UNPKG

hana-cli

Version:

HANA Developer Command Line Interface

sap-samples.github.io/hana-developer-cli-tool-example/

SAP-samples/hana-developer-cli-tool-example

146 lines (122 loc) 7.28 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
// @ts-nocheck /** * @module SQLInjection Tests - Unit tests for SQL injection protection utilities */ import { assert } from '../base.js' import * as sqlInjection from '../../utils/sqlInjection.js' describe('SQL Injection Protection Utilities', function () { describe('whitespaceTable', function () { it('should contain standard whitespace characters', function () { assert.strictEqual(sqlInjection.whitespaceTable[' '], true) assert.strictEqual(sqlInjection.whitespaceTable['\t'], true) assert.strictEqual(sqlInjection.whitespaceTable['\n'], true) assert.strictEqual(sqlInjection.whitespaceTable['\r'], true) }) it('should contain unicode whitespace characters', function () { assert.strictEqual(sqlInjection.whitespaceTable['\u00A0'], true) assert.strictEqual(sqlInjection.whitespaceTable['\u2000'], true) }) }) describe('separatorTable', function () { it('should contain common SQL separators', function () { assert.strictEqual(sqlInjection.separatorTable[','], true) assert.strictEqual(sqlInjection.separatorTable['('], true) assert.strictEqual(sqlInjection.separatorTable[')'], true) assert.strictEqual(sqlInjection.separatorTable[';'], true) }) it('should contain SQL operators', function () { assert.strictEqual(sqlInjection.separatorTable['+'], true) assert.strictEqual(sqlInjection.separatorTable['-'], true) assert.strictEqual(sqlInjection.separatorTable['*'], true) assert.strictEqual(sqlInjection.separatorTable['/'], true) assert.strictEqual(sqlInjection.separatorTable['='], true) }) }) describe('isAcceptableQuotedParameter', function () { it('should accept strings without unmatched quotes', function () { assert.strictEqual(sqlInjection.isAcceptableQuotedParameter('normalstring'), true) assert.strictEqual(sqlInjection.isAcceptableQuotedParameter('normal string'), true) assert.strictEqual(sqlInjection.isAcceptableQuotedParameter('123'), true) }) it('should reject strings with unmatched quotes', function () { assert.strictEqual(sqlInjection.isAcceptableQuotedParameter('test"value'), false) assert.strictEqual(sqlInjection.isAcceptableQuotedParameter('"test'), false) assert.strictEqual(sqlInjection.isAcceptableQuotedParameter('test"'), false) }) it('should reject empty or non-string values', function () { assert.strictEqual(sqlInjection.isAcceptableQuotedParameter(''), false) assert.strictEqual(sqlInjection.isAcceptableQuotedParameter(null), false) assert.strictEqual(sqlInjection.isAcceptableQuotedParameter(undefined), false) assert.strictEqual(sqlInjection.isAcceptableQuotedParameter(123), false) }) }) describe('isAcceptableParameter', function () { it('should accept single token parameters', function () { assert.strictEqual(sqlInjection.isAcceptableParameter('TABLE_NAME'), true) assert.strictEqual(sqlInjection.isAcceptableParameter('USER123'), true) assert.strictEqual(sqlInjection.isAcceptableParameter('SCHEMA'), true) }) it('should accept parameters with double quotes', function () { // Note: Quoted strings count as tokens, so need to specify maxToken appropriately assert.strictEqual(sqlInjection.isAcceptableParameter('"MY_TABLE"', 1), true) assert.strictEqual(sqlInjection.isAcceptableParameter('"Schema"."Table"', 3), true) }) it('should reject SQL comments', function () { assert.strictEqual(sqlInjection.isAcceptableParameter('TABLE--comment'), false) assert.strictEqual(sqlInjection.isAcceptableParameter('TABLE/*comment*/'), false) assert.strictEqual(sqlInjection.isAcceptableParameter('--comment'), false) }) it('should respect maxToken parameter', function () { assert.strictEqual(sqlInjection.isAcceptableParameter('one', 1), true) assert.strictEqual(sqlInjection.isAcceptableParameter('one two', 1), false) assert.strictEqual(sqlInjection.isAcceptableParameter('one two', 2), true) assert.strictEqual(sqlInjection.isAcceptableParameter('one, two', 3), true) }) it('should reject empty or non-string values', function () { assert.strictEqual(sqlInjection.isAcceptableParameter(''), false) assert.strictEqual(sqlInjection.isAcceptableParameter(null), false) assert.strictEqual(sqlInjection.isAcceptableParameter(undefined), false) assert.strictEqual(sqlInjection.isAcceptableParameter(123), false) }) it('should handle escaped double quotes', function () { assert.strictEqual(sqlInjection.isAcceptableParameter('"value""with""quotes"'), true) }) it('should count tokens correctly with separators', function () { assert.strictEqual(sqlInjection.isAcceptableParameter('TABLE.COLUMN', 3), true) assert.strictEqual(sqlInjection.isAcceptableParameter('SCHEMA.TABLE', 3), true) assert.strictEqual(sqlInjection.isAcceptableParameter('(value)', 3), true) }) it('should reject unclosed quotes', function () { assert.strictEqual(sqlInjection.isAcceptableParameter('"unclosed'), false) assert.strictEqual(sqlInjection.isAcceptableParameter('unclosed"'), false) }) }) describe('escapeDoubleQuotes', function () { it('should escape double quotes', function () { assert.strictEqual(sqlInjection.escapeDoubleQuotes('value'), 'value') assert.strictEqual(sqlInjection.escapeDoubleQuotes('my"value'), 'my""value') assert.strictEqual(sqlInjection.escapeDoubleQuotes('"test"'), '""test""') }) it('should handle multiple double quotes', function () { assert.strictEqual(sqlInjection.escapeDoubleQuotes('a"b"c'), 'a""b""c') assert.strictEqual(sqlInjection.escapeDoubleQuotes('"""'), '""""""') }) it('should handle strings without quotes', function () { assert.strictEqual(sqlInjection.escapeDoubleQuotes('normal string'), 'normal string') }) }) describe('escapeSingleQuotes', function () { it('should escape single quotes', function () { assert.strictEqual(sqlInjection.escapeSingleQuotes('value'), 'value') assert.strictEqual(sqlInjection.escapeSingleQuotes("my'value"), "my''value") assert.strictEqual(sqlInjection.escapeSingleQuotes("'test'"), "''test''") }) it('should handle multiple single quotes', function () { assert.strictEqual(sqlInjection.escapeSingleQuotes("a'b'c"), "a''b''c") assert.strictEqual(sqlInjection.escapeSingleQuotes("'''"), "''''''") }) it('should handle strings without quotes', function () { assert.strictEqual(sqlInjection.escapeSingleQuotes('normal string'), 'normal string') }) }) })