Merge pull request #10 from webschik/tsr-detect-sql-literal-injection

webschik · web-flow · commit e58c93f981d4 · 2018-10-13T12:41:05.000+02:00
Added tsr-detect-sql-literal-injection rule
diff --git a/README.md b/README.md
@@ -10,7 +10,7 @@ Inspired by [eslint-plugin-security](https://github.com/nodesecurity/eslint-plug
 
 ## How to use
 * Install package:
-```
+```shell
 npm i tslint-config-security --save-dev  --production
 ```
 
@@ -22,6 +22,17 @@ npm i tslint-config-security --save-dev  --production
 }
 ```
 
+By default `tslint-config-security` enables [all rules](#rules), but you may disable any of them (not recommended):
+
+```json
+{
+  "extends": ["tslint-config-security"],
+  "rules": {
+    "tsr-detect-html-injection": false,
+    "tsr-detect-unsafe-regexp": false
+  }
+```
+
 
 ## Rules
 All rules start from the prefix `tsr-` (TSLint Security Rule) to prevent name collisions.
@@ -82,7 +93,7 @@ Due to the known issues in the typed TSLint rules
 
  `tslint-config-security` module will analyze methods only on **fs** variable or on **'fs' module**. E.g.:
 
-```
+```js
 const fs = require('fs');
 
