@aikidosec/firewall

Zen by Aikido is an embedded Application Firewall that autonomously protects Node.js apps against common and critical attacks, provides rate limiting, detects malicious traffic (including bots), and more.

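"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.checkContextForSqlInjection = checkContextForSqlInjection;
const attackPath_1 = require("../../helpers/attackPath");
const extractStringsFromUserInputCached_1 = require("../../helpers/extractStringsFromUserInputCached");
const getSourceForUserString_1 = require("../../helpers/getSourceForUserString");
const shouldBlockInvalidSqlQueries_1 = require("../../helpers/shouldBlockInvalidSqlQueries");
const detectSQLInjection_1 = require("./detectSQLInjection");

/**
 * Build the InterceptorResult reported for one user-supplied string that was
 * flagged against `sql`.
 *
 * Returns `undefined` when the string cannot be attributed to a request
 * source (`getSourceForUserString` finds nothing); the caller then keeps
 * scanning the remaining strings instead of reporting.
 *
 * @param {object} args
 * @param {string} args.sql - The query that was about to be executed.
 * @param {string} args.operation - Name of the intercepted driver operation.
 * @param {object} args.context - Request context the user strings were extracted from.
 * @param {object} args.dialect - SQL dialect; only `getHumanReadableName()` is used here.
 * @param {string} args.payload - The user string that triggered the report.
 * @param {boolean} args.failedToTokenize - True when the report is for a query the
 *   tokenizer could not parse rather than for a positive detection.
 * @returns {object | undefined} InterceptorResult, or `undefined` if unattributable.
 */
function buildSqlInjectionResult({ sql, operation, context, dialect, payload, failedToTokenize }) {
  const source = getSourceForUserString_1.getSourceForUserString(context, payload);
  if (!source) {
    return undefined;
  }
  const metadata = {
    sql,
    dialect: dialect.getHumanReadableName(),
  };
  if (failedToTokenize) {
    // Reported as the string "true", not a boolean — keep it that way for
    // whatever consumes the metadata downstream.
    metadata.failedToTokenize = "true";
  }
  return {
    operation,
    kind: "sql_injection",
    source,
    pathsToPayload: attackPath_1.getPathsToPayload(payload, context[source]),
    metadata,
    payload,
  };
}

/**
 * Scan every user-controlled string in `context` against `sql` and return an
 * InterceptorResult for the first string that is either a detected SQL
 * injection or — when blocking invalid queries is enabled — one for which the
 * query could not be tokenized at all. Returns `undefined` when nothing is
 * flagged.
 *
 * Only strings that can be attributed to a request source are reported; a
 * flagged string with no source is skipped and scanning continues.
 *
 * @param {object} args
 * @param {string} args.sql - The query that was about to be executed.
 * @param {string} args.operation - Name of the intercepted driver operation.
 * @param {object} args.context - Request context holding the user input.
 * @param {object} args.dialect - SQL dialect used by the detector.
 * @returns {object | undefined} InterceptorResult for the first flagged string, else `undefined`.
 */
function checkContextForSqlInjection({ sql, operation, context, dialect }) {
  for (const str of extractStringsFromUserInputCached_1.extractStringsFromUserInputCached(context)) {
    const result = detectSQLInjection_1.detectSQLInjection(sql, str, dialect);

    if (result === detectSQLInjection_1.SQLInjectionDetectionResult.INJECTION_DETECTED) {
      const report = buildSqlInjectionResult({
        sql,
        operation,
        context,
        dialect,
        payload: str,
        failedToTokenize: false,
      });
      if (report) {
        return report;
      }
    } else if (result === detectSQLInjection_1.SQLInjectionDetectionResult.FAILED_TO_TOKENIZE) {
      // The tokenizer could not parse the query, so injection cannot be ruled
      // out. Silently allowing such queries is a bypass vector: attackers can
      // craft input the tokenizer rejects but the database still executes
      // (e.g. ClickHouse ignores invalid SQL after `;`, SQLite accepts `/*`
      // without a closing `*/`). The query is therefore reported as an attack
      // whenever the deployment opts in to blocking invalid SQL; otherwise this
      // path fails open.
      if (shouldBlockInvalidSqlQueries_1.shouldBlockInvalidSqlQueries()) {
        const report = buildSqlInjectionResult({
          sql,
          operation,
          context,
          dialect,
          payload: str,
          failedToTokenize: true,
        });
        if (report) {
          return report;
        }
      }
    }
  }
  return undefined;
}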