@aikidosec/firewall
Version:
Zen by Aikido is an embedded Application Firewall that autonomously protects Node.js apps against common and critical attacks, provides rate limiting, detects malicious traffic (including bots), and more.
40 lines (39 loc) • 2.07 kB
JavaScript
;
Object.defineProperty(exports, "__esModule", { value: true });
exports.checkContextForSqlInjection = checkContextForSqlInjection;
const AgentSingleton_1 = require("../../agent/AgentSingleton");
const attackPath_1 = require("../../helpers/attackPath");
const extractStringsFromUserInputCached_1 = require("../../helpers/extractStringsFromUserInputCached");
const getSourceForUserString_1 = require("../../helpers/getSourceForUserString");
const detectSQLInjection_1 = require("./detectSQLInjection");
/**
* This function goes over all the different input types in the context and checks
* if it's a possible SQL Injection, if so the function returns an InterceptorResult
*/
function checkContextForSqlInjection({ sql, operation, context, dialect, }) {
var _a;
for (const str of (0, extractStringsFromUserInputCached_1.extractStringsFromUserInputCached)(context)) {
const result = (0, detectSQLInjection_1.detectSQLInjection)(sql, str, dialect);
if (result === detectSQLInjection_1.SQLInjectionDetectionResult.INJECTION_DETECTED) {
const source = (0, getSourceForUserString_1.getSourceForUserString)(context, str);
if (source) {
return {
operation: operation,
kind: "sql_injection",
source: source,
pathsToPayload: (0, attackPath_1.getPathsToPayload)(str, context[source]),
metadata: {
sql: sql,
dialect: dialect.getHumanReadableName(),
},
payload: str,
};
}
}
if (result === detectSQLInjection_1.SQLInjectionDetectionResult.FAILED_TO_TOKENIZE) {
// We don't want to block queries that fail to tokenize.
// This counter helps us monitor how often our SQL tokenizer fails.
(_a = (0, AgentSingleton_1.getInstance)()) === null || _a === void 0 ? void 0 : _a.getInspectionStatistics().onSqlTokenizationFailure();
}
}
}