-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SQL Injection (SQLi) Detection Operator #284
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #284 +/- ##
==========================================
+ Coverage 83.05% 83.95% +0.90%
==========================================
Files 119 127 +8
Lines 4744 5804 +1060
Branches 2249 2793 +544
==========================================
+ Hits 3940 4873 +933
- Misses 307 353 +46
- Partials 497 578 +81
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
BenchmarksBenchmark execution time: 2024-05-07 14:34:09 Comparing candidate commit 133f14d in PR branch Found 2 performance improvements and 4 performance regressions! Performance is the same for 13 metrics, 0 unstable metrics. scenario:is_xss_matcher.random
scenario:phrase_match_matcher.enforce_word_boundary.random
scenario:phrase_match_matcher.random
scenario:regex_match_matcher.case_insensitive_flag.random
scenario:regex_match_matcher.case_insensitive_option.random
scenario:regex_match_matcher.lowercase_transformer.random
|
…egex utils, add tool to simplify regexes
// The first character is / so it can be a comment or a binary operator | ||
sql_token token; | ||
token.index = index(); | ||
if (advance() && peek() == '*') { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe for simplicity advance() && peek()
could be behind a function called next
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I get your point, although the next()
function exists and it's used as a lookahead(1)
without advancing the cursor.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a few comment but not critical ones
This PR introduces support for a new operator
sqli_detector
which can be used for detecting SQL injections given a set of request parameters, an SQL statement and a database dialect. The current set of dialects supported is:generic
: which provides a simple tokenizer which should work with most database dialects to a certain degree, given differences in constants and identifiers.mysql
sqlite
pgsql
Although more dialects will be supported in the future. Currently the tokenizers are manually written with the objective of extracting the most relevant tokens, they are by no means complete tokenizers. These also distinguish reserved keywords (
sql_token_type::command
) from identifiers (sql_token_type::identifier
) to aid in future improvements to the heuristics, however not all reserved keywords have been included in this distinction.Events generated from this operator have two obfuscation phases, the first one is performed by replacing all constants, strings and numeric values with a
?
. The second obfuscation step is performed using the user-provided obfuscation regular expressions.Some work still remains which will be done in a future PR:
sqli_detector
fuzzer.To use this new operator,a rule such as the following could be used:
And an input that would result in a match given the above rule could look as follows: