’s a good idea to mask/hide the exact specifics of what went wrong from the client. Rather we should display custom exception message

Informing the client about error details in the server exposes the current server vulnerabilities and opens the door for more concentrated attacks.

Is GraphQL application stable as Rest?

Apps using GraphQL are fast and stable because they control the data they get, not the server.

Summary:

Conclusion:

GraphQL is an excellent alternative for REST, but not in all situations. Thus, evaluate your application and features that you want to incorporate in it before using the GraphQL. When GraphQL is used in the right scenario, the results can be great!

Log4j vulnerability

Arpan Bandyopadhyay — Sun, 19 Dec 2021 19:49:35 +0000

What is Log4j?

log4j is a logging framework written in Java which is distributed under the Apache Software License.

Log4j2 is an updated version of Log4j.

Description of the vulnerability:
Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

The usage of the nasty vulnerability in the Java logging library Apache Log4j that allowed unauthenticated remote code execution.

What is RCE?
It stands for Remote code execution. It allows hacker to run any code in your application by hacking your application which is using log4j. This vulnerability nicknamed as Log4Shell.

What is Log4Shell vulnerability?
Log4Shell is a software vulnerability in Apache Log4j 2, a popular Java library for logging error messages in applications. The vulnerability, published as CVE-2021-44228, enables a remote attacker to take control of a device on the internet, if the device is running certain versions of Log4j 2.

There are multiple things that have happened all together resulted in this vulnerability

Log4j log expression: Log4j allows you to log expression.

Here is the example :



private static final Logger logger = LogManager.getLogger(TestController.class);
logger.error("error message: {}",exception.getMessage());

Here first we are getting Logger object then in 2nd line , exception message from exception.getMessage() will be plugged in to “error message” inside {}- curly braces .

JNDI: It stands for Java Naming Directory Interface. JNDI allows you to store your java objects in a remote location and streaming them to your JVM.

Here is one example:

This is an sample LDAP URL :

ldap://192.168.3.2:8034/user=Arpan,city=bangalore,country=india
I can invoke this URL I will get serialized profile of Arpan from active directory.

This is not Log4j . This is Java feature.

JNDI Look up in log message: In 2013 JNDI lookup was introduced in log4j.

The JNDI look up allows variables to be retrieved via JNDI.

Good use case is centralized log configuration.

Here Log4j is going to look up the Value (Getting the prefix for logging message for my log message from JNDI by passing JNDI url as an argument) and inserted the value in the {}- curly braces .

This is the vulnerability:

How?

Lets say I have one search API which takes input from User and search it at server and returns response .

http://localhost:8080/search?data=

If we pass ${jndi:ldap://127.0.0.1:3089/} as a request parameter for data here , then log4j will make a JNDI call to it. This is a problem.

Here is a simple diagram which explains the vulnerability

Lets assume Hacker sets up one malicious JNDI server and sends a request which contains JNDI url for which end point is a malicious java class present in malicious JNDI server . Now Log4j will look up the url and makes an JNDI request to the JNDI server and JNDI server returns back a serialized malicious object which contains malicious content which can destroy and exploit the application. This is how hackers can have ability to put malicious code in the application's JVM .

This is what the vulnerability is.

Here I have prepared one demo to show the vulnerability .
To do this I have created one spring boot project , in which I have used log4j 2.14 dependency which is vulnerable and I have created one very simple API which returns String .



@RestController
public class TestController {
    private static final Logger logger = LogManager.getLogger(TestController.class);

    @GetMapping("/search")
    public String search(@RequestParam("data") String data) {
        logger.info("user input to search data : " + data);
        return data;
    }
}

Now I will start my spring boot server and hit the server with data as "google". As a result it will return "google". Nothing issue in that.

In server logs also quite clean. No issue.



