Upgrade Zen internals to v0.1.60 (#386)

Author: hansott

.github/workflows/build.yml

@@ -163,7 +163,7 @@ jobs:
           echo $AIKIDO_VERSION
           echo "AIKIDO_VERSION=$AIKIDO_VERSION" >> $GITHUB_ENV
           echo "AIKIDO_LIBZEN=libzen_internals_${{ env.ARCH }}-unknown-linux-gnu.so" >> $GITHUB_ENV
-          echo "AIKIDO_LIBZEN_VERSION=0.1.48" >> $GITHUB_ENV
+          echo "AIKIDO_LIBZEN_VERSION=0.1.60" >> $GITHUB_ENV
 
       - name: Download artifacts
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4

tests/server/test_sql_injection_false_positives/env.json

@@ -0,0 +1,5 @@
+{
+    "AIKIDO_BLOCK": "1",
+    "AIKIDO_LOCALHOST_ALLOWED_BY_DEFAULT": "0",
+    "AIKIDO_FEATURE_COLLECT_API_SCHEMA": "1"
+}

tests/server/test_sql_injection_false_positives/index.php

@@ -0,0 +1,21 @@
+<?php
+
+$pdo = new PDO("sqlite::memory:");
+$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+$pdo->exec("CREATE TABLE IF NOT EXISTS users (
+            id INTEGER PRIMARY KEY,
+            name TEXT,
+            email TEXT,
+            status TEXT)");
+
+$pdo->exec("INSERT INTO users (name, email, status) VALUES ('John Doe', 'john@example.com', 'active')");
+
+$requestBody = file_get_contents('php://input');
+$data = json_decode($requestBody, true);
+
+$stmt = $pdo->prepare("SELECT * FROM users WHERE name = :name AND email IS NOT NULL AND status NOT IN ('SUSPENDED', 'DELETED')");
+$stmt->execute(['name' => $data['name']]);
+
+echo "Query executed!";
+
+?>

tests/server/test_sql_injection_false_positives/start_config.json

@@ -0,0 +1,10 @@
+{
+    "success": true,
+    "serviceId": 1,
+    "heartbeatIntervalInMS": 600000,
+    "endpoints": [],
+    "blockedUserIds": [],
+    "allowedIPAddresses": [],
+    "receivedAnyStats": true,
+    "block": true
+}

tests/server/test_sql_injection_false_positives/test.py

@@ -0,0 +1,25 @@
+import requests
+import time
+import sys
+from testlib import *
+
+'''
+Checks that common SQL strings like "is not", "not in" etc. do not
+trigger false positive SQL injection detections.
+'''
+
+def check_not_blocked(input):
+    response = php_server_post("/testDetection", {"name": "John", "input": input})
+    assert_response_code_is(response, 200)
+    assert_response_body_contains(response, "Query executed!")
+
+def run_test():
+    check_not_blocked("is not")
+    check_not_blocked("not in")
+    check_not_blocked("TIME ZONE")
+    check_not_blocked("IS NOT")
+    check_not_blocked(":n")
+
+if __name__ == "__main__":
+    load_test_args()
+    run_test()