Enhance SQL injection detection and improve regex handling

Yannis-S-Standaert · Yannis-S-Standaert · commit 87a060833262 · 2025-01-17T11:55:38.000+01:00
- Updated ReportingAPIResponse to handle null BlockedUserAgents gracefully.
- Modified SQLInjectionDetector to convert query and user input to lowercase for more robust SQL injection detection.
- Expanded test data for SQL injection detection, adding new cases for various user input scenarios, including safe and attack cases with different casing.

These changes improve the reliability of the SQL injection detection mechanism and ensure better handling of user agent patterns.
diff --git a/Aikido.Zen.Core/Api/Models/ReportingAPIResponse.cs b/Aikido.Zen.Core/Api/Models/ReportingAPIResponse.cs
@@ -53,6 +53,6 @@ public class ReportingAPIResponse : APIResponse
         /// <summary>
         /// Gets the regex pattern for blocked user agents.
         /// </summary>
-        public Regex BlockedUserAgentsRegex => new Regex(BlockedUserAgents);
+        public Regex BlockedUserAgentsRegex => BlockedUserAgents != null ? new Regex(BlockedUserAgents) : null;
     }
 }
diff --git a/Aikido.Zen.Core/Vulnerabilities/SQLInjectionDetector.cs b/Aikido.Zen.Core/Vulnerabilities/SQLInjectionDetector.cs
@@ -10,13 +10,16 @@ public class SQLInjectionDetector
     {
         /// <summary>
         /// Detects potential SQL injection vulnerabilities in a query string
+        /// the query and userInput are converted to lowercase before being processed
         /// </summary>
         /// <param name="query">The SQL query to analyze</param>
         /// <param name="userInput">The user input to check for injection attempts</param>
         /// <param name="dialect">The SQL dialect identifier</param>
         /// <returns>True if SQL injection is detected, false otherwise</returns>
         public static bool IsSQLInjection(string query, string userInput, SQLDialect dialect)
         {
+            query = query?.ToLower();
+            userInput = userInput?.ToLower();
             return ZenInternals.IsSQLInjection(query, userInput, dialect.ToRustDialectInt());
         }
     }
diff --git a/Aikido.Zen.Test/testdata/data.SQLInjectionDetector.json b/Aikido.Zen.Test/testdata/data.SQLInjectionDetector.json
@@ -10,7 +10,7 @@
         "command": "SELECT * FROM users WHERE id = '1'; DROP TABLE users; -- '",
         "dialect": 0,
         "userInput": "1'; DROP TABLE users; -- ",
-        "description": "ATTACK: Command chaining with comment", 
+        "description": "ATTACK: Command chaining with comment",
         "isInjection": true
     },
     {
@@ -52,7 +52,7 @@
         "command": "INSERT INTO dbo.pets (pet_name, owner) VALUES ('Malicious Pet', 'Aikido Security'), ('Gru from the Minions', 'Evil Corp'); -- '",
         "dialect": 7,
         "userInput": "Malicious Pet', 'Aikido Security'), ('Gru from the Minions', 'Evil Corp'); -- ",
-        "description": "ATTACK: Microsoft SQL injection with multiple values", 
+        "description": "ATTACK: Microsoft SQL injection with multiple values",
         "isInjection": true
     },
     {
@@ -89,5 +89,47 @@
         "userInput": "' OR 1=1 -- ",
         "description": "SAFE: PostgreSQL named dollar sign quotes",
         "isInjection": false
+    },
+    {
+        "command": "SELECT * FROM users WHERE id = 'USER'",
+        "dialect": 0,
+        "userInput": "USER",
+        "description": "SAFE: Uppercase user input",
+        "isInjection": false
+    },
+    {
+        "command": "SELECT * FROM users WHERE id = 'user'",
+        "dialect": 0,
+        "userInput": "USER",
+        "description": "SAFE: Lowercase query with uppercase user input",
+        "isInjection": false
+    },
+    {
+        "command": "SELECT * FROM USERS WHERE ID = 'user'",
+        "dialect": 0,
+        "userInput": "user",
+        "description": "SAFE: Uppercase query with lowercase user input",
+        "isInjection": false
+    },
+    {
+        "command": "SELECT * FROM USERS WHERE ID = 'USER'",
+        "dialect": 0,
+        "userInput": "user",
+        "description": "SAFE: Uppercase query and user input",
+        "isInjection": false
+    },
+    {
+        "command": "SELECT * FROM users WHERE id = 'user' OR 1=1 --",
+        "dialect": 0,
+        "userInput": "USER' OR 1=1 --",
+        "description": "ATTACK: Uppercase user input with SQL injection",
+        "isInjection": true
+    },
+    {
+        "command": "SELECT * FROM USERS WHERE ID = 'user' OR 1=1 --",
+        "dialect": 0,
+        "userInput": "user' OR 1=1 --",
+        "description": "ATTACK: Uppercase query with lowercase user input and SQL injection",
+        "isInjection": true
     }
 ]

Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,6 @@ public class ReportingAPIResponse : APIResponse`
`53`	`53`	`/// <summary>`
`54`	`54`	`/// Gets the regex pattern for blocked user agents.`
`55`	`55`	`/// </summary>`
`56`		`- public Regex BlockedUserAgentsRegex => new Regex(BlockedUserAgents);`
	`56`	`+ public Regex BlockedUserAgentsRegex => BlockedUserAgents != null ? new Regex(BlockedUserAgents) : null;`
`57`	`57`	`}`
`58`	`58`	`}`
Original file line number	Diff line number	Diff line change
`@@ -10,13 +10,16 @@ public class SQLInjectionDetector`
`10`	`10`	`{`
`11`	`11`	`/// <summary>`
`12`	`12`	`/// Detects potential SQL injection vulnerabilities in a query string`
	`13`	`+ /// the query and userInput are converted to lowercase before being processed`
`13`	`14`	`/// </summary>`
`14`	`15`	`/// <param name="query">The SQL query to analyze</param>`
`15`	`16`	`/// <param name="userInput">The user input to check for injection attempts</param>`
`16`	`17`	`/// <param name="dialect">The SQL dialect identifier</param>`
`17`	`18`	`/// <returns>True if SQL injection is detected, false otherwise</returns>`
`18`	`19`	`public static bool IsSQLInjection(string query, string userInput, SQLDialect dialect)`
`19`	`20`	`{`
	`21`	`+ query = query?.ToLower();`
	`22`	`+ userInput = userInput?.ToLower();`
`20`	`23`	`return ZenInternals.IsSQLInjection(query, userInput, dialect.ToRustDialectInt());`
`21`	`24`	`}`
`22`	`25`	`}`