| 118 | * @throws {Error} If the WHERE clause contains potentially dangerous patterns |
| 119 | */ |
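/**
 * Heuristic deny-list check for a raw WHERE clause fragment.
 *
 * Rejects fragments that contain well-known injection markers: statement
 * separators, UNION SELECT, comment sequences, OR/AND tautologies,
 * time-delay and file I/O functions, and catalogue/system object names.
 * This is defence in depth only. A pattern list can never be complete, so
 * callers must still bind user-supplied values as query parameters rather
 * than interpolating them into `where`; this check is the last line, not
 * the first.
 *
 * @param where - The WHERE clause fragment to check.
 * @throws {TypeError} If `where` is not a string.
 * @throws {Error} If the fragment matches a dangerous pattern.
 */
function validateWhereClause(where: string): void {
  // Guard against JS callers passing undefined/null: `RegExp.test` would
  // coerce those to the strings "undefined"/"null" and silently pass.
  if (typeof where !== 'string') {
    throw new TypeError('WHERE clause must be a string')
  }

  const dangerousPatterns: readonly RegExp[] = [
    // Any semicolon. A WHERE fragment never legitimately contains one, and
    // rejecting it outright covers stacked DDL/DML after the separator
    // regardless of what (whitespace, parenthesis, comment) follows it,
    // which the narrower `;\s*\w+` form did not.
    /;/,
    // Union-based injection
    /union\s+(all\s+)?select/i,
    // File operations
    /into\s+outfile/i,
    /into\s+dumpfile/i,
    /load_file\s*\(/i,
    // Comment sequences (can truncate the rest of the query)
    /--/,
    /\/\*/,
    /\*\//,
    // Tautologies: OR 'x'='x' / OR x=x (same token both sides, same quoting),
    // but not OR col='value'. Group 1 is the optional quote, group 2 the token.
    /\bor\s+(['"]?)(\w+)\1\s*=\s*\1\2\1/i,
    /\bor\s+true\b/i,
    /\bor\s+false\b/i,
    // AND tautologies (same shape as the OR forms above)
    /\band\s+(['"]?)(\w+)\1\s*=\s*\1\2\1/i,
    /\band\s+true\b/i,
    /\band\s+false\b/i,
    // Time-based blind injection
    /\bsleep\s*\(/i,
    /\bbenchmark\s*\(/i,
    /\bwaitfor\s+delay/i,
    // Catalogue / system schema access
    /information_schema/i,
    /mysql\./i,
    // System command execution
    /\bxp_cmdshell/i,
  ]

  // None of the patterns carry the `g`/`y` flag, so `test` is stateless
  // here; adding such a flag would make `lastIndex` leak between calls.
  if (dangerousPatterns.some((pattern) => pattern.test(where))) {
    // Message is deliberately generic: it must not echo the input back to
    // the caller, and existing callers match on this exact text.
    throw new Error('WHERE clause contains potentially dangerous operation')
  }
}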
| 162 | |
| 163 | export function sanitizeIdentifier(identifier: string): string { |
| 164 | if (identifier.includes('.')) { |