Merge branch 'main' of github.com:AikidoSec/node-RASP into add-commen…

…ts-for-regex-escape

* 'main' of github.com:AikidoSec/node-RASP:
  Move to separate file
  Remove typedoc
  Split regex up into different smaller regex strings
  Add comments to regex
  Remove some comments

Makefile

@@ -30,10 +30,6 @@ lambda-mongodb-nosql-injection:
 lambda-mongodb-safe:
 	cd sample-apps/lambda-mongodb && npx serverless invoke local --function login --path payloads/safe-request.json
 
-.PHONY: docs
-docs:
-	npx typedoc
-
 .PHONY: install
 install:
 	npm install --workspaces

benchmarks/sql-injection/benchmark.js

@@ -1,6 +1,5 @@
 /**
  * Runs benchmarks for the detection of SQL Injections
- * @module
  */
 const fs = require("fs");
 const path = require("path");
@@ -23,6 +22,7 @@ function main() {
     );
   }
 }
+
 main();
 
 function runBenchmark(sql, input) {
@@ -55,19 +55,31 @@ function getAvgBenchmark() {
  */
 function fetchSqlStatements() {
   const auth_bypass_txt = fs.readFileSync(
-    path.join(__dirname, "./../../library/testing/sql-injection-payloads/Auth_Bypass.txt"),
+    path.join(
+      __dirname,
+      "./../../library/testing/sql-injection-payloads/Auth_Bypass.txt"
+    ),
     "utf-8"
   );
   const postgres_txt = fs.readFileSync(
-    path.join(__dirname, "./../../library/testing/sql-injection-payloads/postgres.txt"),
+    path.join(
+      __dirname,
+      "./../../library/testing/sql-injection-payloads/postgres.txt"
+    ),
     "utf-8"
   );
   const mysql_txt = fs.readFileSync(
-    path.join(__dirname, "./../../library/testing/sql-injection-payloads/mysql.txt"),
+    path.join(
+      __dirname,
+      "./../../library/testing/sql-injection-payloads/mysql.txt"
+    ),
     "utf-8"
   );
   const mssql_and_db2_txt = fs.readFileSync(
-    path.join(__dirname, "./../../library/testing/sql-injection-payloads/mssql_and_db2.txt"),
+    path.join(
+      __dirname,
+      "./../../library/testing/sql-injection-payloads/mssql_and_db2.txt"
+    ),
     "utf-8"
   );
 

library/src/agent/AgentSingleton.ts

@@ -1,8 +1,3 @@
-/**
- * This module contains a variable instance, and methods to get and set the current agent
- * @module agent/AgentSingleton
- */
-
 import { Agent } from "./Agent";
 
 let instance: Agent | undefined = undefined;

library/src/agent/Logger.ts

@@ -1,9 +1,3 @@
-/**
- * Exports 2 classes related to logging
- * + Type definition Logger
- * @module agent/Logger
- */
-
 export interface Logger {
   log(message: string): void;
 }

library/src/agent/Source.ts

@@ -1,8 +1,3 @@
-/**
- * Exports type def Source but mainly the function {@link friendlyName}
- * @module agent/Source
- */
-
 export type Source = "query" | "body" | "headers" | "cookies";
 
 /**

library/src/agent/Wrapper.ts

@@ -1,8 +1,3 @@
-/**
- * Type definitions
- * @module agent/Wrapper
- */
-
 export interface Wrapper {
   wrap(): void;
 }

library/src/helpers/getOptions.ts

@@ -1,8 +1,3 @@
-/**
- * This module contains the default options and the function {@link getOptions}
- * @module helpers/getOptions
- */
-
 /**
  * It gets the options for an Agent
  * @param partialOptions Your own values which will overwrite the default options

library/src/helpers/getPackageVersion.ts

@@ -1,8 +1,3 @@
-/**
- * The getPackageVersion module exports only one function : {@link getPackageVersion}
- * @module helpers/getPackageVersion
- */
-
 /**
  * Get the installed version of a package
  * @param pkg A package name

library/src/helpers/isPlainObject.ts

@@ -1,6 +1,5 @@
 /**
  * Grabbed from https://github.com/jonschlinkert/is-plain-object
- * @module helpers/isPlainObject
  */
 
 function isObject(o: unknown) {

library/src/helpers/satisfiesVersion.ts

@@ -1,8 +1,3 @@
-/**
- * The satisfiesVersion module exports only one function with the same name : satisfiesVersion
- * @module helpers/satisfiesVersion
- */
-
 /**
  * This function checks if a certain version satisfies a version range.
  * @param range A range of versions written in semver

library/src/helpers/tryDecodeAsJWT.ts

@@ -1,8 +1,3 @@
-/**
- * The JWT module only exports one function : tryDecodeAsJWT
- * @module helpers/JWT
- */
-
 /**
  * This function tries to decode your input as if it is a JSON Web Token, if it fails to do so it returns {jwt: false}.
  * @param jwt A (possible) JWT

library/src/vulnerabilities/sql-injection/dangerousCharsInInput.ts

@@ -0,0 +1,17 @@
+import { SQL_DANGEROUS_IN_STRING } from "./config";
+
+const dangerousInStringRegex = new RegExp(
+  SQL_DANGEROUS_IN_STRING.join("|"),
+  "im"
+);
+
+/**
+ * This function is the second step to determine if an SQL Injection is happening,
+ * If the user input contains characters that should never end up in a query, not
+ * even in a string, this function returns true.
+ * @param userInput The user input you want to check
+ * @returns True if characters are present
+ */
+export function dangerousCharsInInput(userInput: string): boolean {
+  return dangerousInStringRegex.test(userInput);
+}

