add more test

Author: roggenkemper

fixtures/events/performance_problems/sql-injection/sql-injection-event-non-vulnerable.json

@@ -0,0 +1,158 @@
+{
+  "event_id": "5d6401994d7949d2ac3474f472564370",
+  "platform": "node",
+  "message": "",
+  "datetime": "2025-05-12T22:42:38.642986+00:00",
+  "breakdowns": {
+    "span_ops": {
+      "ops.db": {
+        "value": 65.715075,
+        "unit": "millisecond"
+      },
+      "total.time": {
+        "value": 67.105293,
+        "unit": "millisecond"
+      }
+    }
+  },
+  "request": {
+    "url": "http://localhost:3001/vulnerable-login",
+    "method": "GET",
+    "query_string": [["username", "hello"]]
+  },
+  "spans": [
+    {
+      "timestamp": 1747089758.567536,
+      "start_timestamp": 1747089758.567,
+      "exclusive_time": 0.536203,
+      "op": "middleware.express",
+      "span_id": "4a06692f4abc8dbe",
+      "parent_span_id": "91fa92ff0205967d",
+      "trace_id": "375a86eca09a4a4e91903838dd771f50",
+      "status": "ok",
+      "description": "corsMiddleware",
+      "origin": "auto.http.otel.express",
+      "data": {
+        "express.name": "corsMiddleware",
+        "express.type": "middleware",
+        "sentry.op": "middleware.express",
+        "sentry.origin": "auto.http.otel.express"
+      },
+      "sentry_tags": {
+        "user": "ip:::1",
+        "user.ip": "::1",
+        "environment": "production",
+        "transaction": "GET /vulnerable-login",
+        "transaction.method": "GET",
+        "transaction.op": "http.server",
+        "browser.name": "Chrome",
+        "sdk.name": "sentry.javascript.node",
+        "sdk.version": "9.17.0",
+        "platform": "node",
+        "os.name": "macOS",
+        "category": "middleware",
+        "op": "middleware.express",
+        "status": "ok",
+        "trace.status": "ok"
+      },
+      "hash": "e6088cf8b370ed60"
+    },
+    {
+      "timestamp": 1747089758.568761,
+      "start_timestamp": 1747089758.568,
+      "exclusive_time": 0.761032,
+      "op": "middleware.express",
+      "span_id": "92553d2584d250b8",
+      "parent_span_id": "91fa92ff0205967d",
+      "trace_id": "375a86eca09a4a4e91903838dd771f50",
+      "status": "ok",
+      "description": "jsonParser",
+      "origin": "auto.http.otel.express",
+      "data": {
+        "express.name": "jsonParser",
+        "express.type": "middleware",
+        "sentry.op": "middleware.express",
+        "sentry.origin": "auto.http.otel.express"
+      },
+      "sentry_tags": {
+        "user": "ip:::1",
+        "user.ip": "::1",
+        "environment": "production",
+        "transaction": "GET /vulnerable-login",
+        "transaction.method": "GET",
+        "transaction.op": "http.server",
+        "browser.name": "Chrome",
+        "sdk.name": "sentry.javascript.node",
+        "sdk.version": "9.17.0",
+        "platform": "node",
+        "os.name": "macOS",
+        "category": "middleware",
+        "op": "middleware.express",
+        "status": "ok",
+        "trace.status": "ok"
+      },
+      "hash": "c81e963dad9ebc6c"
+    },
+    {
+      "timestamp": 1747089758.569093,
+      "start_timestamp": 1747089758.569,
+      "exclusive_time": 0.092983,
+      "op": "request_handler.express",
+      "span_id": "435146ab0909419d",
+      "parent_span_id": "91fa92ff0205967d",
+      "trace_id": "375a86eca09a4a4e91903838dd771f50",
+      "status": "ok",
+      "description": "/vulnerable-login",
+      "origin": "auto.http.otel.express",
+      "data": {
+        "express.name": "/vulnerable-login",
+        "express.type": "request_handler",
+        "http.route": "/vulnerable-login",
+        "sentry.op": "request_handler.express",
+        "sentry.origin": "auto.http.otel.express"
+      },
+      "sentry_tags": {
+        "user": "ip:::1",
+        "user.ip": "::1",
+        "environment": "production",
+        "transaction": "GET /vulnerable-login",
+        "transaction.method": "GET",
+        "transaction.op": "http.server",
+        "browser.name": "Chrome",
+        "sdk.name": "sentry.javascript.node",
+        "sdk.version": "9.17.0",
+        "platform": "node",
+        "os.name": "macOS",
+        "op": "request_handler.express",
+        "status": "ok",
+        "trace.status": "ok"
+      },
+      "hash": "872b0c84a6f1c590"
+    },
+    {
+      "timestamp": 1747089758.637715,
+      "start_timestamp": 1747089758.572,
+      "exclusive_time": 65.715075,
+      "op": "db",
+      "span_id": "4703181ac343f71a",
+      "parent_span_id": "91fa92ff0205967d",
+      "trace_id": "375a86eca09a4a4e91903838dd771f50",
+      "status": "ok",
+      "description": "SELECT * FROM users WHERE username = ?",
+      "origin": "auto.db.otel.mysql2",
+      "data": {
+        "db.system": "mysql",
+        "db.connection_string": "jdbc:mysql://localhost:3306/injection_test",
+        "db.name": "injection_test",
+        "db.statement": "SELECT * FROM users WHERE username = ?",
+        "db.user": "root",
+        "net.peer.name": "localhost",
+        "net.peer.port": 3306,
+        "otel.kind": "CLIENT",
+        "sentry.op": "db",
+        "sentry.origin": "auto.db.otel.mysql2"
+      },
+      "hash": "45330ba0cafa5997"
+    }
+  ]
+}

fixtures/events/performance_problems/sql-injection-event.json renamed to fixtures/events/performance_problems/sql-injection/sql-injection-event.json

