Merge pull request #509 from AikidoSec/zen-internals-0-1-36

Update Zen internals to v0.1.36

Author: willem-delbare

library/vulnerabilities/sql-injection/detectSQLInjection.test.ts

@@ -3,8 +3,11 @@ import * as t from "tap";
 import { readFileSync } from "fs";
 import { escapeStringRegexp } from "../../helpers/escapeStringRegexp";
 import { detectSQLInjection } from "./detectSQLInjection";
+import { SQLDialectClickHouse } from "./dialects/SQLDialectClickHouse";
+import { SQLDialectGeneric } from "./dialects/SQLDialectGeneric";
 import { SQLDialectMySQL } from "./dialects/SQLDialectMySQL";
 import { SQLDialectPostgres } from "./dialects/SQLDialectPostgres";
+import { SQLDialectSQLite } from "./dialects/SQLDialectSQLite";
 
 t.test("It ignores invalid queries", async () => {
   isNotSqlInjection("SELECT * FROM users WHERE id = 'users\\'", "users\\");
@@ -96,7 +99,8 @@ t.test("User input is multiline", async () => {
     `SELECT * FROM users WHERE id = 'a'
 OR 1=1#'`,
     `a'
-OR 1=1#`
+OR 1=1#`,
+    [new SQLDialectGeneric(), new SQLDialectMySQL()]
   );
 
   isNotSqlInjection(
@@ -314,28 +318,46 @@ for (const file of files) {
   }
 }
 
-function isSqlInjection(sql: string, input: string) {
-  t.same(
-    detectSQLInjection(sql, input, new SQLDialectMySQL()),
-    true,
-    `${sql} (mysql)`
-  );
-  t.same(
-    detectSQLInjection(sql, input, new SQLDialectPostgres()),
-    true,
-    `${sql} (postgres)`
-  );
+function isSqlInjection(
+  sql: string,
+  input: string,
+  dialects = [
+    new SQLDialectGeneric(),
+    new SQLDialectMySQL(),
+    new SQLDialectPostgres(),
+    new SQLDialectSQLite(),
+    new SQLDialectClickHouse(),
+  ]
+) {
+  if (dialects.length === 0) {
+    throw new Error("No dialects provided");
+  }
+
+  for (const dialect of dialects) {
+    t.same(
+      detectSQLInjection(sql, input, dialect),
+      true,
+      `${sql} (${dialect.constructor.name})`
+    );
+  }
 }
 
-function isNotSqlInjection(sql: string, input: string) {
-  t.same(
-    detectSQLInjection(sql, input, new SQLDialectMySQL()),
-    false,
-    `${sql} (mysql)`
-  );
-  t.same(
-    detectSQLInjection(sql, input, new SQLDialectPostgres()),
-    false,
-    `${sql} (postgres)`
-  );
+function isNotSqlInjection(
+  sql: string,
+  input: string,
+  dialects = [
+    new SQLDialectGeneric(),
+    new SQLDialectMySQL(),
+    new SQLDialectPostgres(),
+    new SQLDialectSQLite(),
+    new SQLDialectClickHouse(),
+  ]
+) {
+  for (const dialect of dialects) {
+    t.same(
+      detectSQLInjection(sql, input, dialect),
+      false,
+      `${sql} (${dialect.constructor.name})`
+    );
+  }
 }

scripts/build.js

@@ -11,7 +11,7 @@ const {
 const execAsync = promisify(exec);
 
 // Zen Internals configuration
-const INTERNALS_VERSION = "v0.1.35";
+const INTERNALS_VERSION = "v0.1.36";
 const INTERNALS_URL = `https://github.com/AikidoSec/zen-internals/releases/download/${INTERNALS_VERSION}`;
 // ---