From 397cd53546eb166f12a772ff6778feed857f424b Mon Sep 17 00:00:00 2001
From: elsapet
Date: Mon, 2 Dec 2024 12:45:26 +0200
Subject: [PATCH] fix(js): add sequelize fallback (#470)
---
 rules/javascript/lang/sql_injection.yml     |   1 +
 tests/javascript/lang/sql_injection/test.js | 119 +++++++++--------
 .../sequelize_fallback_sql_injection.js     |  14 +++
 3 files changed, 73 insertions(+), 61 deletions(-)
 create mode 100644 tests/javascript/lang/sql_injection/testdata/sequelize_fallback_sql_injection.js
diff --git a/rules/javascript/lang/sql_injection.yml b/rules/javascript/lang/sql_injection.yml
index 3a91979d..5b1f2214 100644
--- a/rules/javascript/lang/sql_injection.yml
+++ b/rules/javascript/lang/sql_injection.yml
@@ -103,6 +103,7 @@ auxiliary:
   - id: javascript_lang_sql_injection_sequelize_init
     patterns:
       - new Sequelize()
+      - sequelize # fallback
   - id: javascript_lang_sql_injection_sqlite3_init
     patterns:
       - new sqlite3.Database()
diff --git a/tests/javascript/lang/sql_injection/test.js b/tests/javascript/lang/sql_injection/test.js
index 75b798ce..3111f0b4 100644
--- a/tests/javascript/lang/sql_injection/test.js
+++ b/tests/javascript/lang/sql_injection/test.js
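Review bot: The new `- sequelize # fallback` pattern matches any identifier named `sequelize` regardless of how it was created, so the auxiliary rule now keys on a naming convention rather than on a visible `new Sequelize()` construction. That is presumably meant for instances built in another module and imported under that name, as the new fixture's `require("./init_db")` suggests, but it will also fire on unrelated variables that happen to carry the name and will still miss instances bound to other names, so the trade-off deserves more than a one-word comment; I would write `# fallback: instance constructed in another module and imported under this name`. If the rule language can express the imported binding itself (the destructured `require` result) rather than a bare identifier, that would be tighter, but the page does not show whether that is possible here.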
@@ -1,90 +1,87 @@
-const {
-  createNewInvoker,
-  getEnvironment,
-} = require("../../../helper.js")
-const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
+const { createNewInvoker, getEnvironment } = require("../../../helper.js");
+const { ruleId, ruleFile, testBase } = getEnvironment(__dirname);
 describe(ruleId, () => {
-  const invoke = createNewInvoker(ruleId, ruleFile, testBase)
+  const invoke = createNewInvoker(ruleId, ruleFile, testBase);
+  test("knex_sql_injection", () => {
+    const testCase = "knex_sql_injection.js";
-  test("knex_sql_injection", () => {
-    const testCase = "knex_sql_injection.js"
+    const results = invoke(testCase);
-    const results = invoke(testCase)
+    expect(results.Missing).toEqual([]);
+    expect(results.Extra).toEqual([]);
+  });
-    expect(results.Missing).toEqual([])
-    expect(results.Extra).toEqual([])
-  })
+  test("mysql2_sql_injection", () => {
+    const testCase = "mysql2_sql_injection.js";
+    const results = invoke(testCase);
-  test("mysql2_sql_injection", () => {
-    const testCase = "mysql2_sql_injection.js"
+    expect(results.Missing).toEqual([]);
+    expect(results.Extra).toEqual([]);
+  });
-    const results = invoke(testCase)
+  test("ok_no_sql_injection", () => {
+    const testCase = "ok_no_sql_injection.js";
-    expect(results.Missing).toEqual([])
-    expect(results.Extra).toEqual([])
-  })
+    const results = invoke(testCase);
+    expect(results.Missing).toEqual([]);
+    expect(results.Extra).toEqual([]);
+  });
-  test("ok_no_sql_injection", () => {
-    const testCase = "ok_no_sql_injection.js"
+  test("pg_sql_injection", () => {
+    const testCase = "pg_sql_injection.js";
-    const results = invoke(testCase)
+    const results = invoke(testCase);
-    expect(results.Missing).toEqual([])
-    expect(results.Extra).toEqual([])
-  })
+    expect(results.Missing).toEqual([]);
+    expect(results.Extra).toEqual([]);
+  });
+  test("sequelize_sql_injection", () => {
+    const testCase = "sequelize_sql_injection.js";
-  test("pg_sql_injection", () => {
-    const testCase = "pg_sql_injection.js"
+    const results = invoke(testCase);
-    const results = invoke(testCase)
+    expect(results.Missing).toEqual([]);
+    expect(results.Extra).toEqual([]);
+  });
-    expect(results.Missing).toEqual([])
-    expect(results.Extra).toEqual([])
-  })
+  test("sequelize_fallback_sql_injection", () => {
+    const testCase = "sequelize_fallback_sql_injection.js";
+    const results = invoke(testCase);
-  test("sequelize_sql_injection", () => {
-    const testCase = "sequelize_sql_injection.js"
+    expect(results.Missing).toEqual([]);
+    expect(results.Extra).toEqual([]);
+  });
-    const results = invoke(testCase)
+  test("sql_injection_juice", () => {
+    const testCase = "sql_injection_juice.js";
-    expect(results.Missing).toEqual([])
-    expect(results.Extra).toEqual([])
-  })
+    const results = invoke(testCase);
+    expect(results.Missing).toEqual([]);
+    expect(results.Extra).toEqual([]);
+  });
-  test("sql_injection_juice", () => {
-    const testCase = "sql_injection_juice.js"
+  test("sql_injection_juice_safe", () => {
+    const testCase = "sql_injection_juice_safe.ts";
-    const results = invoke(testCase)
+    const results = invoke(testCase);
-    expect(results.Missing).toEqual([])
-    expect(results.Extra).toEqual([])
-  })
+    expect(results.Missing).toEqual([]);
+    expect(results.Extra).toEqual([]);
+  });
+  test("sqlite3_sql_injection", () => {
+    const testCase = "sqlite3_sql_injection.js";
-  test("sql_injection_juice_safe", () => {
-    const testCase = "sql_injection_juice_safe.ts"
+    const results = invoke(testCase);
-    const results = invoke(testCase)
-
-    expect(results.Missing).toEqual([])
-    expect(results.Extra).toEqual([])
-  })
-
-
-  test("sqlite3_sql_injection", () => {
-    const testCase = "sqlite3_sql_injection.js"
-
-    const results = invoke(testCase)
-
-    expect(results.Missing).toEqual([])
-    expect(results.Extra).toEqual([])
-  })
-
-})
\ No newline at end of file
+    expect(results.Missing).toEqual([]);
+    expect(results.Extra).toEqual([]);
+  });
+});
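Review bot: The hunk mixes a whole-file reformat (added semicolons, collapsed `require` destructuring, removed blank lines) with the single functional change, the new `sequelize_fallback_sql_injection` test, so the one case that actually exercises the rule change is buried in a 90-line rewrite; landing the formatting separately would keep the fallback test reviewable on its own. The nine test bodies are otherwise identical and differ only in the fixture filename, so unless these test files are generated by a tool, a `test.each` table would make the next fixture a one-line addition and remove the copy-paste; the enclosing `describe` and its `require` lines are kept as they are in the hunk.
```javascript
// … unchanged: require of helper.js and getEnvironment(__dirname) …
describe(ruleId, () => {
  const invoke = createNewInvoker(ruleId, ruleFile, testBase);

  // One entry per file under testdata/; each must produce exactly the
  // findings marked with `bearer:expected` and nothing else.
  const fixtures = [
    "knex_sql_injection.js",
    "mysql2_sql_injection.js",
    "ok_no_sql_injection.js",
    "pg_sql_injection.js",
    "sequelize_sql_injection.js",
    "sequelize_fallback_sql_injection.js",
    "sql_injection_juice.js",
    "sql_injection_juice_safe.ts",
    "sqlite3_sql_injection.js",
  ];

  test.each(fixtures)("%s", (testCase) => {
    const results = invoke(testCase);

    expect(results.Missing).toEqual([]);
    expect(results.Extra).toEqual([]);
  });
});
```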
diff --git a/tests/javascript/lang/sql_injection/testdata/sequelize_fallback_sql_injection.js b/tests/javascript/lang/sql_injection/testdata/sequelize_fallback_sql_injection.js
new file mode 100644
index 00000000..dd86a3bf
--- /dev/null
+++ b/tests/javascript/lang/sql_injection/testdata/sequelize_fallback_sql_injection.js
@@ -0,0 +1,14 @@
+const { sequelize, User, Password } = require("./init_db");
+
+module.exports.fooBar = function (req, _res) {
+  var customerQuery =
+    "SELECT * FROM customers WHERE status = " + req.params.customer.status;
+  // bearer:expected javascript_lang_sql_injection
+  sequelize.query(customerQuery);
+};
+
+module.exports.bad = function (status) {
+  var customerQuery = "SELECT * FROM customers WHERE status = " + status;
+  // bearer:expected javascript_lang_sql_injection
+  sequelize.query(customerQuery);
+};
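Review bot: The fixture exercises only the positive side of the new fallback: both functions build SQL by string concatenation and carry a `bearer:expected` marker, but nothing here checks that the widened `sequelize` pattern leaves a parameterized call alone, so a regression that flags every `sequelize.query(...)` on an imported instance would still pass because `results.Extra` would have nothing to compare against. I would add a safe case to this file (or confirm that `ok_no_sql_injection.js` already covers the imported-instance form), using whichever parameterized form the existing safe fixture already treats as clean, for example Sequelize's `replacements` option as sketched below. Separately, `User` and `Password` are destructured from `./init_db` but never used in this file, and the fixture assumes that module exists in the same testdata directory, which this commit does not add; `const { sequelize } = require("./init_db");` is enough.
```javascript
// … unchanged: fooBar and bad (concatenated SQL, both expected findings) …

// Parameterized query on the same imported instance: no finding expected,
// so the fallback pattern must not flag every sequelize.query(...) call.
module.exports.ok = function (status) {
  sequelize.query("SELECT * FROM customers WHERE status = :status", {
    replacements: { status },
  });
};
```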