UNPKG

@aikidosec/firewall

Version:

Zen by Aikido is an embedded Application Firewall that autonomously protects Node.js apps against common and critical attacks, provides rate limiting, detects malicious traffic (including bots), and more.

102 lines (101 loc) 4.16 kB
"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.MySQL = void 0; const Context_1 = require("../agent/Context"); const wrapExport_1 = require("../agent/hooks/wrapExport"); const isPlainObject_1 = require("../helpers/isPlainObject"); const checkContextForSqlInjection_1 = require("../vulnerabilities/sql-injection/checkContextForSqlInjection"); const checkContextForIdor_1 = require("../vulnerabilities/idor/checkContextForIdor"); const SQLDialectMySQL_1 = require("../vulnerabilities/sql-injection/dialects/SQLDialectMySQL"); class MySQL { constructor() { this.dialect = new SQLDialectMySQL_1.SQLDialectMySQL(); } resolvePlaceholder(placeholder, placeholderNumber, params) { if (placeholder === "?" && placeholderNumber !== undefined && params) { if (placeholderNumber < params.length) { return params[placeholderNumber]; } } return undefined; } findParams(args) { if (args.length >= 2 && Array.isArray(args[1])) { return args[1]; } return undefined; } inspectQuery(args) { const context = (0, Context_1.getContext)(); if (args.length > 0 && typeof args[0] === "string" && args[0].length > 0) { const sql = args[0]; const params = this.findParams(args); // Check for SQL injection first to block malicious queries before parsing SQL query for IDOR analysis if (context) { const sqlInjectionResult = (0, checkContextForSqlInjection_1.checkContextForSqlInjection)({ sql: sql, context: context, operation: "MySQL.query", dialect: this.dialect, }); if (sqlInjectionResult) { return sqlInjectionResult; } } return (0, checkContextForIdor_1.checkContextForIdor)({ sql, dialect: this.dialect, resolvePlaceholder: (placeholder, placeholderNumber) => this.resolvePlaceholder(placeholder, placeholderNumber, params), }); } if (args.length > 0 && (0, isPlainObject_1.isPlainObject)(args[0]) && args[0].sql && typeof args[0].sql === "string") { const sql = args[0].sql; const params = this.findParams(args); // Check for SQL injection first to block malicious queries before parsing SQL query for IDOR analysis if (context) { const sqlInjectionResult = (0, checkContextForSqlInjection_1.checkContextForSqlInjection)({ sql: sql, context: context, operation: "MySQL.query", dialect: this.dialect, }); if (sqlInjectionResult) { return sqlInjectionResult; } } return (0, checkContextForIdor_1.checkContextForIdor)({ sql, dialect: this.dialect, resolvePlaceholder: (placeholder, placeholderNumber) => this.resolvePlaceholder(placeholder, placeholderNumber, params), }); } return undefined; } wrap(hooks) { hooks .addPackage("mysql") .withVersion("^2.0.0") .onFileRequire("lib/Connection.js", (exports, pkgInfo) => { (0, wrapExport_1.wrapExport)(exports.prototype, "query", pkgInfo, { kind: "sql_op", inspectArgs: (args) => this.inspectQuery(args), }); }) .addFileInstrumentation({ path: "lib/Connection.js", functions: [ { name: "Connection.prototype.query", nodeType: "FunctionAssignment", operationKind: "sql_op", bindContext: true, inspectArgs: (args) => this.inspectQuery(args), }, ], }); } } exports.MySQL = MySQL;