AikidoSec · bitterpanda63 · Apr 28, 2025 · Mar 10, 2025 · Mar 10, 2025 · Mar 10, 2025
diff --git a/README.md b/README.md
@@ -56,6 +56,7 @@ Zen operates autonomously on the same server as your Java app to:
 * ✅ [`Microsoft JDBC Driver For SQL Server`](https://mvnrepository.com/artifact/com.microsoft.sqlserver/mssql-jdbc)
 * ✅ [`MySQL Connector/J`](https://mvnrepository.com/artifact/com.mysql/mysql-connector-j)
 * ✅ [`PostgreSQL JDBC Driver`](https://mvnrepository.com/artifact/org.postgresql/postgresql)
+* ✅ `SQLite JDBC Drivers`
 
 ### API Tools
 * ✅ [`OkHttp`](https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp) (*no SSRF redirect coverage*)

diff --git a/agent/src/main/java/dev/aikido/agent/Wrappers.java b/agent/src/main/java/dev/aikido/agent/Wrappers.java
@@ -4,10 +4,7 @@
 import dev.aikido.agent.wrappers.file.FileConstructorMultiArgumentWrapper;
 import dev.aikido.agent.wrappers.file.FileConstructorSingleArgumentWrapper;
 import dev.aikido.agent.wrappers.javalin.*;
-import dev.aikido.agent.wrappers.jdbc.MSSQLWrapper;
-import dev.aikido.agent.wrappers.jdbc.MariaDBWrapper;
-import dev.aikido.agent.wrappers.jdbc.MysqlCJWrapper;
-import dev.aikido.agent.wrappers.jdbc.PostgresWrapper;
+import dev.aikido.agent.wrappers.jdbc.*;
 import dev.aikido.agent.wrappers.spring.SpringWebfluxWrapper;
 import dev.aikido.agent.wrappers.spring.SpringControllerWrapper;
 import dev.aikido.agent.wrappers.spring.SpringMVCWrapper;
@@ -39,6 +36,7 @@ private Wrappers() {}
             new PathsWrapper(),
             new JavalinWrapper(),
             new JavalinDataWrapper(),
-            new JavalinContextClearWrapper()
+            new JavalinContextClearWrapper(),
+            new SQLiteWrapper()
     );
 }
diff --git a/agent/src/main/java/dev/aikido/agent/wrappers/jdbc/SQLiteWrapper.java b/agent/src/main/java/dev/aikido/agent/wrappers/jdbc/SQLiteWrapper.java
@@ -0,0 +1,28 @@
+package dev.aikido.agent.wrappers.jdbc;
+
+import dev.aikido.agent.wrappers.Wrapper;
+import net.bytebuddy.description.method.MethodDescription;
+import net.bytebuddy.description.type.TypeDescription;
+import net.bytebuddy.matcher.ElementMatcher;
+
+import java.sql.Connection;
+import java.sql.Statement;
+
+import static net.bytebuddy.matcher.ElementMatchers.isSubTypeOf;
+import static net.bytebuddy.matcher.ElementMatchers.nameContains;
+
+public class SQLiteWrapper implements Wrapper {
+    public String getName() {
+        return JDBCConnectionAdvice.class.getName();
+    }
+
+    public ElementMatcher<? super MethodDescription> getMatcher() {
+        return JDBCConnectionAdvice.getMatcher("org.sqlite.jdbc");
+    }
+
+    @Override
+    public ElementMatcher<? super TypeDescription> getTypeMatcher() {
+        return nameContains("org.sqlite.jdbc4").or(nameContains("org.sqlite.jdbc3"))
+                .and(isSubTypeOf(Connection.class).or(isSubTypeOf(Statement.class)));
+    }
+}
diff --git a/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/sql_injection/Dialect.java b/agent_api/src/main/java/dev/aikido/agent_api/vulnerabilities/sql_injection/Dialect.java
@@ -15,6 +15,9 @@
         } else if (Objects.equals(dialect, "microsoft sql server")) {
             rustDialectInt = 7;
             humanName = "Microsoft SQL";
+        } else if(Objects.equals(dialect, "sqlite")) {
+          rustDialectInt = 12;
+          humanName = "SQLite";
         } else {
             rustDialectInt = 0; // Default option
             humanName = "Generic";

diff --git a/sample-apps/README.md b/sample-apps/README.md
@@ -21,6 +21,7 @@ Here is an overview of all of our sample apps together with their port numbers.
 - [SpringBoot MVC with Microsoft SQL](./SpringBootMSSQL) on port [`8086`](http://localhost:8086/)
 - [SpringBoot MVC with Postgres (Kotlin)](./SpringMVCPostgresKotlin) on port [`8092`](http://localhost:8092/)
 - [SpringBoot MVC with Postgres (Groovy)](./SpringMVCPostgresGroovy) on port [`8094`](http://localhost:8094/)
+- [SpringBoot MVC With SQLite](./SpringBootSQLite) on port [`8100`](http://localhost:8100/)
 
