2021-02-16 17:52:17 +01:00
|
|
|
include::../description.adoc[]
|
2020-06-30 12:48:07 +02:00
|
|
|
|
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
|
|
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
|
|
|
|
|
|
== Sensitive Code Example
|
|
|
|
|
|
2022-08-04 15:12:16 +02:00
|
|
|
[source,javascript]
|
2020-06-30 12:48:07 +02:00
|
|
|
----
|
|
|
|
|
// === MySQL ===
|
|
|
|
|
const mysql = require('mysql');
|
|
|
|
|
const mycon = mysql.createConnection({ host: host, user: user, password: pass, database: db });
|
|
|
|
|
mycon.connect(function(err) {
|
|
|
|
|
mycon.query('SELECT * FROM users WHERE id = ' + userinput, (err, res) => {}); // Sensitive
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// === PostgreSQL ===
|
|
|
|
|
const pg = require('pg');
|
|
|
|
|
const pgcon = new pg.Client({ host: host, user: user, password: pass, database: db });
|
|
|
|
|
pgcon.connect();
|
|
|
|
|
pgcon.query('SELECT * FROM users WHERE id = ' + userinput, (err, res) => {}); // Sensitive
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
== Compliant Solution
|
|
|
|
|
|
2022-02-04 17:28:24 +01:00
|
|
|
[source,javascript]
|
2020-06-30 12:48:07 +02:00
|
|
|
----
|
|
|
|
|
// === MySQL ===
|
|
|
|
|
const mysql = require('mysql');
|
|
|
|
|
const mycon = mysql.createConnection({ host: host, user: user, password: pass, database: db });
|
|
|
|
|
mycon.connect(function(err) {
|
|
|
|
|
mycon.query('SELECT name FROM users WHERE id = ?', [userinput], (err, res) => {});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// === PostgreSQL ===
|
|
|
|
|
const pg = require('pg');
|
|
|
|
|
const pgcon = new pg.Client({ host: host, user: user, password: pass, database: db });
|
|
|
|
|
pgcon.connect();
|
|
|
|
|
pgcon.query('SELECT name FROM users WHERE id = $1', [userinput], (err, res) => {});
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
== Exceptions
|
|
|
|
|
|
|
|
|
|
This rule's current implementation does not follow variables. It will only detect SQL queries which are formatted directly in the function call.
|
2020-06-30 14:49:38 +02:00
|
|
|
|
2022-08-04 15:12:16 +02:00
|
|
|
[source,javascript]
|
2020-06-30 12:48:07 +02:00
|
|
|
----
|
|
|
|
|
const sql = 'SELECT * FROM users WHERE id = ' + userinput;
|
|
|
|
|
mycon.query(sql, (err, res) => {}); // Sensitive but no issue is raised.
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
include::../see.adoc[]
|
2021-06-02 20:44:38 +02:00
|
|
|
|
2021-06-03 09:05:38 +02:00
|
|
|
ifdef::env-github,rspecator-view[]
|
2021-09-20 15:38:42 +02:00
|
|
|
|
|
|
|
|
'''
|
|
|
|
|
== Implementation Specification
|
|
|
|
|
(visible only on this page)
|
|
|
|
|
|
|
|
|
|
include::../message.adoc[]
|
|
|
|
|
|
|
|
|
|
include::../highlighting.adoc[]
|
|
|
|
|
|
2021-06-08 15:52:13 +02:00
|
|
|
'''
|
2021-06-02 20:44:38 +02:00
|
|
|
== Comments And Links
|
|
|
|
|
(visible only on this page)
|
|
|
|
|
|
2023-05-25 14:18:12 +02:00
|
|
|
=== on 8 Dec 2018, 15:13:48 Lars Svensson wrote:
|
|
|
|
|
https://www.npmjs.com/package/mysql
|
|
|
|
|
|
|
|
|
|
https://www.npmjs.com/package/mysql2
|
|
|
|
|
|
|
|
|
|
https://www.npmjs.com/package/pg - docs: \https://node-postgres.com/features/queries
|
|
|
|
|
|
|
|
|
|
https://www.npmjs.com/package/sequelize - docs: \http://docs.sequelizejs.com/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
=== on 8 Dec 2018, 19:19:56 Lars Svensson wrote:
|
|
|
|
|
Sequelize is currently the most popular NodeJS ORM with the module having ~285k downloads/week.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This OWASP project has a good example of an SQLi related with the sequelize module:
|
|
|
|
|
|
|
|
|
|
https://github.com/appsecco/dvna
|
|
|
|
|
|
|
|
|
|
sequelize.query() is used with user input concatenated to an SQL command
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
include::../comments-and-links.adoc[]
|
|
|
|
|
|
2021-06-03 09:05:38 +02:00
|
|
|
endif::env-github,rspecator-view[]
|
