Split tests

library/src/vulnerabilities/sql-injection/detectSQLInjection.mysql.test.ts

@@ -0,0 +1,40 @@
+import { basename, join } from "path";
+import * as t from "tap";
+import { readFileSync } from "fs";
+import { detectSQLInjection } from "./detectSQLInjection";
+import { SQLDialectMySQL } from "./dialect/SQLDialectMySQL";
+
+t.test("It flags MySQL bitwise operator as SQL injection", async () => {
+  isSqlInjection("SELECT 10 ^ 12", "10 ^ 12");
+});
+
+const files = [
+  join(__dirname, "payloads", "Auth_Bypass.txt"),
+  join(__dirname, "payloads", "mysql.txt"),
+];
+
+for (const file of files) {
+  const contents = readFileSync(file, "utf-8");
+  const lines = contents.split(/\r?\n/);
+  for (const sql of lines) {
+    const source = `${sql} (${basename(file)})`;
+    t.test(
+      `It flags ${sql} from ${basename(file)} as SQL injection`,
+      async () => {
+        t.same(
+          detectSQLInjection(sql, sql, new SQLDialectMySQL()),
+          true,
+          source
+        );
+      }
+    );
+  }
+}
+
+function isSqlInjection(sql: string, input: string) {
+  t.same(detectSQLInjection(sql, input, new SQLDialectMySQL()), true, sql);
+}
+
+function isNotSqlInjection(sql: string, input: string) {
+  t.same(detectSQLInjection(sql, input, new SQLDialectMySQL()), false, sql);
+}

library/src/vulnerabilities/sql-injection/detectSQLInjection.postgres.test.ts

@@ -0,0 +1,42 @@
+import { basename, join } from "path";
+import * as t from "tap";
+import { readFileSync } from "fs";
+import { dangerousCharsInInput } from "./dangerousCharsInInput";
+import { detectSQLInjection } from "./detectSQLInjection";
+import { SQLDialectPostgres } from "./dialect/SQLDialectPostgres";
+
+t.test("It flags postgres bitwise operator as SQL injection", async () => {
+  isSqlInjection("SELECT 10 # 12", "10 # 12");
+});
+
+t.test("It flags postgres type cast operator as SQL injection", async () => {
+  isSqlInjection("SELECT abc::date", "abc::date");
+});
+
+const files = [join(__dirname, "payloads", "postgres.txt")];
+
+for (const file of files) {
+  const contents = readFileSync(file, "utf-8");
+  const lines = contents.split(/\r?\n/);
+  for (const sql of lines) {
+    const source = `${sql} (${basename(file)})`;
+    t.test(
+      `It flags ${sql} from ${basename(file)} as SQL injection`,
+      async () => {
+        t.same(
+          detectSQLInjection(sql, sql, new SQLDialectPostgres()),
+          true,
+          source
+        );
+      }
+    );
+  }
+}
+
+function isSqlInjection(sql: string, input: string) {
+  t.same(detectSQLInjection(sql, input, new SQLDialectPostgres()), true, sql);
+}
+
+function isNotSqlInjection(sql: string, input: string) {
+  t.same(detectSQLInjection(sql, input, new SQLDialectPostgres()), false, sql);
+}

library/src/vulnerabilities/sql-injection/detectSQLInjection.test.ts

@@ -4,10 +4,10 @@ import { readFileSync } from "fs";
 import { dangerousCharsInInput } from "./dangerousCharsInInput";
 import {
   detectSQLInjection,
-  userInputOccurrencesSafelyEncapsulated,
   queryContainsUserInput,
 } from "./detectSQLInjection";
 import { SQLDialectMySQL } from "./dialect/SQLDialectMySQL";
+import { SQLDialectPostgres } from "./dialect/SQLDialectPostgres";
 
 const BAD_SQL_COMMANDS = [
   // Check for SQL Commands like : INSERT or DROP
@@ -40,10 +40,6 @@ const GOOD_SQL_COMMANDS = [
   "Roses are reddelete are blue",
   "Roses are red WHEREis blue",
   "Roses are red ORis isAND",
-  // Check for some general statements
-  `[email protected]`,
-  // Test some special characters
-  "[email protected]",
   // Test SQL Function (that should not be blocked)
   "I was benchmark ing",
   "We were delay ed",
@@ -54,9 +50,9 @@ const GOOD_SQL_COMMANDS = [
 ];
 
 const IS_NOT_INJECTION = [
-  [`'UNION 123' UNION "UNION 123"`, "UNION 123"], // String encapsulation
-  [`'union'  is not "UNION"`, "UNION!"], // String not present in SQL
-  [`"UNION;"`, "UNION;"], // String encapsulation
+  [`'UNION 123' UNION 'UNION 123'`, "UNION 123"], // String encapsulation
+  [`'union'  is not 'UNION'`, "UNION!"], // String not present in SQL
+  [`'UNION;'`, "UNION;"], // String encapsulation
   ["SELECT * FROM table", "*"],
 ];
 
