16f6c0aecf
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
95 lines
2.4 KiB
Plaintext
95 lines
2.4 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
[source,javascript]
|
|
----
|
|
// === MySQL ===
|
|
const mysql = require('mysql');
|
|
const mycon = mysql.createConnection({ host: host, user: user, password: pass, database: db });
|
|
mycon.connect(function(err) {
|
|
mycon.query('SELECT * FROM users WHERE id = ' + userinput, (err, res) => {}); // Sensitive
|
|
});
|
|
|
|
// === PostgreSQL ===
|
|
const pg = require('pg');
|
|
const pgcon = new pg.Client({ host: host, user: user, password: pass, database: db });
|
|
pgcon.connect();
|
|
pgcon.query('SELECT * FROM users WHERE id = ' + userinput, (err, res) => {}); // Sensitive
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
[source,javascript]
|
|
----
|
|
// === MySQL ===
|
|
const mysql = require('mysql');
|
|
const mycon = mysql.createConnection({ host: host, user: user, password: pass, database: db });
|
|
mycon.connect(function(err) {
|
|
mycon.query('SELECT name FROM users WHERE id = ?', [userinput], (err, res) => {});
|
|
});
|
|
|
|
// === PostgreSQL ===
|
|
const pg = require('pg');
|
|
const pgcon = new pg.Client({ host: host, user: user, password: pass, database: db });
|
|
pgcon.connect();
|
|
pgcon.query('SELECT name FROM users WHERE id = $1', [userinput], (err, res) => {});
|
|
----
|
|
|
|
== Exceptions
|
|
|
|
This rule's current implementation does not follow variables. It will only detect SQL queries which are formatted directly in the function call.
|
|
|
|
[source,javascript]
|
|
----
|
|
const sql = 'SELECT * FROM users WHERE id = ' + userinput;
|
|
mycon.query(sql, (err, res) => {}); // Sensitive but no issue is raised.
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
include::../highlighting.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
=== on 8 Dec 2018, 15:13:48 Lars Svensson wrote:
|
|
https://www.npmjs.com/package/mysql
|
|
|
|
https://www.npmjs.com/package/mysql2
|
|
|
|
https://www.npmjs.com/package/pg - docs: \https://node-postgres.com/features/queries
|
|
|
|
https://www.npmjs.com/package/sequelize - docs: \http://docs.sequelizejs.com/
|
|
|
|
|
|
|
|
=== on 8 Dec 2018, 19:19:56 Lars Svensson wrote:
|
|
Sequelize is currently the most popular NodeJS ORM with the module having ~285k downloads/week.
|
|
|
|
|
|
This OWASP project has a good example of an SQLi related with the sequelize module:
|
|
|
|
https://github.com/appsecco/dvna
|
|
|
|
sequelize.query() is used with user input concatenated to an SQL command
|
|
|
|
|
|
|
|
include::../comments-and-links.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|