library/src/vulnerabilities/sql-injection/detectSQLInjection.test.ts

@@ -1,8 +1,8 @@
 import * as t from "tap";
 import * as fs from "fs";
 import * as path from "path";
+import { dangerousCharsInInput } from "./dangerousCharsInInput";
 import {
-  dangerousCharsInInput,
   detectSQLInjection,
   userInputOccurrencesSafelyEncapsulated,
   queryContainsUserInput,

library/src/vulnerabilities/sql-injection/detectSQLInjection.ts

@@ -1,14 +1,11 @@
 import { Agent } from "../../agent/Agent";
 import { Context } from "../../agent/Context";
-import { Source, friendlyName } from "../../agent/Source";
+import { friendlyName, Source } from "../../agent/Source";
 import { extractStringsFromUserInput } from "../../helpers/extractStringsFromUserInput";
 
-import {
-  SQL_KEYWORDS,
-  SQL_OPERATORS,
-  SQL_DANGEROUS_IN_STRING,
-  SQL_STRING_CHARS,
-} from "./config";
+import { SQL_STRING_CHARS } from "./config";
+import { dangerousCharsInInput } from "./dangerousCharsInInput";
+import { userInputContainsSQLSyntax } from "./userInputContainsSQLSyntax";
 
 /**
  * This function executes 2 checks to see if something is or is not an SQL Injection :
@@ -46,33 +43,6 @@ export function detectSQLInjection(query: string, userInput: string) {
   return userInputContainsSQLSyntax(userInput);
 }
 
-const dangerousInStringRegex = new RegExp(
-  SQL_DANGEROUS_IN_STRING.join("|"),
-  "im"
-);
-
-const possibleSqlRegex = new RegExp(
-  "(?<![a-z])(" +
-    SQL_KEYWORDS.join("|") +
-    ")(?![a-z])|(" +
-    SQL_OPERATORS.join("|") +
-    ")|(?<=([\\s|.|" +
-    SQL_OPERATORS.join("|") +
-    "]|^)+)([a-z0-9_-]+)(?=[\\s]*\\()",
-  "im"
-);
-
-/**
- * This function is the first check in order to determine if a SQL injection is happening,
- * If the user input contains the necessary characters or words for a SQL injection, this
- * function returns true.
- * @param userInput The user input you want to check
- * @returns True when this is a possible SQL Injection
- */
-export function userInputContainsSQLSyntax(userInput: string): boolean {
-  return possibleSqlRegex.test(userInput);
-}
-
 /**
  * This function is the first step to determine if an SQL Injection is happening,
  * If the sql statement contains user input, this function returns true (case-insensitive)
@@ -87,17 +57,6 @@ export function queryContainsUserInput(query: string, userInput: string) {
   return lowercaseSql.includes(lowercaseInput);
 }
 
-/**
- * This function is the second step to determine if an SQL Injection is happening,
- * If the user input contains characters that should never end up in a query, not
- * even in a string, this function returns true.
- * @param userInput The user input you want to check
- * @returns True if characters are present
- */
-export function dangerousCharsInInput(userInput: string): boolean {
-  return dangerousInStringRegex.test(userInput);
-}
-
 /**
  * This function is the third step to determine if an SQL Injection is happening,
  * This checks if **all** occurrences of our input are encapsulated as strings.

library/src/vulnerabilities/sql-injection/userInputContainsSQLSyntax.ts

@@ -0,0 +1,32 @@
+import { SQL_KEYWORDS, SQL_OPERATORS } from "./config";
+
+const matchSqlKeywords =
+  "(?<![a-z])(" + // Lookbehind : if the keywords are preceded by one or more letters, it should not match
+  SQL_KEYWORDS.join("|") + // Look for SQL Keywords
+  ")(?![a-z])"; // Lookahead : if the keywords are followed by one or more letters, it should not match
+
+const matchSqlOperators = `(${SQL_OPERATORS.join("|")})`;
+
+const matchSqlFunctions =
+  "(?<=([\\s|.|" + // Lookbehind : A sql function should be preceded by spaces, dots,
+  SQL_OPERATORS.join("|") + // Or sql operators
+  "]|^)+)" +
+  "([a-z0-9_-]+)" + // The name of a sql function can include letters, numbers, "_" and "-"
+  "(?=[\\s]*\\()"; // Lookahead : A sql function should be followed by a "(" , spaces are allowed.
+
+const possibleSqlRegex = new RegExp(
+  // Match one or more of : sql keywords, sql operators, sql functions
+  `${matchSqlKeywords}|${matchSqlOperators}|${matchSqlFunctions}`,
+  "im"
+);
+
+/**
+ * This function is the first check in order to determine if a SQL injection is happening,
+ * If the user input contains the necessary characters or words for a SQL injection, this
+ * function returns true.
+ * @param userInput The user input you want to check
+ * @returns True when this is a possible SQL Injection
+ */
+export function userInputContainsSQLSyntax(userInput: string): boolean {
+  return possibleSqlRegex.test(userInput);
+}

library/tsconfig.json

@@ -7,9 +7,8 @@
     "outDir": "./dist",
     "declaration": true,
     "strict": true,
-    "allowJs": false,
-    "resolveJsonModule": true,
+    "allowJs": false
   },
   "include": ["src"],
-  "exclude": ["**/*.test.ts"],
+  "exclude": ["**/*.test.ts"]
 }