@@ -85,8 +81,6 @@ t.test("Test detectSQLInjection() function", async () => {
   }
 });
 
-// END TESTS WITH EXPLOITS FROM : https://github.com/payloadbox/sql-injection-payload-list/tree/master
-
 t.test(
   "Test the detectSQLInjection() function to see if it detects SQL Functions",
   async () => {
@@ -121,99 +115,37 @@ t.test("Test the queryContainsUserInput() function", async () => {
   t.same(queryContainsUserInput("Roses are red", "violet"), false);
 });
 
-t.test(
-  "Test the userInputOccurrencesSafelyEncapsulated() function",
-  async () => {
-    t.same(
-      userInputOccurrencesSafelyEncapsulated(
-        ` Hello Hello 'UNION'and also "UNION" `,
-        "UNION",
-        new SQLDialectMySQL()
-      ),
-      true
-    );
-    t.same(
-      userInputOccurrencesSafelyEncapsulated(
-        `"UNION"`,
-        "UNION",
-        new SQLDialectMySQL()
-      ),
-      true
-    );
-    t.same(
-      userInputOccurrencesSafelyEncapsulated(
-        ` 'UNION' `,
-        "UNION",
-        new SQLDialectMySQL()
-      ),
-      true
-    );
-    t.same(
-      userInputOccurrencesSafelyEncapsulated(
-        `"UNION"'UNION'`,
-        "UNION",
-        new SQLDialectMySQL()
-      ),
-      true
-    );
-
-    t.same(
-      userInputOccurrencesSafelyEncapsulated(
-        `'UNION'"UNION"UNION`,
-        "UNION",
-        new SQLDialectMySQL()
-      ),
-      false
-    );
-    t.same(
-      userInputOccurrencesSafelyEncapsulated(
-        `'UNION'UNION"UNION"`,
-        "UNION",
-        new SQLDialectMySQL()
-      ),
-      false
-    );
-    t.same(
-      userInputOccurrencesSafelyEncapsulated(
-        "UNION",
-        "UNION",
-        new SQLDialectMySQL()
-      ),
-      false
-    );
-  }
-);
-
 t.test("Test the dangerousCharsInInput() function", async () => {
   t.ok(dangerousCharsInInput("This is not ok--"));
 });
 
-t.test("It flags postgres bitwise operator as SQL injection", async () => {
-  isSqlInjection("SELECT 10 # 12", "10 # 12");
-});
-
-t.test("It flags MySQL bitwise operator as SQL injection", async () => {
-  isSqlInjection("SELECT 10 ^ 12", "10 ^ 12");
-});
-
-t.test("It flags postgres type cast operator as SQL injection", async () => {
-  isSqlInjection("SELECT abc::date", "abc::date");
-});
-
 function isSqlInjection(sql: string, input: string) {
-  t.same(detectSQLInjection(sql, input, new SQLDialectMySQL()), true, sql);
+  t.same(
+    detectSQLInjection(sql, input, new SQLDialectMySQL()),
+    true,
+    sql + " (MySQL)"
+  );
+  t.same(
+    detectSQLInjection(sql, input, new SQLDialectPostgres()),
+    true,
+    sql + " (Postgres)"
+  );
 }
 
 function isNotSqlInjection(sql: string, input: string) {
-  t.same(detectSQLInjection(sql, input, new SQLDialectMySQL()), false, sql);
+  t.same(
+    detectSQLInjection(sql, input, new SQLDialectMySQL()),
+    false,
+    sql + " (MySQL)"
+  );
+  t.same(
+    detectSQLInjection(sql, input, new SQLDialectPostgres()),
+    false,
+    sql + " (Postgres)"
+  );
 }
 
-const files = [
-  // Taken from https://github.com/payloadbox/sql-injection-payload-list/tree/master
-  join(__dirname, "payloads", "Auth_Bypass.txt"),
-  join(__dirname, "payloads", "postgres.txt"),
-  join(__dirname, "payloads", "mysql.txt"),
-];
+const files = [join(__dirname, "payloads", "Auth_Bypass.txt")];
 
 for (const file of files) {
   const contents = readFileSync(file, "utf-8");
@@ -226,7 +158,12 @@ for (const file of files) {
         t.same(
           detectSQLInjection(sql, sql, new SQLDialectMySQL()),
           true,
-          source
+          source + " (MySQL)"
+        );
+        t.same(
+          detectSQLInjection(sql, sql, new SQLDialectPostgres()),
+          true,
+          source + " (Postgres)"
         );
       }
     );