Add SQL injection tests.
This commit is contained in:
parent
e14918c105
commit
0736812293
|
@ -887,13 +887,13 @@ class InternalBuilder {
|
||||||
}
|
}
|
||||||
|
|
||||||
if (lowValid && highValid) {
|
if (lowValid && highValid) {
|
||||||
// @ts-ignore
|
// @ts-expect-error knex types are wrong, raw is fine here
|
||||||
return q.whereBetween(rawKey, [low, high])
|
return q.whereBetween(rawKey, [low, high])
|
||||||
} else if (lowValid) {
|
} else if (lowValid) {
|
||||||
// @ts-ignore
|
// @ts-expect-error knex types are wrong, raw is fine here
|
||||||
return q.where(rawKey, ">=", low)
|
return q.where(rawKey, ">=", low)
|
||||||
} else if (highValid) {
|
} else if (highValid) {
|
||||||
// @ts-ignore
|
// @ts-expect-error knex types are wrong, raw is fine here
|
||||||
return q.where(rawKey, "<=", high)
|
return q.where(rawKey, "<=", high)
|
||||||
}
|
}
|
||||||
return q
|
return q
|
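Review bot: The new comment `// @ts-expect-error knex types are wrong, raw is fine here`, repeated on all three `where`/`whereBetween` calls in this hunk, states that passing `rawKey` into the predicate is safe without saying what makes it so; `rawKey` is built outside this hunk, so a reader cannot check the claim from here. Since this is the one place in a query builder where a raw fragment reaches a WHERE clause, the comment should name the invariant rather than assert it, along the lines of `// @ts-expect-error knex types reject Raw here; rawKey is safe because <how the identifier is quoted/escaped where rawKey is built — TODO confirm>`, and one copy above the if/else chain would do instead of three. The enclosing method starts and ends outside this hunk.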
||||||
|
@ -1132,9 +1132,11 @@ class InternalBuilder {
|
||||||
} else {
|
} else {
|
||||||
let composite = `${aliased}.${key}`
|
let composite = `${aliased}.${key}`
|
||||||
if (this.client === SqlClient.ORACLE) {
|
if (this.client === SqlClient.ORACLE) {
|
||||||
query = query.orderByRaw(
|
query = query.orderByRaw(`?? ?? nulls ??`, [
|
||||||
`${this.convertClobs(composite)} ${direction} nulls ${nulls}`
|
this.convertClobs(composite),
|
||||||
)
|
direction,
|
||||||
|
nulls,
|
||||||
|
])
|
||||||
} else {
|
} else {
|
||||||
query = query.orderBy(composite, direction, nulls)
|
query = query.orderBy(composite, direction, nulls)
|
||||||
}
|
}
|
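Review bot: The new `orderByRaw` call binds `direction` and `nulls` with `??`, which knex treats as identifier bindings and wraps in identifier quotes, so Oracle would receive the two words quoted like column names (roughly `"asc"` and `"first"`) where the old interpolated string produced bare keywords; only the column reference is an identifier. If `direction` and `nulls` are already constrained to their enum values before this point (their types are not visible in the hunk), the safe shape keeps those two interpolated into the template, `?? ${direction} nulls ${nulls}`, and passes a single binding, `[this.convertClobs(composite)]`; if they are not constrained, add an explicit allowlist check on both before building the string. Separately, if `convertClobs` can return an expression rather than a bare column name, binding its result with `??` will quote the whole expression as one identifier, so that path needs checking against the Oracle client as well. The enclosing method starts and ends outside this hunk.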
||||||
|
|
|
@ -3471,5 +3471,55 @@ describe.each([
|
||||||
])
|
])
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
|
describe("SQL injection", () => {
|
||||||
|
const badStrings = [
|
||||||
|
"1; DROP TABLE test;",
|
||||||
|
"1; DELETE FROM test;",
|
||||||
|
"1; UPDATE test SET name = 'foo';",
|
||||||
|
"1; INSERT INTO test (name) VALUES ('foo');",
|
||||||
|
"' OR '1'='1' --",
|
||||||
|
"'; DROP TABLE users; --",
|
||||||
|
"' OR 1=1 --",
|
||||||
|
"' UNION SELECT null, null, null; --",
|
||||||
|
"' AND (SELECT COUNT(*) FROM users) > 0 --",
|
||||||
|
"\"; EXEC xp_cmdshell('dir'); --",
|
||||||
|
"\"' OR 'a'='a",
|
||||||
|
"OR 1=1;",
|
||||||
|
"'; SHUTDOWN --",
|
||||||
|
]
|
||||||
|
|
||||||
|
describe.only.each(badStrings)("bad string: %s", badString => {
|
||||||
|
it("should not allow SQL injection as a field name", async () => {
|
||||||
|
const tableOrViewId = await createTableOrView({
|
||||||
|
[badString]: {
|
||||||
|
name: badString,
|
||||||
|
type: FieldType.STRING,
|
||||||
|
},
|
||||||
|
})
|
||||||
|
|
||||||
|
await config.api.row.search(
|
||||||
|
tableOrViewId,
|
||||||
|
{ query: {} },
|
||||||
|
{ status: 200 }
|
||||||
|
)
|
||||||
|
})
|
||||||
|
|
||||||
|
it("should not allow SQL injection as a field value", async () => {
|
||||||
|
const tableOrViewId = await createTableOrView({
|
||||||
|
foo: {
|
||||||
|
name: "foo",
|
||||||
|
type: FieldType.STRING,
|
||||||
|
},
|
||||||
|
})
|
||||||
|
|
||||||
|
await config.api.row.search(
|
||||||
|
tableOrViewId,
|
||||||
|
{ query: { equal: { foo: badString } } },
|
||||||
|
{ status: 200 }
|
||||||
|
)
|
||||||
|
})
|
||||||
|
})
|
||||||
|
})
|
||||||
})
|
})
|
||||||
})
|
})
|
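Review bot: `describe.only.each(badStrings)` at the top of the new block is a focus marker, so as committed the runner skips every other test in this file; it should read `describe.each(badStrings)("bad string: %s", badString => {`. Both new tests also assert nothing beyond `{ status: 200 }`, which a tautology payload such as `' OR 1=1 --` would satisfy even if the value were interpolated unescaped, because the query would still succeed and simply return every row. To show the value is bound as data, save one row whose `foo` differs from `badString` before searching, capture the response, and assert that it contains no rows, e.g. `const { rows } = await config.api.row.search(tableOrViewId, { query: { equal: { foo: badString } } }, { status: 200 })` followed by `expect(rows).toHaveLength(0)` (assuming the search response exposes `rows`, which is not visible here); the field-name test could likewise assert that the created column still exists after the search. The enclosing `describe.each` block starts outside this hunk.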
||||||
|
|