Replacing MySQL with MariaDb (OWASP#734)

Replacing MySQL with MariaDB

.env

@@ -1,7 +1,7 @@
 VERSION=3.1
 
 TOMCAT_DOCKER_VERSION=8-jre8-openjdk
-DB_VERSION=10.5.8
+DB_VERSION=10.6.11
 MONGODB_VERSION=4.1.13
 
 IMAGE_TOMCAT=owasp/security-shepherd

.github/workflows/release.yml

@@ -1,5 +1,5 @@
 name: Release to Dockerhub
-on: 
+on:
   push:
     branches: [master, dev]
     paths-ignore:
@@ -118,4 +118,4 @@ jobs:
             TLS_KEYSTORE_FILE
             TLS_KEYSTORE_PASS
             ALIAS
-            HTTPS_PORT
+            HTTPS_PORT

Dockerfile

@@ -6,7 +6,7 @@ ARG TLS_KEYSTORE_FILE
 ARG TLS_KEYSTORE_PASS
 ARG ALIAS
 ARG HTTPS_PORT
-ARG DB_DRIVER=org.gjt.mm.mysql.Driver
+ARG DB_DRIVER=org.mariadb.jdbc.Driver
 ARG DB_SCHEMA=core
 ARG DB_USER
 ARG DB_PASS

docker-compose.yml

@@ -47,7 +47,7 @@ services:
         TOMCAT_DOCKER_VERSION: ${TOMCAT_DOCKER_VERSION}
         DB_USER: ${DB_USER}
         DB_PASS: ${DB_PASS}
-        MARIADB_URI: jdbc:mysql://${CONTAINER_MARIADB}:3306
+        MARIADB_URI: jdbc:mariadb://${CONTAINER_MARIADB}:3306
         MONGO_HOST: ${CONTAINER_MONGO}
         MONGO_PORT: 27017
         MONGO_CONN_TIMEOUT: 1000

pom.xml

@@ -102,9 +102,9 @@
 
 		<!-- https://mvnrepository.com/artifact/mysql/mysql-connector-java -->
 		<dependency>
-			<groupId>mysql</groupId>
-			<artifactId>mysql-connector-java</artifactId>
-			<version>5.1.49</version>
+			<groupId>org.mariadb.jdbc</groupId>
+			<artifactId>mariadb-java-client</artifactId>
+			<version>3.0.6</version>
 		</dependency>
 
 		<!-- https://mvnrepository.com/artifact/org.owasp.encoder/encoder -->

src/main/java/dbProcs/Database.java

@@ -301,7 +301,7 @@ public static Connection getDatabaseConnection(String ApplicationRoot, boolean a
       if (dbOptions.length() > 0) {
         dbOptions += "&";
       }
-      dbOptions += "allowMultiQueries=yes";
+      dbOptions += "allowMultiQueries=true";
     }
 
     conn = getConnection(driverType, connectionURL, dbOptions, username, password);

src/main/java/dbProcs/Getter.java

@@ -87,10 +87,11 @@ public static String[] authUser(String ApplicationRoot, String userName, String
     }
 
     // See if user Exists
+    PreparedStatement prestmt;
     CallableStatement callstmt;
     try {
-      callstmt =
-          conn.prepareCall(
+      prestmt =
+          conn.prepareStatement(
               "SELECT userId, userName, userPass, userRole, badLoginCount, tempPassword, classId,"
                   + " suspendedUntil, loginType, tempUsername FROM `users` WHERE userName = ?");
     } catch (SQLException e) {
@@ -101,8 +102,8 @@ public static String[] authUser(String ApplicationRoot, String userName, String
     log.debug("Gathering results from query");
     ResultSet userResult;
     try {
-      callstmt.setString(1, userName);
-      userResult = callstmt.executeQuery();
+      prestmt.setString(1, userName);
+      userResult = prestmt.executeQuery();
     } catch (SQLException e) {
       log.fatal("Could not execute db query: " + e.toString());
       throw new RuntimeException(e);
@@ -239,7 +240,6 @@ public static String[] authUser(String ApplicationRoot, String userName, String
    * the rest of the work, including Brute Force prevention.
    *
    * @param userName The submitted user name to be used in authentication process
-   * @param password The submitted password in plain text to be used in authentication
    * @return A string array made up of nothing or information to be consumed by the initiating
    *     authentication process.
    */
@@ -270,10 +270,10 @@ public static String[] authUserSSO(
       throw new RuntimeException(e);
     }
     // See if user Exists
-    CallableStatement callstmt;
+    PreparedStatement prestmt;
     try {
-      callstmt =
-          conn.prepareCall(
+      prestmt =
+          conn.prepareStatement(
               "SELECT userId, userName, userPass, badLoginCount, tempPassword, classId,"
                   + " suspendedUntil, loginType FROM `users` WHERE ssoName = ? AND"
                   + " loginType='saml'");
@@ -285,9 +285,9 @@ public static String[] authUserSSO(
     log.debug("Gathering userFind ResultSet");
     ResultSet userResult;
     try {
-      callstmt.setString(1, ssoName);
+      prestmt.setString(1, ssoName);
       log.debug("Executing query");
-      userResult = callstmt.executeQuery();
+      userResult = prestmt.executeQuery();
     } catch (SQLException e) {
       log.fatal("Could not execute db query: " + e.toString());
       throw new RuntimeException(e);
@@ -385,8 +385,8 @@ public static String[] authUserSSO(
 
