Merge pull request #75 from AikidoSec/AIK-2521

Move tests to separate files
AikidoSec · Mar 11, 2024 · d4922e5 · d4922e5
2 parents ecb70ec + 44577cc
commit d4922e5
Show file tree

Hide file tree

Showing 5 changed files with 64 additions and 45 deletions.
diff --git a/library/src/vulnerabilities/sql-injection/dangerousCharsInInput.test.ts b/library/src/vulnerabilities/sql-injection/dangerousCharsInInput.test.ts
@@ -11,3 +11,7 @@ SQL_DANGEROUS_IN_STRING.forEach((char) => {
 t.test("it returns false for safe chars", async (t) => {
   t.same(dangerousCharsInInput("safe"), false);
 });
+
+t.test("it returns true if comment chars are used", async () => {
+  t.same(dangerousCharsInInput("This is not ok--"), true);
+});
diff --git a/library/src/vulnerabilities/sql-injection/detectSQLInjection.test.ts b/library/src/vulnerabilities/sql-injection/detectSQLInjection.test.ts
@@ -82,8 +82,6 @@ t.test("Test detectSQLInjection() function", async () => {
   }
 });
 
-// END TESTS WITH EXPLOITS FROM : https://github.com/payloadbox/sql-injection-payload-list/tree/master
-
 t.test(
   "Test the detectSQLInjection() function to see if it detects SQL Functions",
   async () => {
@@ -108,49 +106,6 @@ t.test(
   }
 );
 
-t.test("Test the queryContainsUserInput() function", async () => {
-  t.same(queryContainsUserInput("SELECT * FROM 'Jonas';", "Jonas"), true);
-  t.same(queryContainsUserInput("Hi I'm MJoNaSs", "jonas"), true);
-  t.same(
-    queryContainsUserInput("Hiya, 123^&*( is a real string", "123^&*("),
-    true
-  );
-  t.same(queryContainsUserInput("Roses are red", "violet"), false);
-});
-
-t.test(
-  "Test the userInputOccurrencesSafelyEncapsulated() function",
-  async () => {
-    t.same(
-      userInputOccurrencesSafelyEncapsulated(
-        ` Hello Hello 'UNION'and also "UNION" `,
-        "UNION"
-      ),
-      true
-    );
-    t.same(userInputOccurrencesSafelyEncapsulated(`"UNION"`, "UNION"), true);
-    t.same(userInputOccurrencesSafelyEncapsulated(` 'UNION' `, "UNION"), true);
-    t.same(
-      userInputOccurrencesSafelyEncapsulated(`"UNION"'UNION'`, "UNION"),
-      true
-    );
-
-    t.same(
-      userInputOccurrencesSafelyEncapsulated(`'UNION'"UNION"UNION`, "UNION"),
-      false
-    );
-    t.same(
-      userInputOccurrencesSafelyEncapsulated(`'UNION'UNION"UNION"`, "UNION"),
-      false
-    );
-    t.same(userInputOccurrencesSafelyEncapsulated("UNION", "UNION"), false);
-  }
-);
-
-t.test("Test the dangerousCharsInInput() function", async () => {
-  t.ok(dangerousCharsInInput("This is not ok--"));
-});
-
 t.test("It flags postgres bitwise operator as SQL injection", async () => {
   isSqlInjection("SELECT 10 # 12", "10 # 12");
 });
@@ -179,6 +134,10 @@ const files = [
   join(__dirname, "payloads", "mssql_and_db2.txt"),
 ];
 
+function quote(str: string) {
+  return `'${str.replace(/'/g, "''")}'`;
+}
+
 for (const file of files) {
   const contents = readFileSync(file, "utf-8");
   const lines = contents.split(/\r?\n/);
@@ -189,5 +148,17 @@ for (const file of files) {
         t.same(detectSQLInjection(sql, sql), true, sql);
       }
     );
+
+    t.test(
+      `It does not flag ${sql} from ${basename(file)} as SQL injection (when escaped)`,
+      async () => {
+        const escaped = quote(sql);
+        t.same(
+          detectSQLInjection("SELECT * FROM users WHERE id = ${escaped}", sql),
+          false,
+          sql
+        );
+      }
+    );
   }
 }
diff --git a/library/src/vulnerabilities/sql-injection/payloads/README.md b/library/src/vulnerabilities/sql-injection/payloads/README.md
@@ -0,0 +1 @@
+These files originate from [https://github.com/payloadbox/sql-injection-payload-list](https://github.com/payloadbox/sql-injection-payload-list).
diff --git a/library/src/vulnerabilities/sql-injection/queryContainsUserInput.test.ts b/library/src/vulnerabilities/sql-injection/queryContainsUserInput.test.ts
@@ -0,0 +1,12 @@
+import * as t from "tap";
+import { queryContainsUserInput } from "./queryContainsUserInput";
+
+t.test("it checks if query contains user input", async () => {
+  t.same(queryContainsUserInput("SELECT * FROM 'Jonas';", "Jonas"), true);
+  t.same(queryContainsUserInput("Hi I'm MJoNaSs", "jonas"), true);
+  t.same(
+    queryContainsUserInput("Hiya, 123^&*( is a real string", "123^&*("),
+    true
+  );
+  t.same(queryContainsUserInput("Roses are red", "violet"), false);
+});
diff --git a/library/src/vulnerabilities/sql-injection/userInputOccurrencesSafelyEncapsulated.test.ts b/library/src/vulnerabilities/sql-injection/userInputOccurrencesSafelyEncapsulated.test.ts
@@ -0,0 +1,31 @@
+import * as t from "tap";
+import { userInputOccurrencesSafelyEncapsulated } from "./userInputOccurrencesSafelyEncapsulated";
+
+t.test(
+  "Test the userInputOccurrencesSafelyEncapsulated() function",
+  async () => {
+    t.same(
+      userInputOccurrencesSafelyEncapsulated(
+        ` Hello Hello 'UNION'and also "UNION" `,
+        "UNION"
+      ),
+      true
+    );
+    t.same(userInputOccurrencesSafelyEncapsulated(`"UNION"`, "UNION"), true);
+    t.same(userInputOccurrencesSafelyEncapsulated(` 'UNION' `, "UNION"), true);
+    t.same(
+      userInputOccurrencesSafelyEncapsulated(`"UNION"'UNION'`, "UNION"),
+      true
+    );
+
+    t.same(
+      userInputOccurrencesSafelyEncapsulated(`'UNION'"UNION"UNION`, "UNION"),
+      false
+    );
+    t.same(
+      userInputOccurrencesSafelyEncapsulated(`'UNION'UNION"UNION"`, "UNION"),
+      false
+    );
+    t.same(userInputOccurrencesSafelyEncapsulated("UNION", "UNION"), false);
+  }
+);
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		These files originate from [https://github.com/payloadbox/sql-injection-payload-list](https://github.com/payloadbox/sql-injection-payload-list).