fix: fixed polynomial regex used on uncontrolled data in isSQLStatement validation function

alessiofrittoli · alessiofrittoli · commit 02b85f4e27e1 · 2025-03-11T16:05:37.000+01:00
diff --git a/__tests__/validation.test.ts b/__tests__/validation.test.ts
@@ -142,10 +142,38 @@ describe( 'Validation Utils', () => {
 
 
 	describe( 'isSQLStatement', () => {
-		it( 'returns `true` if the given value is a SQL statement', () => {
+		it( 'detects SQL statements', () => {
 			expect( isSQLStatement( 'SELECT * FROM users' ) ).toBe( true )
+			expect( isSQLStatement( 'DELETE FROM users WHERE id = 1' ) ).toBe( true )
+			expect( isSQLStatement( 'INSERT INTO users (name) VALUES ("John")' ) ).toBe( true )
+			expect( isSQLStatement( 'UPDATE users SET name = "John" WHERE `id` = 1' ) ).toBe( true )
+			expect( isSQLStatement( 'UNION SELECT * FROM users' ) ).toBe( true )
+			expect( isSQLStatement( 'REPLACE INTO users (id, name) VALUES (1, "John")' ) ).toBe( true )
+			expect( isSQLStatement( 'CREATE TABLE users (id INT, name VARCHAR(255))' ) ).toBe( true )
+			expect( isSQLStatement( 'DROP TABLE users' ) ).toBe( true )
+			expect( isSQLStatement( 'ALTER TABLE users ADD COLUMN age INT' ) ).toBe( true )
+			expect( isSQLStatement( 'RENAME TABLE users TO customers' ) ).toBe( true )
+			expect( isSQLStatement( 'SELECT * FROM users; --' ) ).toBe( true )
+		} )
+	
+
+		it( 'does not detect non-SQL statements', () => {
+			expect( isSQLStatement( 'This is a regular sentence.' ) ).toBe( false )
+			expect( isSQLStatement( 'SELECTING a book FROM the shelf' ) ).toBe( false )
+			expect( isSQLStatement( 'DROP the ball' ) ).toBe( false )
+			expect( isSQLStatement( 'ALTER your plans' ) ).toBe( false )
+			expect( isSQLStatement( 'RENAME the file' ) ).toBe( false )
 			expect( isSQLStatement( 'SELECT this is a normal string' ) ).toBe( false )
 		} )
+	
+
+		it('returns false for non-string values', () => {
+			expect( isSQLStatement( null ) ).toBe( false )
+			expect( isSQLStatement( undefined ) ).toBe( false )
+			expect( isSQLStatement( 123 ) ).toBe( false )
+			expect( isSQLStatement( {} ) ).toBe( false )
+			expect( isSQLStatement( [] ) ).toBe( false )
+		} )
 	} )
 
 } )
diff --git a/src/validation.ts b/src/validation.ts
@@ -125,5 +125,18 @@ export const isStrictEqual = ( a: unknown, b: unknown ) => a === b
  */
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 export const isSQLStatement = ( value: any ) => (
-	typeof value === 'string' && !! value.match( /(SELECT|DELETE|INSERT|UNION|REPLACE)\s.*(FROM|INTO|DISTINCT)|(CREATE|DROP|ALTER|RENAME)\s.*(TABLE|COLUMN|VIEW)|(;\-\-)/gi )
+	typeof value === 'string' &&
+	[
+		/\bselect\b\s+.*?\bfrom\b/,
+		/\bdelete\b\s+.*?\bfrom\b/,
+		/\binsert\b\s+.*?\binto\b/,
+		/\bupdate\b\s+.*?\bset\b/,
+		/\bunion\b\s+.*?\bselect\b/,
+		/\breplace\b\s+.*?\binto\b/,
+		/\bcreate\b\s+.*?\b(table|view|index|database)\b/,
+		/\bdrop\b\s+.*?\b(table|view|index|database)\b/,
+		/\balter\b\s+.*?\b(table|view|index|database)\b/,
+		/\brename\b\s+.*?\b(table|view|index|database)\b/,
+		/;\s*--/
+	].some( pattern => pattern.test( value.toLowerCase() ) )
 )
