
@aikidosec/firewall


Zen by Aikido is an embedded Application Firewall that autonomously protects Node.js apps against common and critical attacks, provides rate limiting, detects malicious traffic (including bots), and more.

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.queryParamsContainDangerousPayload = queryParamsContainDangerousPayload;
const { extractStringsFromUserInputCached } = require("../../helpers/extractStringsFromUserInputCached");

/**
 * Substrings commonly seen in SQL injection probes and path traversal
 * attempts. They are compared against upper-cased query values, so the
 * alphabetic entries are written in upper case. This is a cheap heuristic,
 * not a parser: a match means "looks suspicious", not "is an exploit".
 */
const keywords = [
  "SELECT (CASE WHEN",
  "SELECT COUNT(",
  "SLEEP(",
  "WAITFOR DELAY",
  "SELECT LIKE(CHAR(",
  "INFORMATION_SCHEMA.COLUMNS",
  "INFORMATION_SCHEMA.TABLES",
  "MD5(",
  "DBMS_PIPE.RECEIVE_MESSAGE",
  "SYSIBM.SYSTABLES",
  "RANDOMBLOB(",
  "SELECT * FROM",
  "1'='1",
  "PG_SLEEP(",
  "UNION ALL SELECT",
  "../",
];

// Query values outside this length window are not scanned at all.
// Markers shorter than the lower bound (e.g. "../", "MD5(") normally arrive
// embedded in a longer value, so the lower bound rarely hides them; the
// upper bound caps the work spent on a single oversized value.
const MIN_LENGTH = 5;
const MAX_LENGTH = 1000;

/**
 * Heuristically check whether any query-string value of the request looks
 * like a SQL injection or path traversal payload.
 *
 * Values are obtained from the cached user-input extractor for the "query"
 * source. Each value whose length lies within [MIN_LENGTH, MAX_LENGTH] is
 * upper-cased and tested against every entry of `keywords`; the first hit
 * short-circuits with `true`.
 *
 * @param {object} context - Request context accepted by
 *   extractStringsFromUserInputCached (its shape is not defined in this file).
 * @returns {boolean} `true` when a keyword is found in a scanned value,
 *   `false` otherwise — including when the extractor yields nothing.
 */
function queryParamsContainDangerousPayload(context) {
  const values = extractStringsFromUserInputCached(context, "query");
  if (!values) {
    return false;
  }
  for (const value of values) {
    // Length filter runs before the O(|keywords|) scan as a performance shortcut.
    const withinBounds = value.length >= MIN_LENGTH && value.length <= MAX_LENGTH;
    if (!withinBounds) {
      continue;
    }
    const upper = value.toUpperCase();
    if (keywords.some((keyword) => upper.includes(keyword))) {
      return true;
    }
  }
  return false;
}