include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

[source,javascript]
----
// === MySQL ===
const mysql = require('mysql');
const mycon = mysql.createConnection({ host: host, user: user, password: pass, database: db });
mycon.connect(function(err) {
  mycon.query('SELECT * FROM users WHERE id = ' + userinput, (err, res) => {}); // Sensitive
});

// === PostgreSQL ===
const pg = require('pg');
const pgcon = new pg.Client({ host: host, user: user, password: pass, database: db });
pgcon.connect();
pgcon.query('SELECT * FROM users WHERE id = ' + userinput, (err, res) => {}); // Sensitive
----

== Compliant Solution

[source,javascript]
----
// === MySQL ===
const mysql = require('mysql');
const mycon = mysql.createConnection({ host: host, user: user, password: pass, database: db });
mycon.connect(function(err) {
  mycon.query('SELECT name FROM users WHERE id = ?', [userinput], (err, res) => {});
});

// === PostgreSQL ===
const pg = require('pg');
const pgcon = new pg.Client({ host: host, user: user, password: pass, database: db });
pgcon.connect();
pgcon.query('SELECT name FROM users WHERE id = $1', [userinput], (err, res) => {});
----

== Exceptions

This rule's current implementation does not follow variables. It will only detect SQL queries which are formatted directly in the function call.

[source,javascript]
----
const sql = 'SELECT * FROM users WHERE id = ' + userinput;
mycon.query(sql, (err, res) => {}); // Sensitive but no issue is raised.
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

include::../highlighting.adoc[]

'''
== Comments And Links
(visible only on this page)

=== on 8 Dec 2018, 15:13:48 Lars Svensson wrote:
https://www.npmjs.com/package/mysql

https://www.npmjs.com/package/mysql2

https://www.npmjs.com/package/pg - docs: \https://node-postgres.com/features/queries

https://www.npmjs.com/package/sequelize - docs: \http://docs.sequelizejs.com/



=== on 8 Dec 2018, 19:19:56 Lars Svensson wrote:
Sequelize is currently the most popular NodeJS ORM with the module having ~285k downloads/week.


This OWASP project has a good example of an SQLi related with the sequelize module:

https://github.com/appsecco/dvna

sequelize.query() is used with user input concatenated to an SQL command



include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]