Fix Prisma sqlite test

AikidoSec · Nov 22, 2024 · 1d349b9 · 1d349b9
1 parent 08638c1
commit 1d349b9
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 3 deletions.
diff --git a/library/sinks/Prisma.test.ts → library/sinks/Prisma.sqlite.test.ts b/library/sinks/Prisma.test.ts → library/sinks/Prisma.sqlite.test.ts
@@ -23,6 +23,8 @@ const context: Context = {
   route: "/posts/:id",
 };
 
+process.env.DATABASE_URL = "file:./dev.db";
+
 t.test("it inspects query method calls and blocks if needed", async (t) => {
   const agent = createTestAgent();
   agent.start([new Prisma()]);
@@ -31,7 +33,7 @@ t.test("it inspects query method calls and blocks if needed", async (t) => {
   const { stdout, stderr } = await execAsync(
     "npx prisma migrate reset --force", // Generate prisma client, reset db and apply migrations
     {
-      cwd: path.join(__dirname, "fixtures"),
+      cwd: path.join(__dirname, "fixtures/prisma/sqlite"),
     }
   );
 
@@ -72,4 +74,25 @@ t.test("it inspects query method calls and blocks if needed", async (t) => {
       }
     }
   });
+
+  await client.$executeRawUnsafe("DELETE FROM USER WHERE id = 1");
+
+  await runWithContext(context, async () => {
+    try {
+      await client.$executeRawUnsafe(
+        "DELETE FROM USER WHERE id = 1 -- should be blocked"
+      );
+      t.fail("Execution should be blocked");
+    } catch (error) {
+      t.ok(error instanceof Error);
+      if (error instanceof Error) {
+        t.same(
+          error.message,
+          "Zen has blocked an SQL injection: prisma.$executeRawUnsafe(...) originating from body.myTitle"
+        );
+      }
+    }
+  });
+
+  await client.$disconnect();
 });
diff --git a/library/sinks/Prisma.ts b/library/sinks/Prisma.ts
@@ -48,7 +48,10 @@ export class Prisma implements Wrapper {
     }
   }
 
-  private inspectQuery(args: unknown[], operation: string): InterceptorResult {
+  private inspectSQLQuery(
+    args: unknown[],
+    operation: string
+  ): InterceptorResult {
     const context = getContext();
 
     if (!context) {
@@ -81,7 +84,7 @@ export class Prisma implements Wrapper {
             if (typeof instance[method] === "function") {
               wrapExport(instance, method, pkgInfo, {
                 inspectArgs: (args) => {
-                  return this.inspectQuery(args, method);
+                  return this.inspectSQLQuery(args, method);
                 },
               });
             }

diff --git a/...rations/20241122110725_init/migration.sql → ...rations/20241122110725_init/migration.sql b/...rations/20241122110725_init/migration.sql → ...rations/20241122110725_init/migration.sql
diff --git a/...res/prisma/migrations/migration_lock.toml → ...sma/sqlite/migrations/migration_lock.toml b/...res/prisma/migrations/migration_lock.toml → ...sma/sqlite/migrations/migration_lock.toml
diff --git a/library/sinks/fixtures/prisma/schema.prisma → ...inks/fixtures/prisma/sqlite/schema.prisma b/library/sinks/fixtures/prisma/schema.prisma → ...inks/fixtures/prisma/sqlite/schema.prisma