Detect SQL tokenize errors and report them as attacks

With `failed_to_tokenize: true` as metadata

Author: hansott

library/vulnerabilities/sql-injection/checkContextForSqlInjection.ts

@@ -3,7 +3,10 @@ import { InterceptorResult } from "../../agent/hooks/InterceptorResult";
 import { SOURCES } from "../../agent/Source";
 import { getPathsToPayload } from "../../helpers/attackPath";
 import { extractStringsFromUserInputCached } from "../../helpers/extractStringsFromUserInputCached";
-import { detectSQLInjection } from "./detectSQLInjection";
+import {
+  detectSQLInjection,
+  SQLInjectionDetectionResult,
+} from "./detectSQLInjection";
 import { SQLDialect } from "./dialects/SQLDialect";
 
 /**
@@ -28,16 +31,28 @@ export function checkContextForSqlInjection({
     }
 
     for (const str of userInput) {
-      if (detectSQLInjection(sql, str, dialect)) {
+      const result = detectSQLInjection(sql, str, dialect);
+
+      if (
+        result === SQLInjectionDetectionResult.INJECTION_DETECTED ||
+        result === SQLInjectionDetectionResult.FAILED_TO_TOKENIZE
+      ) {
+        const metadata: Record<string, string> = {
+          sql: sql,
+          dialect: dialect.getHumanReadableName(),
+        };
+
+        if (result === SQLInjectionDetectionResult.FAILED_TO_TOKENIZE) {
+          // eslint-disable-next-line camelcase
+          metadata.failed_to_tokenize = "true";
+        }
+
         return {
           operation: operation,
           kind: "sql_injection",
           source: source,
           pathsToPayload: getPathsToPayload(str, context[source]),
-          metadata: {
-            sql: sql,
-            dialect: dialect.getHumanReadableName(),
-          },
+          metadata: metadata,
           payload: str,
         };
       }

library/vulnerabilities/sql-injection/detectSQLInjection.test.ts

@@ -10,7 +10,9 @@ import { SQLDialectPostgres } from "./dialects/SQLDialectPostgres";
 import { SQLDialectSQLite } from "./dialects/SQLDialectSQLite";
 
 t.test("It ignores invalid queries", async () => {
-  isNotSqlInjection("SELECT * FROM users WHERE id = 'users\\'", "users\\");
+  isTokenizeError("SELECT * FROM users WHERE id = 'users\\'", "users\\", [
+    new SQLDialectMySQL(),
+  ]);
 });
 
 t.test("It ignores safely escaped backslash", async () => {
@@ -41,11 +43,11 @@ t.test("user input inside IN (...)", async () => {
 });
 
 t.test("It checks whether the string is safely escaped", async () => {
-  isNotSqlInjection(
+  isTokenizeError(
     `SELECT * FROM comments WHERE comment = 'I'm writting you'`,
     "I'm writting you"
   );
-  isNotSqlInjection(
+  isTokenizeError(
     `SELECT * FROM comments WHERE comment = "I"m writting you"`,
     'I"m writting you'
   );
@@ -336,7 +338,7 @@ function isSqlInjection(
   for (const dialect of dialects) {
     t.same(
       detectSQLInjection(sql, input, dialect),
-      true,
+      1,
       `${sql} (${dialect.constructor.name})`
     );
   }
@@ -356,7 +358,27 @@ function isNotSqlInjection(
   for (const dialect of dialects) {
     t.same(
       detectSQLInjection(sql, input, dialect),
-      false,
+      0,
+      `${sql} (${dialect.constructor.name})`
+    );
+  }
+}
+
+function isTokenizeError(
+  sql: string,
+  input: string,
+  dialects = [
+    new SQLDialectGeneric(),
+    new SQLDialectMySQL(),
+    new SQLDialectPostgres(),
+    new SQLDialectSQLite(),
+    new SQLDialectClickHouse(),
+  ]
+) {
+  for (const dialect of dialects) {
+    t.same(
+      detectSQLInjection(sql, input, dialect),
+      3,
       `${sql} (${dialect.constructor.name})`
     );
   }
@@ -369,3 +391,12 @@ t.test("get human readable name", async () => {
   t.same(new SQLDialectSQLite().getHumanReadableName(), "SQLite");
   t.same(new SQLDialectClickHouse().getHumanReadableName(), "ClickHouse");
 });
+
+t.test("it returns 3 if tokenize fails", async () => {
+  const result = detectSQLInjection(
+    "SELECT * FROM users WHERE id = '1",
+    "id = '1",
+    new SQLDialectGeneric()
+  );
+  t.same(result, 3);
+});

library/vulnerabilities/sql-injection/detectSQLInjection.ts

@@ -3,18 +3,39 @@ import { shouldReturnEarly } from "./shouldReturnEarly";
 // eslint-disable-next-line camelcase
 import { wasm_detect_sql_injection } from "../../internals/zen_internals";
 
+export const SQLInjectionDetectionResult = {
+  SAFE: 0,
+  INJECTION_DETECTED: 1,
+  INTERNAL_ERROR: 2,
+  FAILED_TO_TOKENIZE: 3,
+} as const;
+
+export type SQLInjectionDetectionResultType =
+  (typeof SQLInjectionDetectionResult)[keyof typeof SQLInjectionDetectionResult];
+
 export function detectSQLInjection(
   query: string,
   userInput: string,
   dialect: SQLDialect
-) {
+): SQLInjectionDetectionResultType {
   if (shouldReturnEarly(query, userInput)) {
-    return false;
+    return SQLInjectionDetectionResult.SAFE;
   }
 
-  return wasm_detect_sql_injection(
+  const code = wasm_detect_sql_injection(
     query.toLowerCase(),
     userInput.toLowerCase(),
     dialect.getWASMDialectInt()
   );
+
+  if (
+    code === SQLInjectionDetectionResult.SAFE ||
+    code === SQLInjectionDetectionResult.INJECTION_DETECTED ||
+    code === SQLInjectionDetectionResult.INTERNAL_ERROR ||
+    code === SQLInjectionDetectionResult.FAILED_TO_TOKENIZE
+  ) {
+    return code;
+  }
+
+  throw new Error("Unexpected return code from WASM: " + code);
 }

scripts/build.js

@@ -11,7 +11,7 @@ const {
 const execAsync = promisify(exec);
 
 // Zen Internals configuration
-const INTERNALS_VERSION = "v0.1.39";
+const INTERNALS_VERSION = "v0.1.41";
 const INTERNALS_URL = `https://github.com/AikidoSec/zen-internals/releases/download/${INTERNALS_VERSION}`;
 // ---