Zen by Aikido is an embedded Web Application Firewall that autonomously protects Node.js apps against common and critical attacks
;
// CommonJS interop marker plus this module's single export. (Looks like tsc
// CommonJS emit; assigning the export before the function body works because
// the `function` declaration further down is hoisted.)
Object.defineProperty(exports, "__esModule", { value: true });
exports.checkContextForSqlInjection = checkContextForSqlInjection;
const AgentSingleton_1 = require("../../agent/AgentSingleton");
const Source_1 = require("../../agent/Source");
const attackPath_1 = require("../../helpers/attackPath");
const extractStringsFromUserInputCached_1 = require("../../helpers/extractStringsFromUserInputCached");
const detectSQLInjection_1 = require("./detectSQLInjection");
/**
 * Scan every user-controlled input source of the request context for a string
 * that turns `sql` into an injection, and describe the first hit found.
 *
 * Sources are visited in `SOURCES` order. For each source the cached string
 * extractor yields the strings found under `context[source]`; every string is
 * handed to `detectSQLInjection` together with the query and dialect. Scanning
 * stops at the first `INJECTION_DETECTED` verdict, which is returned as an
 * interceptor result. A `FAILED_TO_TOKENIZE` verdict is never treated as an
 * attack (the query is allowed through) and is only counted for monitoring.
 *
 * @param {object} args
 * @param {string} args.sql - SQL statement about to be executed
 * @param {string} args.operation - name of the intercepted driver operation, echoed into the result
 * @param {object} args.context - request context, indexed by source name
 * @param {object} args.dialect - SQL dialect object; `getHumanReadableName()` is used for the metadata
 * @returns {object|undefined} `{ operation, kind: "sql_injection", source, pathsToPayload,
 *   metadata: { sql, dialect }, payload }` for the first detected injection, else `undefined`
 */
function checkContextForSqlInjection({ sql, operation, context, dialect, }) {
    // Calling the helpers as bare identifiers leaves `this` unbound, exactly as the
    // `(0, module.fn)(...)` indirect-call form does.
    const { detectSQLInjection, SQLInjectionDetectionResult } = detectSQLInjection_1;
    const { extractStringsFromUserInputCached } = extractStringsFromUserInputCached_1;
    const { getPathsToPayload } = attackPath_1;
    const { getInstance } = AgentSingleton_1;

    for (const source of Source_1.SOURCES) {
        const candidates = extractStringsFromUserInputCached(context, source);
        if (!candidates) {
            // Nothing extracted for this source (e.g. absent from the context).
            continue;
        }
        for (const candidate of candidates) {
            const verdict = detectSQLInjection(sql, candidate, dialect);
            switch (verdict) {
                case SQLInjectionDetectionResult.INJECTION_DETECTED:
                    // First hit wins; remaining strings and sources are not inspected.
                    return {
                        operation: operation,
                        kind: "sql_injection",
                        source: source,
                        pathsToPayload: getPathsToPayload(candidate, context[source]),
                        metadata: {
                            sql: sql,
                            dialect: dialect.getHumanReadableName(),
                        },
                        payload: candidate,
                    };
                case SQLInjectionDetectionResult.FAILED_TO_TOKENIZE: {
                    // Deliberately fail open: a query the tokenizer cannot parse is not
                    // blocked, it is only counted so tokenizer failures can be monitored.
                    // NOTE(review): the counter is bumped once per user-input string, not
                    // once per query, so one un-tokenizable statement inflates it by the
                    // number of strings in the request — confirm that is the intended metric.
                    const agent = getInstance();
                    if (agent != null) {
                        agent.getInspectionStatistics().onSqlTokenizationFailure();
                    }
                    break;
                }
                default:
                    // Any other verdict (e.g. not detected) is not a hit; keep scanning.
                    break;
            }
        }
    }
}