Zen by Aikido is an embedded Application Firewall that autonomously protects Node.js apps against common and critical attacks, provides rate limiting, detects malicious traffic (including bots), and more.
// CommonJS module prelude (looks like TypeScript's CommonJS output): mark the
// module as a transpiled ES module and pre-declare the export binding, which is
// assigned its real value (`exports.SQLite3 = SQLite3`) at the end of the file.
Object.defineProperty(exports, "__esModule", { value: true });
exports.SQLite3 = void 0;
const Context_1 = require("../agent/Context");
const wrapExport_1 = require("../agent/hooks/wrapExport");
const checkContextForPathTraversal_1 = require("../vulnerabilities/path-traversal/checkContextForPathTraversal");
const checkContextForSqlInjection_1 = require("../vulnerabilities/sql-injection/checkContextForSqlInjection");
const SQLDialectSQLite_1 = require("../vulnerabilities/sql-injection/dialects/SQLDialectSQLite");
/**
 * Sink hook for the `sqlite3` package (versions matching `^5.0.0`).
 *
 * Wraps the query methods on `sqlite3.Database.prototype` so the SQL string
 * they receive is checked for SQL injection against the active request
 * context, and wraps `Database#backup` so its target filename is checked for
 * path traversal. Only the first argument of each intercepted call is
 * inspected: bound parameters passed alongside the SQL text are not looked
 * at, and the SQL given to `prepare` is checked at prepare time.
 */
class SQLite3 {
  constructor() {
    // SQLite dialect handed to the SQL-injection checker.
    this.dialect = new SQLDialectSQLite_1.SQLDialectSQLite();
  }

  /**
   * Check the SQL string passed to one of the wrapped query methods.
   *
   * @param {string} operation - Operation name reported with a finding,
   *   e.g. `sqlite3.run`.
   * @param {unknown[]} args - Arguments of the intercepted call; `args[0]` is
   *   taken as the SQL text.
   * @returns {object | undefined} Result of the SQL-injection check, or
   *   `undefined` when there is no active request context or the first
   *   argument is not a non-empty string.
   */
  inspectQuery(operation, args) {
    const { getContext } = Context_1;
    const { checkContextForSqlInjection } = checkContextForSqlInjection_1;

    const context = getContext();
    if (!context) {
      // Nothing to compare against outside of a request.
      return undefined;
    }

    const sql = args.length > 0 ? args[0] : undefined;
    if (typeof sql !== "string" || sql.length === 0) {
      return undefined;
    }

    return checkContextForSqlInjection({
      operation,
      sql,
      context,
      dialect: this.dialect,
    });
  }

  /**
   * Inspect path of sqlite3.backup for path traversal.
   *
   * @param {string} operation - Operation name reported with a finding
   *   (`sqlite3.backup`).
   * @param {unknown[]} args - Arguments of the intercepted call; `args[0]` is
   *   taken as the backup filename.
   * @returns {object | undefined} The path-traversal finding, or `undefined`
   *   when there is no active request context, the first argument is not a
   *   string, or the check found nothing.
   */
  inspectPath(operation, args) {
    const { getContext } = Context_1;
    const { checkContextForPathTraversal } = checkContextForPathTraversal_1;

    const context = getContext();
    if (!context) {
      return undefined;
    }

    const filename = args.length === 0 ? undefined : args[0];
    if (typeof filename !== "string") {
      return undefined;
    }

    const finding = checkContextForPathTraversal({
      filename,
      operation,
      context,
      // NOTE(review): presumably also flags input matching only the start of
      // the path — confirm against checkContextForPathTraversal.
      checkPathStart: true,
    });
    // Normalise any falsy outcome of the checker to `undefined`.
    return finding || undefined;
  }

  /**
   * Register the sqlite3 instrumentation with the hook registry.
   *
   * When a `sqlite3` matching `^5.0.0` is required, every query method on
   * `Database.prototype` is wrapped as a `sql_op` routed to `inspectQuery`,
   * and `backup` is wrapped as an `fs_op` routed to `inspectPath`.
   *
   * @param {object} hooks - Hook registry exposing `addPackage`.
   */
  wrap(hooks) {
    const { wrapExport } = wrapExport_1;
    const queryMethods = ["run", "get", "all", "each", "exec", "prepare", "map"];

    hooks
      .addPackage("sqlite3")
      .withVersion("^5.0.0")
      .onRequire((sqlite3Exports, pkgInfo) => {
        const proto = sqlite3Exports.Database.prototype;

        queryMethods.forEach((method) => {
          wrapExport(proto, method, pkgInfo, {
            kind: "sql_op",
            // Arrow keeps `this` bound to the hook instance.
            inspectArgs: (args) => this.inspectQuery(`sqlite3.${method}`, args),
          });
        });

        wrapExport(proto, "backup", pkgInfo, {
          kind: "fs_op",
          inspectArgs: (args) => this.inspectPath(`sqlite3.backup`, args),
        });
      });
  }
}
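// Public export of the sqlite3 sink hook (the stray empty statement that
// followed this line has been dropped).
exports.SQLite3 = SQLite3;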