Add SQL injection tests.

2024-10-24 11:39:57 +01:00 · 2024-10-24 11:39:57 +01:00 · 0736812293
parent e14918c105
commit 0736812293
2 changed files with 58 additions and 6 deletions
--- a/packages/backend-core/src/sql/sql.ts
+++ b/packages/backend-core/src/sql/sql.ts
@ -887,13 +887,13 @@ class InternalBuilder {
        }

        if (lowValid && highValid) {
-          // @ts-ignore
+          // @ts-expect-error knex types are wrong, raw is fine here
          return q.whereBetween(rawKey, [low, high])
        } else if (lowValid) {
-          // @ts-ignore
+          // @ts-expect-error knex types are wrong, raw is fine here
          return q.where(rawKey, ">=", low)
        } else if (highValid) {
-          // @ts-ignore
+          // @ts-expect-error knex types are wrong, raw is fine here
          return q.where(rawKey, "<=", high)
        }
        return q
@ -1132,9 +1132,11 @@ class InternalBuilder {
        } else {
          let composite = `${aliased}.${key}`
          if (this.client === SqlClient.ORACLE) {
-            query = query.orderByRaw(
-              `${this.convertClobs(composite)} ${direction} nulls ${nulls}`
-            )
+            query = query.orderByRaw(`?? ?? nulls ??`, [
+              this.convertClobs(composite),
+              direction,
+              nulls,
+            ])
          } else {
            query = query.orderBy(composite, direction, nulls)
          }
--- a/packages/server/src/api/routes/tests/search.spec.ts
+++ b/packages/server/src/api/routes/tests/search.spec.ts
@ -3471,5 +3471,55 @@ describe.each([
          ])
        })
      })
+
+    describe("SQL injection", () => {
+      const badStrings = [
+        "1; DROP TABLE test;",
+        "1; DELETE FROM test;",
+        "1; UPDATE test SET name = 'foo';",
+        "1; INSERT INTO test (name) VALUES ('foo');",
+        "' OR '1'='1' --",
+        "'; DROP TABLE users; --",
+        "' OR 1=1 --",
+        "' UNION SELECT null, null, null; --",
+        "' AND (SELECT COUNT(*) FROM users) > 0 --",
+        "\"; EXEC xp_cmdshell('dir'); --",
+        "\"' OR 'a'='a",
+        "OR 1=1;",
+        "'; SHUTDOWN --",
+      ]
+
+      describe.only.each(badStrings)("bad string: %s", badString => {
+        it("should not allow SQL injection as a field name", async () => {
+          const tableOrViewId = await createTableOrView({
+            [badString]: {
+              name: badString,
+              type: FieldType.STRING,
+            },
+          })
+
+          await config.api.row.search(
+            tableOrViewId,
+            { query: {} },
+            { status: 200 }
+          )
+        })
+
+        it("should not allow SQL injection as a field value", async () => {
+          const tableOrViewId = await createTableOrView({
+            foo: {
+              name: "foo",
+              type: FieldType.STRING,
+            },
+          })
+
+          await config.api.row.search(
+            tableOrViewId,
+            { query: { equal: { foo: badString } } },
+            { status: 200 }
+          )
+        })
+      })
+    })
  })
 })