@@ -18,11 +18,7 @@
   "request": {
     "url": "http://localhost:3001/vulnerable-login",
     "method": "GET",
-    "query_string": [
-      ["username", "hello"],
-      ["testing", "testing"],
-      ["testing2", "testing2"]
-    ]
+    "query_string": [["username", "hello"]]
   },
   "spans": [
     {
@@ -156,28 +152,6 @@
         "sentry.op": "db",
         "sentry.origin": "auto.db.otel.mysql2"
       },
-      "sentry_tags": {
-        "user": "ip:::1",
-        "user.ip": "::1",
-        "environment": "production",
-        "transaction": "GET /vulnerable-login",
-        "transaction.method": "GET",
-        "transaction.op": "http.server",
-        "browser.name": "Chrome",
-        "sdk.name": "sentry.javascript.node",
-        "sdk.version": "9.17.0",
-        "platform": "node",
-        "os.name": "macOS",
-        "action": "SELECT",
-        "category": "db",
-        "description": "SELECT * FROM users WHERE username = %s",
-        "domain": ",users,",
-        "group": "45330ba0cafa5997",
-        "op": "db",
-        "status": "ok",
-        "system": "mysql",
-        "trace.status": "ok"
-      },
       "hash": "45330ba0cafa5997"
     }
   ]

src/sentry/utils/performance_issues/detectors/sql_injection_detector.py

@@ -3,7 +3,6 @@
 import hashlib
 from typing import Any
 
-from sentry import features
 from sentry.issues.grouptype import SQLInjectionGroupType
 from sentry.issues.issue_occurrence import IssueEvidence
 from sentry.models.organization import Organization
@@ -20,6 +19,34 @@
 
 MAX_EVIDENCE_VALUE_LENGTH = 10_000
 
+SQL_KEYWORDS = [
+    "SELECT",
+    "WHERE",
+    "AND",
+    "OR",
+    "NOT",
+    "IN",
+    "LIKE",
+    "LIMIT",
+    "ORDER BY",
+    "GROUP BY",
+    "HAVING",
+    "DISTINCT",
+    "JOIN",
+    "ON",
+    "AS",
+    "CASE",
+    "WHEN",
+    "THEN",
+    "ELSE",
+    "END",
+    "UNION",
+    "ALL",
+    "ANY",
+    "SOME",
+    "EXISTS",
+]
+
 
 class SQLInjectionDetector(PerformanceDetector):
     __slots__ = "stored_problems"
@@ -36,7 +63,9 @@ def __init__(self, settings: dict[DetectorType, Any], event: dict[str, Any]) ->
         if not query_string:
             return
 
-        self.user_inputs = [query_value[1] for query_value in query_string]
+        self.user_inputs = [
+            query_value[1] for query_value in query_string if self.keep_query_value(query_value)
+        ]
 
     def visit_span(self, span: Span) -> None:
         if not SQLInjectionDetector.is_span_eligible(span):
@@ -49,7 +78,7 @@ def visit_span(self, span: Span) -> None:
         spans_involved = [span["span_id"]]
 
         for user_input in self.user_inputs:
-            if user_input in description and self.is_sql_injection(user_input):
+            if user_input in description:
                 self.stored_problems[fingerprint] = PerformanceProblem(
                     type=SQLInjectionGroupType,
                     fingerprint=self._fingerprint(hash),
@@ -86,26 +115,20 @@ def visit_span(self, span: Span) -> None:
                 )
 
     def is_creation_allowed_for_organization(self, organization: Organization) -> bool:
-        return features.has("organizations:sql-injection-detector", organization, actor=None)
+        return True
 
     def is_creation_allowed_for_project(self, project: Project | None) -> bool:
         return self.settings["detection_enabled"]
 
-    def is_sql_injection(self, user_input: str) -> bool:
-        if (
-            "DROP" in user_input
-            or "DELETE" in user_input
-            or "UPDATE" in user_input
-            or "INSERT" in user_input
-        ):
-            return True
-        if ";" in user_input:
-            return True
-        if "--" in user_input:
-            return True
-        if "1=1" in user_input:
-            return True
-        return False
+    def keep_query_value(self, query: tuple[str, str]) -> bool:
+        query_value = query[1].upper()
+        query_key = query[0].upper()
+
+        if query_key == query_value:
+            return False
+        if query_value in SQL_KEYWORDS:
+            return False
+        return True
 
     @classmethod
     def is_span_eligible(cls, span: Span) -> bool:

tests/sentry/utils/performance_issues/test_sql_injection_detector.py

@@ -26,6 +26,10 @@ def find_problems(self, event: dict[str, Any]) -> list[PerformanceProblem]:
         return list(detector.stored_problems.values())
 
     def test_sql_injection_detection(self):
-        injection_event = get_event("sql-injection-event")
+        injection_event = get_event("sql-injection/sql-injection-event")
 
         assert len(self.find_problems(injection_event)) == 1
+
+    def test_sql_injection_on_non_vulnerable_query(self):
+        injection_event = get_event("sql-injection/sql-injection-event-non-vulnerable")
+        assert len(self.find_problems(injection_event)) == 0