Merge pull request #667 from AikidoSec/non-utf8

Add unit tests with non UTF-8 chars

Author: hansott

library/vulnerabilities/sql-injection/detectSQLInjection.test.ts

@@ -265,6 +265,40 @@ t.test("It does not match GROUP keyword", async () => {
   isNotSqlInjection(query, "ASC");
 });
 
+t.test("It works with non-UTF-8 characters and emojis", async () => {
+  isSqlInjection(
+    "SELECT * FROM users WHERE id = 'a \udce9'\nOR 1=1 --'",
+    "a \udce9'\nOR 1=1 --"
+  );
+  isSqlInjection(
+    "SELECT * FROM users WHERE id = 'a \uD800'\nOR 1=1 --'",
+    "a \uD800'\nOR 1=1 --"
+  );
+  isSqlInjection(
+    "SELECT * FROM users WHERE id = 'a \uDFFF'\nOR 1=1 --'",
+    "a \uDFFF'\nOR 1=1 --"
+  );
+  isSqlInjection(
+    "SELECT * FROM users WHERE id = 'a \uDFFF\uDFFF'\nOR 1=1 --'",
+    "a \uDFFF\uDFFF'\nOR 1=1 --"
+  );
+  isSqlInjection(
+    "SELECT * FROM users WHERE id = 'a \uDFAB'\nOR 1=1 --'",
+    "a \uDFAB'\nOR 1=1 --"
+  );
+  isSqlInjection(
+    "SELECT * FROM users WHERE id = 'a 😀'\nOR 1=1 --'",
+    "a 😀'\nOR 1=1 --"
+  );
+  isSqlInjection(
+    "SELECT * FROM users WHERE id = 'a 🛡️'\nOR 1=1 --'",
+    "a 🛡️'\nOR 1=1 --"
+  );
+
+  isNotSqlInjection("SELECT * FROM users WHERE id = 'a \uD800'", "a \uD800");
+  isNotSqlInjection("SELECT * FROM users WHERE id = 'a 🛡️'", "a 🛡️");
+});
+
 const files = [
   // Taken from https://github.com/payloadbox/sql-injection-payload-list/tree/master
   join(__dirname, "payloads", "Auth_Bypass.txt"),