     // Find the generated userID and username by asking the database
     try {
-      callstmt =
-          conn.prepareCall(
+      prestmt =
+          conn.prepareStatement(
               "SELECT userId, userName, classID, tempUsername FROM `users` WHERE ssoName = ? AND"
                   + " loginType='saml'");
 
@@ -398,9 +398,9 @@ public static String[] authUserSSO(
     log.debug("Gathering userResult ResultSet");
 
     try {
-      callstmt.setString(1, ssoName);
+      prestmt.setString(1, ssoName);
       log.debug("Executing query");
-      userResult = callstmt.executeQuery();
+      userResult = prestmt.executeQuery();
     } catch (SQLException e) {
       log.fatal("Could not execute db query: " + e.toString());
       throw new RuntimeException(e);
@@ -1839,9 +1839,10 @@ public static String getOpenCloseCategoryMenu(String ApplicationRoot) {
       Connection conn = Database.getCoreConnection(ApplicationRoot);
 
       // Get the modules
-      CallableStatement callstmt =
-          conn.prepareCall("SELECT DISTINCT moduleCategory FROM modules ORDER BY moduleCategory");
-      ResultSet modules = callstmt.executeQuery();
+      PreparedStatement prestmt =
+          conn.prepareStatement(
+              "SELECT DISTINCT moduleCategory FROM modules ORDER BY moduleCategory");
+      ResultSet modules = prestmt.executeQuery();
       while (modules.next()) {
         String theModule =
             "<option value='"
@@ -1871,7 +1872,6 @@ public static String getOpenCloseCategoryMenu(String ApplicationRoot) {
    * is 'validClass' will Error, = 'validclass' must be used.<br>
    * So there are two procedures this method calls. One that handles null classes, one that does not
    *
-   * @param ClassId Identifier of class
    * @param ApplicationRoot The current running context of the application
    * @return ResultSet that contains users for the selected class in the formate {userId, userName,
    *     userAddress}
@@ -2045,7 +2045,6 @@ private static int getTounnamentSectionFromRankNumber(int rankNumber) {
    *
    * @param ApplicationRoot The running context of the application.
    * @param userId The user identifier of the user.
-   * @param csrfToken The cross site request forgery token
    * @return A HTML menu of a users current module progress and a script for interaction with this
    *     menu
    */
@@ -2188,9 +2187,7 @@ public static String getTournamentModules(String ApplicationRoot, String userId,
   /**
    * Return all modules in JSON for specific User
    *
-   * @param ApplicationRoot
    * @param userId
-   * @param lang
    * @return
    */
   public static JSONArray getModulesJson(String userId, String floor, Locale locale) {
@@ -2361,7 +2358,6 @@ public static String getUserName(String ApplicationRoot, String userId) {
    * been completed
    *
    * @param applicationRoot Running context of the application
-   * @param moduleHash Hash ID of the CSRF module you wish to check if a user has completed
    * @param userId the ID of the user to check
    * @return True or False value depicting if the user has completed the module
    */
@@ -2375,7 +2371,7 @@ public static boolean isCsrfLevelComplete(
       Connection conn = Database.getCoreConnection(applicationRoot);
 
       log.debug("Preparing csrfLevelComplete call");
-      CallableStatement callstmnt = conn.prepareCall("call csrfLevelComplete(?, ?)");
+      PreparedStatement callstmnt = conn.prepareCall("call csrfLevelComplete(?, ?)");
       callstmnt.setString(1, moduleId);
       callstmnt.setString(2, userId);
       log.debug("moduleId: " + moduleId);
@@ -2405,7 +2401,7 @@ public static boolean isModuleOpen(String ApplicationRoot, String moduleId) {
 