2021-12-20 00:58:36.307  INFO 17028 --- [nio-8080-exec-1] o.a.c.c.C.[.[.[/]                        : Initializing Spring DispatcherServlet 'dispatcherServlet'
2021-12-20 00:58:36.307  INFO 17028 --- [nio-8080-exec-1] o.s.w.s.DispatcherServlet                : Initializing Servlet 'dispatcherServlet'
2021-12-20 00:58:36.309  INFO 17028 --- [nio-8080-exec-1] o.s.w.s.DispatcherServlet                : Completed initialization in 1 ms
2021-12-20 00:58:36.402  INFO 17028 --- [nio-8080-exec-1] c.l.v.l.c.TestController                 : user input to search data : google

Now I am going to send JNDI url in data as request param .
Lets see what will happen
(Before sending the JNDI url , I have encoded the url)

From service response I have received whatever I have sent that's fine . But let's look in to the server log



2021-12-20 01:01:35,258 http-nio-8080-exec-3 WARN Error looking up JNDI resource [ldap://127.0.0.1:3089/]. javax.naming.CommunicationException: 127.0.0.1:3089 [Root exception is java.net.ConnectException: Connection refused: connect]
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:238)
    at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
    at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1609)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
    at com.sun.jndi.url.ldap.ldapURLContextFactory.getUsingURLIgnoreRootDN(ldapURLContextFactory.java:60)
    at com.sun.jndi.url.ldap.ldapURLContext.getRootURLContext(ldapURLContext.java:61)
    at com.sun.jndi.toolkit.url.GenericURLContext.lookup(GenericURLContext.java:202)
    at com.sun.jndi.url.ldap.ldapURLContext.lookup(ldapURLContext.java:94)
    at javax.naming.InitialContext.lookup(InitialContext.java:417)
    at org.apache.logging.log4j.core.net.JndiManager.lookup(JndiManager.java:172)
    at org.apache.logging.log4j.core.lookup.JndiLookup.lookup(JndiLookup.java:56)
    at org.apache.logging.log4j.core.lookup.Interpolator.lookup(Interpolator.java:221)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.resolveVariable(StrSubstitutor.java:1110)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:1033)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.substitute(StrSubstitutor.java:912)
    at org.apache.logging.log4j.core.lookup.StrSubstitutor.replace(StrSubstitutor.java:467)
    at org.apache.logging.log4j.core.pattern.MessagePatternConverter.format(MessagePatternConverter.java:132)
    at org.apache.logging.log4j.core.pattern.PatternFormatter.format(PatternFormatter.java:38)
    at org.apache.logging.log4j.core.layout.PatternLayout$PatternSerializer.toSerializable(PatternLayout.java:344)
    at org.apache.logging.log4j.core.layout.PatternLayout.toText(PatternLayout.java:244)
    at org.apache.logging.log4j.core.layout.PatternLayout.encode(PatternLayout.java:229)
    at org.apache.logging.log4j.core.layout.PatternLayout.encode(PatternLayout.java:59)
    at org.apache.logging.log4j.core.appender.AbstractOutputStreamAppender.directEncodeEvent(AbstractOutputStreamAppender.java:197)
    at org.apache.logging.log4j.core.appender.AbstractOutputStreamAppender.tryAppend(AbstractOutputStreamAppender.java:190)
    at org.apache.logging.log4j.core.appender.AbstractOutputStreamAppender.append(AbstractOutputStreamAppender.java:181)
    at org.apache.logging.log4j.core.config.AppenderControl.tryCallAppender(AppenderControl.java:156)
    at org.apache.logging.log4j.core.config.AppenderControl.callAppender0(AppenderControl.java:129)
    at org.apache.logging.log4j.core.config.AppenderControl.callAppenderPreventRecursion(AppenderControl.java:120)
    at org.apache.logging.log4j.core.config.AppenderControl.callAppender(AppenderControl.java:84)
    at org.apache.logging.log4j.core.config.LoggerConfig.callAppenders(LoggerConfig.java:540)
    at org.apache.logging.log4j.core.config.LoggerConfig.processLogEvent(LoggerConfig.java:498)
    at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:481)
    at org.apache.logging.log4j.core.config.LoggerConfig.log(LoggerConfig.java:456)
    at org.apache.logging.log4j.core.config.AwaitCompletionReliabilityStrategy.log(AwaitCompletionReliabilityStrategy.java:82)
    at org.apache.logging.log4j.core.Logger.log(Logger.java:161)
    at org.apache.logging.log4j.spi.AbstractLogger.tryLogMessage(AbstractLogger.java:2205)
    at org.apache.logging.log4j.spi.AbstractLogger.logMessageTrackRecursion(AbstractLogger.java:2159)
    at org.apache.logging.log4j.spi.AbstractLogger.logMessageSafely(AbstractLogger.java:2142)
    at org.apache.logging.log4j.spi.AbstractLogger.logMessage(AbstractLogger.java:2017)
    at org.apache.logging.log4j.spi.AbstractLogger.logIfEnabled(AbstractLogger.java:1983)
    at org.apache.logging.log4j.spi.AbstractLogger.info(AbstractLogger.java:1320)
    at com.log4j2.vulnerabilities.log4jdemo.controller.TestController.search(TestController.java:15)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205)
    at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:150)
    at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:117)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:895)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:808)
    at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1067)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:963)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:634)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:526)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1589)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.net.ConnectException: Connection refused: connect
    at java.net.DualStackPlainSocketImpl.connect0(Native Method)
    at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:79)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at java.net.Socket.connect(Socket.java:589)
    at java.net.Socket.connect(Socket.java:538)
    at java.net.Socket.<init>(Socket.java:434)
    at java.net.Socket.<init>(Socket.java:211)
    at com.sun.jndi.ldap.Connection.createSocket(Connection.java:375)
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:215)
    ... 92 more

