* Validates a WHERE clause to prevent SQL injection attacks * @param where - The WHERE clause string to validate * @throws {Error} If the WHERE clause contains potentially dangerous patterns
(where: string)
| 77 | * @throws {Error} If the WHERE clause contains potentially dangerous patterns |
| 78 | */ |
| 79 | function validateWhereClause(where: string): void { |
| 80 | const dangerousPatterns = [ |
| 81 | // DDL and DML injection via stacked queries |
| 82 | /;\s*(drop|delete|insert|update|create|alter|grant|revoke)/i, |
| 83 | // Union-based injection |
| 84 | /union\s+(all\s+)?select/i, |
| 85 | // File operations |
| 86 | /into\s+outfile/i, |
| 87 | /load_file\s*\(/i, |
| 88 | /pg_read_file/i, |
| 89 | // Comment-based injection (can truncate query) |
| 90 | /--/, |
| 91 | /\/\*/, |
| 92 | /\*\//, |
| 93 | // Tautologies - always true/false conditions using backreferences |
| 94 | // Matches OR 'x'='x' or OR x=x (same value both sides) but NOT OR col='value' |
| 95 | /\bor\s+(['"]?)(\w+)\1\s*=\s*\1\2\1/i, |
| 96 | /\bor\s+true\b/i, |
| 97 | /\bor\s+false\b/i, |
| 98 | // AND tautologies (less common but still used in attacks) |
| 99 | /\band\s+(['"]?)(\w+)\1\s*=\s*\1\2\1/i, |
| 100 | /\band\s+true\b/i, |
| 101 | /\band\s+false\b/i, |
| 102 | // Time-based blind injection |
| 103 | /\bsleep\s*\(/i, |
| 104 | /\bwaitfor\s+delay/i, |
| 105 | /\bpg_sleep\s*\(/i, |
| 106 | /\bbenchmark\s*\(/i, |
| 107 | // Stacked queries (any statement after semicolon) |
| 108 | /;\s*\w+/, |
| 109 | // Information schema / system catalog queries |
| 110 | /information_schema/i, |
| 111 | /pg_catalog/i, |
| 112 | // System functions and procedures |
| 113 | /\bxp_cmdshell/i, |
| 114 | ] |
| 115 | |
| 116 | for (const pattern of dangerousPatterns) { |
| 117 | if (pattern.test(where)) { |
| 118 | throw new Error('WHERE clause contains potentially dangerous operation') |
| 119 | } |
| 120 | } |
| 121 | } |
| 122 | |
| 123 | function sanitizeSingleIdentifier(identifier: string): string { |
| 124 | const cleaned = identifier.replace(/"/g, '') |
no test coverage detected