// Import Internal Dependencies
import { toLiteral } from "../estree/index.js";
import { generateWarning } from "../warnings.js";
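// CONSTANTS
// Keyword shapes that make a string look like a SQL statement. No `g`/`y`
// flag, so `.test()` carries no `lastIndex` state and is safe to reuse.
// The `.*` in the SELECT/UPDATE alternatives can backtrack polynomially
// (not exponentially) on long whitespace runs, which is fine for
// source-sized template literals.
const kSqlInjectionRegex = /(select\s+.*\s+from|insert\s+into|delete\s+from|update\s+.*\s+set)/i;

/**
 * Return the SQL-looking text carried by one call argument, or `null`.
 *
 * Two argument shapes are recognised:
 *  - an Identifier the tracer previously bound to a TemplateLiteral value;
 *  - an inline TemplateLiteral that interpolates at least one expression.
 * Plain string literals and `"select ... " + x` concatenations are not
 * inspected, so those remain false negatives of this heuristic.
 *
 * @param {object} argNode - ESTree argument node.
 * @param {object} tracer - Exposes `literalIdentifiers` (Map of name -> literal).
 * @returns {string|null} The matched text, or `null` when nothing SQL-like was found.
 */
function sqlTextOfArgument(argNode, tracer) {
  if (argNode.type === "Identifier") {
    // Single lookup; an unbound name (or one not bound to a template) is not a hit.
    const bound = tracer.literalIdentifiers.get(argNode.name);
    if (bound == null || bound.type !== "TemplateLiteral") {
      return null;
    }
    // NOTE(review): unlike the inline case below, a traced template is accepted
    // even if it had no `${}` interpolation; whether the tracer records that
    // information is not visible from this file — confirm before tightening.
    return kSqlInjectionRegex.test(bound.value) ? bound.value : null;
  }

  if (argNode.type === "TemplateLiteral") {
    // A template without `${}` is a constant string: nothing to inject into.
    if (argNode.expressions.length === 0) {
      return null;
    }
    const literal = toLiteral(argNode);
    return kSqlInjectionRegex.test(literal) ? literal : null;
  }

  return null;
}

/**
 * Probe predicate: does this CallExpression receive a SQL statement that is
 * assembled by template-literal interpolation?
 *
 * This is a keyword heuristic, not a taint analysis: it flags any
 * interpolated template containing SELECT…FROM / INSERT INTO / DELETE FROM /
 * UPDATE…SET, regardless of what is interpolated or whether the driver
 * parameterises it, and it misses string concatenation entirely.
 * Every argument is inspected in order and the first match wins.
 *
 * @param {object} node - ESTree node under inspection.
 * @param {{sourceFile: {tracer: object}}} ctx - Probe context; only the tracer is read.
 * @returns {[false] | [true, string]} `[true, sqlText]` on a hit, `[false]`
 *   otherwise. `sqlText` is presumably what the runner hands to `main` as
 *   `ctx.data` — confirm against the probe runner.
 */
function validateNode(node, { sourceFile: { tracer } }) {
  if (node.type !== "CallExpression") {
    return [false];
  }
  for (const argNode of node.arguments) {
    const sqlText = sqlTextOfArgument(argNode, tracer);
    if (sqlText !== null) {
      return [true, sqlText];
    }
  }
  return [false];
}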
/**
 * Probe action: record a "sql-injection" warning for a node that
 * `validateNode` accepted.
 *
 * @param {object} node - The matched ESTree node; only `node.loc` is used.
 * @param {{sourceFile: {warnings: object[]}, data: *}} ctx - Probe context;
 *   `ctx.data` is reported as the warning value and the warning is appended
 *   to `ctx.sourceFile.warnings`.
 * @returns {void}
 */
function main(node, ctx) {
  const { sourceFile, data } = ctx;
  const warning = generateWarning("sql-injection", {
    value: data,
    location: node.loc
  });
  sourceFile.warnings.push(warning);
}
/**
 * Probe definition consumed by the js-x-ray runner: `validateNode` decides
 * whether a node is a hit and `main` records the warning.
 * `breakOnMatch: false` presumably lets the runner keep evaluating the
 * remaining probes on a node after this one matches — confirm against the
 * probe runner, which is not visible in this file.
 */
export default {
    name: "sql-injection",
    validateNode,
    main,
    breakOnMatch: false
};
//# sourceMappingURL=sql-injection.js.map