 fs.open(somePath); // triggers the error
@@ -126,3 +137,16 @@ More information: http://stackoverflow.com/questions/18130254/randombytes-vs-pse
 Detects HTML injections:
 - `document.write(variable)`
 - `Element.innerHTML = variable;`
+
+#### `tsr-detect-sql-literal-injection`
+
+Detects possible SQL injections in string literals:
+```js
+const userId = 1;
+const query1 = `SELECT * FROM users WHERE id = ${userId}`;
+const query2 = `SELECT * FROM users WHERE id = ` + userId;
+const query2 = 'SELECT * FROM users WHERE id =' + userId;
+
+const columns = 'id, name';
+Users.query(`SELECT ${columns} FROM users`);
+```
diff --git a/index.js b/index.js
@@ -13,6 +13,7 @@ module.exports = {
         'tsr-detect-pseudo-random-bytes': [true],
         'tsr-detect-unsafe-regexp': [true],
         'tsr-disable-mustache-escape': [true],
-        'tsr-detect-html-injection': [true]
+        'tsr-detect-html-injection': [true],
+        'tsr-detect-sql-literal-injection': [true]
     }
 };
diff --git a/npm-shrinkwrap.json b/npm-shrinkwrap.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "tslint-config-security",
-  "version": "1.10.0",
+  "version": "1.11.0",
   "description": "TSLint security rules",
   "main": "./index.js",
   "files": [
@@ -42,7 +42,8 @@
     "typescript": "^3.0.1"
   },
   "peerDependencies": {
-    "tslint": "^5.8.0"
+    "tslint": "^5.8.0",
+    "tslib": "^1.9.2"
   },
   "dependencies": {
     "safe-regex": "^1.1.0"
diff --git a/src/is-sql-query.ts b/src/is-sql-query.ts
@@ -0,0 +1,58 @@
+function createMainKeywordsPattern(keyword: string): RegExp {
+    return new RegExp(`(^|\\s)(${keyword})`);
+}
+
+const selectKeyword: RegExp = createMainKeywordsPattern('SELECT');
+const deleteKeyword: RegExp = createMainKeywordsPattern('DELETE');
+const insertKeyword: RegExp = createMainKeywordsPattern('INSERT');
+const updateKeyword: RegExp = createMainKeywordsPattern('UPDATE');
+const dropKeyword: RegExp = createMainKeywordsPattern('DROP');
+const createKeyword: RegExp = createMainKeywordsPattern('CREATE');
+const alterKeyword: RegExp = createMainKeywordsPattern('ALTER');
+
+/**
+ * @description Basic SQL query detection
+ * @param {string} q
+ * @returns {boolean}
+ */
+export function isSqlQuery(q: string): boolean {
+    // detect the shortest sql query
+    if (!q[11]) {
+        return false;
+    }
+
+    const query: string = q.toUpperCase();
+
+    if (selectKeyword.test(query) && (query.includes(' FROM ') || query.includes('*FROM '))) {
+        return true;
+    }
+
+    if (insertKeyword.test(query) && query.includes(' INTO ')) {
+        return true;
+    }
+
+    if (updateKeyword.test(query) && query.includes(' SET ')) {
+        return true;
+    }
+
+    if (deleteKeyword.test(query) && query.includes(' FROM ')) {
+        return true;
+    }
+
+    if (dropKeyword.test(query) && (query.includes(' TABLE ') || query.includes(' DATABASE '))) {
+        return true;
+    }
+
+    if (
+        createKeyword.test(query) &&
+        (query.includes(' INDEX ') || query.includes(' TABLE ') || query.includes(' DATABASE '))
+    ) {
+        return true;
+    }
+
+    if (alterKeyword.test(query) && query.includes(' TABLE ')) {
+        return true;
+    }
+
+    return false;
+}
diff --git a/src/rules/tsrDetectSqlLiteralInjectionRule.ts b/src/rules/tsrDetectSqlLiteralInjectionRule.ts
@@ -0,0 +1,37 @@
+import * as ts from 'typescript';
+import * as Lint from 'tslint';
+import {isSqlQuery} from '../is-sql-query';
+
+export class Rule extends Lint.Rules.AbstractRule {
+    apply(sourceFile: ts.SourceFile): Lint.RuleFailure[] {
+        return this.applyWithWalker(new RuleWalker(sourceFile, this.getOptions()));
+    }
+}
+
+const stringLiteralKinds: number[] = [ts.SyntaxKind.NoSubstitutionTemplateLiteral, ts.SyntaxKind.StringLiteral];
+const generalErrorMessage: string = 'Found possible SQL injection';
+
+class RuleWalker extends Lint.RuleWalker {
+    visitTemplateExpression(node: ts.TemplateExpression) {
+        const {parent} = node;
+
+        if (
+            (!parent || parent.kind !== ts.SyntaxKind.TaggedTemplateExpression) &&
+            isSqlQuery(node.getText().slice(1, -1))
+        ) {
+            this.addFailureAtNode(node, generalErrorMessage);
+        }
+
+        super.visitTemplateExpression(node);
+    }
+
+    visitBinaryExpression(node: ts.BinaryExpression) {
+        const {left} = node;
+
+        if (left && stringLiteralKinds.includes(left.kind) && isSqlQuery(left.getText().slice(1, -1))) {
+            this.addFailureAtNode(left, generalErrorMessage);
+        }
+
+        super.visitBinaryExpression(node);
+    }
+}
diff --git a/test/rules/tsr-detect-sql-literal-injection/default/test.ts.lint b/test/rules/tsr-detect-sql-literal-injection/default/test.ts.lint
@@ -0,0 +1,22 @@
+const userId = 1;
+let query = `SELECT * FROM users WHERE id = ${userId}`;
+            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~    [Found possible SQL injection]
+query = `SELECT *FROM users WHERE id = ` + userId;
+        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~    [Found possible SQL injection]
+query = ' SELECT * FROM users WHERE id =' + userId;
+        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~    [Found possible SQL injection]
+
+db.query(query);
+
+const columns = 'id, name';
+Users.query( ` SELECT ${columns} FROM users` );
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~    [Found possible SQL injection]
+
+
+const query = sql`SELECT * FROM users WHERE id = ${userId}`;
+db.query(query);
+
+Users.query(`SELECT id, name FROM users`);
+
+const punctuation = '!';
+console.log(`Not SQL${punctuation}`);
diff --git a/test/rules/tsr-detect-sql-literal-injection/default/tslint.json b/test/rules/tsr-detect-sql-literal-injection/default/tslint.json
@@ -0,0 +1,6 @@
+{
+  "rulesDirectory": "../../../../dist/rules",
+  "rules": {
+    "tsr-detect-sql-literal-injection": true
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,7 @@ module.exports = {`
`13`	`13`	`'tsr-detect-pseudo-random-bytes': [true],`
`14`	`14`	`'tsr-detect-unsafe-regexp': [true],`
`15`	`15`	`'tsr-disable-mustache-escape': [true],`
`16`		`- 'tsr-detect-html-injection': [true]`
	`16`	`+ 'tsr-detect-html-injection': [true],`
	`17`	`+ 'tsr-detect-sql-literal-injection': [true]`
`17`	`18`	`}`
`18`	`19`	`};`