fix(js): add sequelize fallback (#470)
elsapet authored Dec 2, 2024
1 parent 56f295f commit 397cd53
Showing 3 changed files with 73 additions and 61 deletions.
1 change: 1 addition & 0 deletions rules/javascript/lang/sql_injection.yml
Expand Up @@ -103,6 +103,7 @@ auxiliary:
- id: javascript_lang_sql_injection_sequelize_init
patterns:
- new Sequelize()
- sequelize # fallback
- id: javascript_lang_sql_injection_sqlite3_init
patterns:
- new sqlite3.Database()
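Review bot: The new `sequelize # fallback` pattern appears to match on the bare identifier name rather than on a `new Sequelize()` construction, so the init detector will now fire for any variable called `sequelize`, whether or not it is a Sequelize instance, while an instance bound to another name (for example `const db = require("./init_db").sequelize`) is still not covered. That is a defensible trade-off for instances created in another module, but the comment should say so, otherwise the next maintainer may read it as a precise match: `- sequelize # fallback: name-based match for instances constructed in another module`. Whether the pattern engine treats a bare identifier exactly this way is inferred from the surrounding rule, and is worth confirming against the fixture results.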
119 changes: 58 additions & 61 deletions tests/javascript/lang/sql_injection/test.js
@@ -1,90 +1,87 @@
const {
createNewInvoker,
getEnvironment,
} = require("../../../helper.js")
const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
const { createNewInvoker, getEnvironment } = require("../../../helper.js");
const { ruleId, ruleFile, testBase } = getEnvironment(__dirname);

describe(ruleId, () => {
const invoke = createNewInvoker(ruleId, ruleFile, testBase)
const invoke = createNewInvoker(ruleId, ruleFile, testBase);

test("knex_sql_injection", () => {
const testCase = "knex_sql_injection.js";

test("knex_sql_injection", () => {
const testCase = "knex_sql_injection.js"
const results = invoke(testCase);

const results = invoke(testCase)
expect(results.Missing).toEqual([]);
expect(results.Extra).toEqual([]);
});

expect(results.Missing).toEqual([])
expect(results.Extra).toEqual([])
})
test("mysql2_sql_injection", () => {
const testCase = "mysql2_sql_injection.js";

const results = invoke(testCase);

test("mysql2_sql_injection", () => {
const testCase = "mysql2_sql_injection.js"
expect(results.Missing).toEqual([]);
expect(results.Extra).toEqual([]);
});

const results = invoke(testCase)
test("ok_no_sql_injection", () => {
const testCase = "ok_no_sql_injection.js";

expect(results.Missing).toEqual([])
expect(results.Extra).toEqual([])
})
const results = invoke(testCase);

expect(results.Missing).toEqual([]);
expect(results.Extra).toEqual([]);
});

test("ok_no_sql_injection", () => {
const testCase = "ok_no_sql_injection.js"
test("pg_sql_injection", () => {
const testCase = "pg_sql_injection.js";

const results = invoke(testCase)
const results = invoke(testCase);

expect(results.Missing).toEqual([])
expect(results.Extra).toEqual([])
})
expect(results.Missing).toEqual([]);
expect(results.Extra).toEqual([]);
});

test("sequelize_sql_injection", () => {
const testCase = "sequelize_sql_injection.js";

test("pg_sql_injection", () => {
const testCase = "pg_sql_injection.js"
const results = invoke(testCase);

const results = invoke(testCase)
expect(results.Missing).toEqual([]);
expect(results.Extra).toEqual([]);
});

expect(results.Missing).toEqual([])
expect(results.Extra).toEqual([])
})
test("sequelize_fallback_sql_injection", () => {
const testCase = "sequelize_fallback_sql_injection.js";

const results = invoke(testCase);

test("sequelize_sql_injection", () => {
const testCase = "sequelize_sql_injection.js"
expect(results.Missing).toEqual([]);
expect(results.Extra).toEqual([]);
});

const results = invoke(testCase)
test("sql_injection_juice", () => {
const testCase = "sql_injection_juice.js";

expect(results.Missing).toEqual([])
expect(results.Extra).toEqual([])
})
const results = invoke(testCase);

expect(results.Missing).toEqual([]);
expect(results.Extra).toEqual([]);
});

test("sql_injection_juice", () => {
const testCase = "sql_injection_juice.js"
test("sql_injection_juice_safe", () => {
const testCase = "sql_injection_juice_safe.ts";

const results = invoke(testCase)
const results = invoke(testCase);

expect(results.Missing).toEqual([])
expect(results.Extra).toEqual([])
})
expect(results.Missing).toEqual([]);
expect(results.Extra).toEqual([]);
});

test("sqlite3_sql_injection", () => {
const testCase = "sqlite3_sql_injection.js";

test("sql_injection_juice_safe", () => {
const testCase = "sql_injection_juice_safe.ts"
const results = invoke(testCase);

const results = invoke(testCase)

expect(results.Missing).toEqual([])
expect(results.Extra).toEqual([])
})


test("sqlite3_sql_injection", () => {
const testCase = "sqlite3_sql_injection.js"

const results = invoke(testCase)

expect(results.Missing).toEqual([])
expect(results.Extra).toEqual([])
})

})
expect(results.Missing).toEqual([]);
expect(results.Extra).toEqual([]);
});
});
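Review bot: The only behavioural change in this file is the new `sequelize_fallback_sql_injection` test case; every other changed line is a semicolon and spacing pass, which buries the one real addition in a whole-file rewrite and attributes the entire file to this commit in blame. Landing the formatter run as its own commit, or at least naming it in the commit message, would keep the fixture addition reviewable on its own. The new test mirrors the existing cases and asserts both `results.Missing` and `results.Extra` are empty, which is the right shape for this suite.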
@@ -0,0 +1,14 @@
const { sequelize, User, Password } = require("./init_db");

module.exports.fooBar = function (req, _res) {
var customerQuery =
"SELECT * FROM customers WHERE status = " + req.params.customer.status;
// bearer:expected javascript_lang_sql_injection
sequelize.query(customerQuery);
};

module.exports.bad = function (status) {
var customerQuery = "SELECT * FROM customers WHERE status = " + status;
// bearer:expected javascript_lang_sql_injection
sequelize.query(customerQuery);
};
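Review bot: Both functions in this new fixture are positive cases, so the test proves the fallback detects `sequelize.query` on a destructured instance but says nothing about over-reporting on the safe form of the same call, which is exactly the risk a name-based fallback introduces. Adding a parameterized query with no `bearer:expected` marker would pin that down, for example `module.exports.ok = function (status) {` / `  sequelize.query("SELECT * FROM customers WHERE status = :status", { replacements: { status } });` / `};`, assuming the rule is meant to stay silent when the query text is constant and the value travels in `replacements`. If the rule does flag that case, the fixture would surface it now rather than in a user's scan. The `./init_db` module required on the first line is not part of this commit, so it is presumably an existing testdata helper; worth confirming it exports `sequelize`.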