2021-12-20 01:01:33.090  INFO 17028 --- [nio-8080-exec-3] c.l.v.l.c.TestController                 : user input to search data : ${jndi:ldap://127.0.0.1:3089/}

Here we can see Log4j is trying to access the JNDI url to get the value to inject it in to the log message. With the same way hacker can send his/her malicious JNDI server details as an input and send their malicious object to the actual running application and can exploit it .

Now question is how to solve this :

You can update the version of log4j2 to 2.17

How?
To do this just add below property to your build.gradle
ext['log4j2.version'] = '2.17.0'

You can disable the look up by passing the JVM arguments in the configuration.

How?

Go to Edit configuration and do the following and add VM option and add below
-Dlog4j2.formatMsgNoLookups=true

Click apply & ok. Then Restart the server.
After doing the above changes I will hit the same URL again. Now we can see the logs that JNDI look up does not happen.



2021-12-20 01:12:37.671  INFO 20384 --- [nio-8080-exec-1] o.a.c.c.C.[.[.[/]                        : Initializing Spring DispatcherServlet 'dispatcherServlet'
2021-12-20 01:12:37.672  INFO 20384 --- [nio-8080-exec-1] o.s.w.s.DispatcherServlet                : Initializing Servlet 'dispatcherServlet'
2021-12-20 01:12:37.674  INFO 20384 --- [nio-8080-exec-1] o.s.w.s.DispatcherServlet                : Completed initialization in 2 ms
2021-12-20 01:12:37.761  INFO 20384 --- [nio-8080-exec-1] c.l.v.l.c.TestController                 : user input to search data : ${jndi:ldap://127.0.0.1:3089/}

I hope log4j vulnerability is clear to all now .

This is the github link where I kept this code .
https://github.com/ArpanForGeek/log4jdemo.git

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Happy learning

Thanks
Arpan

Let's connect:
LinkedIn : https://www.linkedin.com/in/arpan-bandyopadhyay-bb5b1a54/

Basics of GraphQL

Arpan Bandyopadhyay — Thu, 16 Dec 2021 11:54:58 +0000

Let's connect:
LinkedIn : https://www.linkedin.com/in/arpan-bandyopadhyay-bb5b1a54/

GraphQL with Spring Boot

Arpan Bandyopadhyay — Tue, 14 Dec 2021 16:05:38 +0000

What Is GraphQL?
Traditional REST APIs work with the concept of Resources that the server manages. These resources can be manipulated in some standard ways, following the various HTTP verbs. This works very well as long as our API fits the resource concept, but quickly falls apart when we need to deviate from it.

This also suffers when the client needs data from multiple resources at the same time. For example, requesting a blog post and the comments. Typically, this is solved by either having the client make multiple requests or by having the server supply extra data that might not always be required, leading to larger response sizes.

GraphQL offers a solution to both of these problems. It allows for the client to specify exactly what data is desired, including from navigating child resources in a single request, and allows for multiple queries in a single request.

Here I am going to discuss how to integrate GraphQL with Spring boot.

I am going to use below to achieve this :

Spring boot libraries
GraphQL libraries
Spring JPA
Hibernate
Lombok
Postgres

What is GraphiQL?
GraphQL also has a companion tool called GraphiQL. This is a UI that is able to communicate with any GraphQL Server and execute queries and mutations against it

GraphQL Server with Connected Database
This architecture has a GraphQL Server with an integrated database and can often be used with new projects. On the receipt of a Query, the server reads the request payload and fetches data from the database. This is called resolving the query. The response returned to the client adheres to the format specified in the official GraphQL specification.

