Lift (#109)

* address lift hint: resource leak, stream not closed

* lift: predictable random

* lift: sql injection

* lift null deference

* sql injection

Author: spolti

rebot-plugins/rebot-welcome-message-plugin/src/main/java/xyz/rebasing/rebot/plugin/welcome/kogito/WelcomeChallenge.java

@@ -1,7 +1,7 @@
 /*
  *   The MIT License (MIT)
  *
- *   Copyright (c) 2017 Rebasing.xyz ReBot 
+ *   Copyright (c) 2017 Rebasing.xyz ReBot
  *
  *   Permission is hereby granted, free of charge, to any person obtaining a copy of
  *   this software and associated documentation files (the "Software"), to deal in
@@ -23,9 +23,9 @@
 
 package xyz.rebasing.rebot.plugin.welcome.kogito;
 
+import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.List;
-import java.util.Random;
 
 public class WelcomeChallenge {
 
@@ -46,6 +46,7 @@ public class WelcomeChallenge {
 
     /**
      * randomize two numbers and a math operator to start the challenge
+     *
      * @param user that will answer the challenge
      */
     public WelcomeChallenge(String user) {
@@ -196,7 +197,7 @@ private String defineMathOp() {
      * @return random integer number
      */
     private int randomNumber(int max) {
-        return new Random().nextInt(max);
+        return new SecureRandom().nextInt(max);
     }
 
     @Override

rebot-services/rebot-persistence-service/src/main/java/xyz/rebasing/rebot/service/persistence/repository/ApiRepository.java

@@ -62,20 +62,20 @@ public void persist(BotStatus botStatus) {
      */
     public void remove(long chatId) {
         log.debugv("Enabling bot for chat {0}", chatId);
-        Query q = em.createNativeQuery("DELETE FROM BOT_STATUS where ID=" + chatId + ";");
+        Query q = em.createNativeQuery("DELETE FROM BOT_STATUS where ID= :chatId").setParameter("chatId", chatId);
         q.executeUpdate();
         em.flush();
     }
 
     /**
-     * @return if the bot is enabled or not
-     * In case there is no state saved return true.
-     *
+     * Verify if the bot is enabled
      * @param chatId chat id to verify if the bos enabled
+     * @return true or false. In case there is no state saved return true.
      */
     public boolean isBotEnabled(long chatId) {
         try {
-            Query q = em.createNativeQuery("SELECT isEnabled from BOT_STATUS where ID=" + chatId + ";");
+            Query q = em.createNativeQuery("SELECT isEnabled from BOT_STATUS where ID= :chatId")
+                    .setParameter("chatId", chatId);
             return (boolean) q.getSingleResult();
         } catch (final Exception e) {
             return true;
@@ -85,9 +85,9 @@ public boolean isBotEnabled(long chatId) {
     /**
      * Check if the given command is active in the provided chat group
      *
-     * @param groupId chat group to be verified
+     * @param groupId     chat group to be verified
      * @param commandName command to verify
-     * @return if the given command is enabled is enabled or not
+     * @return if the given command is enabled or not
      */
     public boolean isCommandEnabled(long groupId, String commandName) {
         try {
@@ -101,7 +101,7 @@ public boolean isCommandEnabled(long groupId, String commandName) {
     /**
      * Enable the given command in the provided chatId
      *
-     * @param chatId chat id or group to be verified
+     * @param chatId      chat id or group to be verified
      * @param commandName command to be enabled
      */
     public void enableCommand(long chatId, String commandName) {

rebot-services/rebot-persistence-service/src/main/resources/application.properties

@@ -21,9 +21,9 @@ quarkus.log.category."org.hibernate.cache".level=DEBUG
 # dev
 %dev.quarkus.datasource.db-kind=h2
 %dev.quarkus.datasource.jdbc.url=jdbc:h2:mem:testdb
-#%dev.quarkus.hibernate-orm.log.sql=true
-#%dev.quarkus.log.category."org.hibernate".level=DEBUG
-#%dev.quarkus.log.category."org.hibernate.cache".level=DEBUG
+%dev.quarkus.hibernate-orm.log.sql=true
+%dev.quarkus.log.category."org.hibernate".level=DEBUG
+%dev.quarkus.log.category."org.hibernate.cache".level=DEBUG
 %dev.xyz.rebasing.rebot.telegram.userId=userid
 %dev.xyz.rebasing.rebot.telegram.token=token
 

rebot-telegram-api/rebot-telegram-api-spi/src/main/java/xyz/rebasing/rebot/api/i18n/BundleUTF8Control.java

@@ -3,6 +3,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
+import java.net.HttpURLConnection;
 import java.net.URL;
 import java.net.URLConnection;
 import java.util.Locale;
@@ -22,13 +23,24 @@ public ResourceBundle newBundle(String baseName,
         String resourceName = toResourceName(bundleName, "properties");
         ResourceBundle bundle = null;
         InputStream stream = null;
+        URLConnection connection = null;
         if (reload) {
             URL url = loader.getResource(resourceName);
             if (url != null) {
-                URLConnection connection = url.openConnection();
-                if (connection != null) {
-                    connection.setUseCaches(false);
-                    stream = connection.getInputStream();
+                try {
+                    connection =  url.openConnection();
+                    if (connection != null) {
+                        connection.setUseCaches(false);
+                        stream = connection.getInputStream();
+                    }
+                } finally {
+                    if (stream != null) {
+                        connection.getInputStream().close();
+                        connection.getOutputStream().close();
+                        HttpURLConnection c = (HttpURLConnection) connection;
+                        c.disconnect();
+                        stream.close();
+                    }
                 }
             }
         } else {