
Commit 61ddc28

committed
fixed the dfg approach
1 parent 2fae0da commit 61ddc28


2 files changed

+33
-32
lines changed


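--- a/checkers/javascript/sql_injection_dfg.go
+++ b/checkers/javascript/sql_injection_dfg.go
@@ -13,7 +13,7 @@ var SQLInjectionDFG = &analysis.Analyzer{
 Description: "Using raw SQL queries with unvalidated input can lead to SQL injection vulnerabilities",
 Category: analysis.CategorySecurity,
 Severity: analysis.SeverityCritical,
-// Run: detectSQLInjection,
+Run: detectSQLInjectionDFG,
 }
 
 // DataFlowNode represents a node in our data flow graph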
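Review bot: `Run: detectSQLInjectionDFG` wires the data-flow detector into an analyzer whose Description and Severity, as far as this hunk shows, read the same as what the non-DFG `SQLInjection` analyzer in the same package reports, and the accompanying test file exercises both `detectSQLInjection` and the DFG variant side by side. If both analyzers end up registered, one query site is presumably reported twice with identical wording, so the relationship between the two should be stated where the wiring happens, e.g. `Run: detectSQLInjectionDFG, // data-flow variant of SQLInjection; register one of the two, not both`, or the Description should be made distinguishable. The `SQLInjectionDFG` literal begins before this hunk.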

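--- a/checkers/javascript/sql_injection_dfg_test.go
+++ b/checkers/javascript/sql_injection_dfg_test.go
@@ -119,37 +119,38 @@ func TestSQLInjection(t *testing.T) {
 }
 
 for _, tt := range tests {
-// t.Run(tt.name, func(t *testing.T) {
-// parseResult := parseJsCode(t, []byte(tt.code))
-// var reportedVulns []struct {
-// Pass *ana.Pass
-// Node *sitter.Node
-// Msg string
-// }
-// pass := &ana.Pass{
-// Analyzer: SQLInjection,
-// FileContext: parseResult,
-// Report: func(p *ana.Pass, n *sitter.Node, msg string) {
-// reportedVulns = append(reportedVulns, struct {
-// Pass *ana.Pass
-// Node *sitter.Node
-// Msg string
-// }{p, n, msg})
-// },
-// }
-
-// _, err := detectSQLInjection(pass)
-
-// require.NoError(t, err)
-
-// t.Logf("detectedVulnerabilities: %v\n", len(reportedVulns))
-// if tt.wantVuln {
-// assert.Greater(t, len(reportedVulns), 0, "Expected to detect sql injection vulnerability")
-// } else {
-// assert.Equal(t, 0, len(reportedVulns), "Unexpected Sql injection vuln. reported")
-// }
-
-// })
+t.Run(tt.name, func(t *testing.T) {
+parseResult := parseJsCode(t, []byte(tt.code))
+var reportedVulns []struct {
+Pass *ana.Pass
+Node *sitter.Node
+Msg string
+}
+pass := &ana.Pass{
+Analyzer: SQLInjection,
+FileContext: parseResult,
+Report: func(p *ana.Pass, n *sitter.Node, msg string) {
+reportedVulns = append(reportedVulns, struct {
+Pass *ana.Pass
+Node *sitter.Node
+Msg string
+}{p, n, msg})
+},
+}
+
+_, err := detectSQLInjection(pass)
+
+require.NoError(t, err)
+
+t.Logf("detectedVulnerabilities: %v\n", len(reportedVulns))
+if tt.wantVuln {
+assert.Greater(t, len(reportedVulns), 0, "Expected to detect sql injection vulnerability")
+} else {
+assert.Equal(t, 0, len(reportedVulns), "Unexpected Sql injection vuln. reported")
+}
+
+})
+
 t.Run(tt.name+" DFG", func(t *testing.T) {
 parseResult := parseJsCode(t, []byte(tt.code))
 var reportedVulns []struct {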
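Review bot: The re-enabled subtest at new lines 122–152 runs `detectSQLInjection` with `Analyzer: SQLInjection`, not the DFG detector this file is named for, yet it shares the same `tests` table and the same `tt.wantVuln` expectation with the `" DFG"` subtest that starts at line 154. Any case where the two detectors are meant to differ, which is presumably the reason a data-flow variant exists, can then pass for at most one of them; either give each table entry a separate expectation per detector or keep this subtest in the non-DFG test file. Two smaller points: `t.Logf` already terminates the line, so `t.Logf("detectedVulnerabilities: %d", len(reportedVulns))` is enough, and the anonymous `struct { Pass; Node; Msg }` is spelled out twice in this subtest (and again in the DFG one) where a named local type would do. `TestSQLInjection` begins before and ends after this hunk.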