In the above diagram, GraphQL server and the database are integrated on a single node. The client (desktop/mobile) communicates with GraphQL server over HTTP. The server processes the request, fetches data from the database and returns it to the client.

Here is the full list of dependencies , I have used to work with GraphQL & Spring Boot

implementation group: 'io.leangen.graphql', name: 'graphql-spqr-spring-boot-starter', version: '0.0.6'
implementation group: 'org.postgresql', name: 'postgresql', version: '42.2.20'
implementation 'org.apache.commons:commons-collections4:4.4'
implementation 'org.jdal:jdal-core:2.0.0'
implementation group: 'com.graphql-java', name: 'graphql-java-extended-scalars', version: '2021-06-29T01-19-32-8e19827'
implementation group: 'org.hibernate', name: 'hibernate-core', version: '5.5.2.Final'
    implementation group: 'commons-net', name: 'commons-net', version: '3.8.0'
    implementation group: 'com.graphql-java-kickstart', name: 'graphiql-spring-boot-starter', version: '7.1.0'
    compileOnly group: 'org.projectlombok', name: 'lombok', version: '1.18.20'
    implementation group: 'org.apache.commons', name: 'commons-collections4', version: '4.4'
    implementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.12.3'
    implementation group: 'com.graphql-java-kickstart', name: 'graphql-spring-boot-starter', version: '7.0.1'
    implementation group: 'org.springframework', name: 'spring-web', version: '5.3.6'
    implementation group: 'com.graphql-java-kickstart', name: 'graphql-spring-boot-starter-test', version: '7.0.1'
    implementation group: 'org.springframework.boot', name: 'spring-boot-starter-data-jpa', version: '2.5.0'
    implementation group: 'commons-io', name: 'commons-io', version: '2.10.0'
    compileOnly group: 'org.hibernate.orm', name: 'hibernate-jpamodelgen', version: '6.0.0.Alpha6'
    implementation group: 'org.modelmapper', name: 'modelmapper', version: '2.4.4'
    implementation group: 'org.postgresql', name: 'postgresql', version: '42.2.20'
    implementation group: 'com.graphql-java-kickstart', name: 'playground-spring-boot-starter', version: '5.10.0'
    implementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.12.0'
    compileOnly 'org.hibernate:hibernate-jpamodelgen'
    annotationProcessor('org.hibernate:hibernate-jpamodelgen')
    implementation 'org.springframework.boot:spring-boot-starter'
    testImplementation 'org.springframework.boot:spring-boot-starter-test'
    compileOnly 'org.projectlombok:lombok'
    annotationProcessor 'org.projectlombok:lombok'

My Sample Project Structure

My Entity Classes

Employee.java

package com.example.demo.entities;

import io.leangen.graphql.annotations.GraphQLNonNull;
import io.leangen.graphql.annotations.types.GraphQLType;
import lombok.Data;

import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.FetchType;
import javax.persistence.Id;
import javax.persistence.JoinColumn;
import javax.persistence.OneToOne;
import javax.persistence.Table;
import java.math.BigInteger;
import java.time.LocalDate;

@Entity
@Data
@GraphQLType
@Table(name = "employee")
public class Employee {

    @Id
    @Column(name = "emp_id")
    private BigInteger employeeId;
    @Column(name = "ename")
    @GraphQLNonNull
    private String employeeName;
    @Column(name = "email_id")
    private String email;
    @Column(name = "city")
    private String city;
    @Column(name = "country")
    private String country;
    @Column(name = "dept_id")
    private Integer deptId;
    @Column(name = "dob")
    private LocalDate dob;

    @OneToOne(fetch = FetchType.LAZY)
    @JoinColumn(name = "dept_id", insertable = false, updatable = false)
    private Department department;
}

2. Department.java

package com.example.demo.entities;

import io.leangen.graphql.annotations.GraphQLQuery;
import io.leangen.graphql.annotations.types.GraphQLType;
import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;

import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.FetchType;
import javax.persistence.Id;
import javax.persistence.OneToMany;
import javax.persistence.Table;
import java.util.List;

@Entity
@Data
@AllArgsConstructor
@NoArgsConstructor
@GraphQLType(description = "This is Department")
@Table(name = "department")
public class Department {

    @Id
    @Column(name = "dept_id")
    @GraphQLQuery(description = "This is deptID")
    private Integer deptId;
    @Column(name = "dname")
    private String deptName;

