fed connection established

Author: nahsra

src/main/java/com/acme/search/FederalConnection.java

@@ -0,0 +1,37 @@
+package com.acme.search;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+import java.util.ArrayList;
+import java.util.List;
+
+@Service
+public class FederalConnection {
+
+    @Autowired
+    private FederalConnectionLoader fedConnectionLoader;
+
+    // connect to the federal database and search the forecasts table for entries with the given query
+    String doSearch(final String searchTerm) throws SQLException {
+        // connect to the federal database
+        Connection conn = fedConnectionLoader.getConnection();
+        // search the forecasts table for entries with the given query
+        String query = "SELECT * FROM forecasts WHERE entry_desc LIKE '%" + searchTerm + "%'";
+        Statement stmt = conn.createStatement();
+        ResultSet rs = stmt.executeQuery(query);
+        List<String> ids = new ArrayList<>();
+        while(rs.next()) {
+            String id = rs.getString("entry_id");
+            ids.add(id);
+        }
+        rs.close();
+        stmt.close();
+        conn.close();
+        return String.join(",", ids);
+    }
+}

src/main/java/com/acme/search/FederalConnectionLoader.java

@@ -0,0 +1,7 @@
+package com.acme.search;
+
+import java.sql.Connection;
+
+public interface FederalConnectionLoader {
+    Connection getConnection();
+}

src/main/java/com/acme/search/SearchController.java

@@ -0,0 +1,23 @@
+package com.acme.search;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+
+@Controller
+public final class SearchController {
+
+    private SearchService searchService;
+
+    @GetMapping("/search/federal")
+    public String searchFederal(@RequestParam String q) {
+        return searchService.searchFederal(q);
+    }
+
+    /** Change the code given. */
+    @GetMapping("/search/federify")
+    public String createFedSearchToken(@RequestParam String searchCode) {
+        return "<html><body>FEDSEARCH:" + searchCode.toUpperCase().trim() + "</body></html>";
+    }
+
+}

src/main/java/com/acme/search/SearchService.java

@@ -0,0 +1,32 @@
+package com.acme.search;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import java.sql.SQLException;
+import java.util.logging.Logger;
+
+@Service
+final class SearchService {
+
+    @Autowired
+    private FederalConnection fedConnection;
+
+    String searchFederal(final String query) {
+        log.info("Searching federal for query: " + '"' + query + '"');
+        String fedQuery = "FEDSEARCH:" + query.toUpperCase().trim();
+
+        // stop sqli that was reported by the security team
+        if(fedQuery.contains("DROP") || fedQuery.contains("UNION") || fedQuery.contains("DELETE") || fedQuery.contains("1=1")) {
+            throw new IllegalArgumentException("Commands detected");
+        }
+        try {
+            return fedConnection.doSearch(fedQuery);
+        } catch (SQLException e) {
+            log.info("Error searching federal for query: " + '"' + query + '"');
+            return "error";
+        }
+    }
+
+    private static final Logger log = Logger.getAnonymousLogger();
+}