UNPKG

sql-injection-v2

Version:

This module checks for sql injection using regex and rejects requests with 403 response if sql is found

github.com/RatanNarayanHegde/sql-injection

RatanNarayanHegde/sql-injection

77 lines (65 loc) 1.76 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
process.env.NODE_ENV = "test"; var request = require("supertest"); var xpect = require("chai").expect; var express = require("express"); var app = express(); var sqlinjection = require("../lib/index"); describe("basic tests", function () { it("returns function", function (done) { xpect(sqlinjection).to.be.a("function"); done(); }); }); describe("supertests", function () { before(function (done) { app.use(sqlinjection); app.get("/test", function (req, res) { res.status(200).send({}); }); app.get("/users/:uid", function (req, res) { res.status(200).send({}); }); app.post("/body", function (req, res) { res.status(200).send({}); }); done(); }); after(function (done) { done(); }); it("can call app", function (done) { request(app).get("/test").expect(200, done); }); it("querystring no sql", function (done) { request(app).get("/test?attack=noattack").expect(200, done); }); it("param no sql", function (done) { request(app).get("/users/1").expect(200, done); }); it("body no sql", function (done) { request(app) .post("/body") .send({ stuff: "somestuff", }) .expect(200, done); }); it("querystring with sql", function (done) { request(app) .get("/test?attack=" + escape("WHERE field = 'anything' OR 'x'='x''")) .expect(403, done); }); it("param with sql", function (done) { request(app) .get("/users/" + escape("WHERE field = 'anything' OR 'x'='x''")) .expect(403, done); }); it("body with sql", function (done) { request(app) .post("/body") .send({ stuff: "WHERE field = 'anything' OR 'x'='x''", }) .expect(403, done); }); });