Refactor to general checkQuery

Author: timokoessler

…wave-detection/containsSQLSyntax.test.ts …attack-wave-detection/checkQuery.test.tslibrary/vulnerabilities/attack-wave-detection/containsSQLSyntax.test.ts renamed to library/vulnerabilities/attack-wave-detection/checkQuery.test.ts library/vulnerabilities/attack-wave-detection/containsSQLSyntax.test.ts renamed to library/vulnerabilities/attack-wave-detection/checkQuery.test.ts

@@ -1,12 +1,12 @@
 import * as t from "tap";
-import { containsSQLSyntax } from "./containsSQLSyntax";
+import { checkQuery } from "./checkQuery";
 import type { Context } from "../../agent/Context";
 
-function getTestContext(path: string, query: string): Context {
+function getTestContext(query: string): Context {
   return {
     remoteAddress: "::1",
     method: "GET",
-    url: `http://localhost:4000${path}`,
+    url: `http://localhost:4000/test`,
     query: {
       test: query,
       utmSource: "newsletter",
@@ -21,52 +21,32 @@ function getTestContext(path: string, query: string): Context {
     cookies: {},
     routeParams: {},
     source: "express",
-    route: path,
+    route: "/test",
   };
 }
 
-t.test("it detects SQL injection patterns", async (t) => {
+t.test("it detects injection patterns", async (t) => {
   const testStrings = [
     "' or '1'='1",
     "1: SELECT * FROM users WHERE '1'='1'",
     "', information_schema.tables",
     "1' sleep(5)",
     "WAITFOR DELAY 1",
+    "../etc/passwd",
   ];
 
   for (const str of testStrings) {
-    t.ok(
-      containsSQLSyntax(getTestContext(`/test`, str)),
-      `Expected ${str} to match SQL injection patterns`
-    );
+    t.ok(checkQuery(getTestContext(str)), `Expected ${str} to match patterns`);
   }
 });
 
 t.test("it does not detect", async (t) => {
-  const nonMatchingPaths = [
-    "/",
-    "/api/user",
-    "/blog/a+blog+article",
-    "/products/1",
-    "/search?q=normal+search+term",
-    "/user/profile",
-    "/orders/1",
-    "/static/somefile.s1f56e.css",
-    "/favicon.ico",
-    "/img/mysql.svg",
-    "/get/test",
-    "/.well-known/security.txt",
-    "/robots.txt",
-    "/sitemap.xml",
-    "/manifest.json",
-    "/prototype/test.txt",
-    "/test?data=test&data2=test2",
-  ];
+  const nonMatchingQueryElements = ["google.de", "some-string", "1", ""];
 
-  for (const str of nonMatchingPaths) {
+  for (const str of nonMatchingQueryElements) {
     t.notOk(
-      containsSQLSyntax(getTestContext(str, "")),
-      `Expected ${str} to NOT match SQL injection patterns`
+      checkQuery(getTestContext(str)),
+      `Expected ${str} to NOT match patterns`
     );
   }
 });
@@ -88,7 +68,7 @@ t.test("it handles empty query object", async (t) => {
   };
 
   t.notOk(
-    containsSQLSyntax(contextWithEmptyQuery),
-    "Expected empty query to NOT match SQL injection patterns"
+    checkQuery(contextWithEmptyQuery),
+    "Expected empty query to NOT match injection patterns"
   );
 });

…tack-wave-detection/containsSQLSyntax.ts …ties/attack-wave-detection/checkQuery.tslibrary/vulnerabilities/attack-wave-detection/containsSQLSyntax.ts renamed to library/vulnerabilities/attack-wave-detection/checkQuery.ts library/vulnerabilities/attack-wave-detection/containsSQLSyntax.ts renamed to library/vulnerabilities/attack-wave-detection/checkQuery.ts

@@ -9,17 +9,21 @@ const keywords = [
   "SELECT LIKE(CHAR(",
   "INFORMATION_SCHEMA.COLUMNS",
   "INFORMATION_SCHEMA.TABLES",
-  ",MD5(",
+  "MD5(",
   "DBMS_PIPE.RECEIVE_MESSAGE",
   "SYSIBM.SYSTABLES",
   "RANDOMBLOB(",
   "SELECT * FROM",
   "1'='1",
   "PG_SLEEP(",
   "UNION ALL SELECT",
+  "../",
 ];
 
-export function containsSQLSyntax(context: Context): boolean {
+/**
+ * Check the query for some common SQL or path traversal patterns.
+ */
+export function checkQuery(context: Context): boolean {
   const queryStrings = extractStringsFromUserInputCached(context, "query");
   if (!queryStrings) {
     return false;

library/vulnerabilities/attack-wave-detection/isWebScanner.test.ts

@@ -28,10 +28,9 @@ t.test("is a web scanner", async (t) => {
   t.ok(isWebScanner(getTestContext("/../secret", "GET")));
   t.ok(isWebScanner(getTestContext("/", "BADMETHOD")));
   t.ok(
-    isWebScanner(
-      getTestContext("/", "GET", { test: "1'; DROP TABLE users; --" })
-    )
+    isWebScanner(getTestContext("/", "GET", { test: "SELECT * FROM admin" }))
   );
+  t.ok(isWebScanner(getTestContext("/", "GET", { test: "../etc/passwd" })));
 });
 
 t.test("is not a web scanner", async (t) => {
@@ -41,4 +40,5 @@ t.test("is not a web scanner", async (t) => {
   t.notOk(isWebScanner(getTestContext("/static/js/app.js", "GET")));
   t.notOk(isWebScanner(getTestContext("/uploads/image.png", "GET")));
   t.notOk(isWebScanner(getTestContext("/", "GET", { test: "1'" })));
+  t.notOk(isWebScanner(getTestContext("/", "GET", { test: "abcd" })));
 });

library/vulnerabilities/attack-wave-detection/isWebScanner.ts

@@ -1,5 +1,5 @@
 import { type Context } from "../../agent/Context";
-import { containsSQLSyntax } from "./containsSQLSyntax";
+import { checkQuery } from "./checkQuery";
 import { isWebScanMethod } from "./isWebScanMethod";
 import { isWebScanPath } from "./isWebScanPath";
 
@@ -12,7 +12,7 @@ export function isWebScanner(context: Context): boolean {
     return true;
   }
 
-  if (containsSQLSyntax(context)) {
+  if (checkQuery(context)) {
     return true;
   }