Add isUnsafeSql / isUnsafeSqlFragment filters

Author: mythz

src/ServiceStack.OrmLite/OrmLiteUtils.cs

@@ -463,9 +463,12 @@ public static string SqlValue(this object value)
         public static Regex VerifyFragmentRegEx = new Regex("([^\\w]|^)+(--|;--|;|%|/\\*|\\*/|@@|@|char|nchar|varchar|nvarchar|alter|begin|cast|create|cursor|declare|delete|drop|end|exec|execute|fetch|insert|kill|open|select|sys|sysobjects|syscolumns|table|update)([^\\w]|$)+",
             RegexOptions.Singleline | RegexOptions.Compiled | RegexOptions.IgnoreCase);
 
+        public static Regex VerifySqlRegEx = new Regex("([^\\w]|^)+(--|;--|;|%|/\\*|\\*/|@@|@|char|nchar|varchar|nvarchar|alter|begin|cast|create|cursor|declare|delete|drop|end|exec|execute|fetch|insert|kill|open|table|update)([^\\w]|$)+",
+            RegexOptions.Singleline | RegexOptions.Compiled | RegexOptions.IgnoreCase);
+
         public static Func<string,string> SqlVerifyFragmentFn { get; set; }
 
-        public static bool isUnsafeSql(string sql)
+        public static bool isUnsafeSql(string sql, Regex verifySql)
         {
             if (sql == null)
                 return false;
@@ -482,13 +485,13 @@ public static bool isUnsafeSql(string sql)
                 .StripQuotedStrings('`')
                 .ToLower();
 
-            var match = VerifyFragmentRegEx.Match(fragmentToVerify);
+            var match = verifySql.Match(fragmentToVerify);
             return match.Success;
         }
 
         public static string SqlVerifyFragment(this string sqlFragment)
         {
-            if (isUnsafeSql(sqlFragment))
+            if (isUnsafeSql(sqlFragment, VerifyFragmentRegEx))
                 throw new ArgumentException("Potential illegal fragment detected: " + sqlFragment);
 
             return sqlFragment;

src/ServiceStack.OrmLite/TemplateDbFilters.cs

@@ -84,7 +84,8 @@ public int dbExec(TemplateScopeContext scope, string sql, Dictionary<string, obj
         public string sqlTake(int? limit) => padCondition(OrmLiteConfig.DialectProvider.SqlLimit(null, limit));
         public string ormliteVar(string name) => OrmLiteConfig.DialectProvider.Variables.TryGetValue(name, out var value) ? value : null;
 
-        public bool isUnsafeSql(string sql) => OrmLiteUtils.isUnsafeSql(sql);
+        public bool isUnsafeSql(string sql) => OrmLiteUtils.isUnsafeSql(sql, OrmLiteUtils.VerifySqlRegEx);
+        public bool isUnsafeSqlFragment(string sql) => OrmLiteUtils.isUnsafeSql(sql, OrmLiteUtils.VerifyFragmentRegEx);
 
         private string padCondition(string text) => string.IsNullOrEmpty(text) ? "" : " " + text;
     }

src/ServiceStack.OrmLite/TemplateDbFiltersAsync.cs

@@ -86,7 +86,8 @@ public Task<object> dbExec(TemplateScopeContext scope, string sql, Dictionary<st
         public string sqlTake(int? limit) => padCondition(OrmLiteConfig.DialectProvider.SqlLimit(null, limit));
         public string ormliteVar(string name) => OrmLiteConfig.DialectProvider.Variables.TryGetValue(name, out var value) ? value : null;
 
-        public bool isUnsafeSql(string sql) => OrmLiteUtils.isUnsafeSql(sql);
+        public bool isUnsafeSql(string sql) => OrmLiteUtils.isUnsafeSql(sql, OrmLiteUtils.VerifySqlRegEx);
+        public bool isUnsafeSqlFragment(string sql) => OrmLiteUtils.isUnsafeSql(sql, OrmLiteUtils.VerifyFragmentRegEx);
 
         private string padCondition(string text) => string.IsNullOrEmpty(text) ? "" : " " + text;
     }