Ignore user input that is just alphanumeric

Author: hansott

library/vulnerabilities/sql-injection/config.test.ts

@@ -1,7 +1,6 @@
 import * as t from "tap";
 import {
   SQL_DANGEROUS_IN_STRING,
-  COMMON_SQL_KEYWORDS,
   SQL_ESCAPE_SEQUENCES,
   SQL_KEYWORDS,
   SQL_OPERATORS,
@@ -20,18 +19,6 @@ t.test("SQL_KEYWORDS are uppercase", async () => {
   });
 });
 
-t.test("COMMON_SQL_KEYWORDS are not empty", async () => {
-  COMMON_SQL_KEYWORDS.forEach((keyword) => {
-    t.ok(keyword.length > 0);
-  });
-});
-
-t.test("COMMON_SQL_KEYWORDS are uppercase", async () => {
-  COMMON_SQL_KEYWORDS.forEach((keyword) => {
-    t.same(keyword, keyword.toUpperCase());
-  });
-});
-
 t.test("SQL_OPERATORS are not empty", async () => {
   SQL_OPERATORS.forEach((operator) => {
     t.ok(operator.length > 0);

library/vulnerabilities/sql-injection/config.ts

@@ -75,49 +75,6 @@ export const SQL_KEYWORDS = [
   "IS",
 ];
 
-// This is a list of common SQL keywords that are not dangerous by themselves
-// They will appear in almost any SQL query
-// e.g. SELECT * FROM table WHERE column = 'value' LIMIT 1
-// If a query parameter is ?LIMIT=1 it would be blocked
-// If the body contains "LIMIT" or "SELECT" it would be blocked
-export const COMMON_SQL_KEYWORDS = [
-  "SELECT",
-  "INSERT",
-  "FROM",
-  "WHERE",
-  "DELETE",
-  "GROUP",
-  "BY",
-  "ORDER",
-  "LIMIT",
-  "OFFSET",
-  "HAVING",
-  "COUNT",
-  "SUM",
-  "AVG",
-  "MIN",
-  "MAX",
-  "DISTINCT",
-  "AS",
-  "AND",
-  "OR",
-  "NOT",
-  "IN",
-  "LIKE",
-  "BETWEEN",
-  "IS",
-  "NULL",
-  "ALL",
-  "ANY",
-  "EXISTS",
-  "UNIQUE",
-  "UPDATE",
-  "INTO",
-  "KEY",
-  "VALUES",
-  "VIEW",
-];
-
 export const SQL_OPERATORS = [
   "=",
   "!",

library/vulnerabilities/sql-injection/detectSQLInjection.sqlite.test.ts

@@ -3,7 +3,7 @@ import { detectSQLInjection } from "./detectSQLInjection";
 import { SQLDialectSQLite } from "./dialects/SQLDialectSQLite";
 
 t.test("It flags the VACUUM command as SQL injection", async () => {
-  isSqlInjection("VACUUM;", "VACUUM");
+  isNotSQLInjection("VACUUM;", "VACUUM");
 });
 
 t.test("It flags the ATTACH command as SQL injection", async () => {

library/vulnerabilities/sql-injection/detectSQLInjection.test.ts

@@ -58,10 +58,10 @@ const IS_NOT_INJECTION = [
   ["SELECT * FROM table", "*"],
   [`"COPY/*"`, "COPY/*"], // String encapsulated but dangerous chars
   [`'union'  is not "UNION--"`, "UNION--"], // String encapsulated but dangerous chars
+  [`'union'  is not UNION`, "UNION"], // String not always encapsulated
 ];
 
 const IS_INJECTION = [
-  [`'union'  is not UNION`, "UNION"], // String not always encapsulated
   [`UNTER;`, "UNTER;"], // String not encapsulated and dangerous char (;)
 ];
 

library/vulnerabilities/sql-injection/userInputContainsSQLSyntax.ts

@@ -1,13 +1,9 @@
 import { escapeStringRegexp } from "../../helpers/escapeStringRegexp";
-import {
-  COMMON_SQL_KEYWORDS,
-  SQL_DANGEROUS_IN_STRING,
-  SQL_KEYWORDS,
-  SQL_OPERATORS,
-} from "./config";
+import { SQL_DANGEROUS_IN_STRING, SQL_KEYWORDS, SQL_OPERATORS } from "./config";
 import { SQLDialect } from "./dialects/SQLDialect";
 
 const cachedRegexes = new Map<string, RegExp>();
+const alphaNumeric = /^[a-z0-9]+$/i;
 
 /**
  * This function is the first check in order to determine if a SQL injection is happening,
@@ -21,8 +17,8 @@ export function userInputContainsSQLSyntax(
   // e.g. SELECT * FROM table WHERE column = 'value' LIMIT 1
   // If a query parameter is ?LIMIT=1 it would be blocked
   // If the body contains "LIMIT" or "SELECT" it would be blocked
-  // These are common SQL keywords and appear in almost any SQL query
-  if (COMMON_SQL_KEYWORDS.includes(userInput.toUpperCase())) {
+  // If the user input is just alphanumeric, we can safely ignore it
+  if (alphaNumeric.test(userInput)) {
     return false;
   }