Add more tests

AikidoSec · Jul 30, 2024 · 2811e30 · 2811e30
1 parent 3956d95
commit 2811e30
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 1 deletion.
diff --git a/library/vulnerabilities/sql-injection/detectSQLInjection.test.ts b/library/vulnerabilities/sql-injection/detectSQLInjection.test.ts
@@ -2,7 +2,7 @@ import { basename, join } from "path";
 import * as t from "tap";
 import { readFileSync } from "fs";
 import { escapeStringRegexp } from "../../helpers/escapeStringRegexp";
-import { SQL_DANGEROUS_IN_STRING } from "./config";
+import { SQL_DANGEROUS_IN_STRING, SQL_KEYWORDS } from "./config";
 import { detectSQLInjection } from "./detectSQLInjection";
 import { SQLDialectMySQL } from "./dialects/SQLDialectMySQL";
 import { SQLDialectPostgres } from "./dialects/SQLDialectPostgres";
@@ -361,6 +361,36 @@ t.test("It does not match VIEW keyword", async () => {
   isNotSqlInjection(query2, "view");
 });
 
+t.test("It does not flag SQL keyword if part of another word", async () => {
+  SQL_KEYWORDS.forEach((keyword) => {
+    isNotSqlInjection(
+      `
+      SELECT id,
+             business_id,
+             name,
+             created_at,
+             updated_at
+        FROM ${keyword}
+        WHERE business_id = ?
+    `,
+      keyword
+    );
+
+    isNotSqlInjection(
+      `
+      SELECT id,
+             business_id,
+             name,
+             created_at,
+             updated_at
+        FROM ${keyword.toLowerCase()}
+        WHERE business_id = ?
+    `,
+      keyword
+    );
+  });
+});
+
 const files = [
   // Taken from https://github.com/payloadbox/sql-injection-payload-list/tree/master
   join(__dirname, "payloads", "Auth_Bypass.txt"),

diff --git a/library/vulnerabilities/sql-injection/userInputContainsSQLSyntax.test.ts b/library/vulnerabilities/sql-injection/userInputContainsSQLSyntax.test.ts
@@ -1,6 +1,7 @@
 import { readFileSync } from "fs";
 import { join } from "path";
 import * as t from "tap";
+import { SQL_KEYWORDS } from "./config";
 import { SQLDialectMySQL } from "./dialects/SQLDialectMySQL";
 import { SQLDialectPostgres } from "./dialects/SQLDialectPostgres";
 import { userInputContainsSQLSyntax } from "./userInputContainsSQLSyntax";
@@ -13,6 +14,29 @@ t.test("it does not flag common SQL keywords", async () => {
   t.same(userInputContainsSQLSyntax("SELECT", new SQLDialectMySQL()), false);
 });
 
+t.test("it ignores alphanumeric input", async () => {
+  t.same(userInputContainsSQLSyntax("1", new SQLDialectMySQL()), false);
+  t.same(userInputContainsSQLSyntax("123", new SQLDialectMySQL()), false);
+  t.same(userInputContainsSQLSyntax("1313", new SQLDialectMySQL()), false);
+  t.same(userInputContainsSQLSyntax("0", new SQLDialectMySQL()), false);
+  t.same(userInputContainsSQLSyntax("abc", new SQLDialectMySQL()), false);
+  t.same(userInputContainsSQLSyntax("ABC", new SQLDialectMySQL()), false);
+});
+
+t.test("it does not flag SQL keyword as dangerous", async () => {
+  // They just contain alpha characters
+  SQL_KEYWORDS.forEach((keyword) => {
+    t.same(
+      userInputContainsSQLSyntax(keyword.toLowerCase(), new SQLDialectMySQL()),
+      false
+    );
+    t.same(
+      userInputContainsSQLSyntax(keyword.toUpperCase(), new SQLDialectMySQL()),
+      false
+    );
+  });
+});
+
 const files = [
   // Taken from https://github.com/payloadbox/sql-injection-payload-list/tree/master
   join(__dirname, "payloads", "Auth_Bypass.txt"),