       // Get the modules
       PreparedStatement prepStmt =
-          conn.prepareCall("SELECT moduleStatus FROM modules WHERE moduleId = ?");
+          conn.prepareStatement("SELECT moduleStatus FROM modules WHERE moduleId = ?");
       prepStmt.setString(1, moduleId);
       ResultSet rs = prepStmt.executeQuery();
       if (rs.next()) {

src/main/java/dbProcs/Setter.java

@@ -310,7 +310,7 @@ public static boolean setCoreDatabaseInfo(
       File siteProperties = new File(applicationRoot + "/WEB-INF/database.properties");
       DataOutputStream writer = new DataOutputStream(new FileOutputStream(siteProperties, false));
       String theProperties =
-          new String("databaseConnectionURL=" + url + "\nDriverType=org.gjt.mm.mysql.Driver");
+          new String("databaseConnectionURL=" + url + "\nDriverType=org.mariadb.jdbc.Driver");
       writer.write(theProperties.getBytes());
       writer.close();
       // Update Core Schema Settings
@@ -401,11 +401,11 @@ public static boolean setCsrfChallengeSevenCsrfToken(
 
       boolean updateToken = false;
       log.debug("Preparing setCsrfChallengeSevenToken call");
-      PreparedStatement callstmnt =
+      PreparedStatement prestmnt =
           conn.prepareStatement("SELECT csrfTokenscol FROM csrfTokens WHERE userId = ?");
-      callstmnt.setString(1, userId);
+      prestmnt.setString(1, userId);
       log.debug("Executing setCsrfChallengeSevenToken");
-      ResultSet rs = callstmnt.executeQuery();
+      ResultSet rs = prestmnt.executeQuery();
       if (rs.next()) {
         // Need to Update CSRF token rather than Insert
         log.debug("CSRF token Found for Challenge 7... Updating");
@@ -415,7 +415,7 @@ public static boolean setCsrfChallengeSevenCsrfToken(
       }
       rs.close();
 
-      String whatToDo = new String();
+      String whatToDo;
       if (updateToken) {
         whatToDo =
             "UPDATE `csrfChallengeEnumTokens`.`csrfTokens` SET csrfTokenscol = ? WHERE userId = ?";
@@ -424,13 +424,13 @@ public static boolean setCsrfChallengeSevenCsrfToken(
             "INSERT INTO `csrfChallengeEnumTokens`.`csrfTokens` (`csrfTokenscol`, `userId`) VALUES"
                 + " (?, ?)";
       }
-      callstmnt = conn.prepareStatement(whatToDo);
-      callstmnt.setString(1, csrfToken);
-      callstmnt.setString(2, userId);
+      prestmnt = conn.prepareStatement(whatToDo);
+      prestmnt.setString(1, csrfToken);
+      prestmnt.setString(2, userId);
       log.debug("Executing: " + whatToDo);
-      callstmnt.execute();
+      prestmnt.execute();
       result = true;
-      callstmnt.close();
+      prestmnt.close();
       Database.closeConnection(conn);
 
     } catch (SQLException e) {
@@ -733,18 +733,18 @@ public static boolean updateUsername(
     boolean result = false;
 
     log.debug("Preparing username change call from username " + userName + " to " + newUsername);
-    CallableStatement callstmnt;
+    PreparedStatement prestmnt;
     try {
       Connection conn = Database.getCoreConnection(ApplicationRoot);
 
-      callstmnt =
-          conn.prepareCall(
+      prestmnt =
+          conn.prepareStatement(
               "UPDATE users SET userName = ?, tempUsername = FALSE WHERE userName = ?;");
-      callstmnt.setString(1, newUsername);
+      prestmnt.setString(1, newUsername);
 
-      callstmnt.setString(2, userName);
+      prestmnt.setString(2, userName);
       log.debug("Executing name change query");
-      callstmnt.execute();
+      prestmnt.execute();
       result = true;
       Database.closeConnection(conn);
 
