■ ■ ■ ■ ■ ■
pkg/commands/process/settings/rules/javascript/express/sql_injection.yml
1 | | - | patterns: |
2 | | - | - pattern: | |
3 | | - | $<KNEX_CLIENT>.$<METHOD>($<...>$<USER_INPUT>$<...>) |
4 | | - | filters: |
5 | | - | - variable: USER_INPUT |
6 | | - | detection: javascript_express_sql_injection_request_input |
7 | | - | - variable: KNEX_CLIENT |
8 | | - | values: |
9 | | - | - knex |
10 | | - | - knexClient |
11 | | - | - client |
12 | | - | - variable: METHOD |
13 | | - | values: |
14 | | - | - fromRaw |
15 | | - | - whereRaw |
16 | | - | - raw |
17 | | - | - pattern: | |
18 | | - | $<PG_CLIENT>.query($<...>$<USER_INPUT>$<...>) |
19 | | - | filters: |
20 | | - | - variable: PG_CLIENT |
21 | | - | detection: javascript_express_sql_injection_pg_client |
22 | | - | - variable: USER_INPUT |
23 | | - | detection: javascript_express_sql_injection_request_input |
24 | | - | - pattern: | |
25 | | - | $<SEQUELIZE>.query($<USER_INPUT>) |
26 | | - | filters: |
27 | | - | - variable: SEQUELIZE |
28 | | - | detection: javascript_express_sql_injection_sequelize_init |
29 | | - | - variable: USER_INPUT |
30 | | - | detection: javascript_express_sql_injection_request_input |
31 | | - | - pattern: | |
32 | | - | $<MYSQL_CONN>.$<METHOD>($<...>$<USER_INPUT>$<...>) |
33 | | - | filters: |
34 | | - | - variable: MYSQL_CONN |
35 | | - | detection: javascript_express_sql_injection_mysql_conn |
36 | | - | - variable: USER_INPUT |
37 | | - | detection: javascript_express_sql_injection_request_input |
38 | | - | - variable: METHOD |
39 | | - | values: |
40 | | - | - query |
41 | | - | - execute |
42 | | - | - pattern: | |
43 | | - | $<MYSQL_POOL>.query($<...>$<USER_INPUT>$<...>) |
44 | | - | filters: |
45 | | - | - variable: MYSQL_POOL |
46 | | - | detection: javascript_express_sql_injection_mysql_pool |
47 | | - | - variable: USER_INPUT |
48 | | - | detection: javascript_express_sql_injection_request_input |
49 | | - | - pattern: | |
50 | | - | $<CONN>.query($<USER_INPUT>, $<_>) |
51 | | - | filters: |
52 | | - | - variable: CONN |
53 | | - | detection: javascript_express_sql_injection_pool_conn |
54 | | - | - variable: USER_INPUT |
55 | | - | detection: javascript_express_sql_injection_request_input |
56 | | - | auxiliary: |
57 | | - | - id: javascript_express_sql_injection_request_input |
58 | | - | patterns: |
59 | | - | - req.params |
60 | | - | - req.query |
61 | | - | - req.body |
62 | | - | - req.cookies |
63 | | - | - req.headers |
64 | | - | - id: javascript_express_sql_injection_pg_client |
65 | | - | patterns: |
66 | | - | - new Client() |
67 | | - | - id: javascript_express_sql_injection_sequelize_init |
68 | | - | patterns: |
69 | | - | - new Sequelize() |
70 | | - | - id: javascript_express_sql_injection_mysql_conn |
71 | | - | patterns: |
72 | | - | - mysql.createConnection() |
73 | | - | - await mysql.createConnection() |
74 | | - | - id: javascript_express_sql_injection_mysql_pool |
75 | | - | patterns: |
76 | | - | - mysql.createPool() |
77 | | - | - id: javascript_express_sql_injection_pool_conn |
78 | | - | patterns: |
79 | | - | - pattern: $<MYSQL_POOL>.getConnection(function($<_>, $<!>$<CONN:identifier>) {}) |
80 | | - | filters: |
81 | | - | - variable: MYSQL_POOL |
82 | | - | detection: javascript_express_sql_injection_mysql_pool |
83 | | - | languages: |
84 | | - | - javascript |
85 | | - | severity: high |
86 | | - | metadata: |
87 | | - | description: "SQL injection vulnerability detected." |
88 | | - | remediation_message: | |
89 | | - | ## Description |
90 | | - | Including unsanitized data, such as user input or request data, in raw SQL queries makes your application vulnerable to SQL injection attacks. |
91 | | - | |
92 | | - | ## Remediations |
93 | | - | |
94 | | - | ❌ Avoid raw queries, especially those that contain unsanitized user input |
95 | | - | |
96 | | - | ```javascript |
97 | | - | var sqlite = new Sequelize("sqlite::memory:"); |
98 | | - | sqlite.query("SELECT * FROM users WHERE ID = " + req.params.userId); |
99 | | - | ``` |
100 | | - | |
101 | | - | Instead, consider the following approaches when writing SQL queries |
102 | | - | |
103 | | - | ✅ Validate query input wherever possible |
104 | | - | |
105 | | - | ```javascript |
106 | | - | var rawId = req.params.userId |
107 | | - | if !(/[0-9]+/.test(rawId)) { |
108 | | - | // input is unexpected; don't make the query |
109 | | - | } |
110 | | - | ``` |
111 | | - | |
112 | | - | ✅ Use prepared (or parameterized) statements when querying |
113 | | - | |
114 | | - | Sequelize example - |
115 | | - | ```javascript |
116 | | - | var sqlite = new Sequelize("sqlite::memory:"); |
117 | | - | sqlite.query( |
118 | | - | "SELECT * FROM users WHERE ID = ?", |
119 | | - | { replacements: [req.params.userId] }, |
120 | | - | type: sequelize.QueryTypes.SELECT |
121 | | - | ) |
122 | | - | ``` |
123 | | - | |
124 | | - | ## Resources |
125 | | - | - [OWASP SQL injection explained](https://owasp.org/www-community/attacks/SQL_Injection) |
126 | | - | - [OWASP SQL injection prevention cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html) |
127 | | - | cwe_id: |
128 | | - | - 89 |
129 | | - | id: "javascript_express_sql_injection" |
130 | | - | |