UNPKG

@ordojs/security

Version:

Security package for OrdoJS with XSS, CSRF, and injection protection

173 lines 6.28 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
/** * SQL Injection Prevention * Provides comprehensive protection against SQL injection attacks */ export class SqlInjectionPrevention { static SQL_INJECTION_PATTERNS = [ // Union-based injection patterns { pattern: /(\bunion\b.*\bselect\b)|(\bselect\b.*\bunion\b)/gi, severity: 'critical', description: 'UNION-based SQL injection attempt detected' }, // Boolean-based blind injection { pattern: /(\b(and|or)\b\s*\d+\s*[=<>]\s*\d+)|(\b(and|or)\b\s*['"]?\w+['"]?\s*[=<>]\s*['"]?\w+['"]?)/gi, severity: 'high', description: 'Boolean-based blind SQL injection attempt detected' }, // Time-based blind injection { pattern: /\b(sleep|waitfor|delay|benchmark)\s*\(/gi, severity: 'critical', description: 'Time-based blind SQL injection attempt detected' }, // Error-based injection { pattern: /\b(extractvalue|updatexml|exp|floor|rand)\s*\(/gi, severity: 'high', description: 'Error-based SQL injection attempt detected' }, // Stacked queries { pattern: /;\s*(drop|delete|insert|update|create|alter|exec|execute)\b/gi, severity: 'critical', description: 'Stacked query SQL injection attempt detected' }, // Comment-based evasion { pattern: /(\/\*.*?\*\/)|(--.*)|(#.*)/g, severity: 'medium', description: 'SQL comment-based evasion attempt detected' }, // Information schema access { pattern: /\binformation_schema\b/gi, severity: 'high', description: 'Information schema access attempt detected' }, // System function calls { pattern: /\b(xp_cmdshell|sp_oacreate|sp_oamethod|openrowset|opendatasource)\b/gi, severity: 'critical', description: 'System function SQL injection attempt detected' }, // Hex encoding evasion { pattern: /0x[0-9a-f]+/gi, severity: 'medium', description: 'Hex-encoded SQL injection attempt detected' }, // Concatenation-based evasion { pattern: /\bconcat\s*\(|(\|\|)|(\+\s*['"])/gi, severity: 'medium', description: 'Concatenation-based SQL injection attempt detected' } ]; /** * Validates input for SQL injection patterns */ static validateInput(input) { if (typeof input !== 'string') { return { isValid: true, threats: [] }; } const detectedThreats = []; for (const pattern of this.SQL_INJECTION_PATTERNS) { if (pattern.pattern.test(input)) { detectedThreats.push(pattern); } } return { isValid: detectedThreats.length === 0, threats: detectedThreats }; } /** * Sanitizes input by removing or escaping SQL injection patterns */ static sanitizeInput(input, options = {}) { if (typeof input !== 'string') { return String(input); } let sanitized = input; if (options.strict) { // In strict mode, remove any detected patterns entirely for (const pattern of this.SQL_INJECTION_PATTERNS) { sanitized = sanitized.replace(pattern.pattern, ''); } } else { // In normal mode, escape dangerous characters sanitized = sanitized .replace(/'/g, "''") // Escape single quotes .replace(/"/g, '""') // Escape double quotes .replace(/\\/g, '\\\\') // Escape backslashes .replace(/;/g, '\\;') // Escape semicolons .replace(/--/g, '\\-\\-') // Escape SQL comments .replace(/\/\*/g, '\\/\\*') // Escape block comments .replace(/\*\//g, '\\*\\/'); // Escape block comments } return sanitized.trim(); } /** * Creates a parameterized query-safe version of input */ static createSafeParameter(input) { if (typeof input === 'string') { return this.sanitizeInput(input, { strict: true }); } if (typeof input === 'number' || typeof input === 'boolean') { return input; } if (input === null || input === undefined) { return null; } if (Array.isArray(input)) { return input.map(item => this.createSafeParameter(item)); } if (typeof input === 'object') { const safeObject = {}; for (const [key, value] of Object.entries(input)) { safeObject[this.sanitizeInput(key)] = this.createSafeParameter(value); } return safeObject; } return String(input); } /** * Validates and sanitizes multiple inputs */ static validateAndSanitizeInputs(inputs) { const allThreats = []; const sanitizedInputs = {}; for (const [field, value] of Object.entries(inputs)) { try { const sanitized = this.createSafeParameter(value); sanitizedInputs[field] = sanitized; if (typeof value === 'string') { const validation = this.validateInput(value); if (!validation.isValid) { allThreats.push({ field, threats: validation.threats }); } } } catch (error) { allThreats.push({ field, threats: [{ pattern: /.*/, severity: 'critical', description: error instanceof Error ? error.message : 'Unknown SQL injection threat' }] }); } } return { isValid: allThreats.length === 0, threats: allThreats, sanitizedInputs }; } } //# sourceMappingURL=sql-injection-prevention.js.map