 #### Webflux Apps
 - [SpringBoot Webflux with Postgres](./SpringWebfluxSampleApp) on port [`8090`](http://localhost:8090/)

diff --git a/sample-apps/SpringBootSQLite/.gitignore b/sample-apps/SpringBootSQLite/.gitignore
@@ -0,0 +1,2 @@
+*.log
+db.sqlite
diff --git a/sample-apps/SpringBootSQLite/Makefile b/sample-apps/SpringBootSQLite/Makefile
@@ -0,0 +1,43 @@
+# Define variables
+GRADLEW = ./gradlew
+JAR_FILE = build/libs/demo-0.0.1-SNAPSHOT.jar
+JAVA_AGENT = ../../dist/agent.jar
+
+# Default target
+.PHONY: all
+all: build
+
+# Build the project
+.PHONY: build
+build:
+	@echo "Building the project..."
+	chmod +x $(GRADLEW)
+	$(GRADLEW) build
+
+# Run the application with the Java agent
+.PHONY: run
+run: build
+	@echo "Running SpringBootSQLite with Zen & ENV (http://localhost:8100)"
+	AIKIDO_TOKEN="token" \
+	AIKIDO_REALTIME_ENDPOINT="http://localhost:5000/realtime" \
+	AIKIDO_ENDPOINT="http://localhost:5000" \
+	AIKIDO_BLOCK=1 \
+	AIKIDO_LOG_LEVEL="debug" \
+	nohup java -javaagent:$(JAVA_AGENT) -jar $(JAR_FILE) --server.port=8100 > output1.log &
+
+# Run the application without Zen
+.PHONY: runWithoutZen
+runWithoutZen: build
+	@echo "Running SpringBootSQLite without Zen & ENV (http://localhost:8101)"
+	AIKIDO_TOKEN="random-invalid-token" \
+	nohup java -jar $(JAR_FILE) --server.port=8101 > output2.log &
+
+# Clean the project
+.PHONY: clean
+clean:
+	@echo "Cleaning the project..."
+	$(GRADLEW) clean
+
+.PHONY: kill
+kill:
+	pkill -f java
diff --git a/sample-apps/SpringBootSQLite/README.md b/sample-apps/SpringBootSQLite/README.md
@@ -0,0 +1,2 @@
+# SpringBoot+SQLite vulnerable sample app
+- Inserting a malicious dog : `Malicious Pet", "Gru from the Minions") -- `
diff --git a/sample-apps/SpringBootSQLite/build.gradle b/sample-apps/SpringBootSQLite/build.gradle
@@ -0,0 +1,27 @@
+plugins {
+	id 'java'
+	id 'org.springframework.boot' version '3.3.4'
+	id 'io.spring.dependency-management' version '1.1.6'
+}
+
+group = 'com.example'
+version = '0.0.1-SNAPSHOT'
+
+java {
+	sourceCompatibility = '17'
+	targetCompatibility = '17'
+}
+
+repositories {
+	mavenCentral()
+}
+
+dependencies {
+	implementation files('../../dist/agent_api.jar')
+	implementation 'org.springframework.boot:spring-boot-starter'
+	implementation 'org.springframework.boot:spring-boot-starter-web'
+	implementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
+	compileOnly 'org.projectlombok:lombok'
+	implementation 'org.xerial:sqlite-jdbc:3.43.2.0'
+	annotationProcessor 'org.projectlombok:lombok'
+}
diff --git a/sample-apps/SpringBootSQLite/gradle/gradle-daemon-jvm.properties b/sample-apps/SpringBootSQLite/gradle/gradle-daemon-jvm.properties
@@ -0,0 +1,2 @@
+#This file is generated by updateDaemonJvm
+toolchainVersion=21
diff --git a/sample-apps/SpringBootSQLite/gradle/wrapper/gradle-wrapper.jar b/sample-apps/SpringBootSQLite/gradle/wrapper/gradle-wrapper.jar
diff --git a/sample-apps/SpringBootSQLite/gradle/wrapper/gradle-wrapper.properties b/sample-apps/SpringBootSQLite/gradle/wrapper/gradle-wrapper.properties
@@ -0,0 +1,7 @@
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.1-bin.zip
+networkTimeout=10000
+validateDistributionUrl=true
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# SpringBoot+SQLite vulnerable sample app
		- Inserting a malicious dog : `Malicious Pet", "Gru from the Minions") -- `
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		#This file is generated by updateDaemonJvm
		toolchainVersion=21