@@ -946,12 +946,12 @@ public static boolean updateUserPoints(String ApplicationRoot, String userId, in
       Connection conn = Database.getCoreConnection(ApplicationRoot);
 
       log.debug("Preparing updateUserPoints call");
-      CallableStatement callstmnt =
-          conn.prepareCall("UPDATE users SET userScore = userScore + ? WHERE userId = ?");
-      callstmnt.setInt(1, points);
-      callstmnt.setString(2, userId);
+      PreparedStatement prestmnt =
+          conn.prepareStatement("UPDATE users SET userScore = userScore + ? WHERE userId = ?");
+      prestmnt.setInt(1, points);
+      prestmnt.setString(2, userId);
       log.debug("Executing updateUserPoints");
-      callstmnt.execute();
+      prestmnt.execute();
       result = true;
       Database.closeConnection(conn);
 
@@ -1093,12 +1093,12 @@ public static String userCreateSSO(
 
       while (isDuplicate) {
 
-        CallableStatement callstmt =
-            conn.prepareCall("SELECT ssoName FROM `users` WHERE userName = ?");
+        PreparedStatement prestmt =
+            conn.prepareStatement("SELECT ssoName FROM `users` WHERE userName = ?");
 
-        callstmt.setString(1, newUsername);
+        prestmt.setString(1, newUsername);
 
-        ResultSet checkDuplicate = callstmt.executeQuery();
+        ResultSet checkDuplicate = prestmt.executeQuery();
         log.debug("Opening result set");
 
         if (checkDuplicate.next()) {

src/main/java/servlets/Setup.java

@@ -96,7 +96,7 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
         }
       } else {
         // Override db properties from request parameters
-        connectionURL = "jdbc:mysql://" + dbHost + ":" + dbPort + "/";
+        connectionURL = "jdbc:mariadb://" + dbHost + ":" + dbPort + "/";
 
         // Store the overridden data in properties file
         saveMysqlProperties = true;
@@ -108,7 +108,7 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
       }
       driverType = mysql_props.getProperty("DriverType");
       if (driverType == null) {
-        driverType = "org.gjt.mm.mysql.Driver";
+        driverType = "org.mariadb.jdbc.Driver";
       }
       if (dbUser.isEmpty()) {
         dbUser = mysql_props.getProperty("databaseUsername");
@@ -123,8 +123,8 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
         }
       }
     } else {
-      connectionURL = "jdbc:mysql://" + dbHost + ":" + dbPort + "/";
-      driverType = "org.gjt.mm.mysql.Driver";
+      connectionURL = "jdbc:mariadb://" + dbHost + ":" + dbPort + "/";
+      driverType = "org.mariadb.jdbc.Driver";
       dbOptions = "useUnicode=true&character_set_server=utf8mb4";
       validateInput = true;
       saveMysqlProperties = true;

src/test/java/dbProcs/GetterTest.java

@@ -3162,7 +3162,7 @@ public void testSSOAuthSuspended() {
     String userName = new String("SSOSuspendedUser Lastname");
     String ssoName = new String("[email protected]");
 
-    String user[] = Getter.authUserSSO(applicationRoot, null, userName, ssoName, "player");
+    String[] user = Getter.authUserSSO(applicationRoot, null, userName, ssoName, "player");
     if (user == null || user[0].isEmpty()) {
       TestProperties.failAndPrint("Test Failed. Initial SSO auth did not succeed");
     }

src/test/java/dbProcs/SetterTest.java

@@ -304,7 +304,7 @@ public void testSetCsrfChallengeSevenCsrfToken() throws SQLException {
       String userId = Getter.getUserIdFromName(applicationRoot, userName);
       String csrfToken = new String("CsrfTokenTest");
       if (!Setter.setCsrfChallengeSevenCsrfToken(userId, csrfToken, applicationRoot)) {
-        fail("Could not Set CSRF Chalenge 7 Token");
+        fail("Could not Set CSRF Challenge 7 Token");
       }
     } else {
       fail("Could not Verify User");

src/test/java/testUtils/TestProperties.java

@@ -397,9 +397,9 @@ public static void createMysqlResource(
     file.getParentFile().mkdirs();
     FileWriter writer = new FileWriter(file);
     BufferedWriter bw = new BufferedWriter(writer);
-    bw.write("databaseConnectionURL=jdbc:mysql://" + dbHost + ":" + dbPort + "/");
+    bw.write("databaseConnectionURL=jdbc:mariadb://" + dbHost + ":" + dbPort + "/");
     bw.newLine();
-    bw.write("DriverType=org.gjt.mm.mysql.Driver");
+    bw.write("DriverType=org.mariadb.jdbc.Driver");
     bw.newLine();
     bw.write("databaseOptions=useUnicode=true&character_set_server=utf8mb4");
     bw.newLine();