Merge pull request #28 from tonybaloney/sql_injection
Sql Injection
Showing
9 changed files
with
317 additions
and
7 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,48 @@ | ||
# SQL100 | ||
|
||
Looks for SQL injection by Python string formatting methods. Includes: | ||
|
||
- Use of "f-string" | ||
- Use for string.format() | ||
- Use of `%` formatting | ||
|
||
Will look for formatted string literals that start with: | ||
|
||
- `INSERT INTO ` | ||
- `DELETE FROM` | ||
- `ALTER TABLE ` | ||
- `DROP DATABASE ` | ||
- `CREATE DATABASE ` | ||
|
||
It will also look for strings that start with `SELECT ` and contain ` FROM `, as well as strings that start with ` UPDATE ` and contain ` SET `. | ||
|
||
Check is case-insensitive. | ||
|
||
This check does not verify that the input is sanitized. | ||
|
||
## Examples | ||
|
||
Each of the following expressions would trigger a warning for this check: | ||
|
||
```python | ||
id = get_id() # Could be a SQLi response.. | ||
|
||
query1 = f"SELECT * FROM users WHERE id = {0}" | ||
|
||
query2 = "SELECT * FROM users WHERE id = {0}" % id | ||
|
||
query3 = "SELECT * FROM users WHERE id = {0}".format(id) | ||
|
||
query4 = f"UPDATE users SET is_admin = 1 WHERE id = {0}" | ||
|
||
query5 = f"DELETE FROM users WHERE id = {0}" | ||
|
||
query6 = f"INSERT INTO users (id) VALUES ( id = {0} )" | ||
|
||
query7 = f"SELECT * FROM users WHERE id = {0}" | ||
|
||
``` | ||
|
||
## Fixes | ||
|
||
Apply input validation and escaping. |
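--- a/src/main/java/security/validators/SqlInjectionInspection.kt
+++ b/src/main/java/security/validators/SqlInjectionInspection.kt
@@ -0,0 +1,66 @@
+package security.validators
+
+import com.intellij.codeInspection.LocalInspectionToolSession
+import com.intellij.codeInspection.ProblemsHolder
+import com.intellij.psi.PsiElementVisitor
+import com.jetbrains.python.inspections.PyInspection
+import com.jetbrains.python.inspections.PyInspectionVisitor
+import com.jetbrains.python.psi.*
+import security.Checks
+
+class SqlInjectionInspection : PyInspection() {
+val check = Checks.SqlInjectionCheck;
+
+override fun getStaticDescription(): String? {
+return check.getDescription()
+}
+
+override fun buildVisitor(holder: ProblemsHolder,
+isOnTheFly: Boolean,
+session: LocalInspectionToolSession): PsiElementVisitor = Visitor(holder, session)
+
+private class Visitor(holder: ProblemsHolder, session: LocalInspectionToolSession) : PyInspectionVisitor(holder, session) {
+// Double-word SQL commands (high-certainty)
+val certainlySqlStartingStrings = arrayOf("INSERT INTO ", "DELETE FROM", "ALTER TABLE ", "DROP DATABASE ", "CREATE DATABASE ")
+// Double-word SQL commands (low-certainty)
+val possiblySqlCommandPairs = mapOf<String, String>("SELECT " to " FROM ", "UPDATE " to " SET ")
+
+fun looksLikeSql(str: String) : Boolean {
+// Quickly respond to double-worded SQL statements
+if (certainlySqlStartingStrings.any { str.toUpperCase().startsWith(it) }) return true
+
+// SELECT must contain FROM, and UPDATE must contain SET
+possiblySqlCommandPairs.forEach { pair ->
+if (str.toUpperCase().startsWith(pair.key) && str.toUpperCase().contains(pair.value))
+return true
+}
+return false
+}
+
+override fun visitPyFormattedStringElement(node: PyFormattedStringElement?) {
+// F-string
+if (node == null) return
+if (!looksLikeSql(node.content)) return
+holder?.registerProblem(node, Checks.SqlInjectionCheck.getDescription())
+}
+
+override fun visitPyStringLiteralExpression(node: PyStringLiteralExpression?) {
+if (node == null) return
+if (!looksLikeSql(node.stringValue)) return
+
+// .Format() string
+if (node.parent is PyReferenceExpression){
+if ((node.parent as PyReferenceExpression).name != "format") return
+if (node.parent.parent == null) return
+if (node.parent.parent !is PyCallExpression) return
+holder?.registerProblem(node, Checks.SqlInjectionCheck.getDescription())
+}
+
+// % format string
+if (node.parent is PyBinaryExpression) {
+if ((node.parent as PyBinaryExpression).operator.toString() != "Py:PERC") return
+holder?.registerProblem(node, Checks.SqlInjectionCheck.getDescription())
+}
+}
+}
+}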
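Review bot: `looksLikeSql` folds case with `toUpperCase()`, which on the JVM uses the default locale, so under a Turkish-style locale a lowercase `insert into …` uppercases to `İNSERT` and matches none of the prefixes, even though the SQL100 page in this commit states the check is case-insensitive; the same call is also repeated on every iteration of both scans. Uppercasing once with the locale-invariant `uppercase()` (or `toUpperCase(Locale.ROOT)` on Kotlin before 1.5) and writing the pair scan as `any` fixes both, as below. Separately, `getStaticDescription` goes through `check.getDescription()` while the visitor calls `Checks.SqlInjectionCheck.getDescription()` in three places, and the trailing `;` after `val check = Checks.SqlInjectionCheck` is unneeded; using the one accessor consistently would be tidier. A literal that begins with whitespace or a newline (a triple-quoted query, for instance) will never satisfy `startsWith`, so a `trimStart()` before folding is worth considering if such strings are meant to be covered.
```kotlin
fun looksLikeSql(str: String): Boolean {
    // Fold once, locale-invariant, so matching does not depend on the IDE's default locale
    val upper = str.uppercase()
    // Quickly respond to double-worded SQL statements
    if (certainlySqlStartingStrings.any { upper.startsWith(it) }) return true
    // SELECT must contain FROM, and UPDATE must contain SET
    return possiblySqlCommandPairs.any { (start, marker) -> upper.startsWith(start) && upper.contains(marker) }
}
```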
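--- a/src/test/java/security/validators/SqlInjectionInspectionTest.kt
+++ b/src/test/java/security/validators/SqlInjectionInspectionTest.kt
@@ -0,0 +1,149 @@
+package security.validators
+
+import org.junit.jupiter.api.AfterAll
+import org.junit.jupiter.api.BeforeAll
+import org.junit.jupiter.api.Test
+import org.junit.jupiter.api.TestInstance
+import security.Checks
+import security.SecurityTestTask
+
+@TestInstance(TestInstance.Lifecycle.PER_CLASS)
+class SqlInjectionInspectionTest: SecurityTestTask() {
+@BeforeAll
+override fun setUp() {
+super.setUp()
+}
+
+@AfterAll
+override fun tearDown(){
+super.tearDown()
+}
+
+@Test
+fun `verify description is not empty`(){
+assertFalse(SqlInjectionInspection().staticDescription.isNullOrEmpty())
+}
+
+@Test
+fun `test format string string select`(){
+var code = """
+query = "SELECT * FROM users WHERE id = {0}".format(id)
+""".trimIndent()
+testStringLiteralExpression(code, 1, Checks.SqlInjectionCheck, "test.py", SqlInjectionInspection())
+}
+
+@Test
+fun `test format string not select`(){
+var code = """
+query = "SELECT a banana {0}".format(id)
+""".trimIndent()
+testStringLiteralExpression(code, 0, Checks.SqlInjectionCheck, "test.py", SqlInjectionInspection())
+}
+
+@Test
+fun `test format string update`(){
+var code = """
+query = "UPDATE users SET id = {0} WHERE x=1".format(id)
+""".trimIndent()
+testStringLiteralExpression(code, 1, Checks.SqlInjectionCheck, "test.py", SqlInjectionInspection())
+}
+
+@Test
+fun `test format string string not update`(){
+var code = """
+query = "UPDATE a banana {0}".format(id)
+""".trimIndent()
+testStringLiteralExpression(code, 0, Checks.SqlInjectionCheck, "test.py", SqlInjectionInspection())
+}
+
+
+@Test
+fun `test insert into format function`(){
+var code = """
+query = "INSERT INTO users (id) VALUES ( id = {0} )".format(id)
+""".trimIndent()
+testStringLiteralExpression(code, 1, Checks.SqlInjectionCheck, "test.py", SqlInjectionInspection())
+}
+
+@Test
+fun `test format string string select perc format`(){
+var code = """
+query = "SELECT * FROM users WHERE id = {0}" % id
+""".trimIndent()
+testStringLiteralExpression(code, 1, Checks.SqlInjectionCheck, "test.py", SqlInjectionInspection())
+}
+
+@Test
+fun `test format string not select perc format`(){
+var code = """
+query = "SELECT a banana {0}" % id
+""".trimIndent()
+testStringLiteralExpression(code, 0, Checks.SqlInjectionCheck, "test.py", SqlInjectionInspection())
+}
+
+@Test
+fun `test format string update perc format`(){
+var code = """
+query = "UPDATE users SET id = {0} WHERE x=1" % id
+""".trimIndent()
+testStringLiteralExpression(code, 1, Checks.SqlInjectionCheck, "test.py", SqlInjectionInspection())
+}
+
+@Test
+fun `test format string string not update perc format`(){
+var code = """
+query = "UPDATE a banana {0}" % id
+""".trimIndent()
+testStringLiteralExpression(code, 0, Checks.SqlInjectionCheck, "test.py", SqlInjectionInspection())
+}
+
+
+@Test
+fun `test insert into format function perc format`(){
+var code = """
+query = "INSERT INTO users (id) VALUES ( id = {0} )" % id
+""".trimIndent()
+testStringLiteralExpression(code, 1, Checks.SqlInjectionCheck, "test.py", SqlInjectionInspection())
+}
+
+@Test
+fun `test format string string select fstring format`(){
+var code = """
+query = f"SELECT * FROM users WHERE id = {0}"
+""".trimIndent()
+testFormattedStringElement(code, 1, Checks.SqlInjectionCheck, "test.py", SqlInjectionInspection())
+}
+
+@Test
+fun `test format string not select fstring format`(){
+var code = """
+query = f"SELECT a banana {0}"
+""".trimIndent()
+testFormattedStringElement(code, 0, Checks.SqlInjectionCheck, "test.py", SqlInjectionInspection())
+}
+
+@Test
+fun `test format string update fstring format`(){
+var code = """
+query = f"UPDATE users SET id = {0} WHERE x=1"
+""".trimIndent()
+testFormattedStringElement(code, 1, Checks.SqlInjectionCheck, "test.py", SqlInjectionInspection())
+}
+
+@Test
+fun `test format string string not update fstring format`(){
+var code = """
+query = f"UPDATE a banana {0}"
+""".trimIndent()
+testFormattedStringElement(code, 0, Checks.SqlInjectionCheck, "test.py", SqlInjectionInspection())
+}
+
+
+@Test
+fun `test insert into format function fstring format`(){
+var code = """
+query = f"INSERT INTO users (id) VALUES ( id = {0} )"
+""".trimIndent()
+testFormattedStringElement(code, 1, Checks.SqlInjectionCheck, "test.py", SqlInjectionInspection())
+}
+}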
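Review bot: Every `code` local in these tests is declared `var` but never reassigned; `val code = """` is the idiomatic form and is what ktlint would ask for. The cases also exercise only SELECT, UPDATE and INSERT INTO, all with uppercase keywords: there is no case for `DELETE FROM`, `ALTER TABLE`, `DROP DATABASE` or `CREATE DATABASE`, and none with a lowercase keyword, even though the SQL100 page added in this commit states the check is case-insensitive, so a regression in those paths of `looksLikeSql` would go unnoticed. One positive and one negative case per remaining prefix, plus a single lowercase `select … from` case, would close that gap.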