    @OneToMany(fetch = FetchType.LAZY, mappedBy = "department")
    private List<Employee> employee;
}

My Repositories **
**1. DepartmentDao.java

package com.example.demo.dao;

import com.example.demo.entities.Department;
import org.springframework.data.repository.CrudRepository;
import org.springframework.stereotype.Repository;

import java.util.List;

@Repository
public interface DepartmentDao extends CrudRepository<Department, Integer> {

    public Department findByDeptName(String deptName);
}

2.EmployeeDao.java

package com.example.demo.dao;

import com.example.demo.entities.Employee;
import org.springframework.data.repository.CrudRepository;
import org.springframework.stereotype.Repository;

import java.math.BigInteger;
import java.util.List;

@Repository
public interface EmployeeDao extends CrudRepository<Employee, BigInteger> {
    public List<Employee> findByEmployeeName(String ename);
}

My Service classes
1.EmployeeService.java

package com.example.demo.service;

import com.example.demo.dao.EmployeeDao;
import com.example.demo.entities.Employee;
import com.example.demo.entities.EmployeeDto;
import com.example.demo.exception.ResourceNotFoundException;
import org.apache.commons.collections4.IteratorUtils;
import org.apache.commons.lang.RandomStringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

import java.math.BigInteger;
import java.util.List;

@Service
public class EmployeeService {

    @Autowired
    private EmployeeDao employeeDao;


    public List<Employee> getAllEmployee() {
        return IteratorUtils.toList(employeeDao.findAll().iterator());
    }

    public Employee getEmployeeByID(BigInteger eid) {
        return employeeDao.findById(eid).orElseGet(() -> {
            throw new ResourceNotFoundException("No Employee found");
        });
    }

    public List<Employee> getEmployeeByName(String ename) {
        return employeeDao.findByEmployeeName(ename);
    }

}

2. DepartmentService.java

package com.example.demo.service;

import com.example.demo.dao.DepartmentDao;
import com.example.demo.entities.Department;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

@Service
public class DepartmentService {

    @Autowired
    private DepartmentDao departmentDao;

    public Department getDeptByName(String deptName) {
        return departmentDao.findByDeptName(deptName);
    }
}

My Query classes
1.EmployeeQuery.java

package com.example.demo.queries;

import com.example.demo.entities.Employee;
import com.example.demo.service.EmployeeService;
import io.leangen.graphql.annotations.GraphQLArgument;
import io.leangen.graphql.annotations.GraphQLQuery;
import io.leangen.graphql.spqr.spring.annotations.GraphQLApi;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

import java.math.BigInteger;
import java.util.List;

@Component
@GraphQLApi
public class EmployeeQuery {

    @Autowired
    private EmployeeService employeeService;

    @GraphQLQuery(description = "This query is used to fetch all Employee ")
    public List<Employee> searchAllEmployee() {
        return employeeService.getAllEmployee();
    }

    @GraphQLQuery(description = "This query is used to fetch Employee by employeeId")
    public Employee searchEmployeeById(@GraphQLArgument(name = "employeeId") BigInteger eid) {
        return employeeService.getEmployeeByID(eid);
    }

    @GraphQLQuery(description = "This query is used to fetch employeeId by employeeName")
    public List<Employee> searchEmployeeByName(@GraphQLArgument(name = "employeeName") String eName) {
        return employeeService.getEmployeeByName(eName);
    }
}

2.DepartmentQuery.java

package com.example.demo.queries;

import com.example.demo.entities.Department;
import com.example.demo.service.DepartmentService;
import io.leangen.graphql.annotations.GraphQLArgument;
import io.leangen.graphql.annotations.GraphQLQuery;
import io.leangen.graphql.spqr.spring.annotations.GraphQLApi;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

@Component
@GraphQLApi
public class DepartmentQuery {

    @Autowired
    private DepartmentService departmentService;

    @GraphQLQuery(description = "This query is used to fetch department by department name")
    public Department searchDeptByName(@GraphQLArgument(name = "deptName") String deptName) {
        return departmentService.getDeptByName(deptName);
    }
}

*Now we can see the graphql schema documentation after starting the server : *

URL : http://localhost:8080/graphiql

Execute few of queries

Here I have shared all the steps to integrate Spring boot with graphQL. I will come with other topics in my coming posts.

Thank you..
Arpan

Let's connect:
LinkedIn : https://www.linkedin.com/in/arpan-bandyopadhyay-bb5b1a54/