feat: detect identifier sql-injection (#501)

Author: clemgbld

.changeset/sunny-moments-jam.md

@@ -0,0 +1,7 @@
+---
+"@nodesecure/tracer": major
+"@nodesecure/estree-ast-utils": minor
+"@nodesecure/js-x-ray": minor
+---
+
+feat: detect identifier sql-injection

workspaces/estree-ast-utils/src/getCallExpressionArguments.ts

@@ -4,6 +4,7 @@ import type { ESTree } from "meriyah";
 
 // Import Internal Dependencies
 import { concatBinaryExpression } from "./concatBinaryExpression.ts";
+import { toLiteral } from "./toLiteral.ts";
 import {
   type DefaultOptions,
   noop
@@ -42,6 +43,12 @@ export function getCallExpressionArguments(
 
         break;
       }
+      case "TemplateLiteral": {
+        const literal = toLiteral(arg);
+        literalsNode.push(literal);
+
+        break;
+      }
       case "BinaryExpression": {
         const concatenatedBinaryExpr = [
           ...concatBinaryExpression(arg, { externalIdentifierLookup })

workspaces/estree-ast-utils/src/index.ts

@@ -7,4 +7,5 @@ export * from "./getMemberExpressionIdentifier.ts";
 export * from "./getVariableDeclarationIdentifiers.ts";
 export type { DefaultOptions } from "./options.ts";
 export * from "./utils/is.ts";
+export * from "./toLiteral.ts";
 

…rkspaces/js-x-ray/src/utils/toLiteral.ts …spaces/estree-ast-utils/src/toLiteral.tsworkspaces/js-x-ray/src/utils/toLiteral.ts renamed to workspaces/estree-ast-utils/src/toLiteral.ts workspaces/js-x-ray/src/utils/toLiteral.ts renamed to workspaces/estree-ast-utils/src/toLiteral.ts

@@ -4,3 +4,4 @@ import type { ESTree } from "meriyah";
 export function toLiteral(templateLiteral: ESTree.TemplateLiteral) {
   return templateLiteral.quasis.map(({ tail, value: { raw } }, i) => (tail ? raw : `${raw}\${${i}}`)).join("");
 }
+

workspaces/estree-ast-utils/test/getCallExpressionArguments.spec.ts

@@ -60,4 +60,15 @@ describe("getCallExpressionArguments", () => {
 
     assert.deepEqual(args, ["hello world"]);
   });
+
+  test("resolve the TemplateLiteral and return is Literal value", () => {
+    /* eslint-disable-next-line no-template-curly-in-string */
+    const [astNode] = codeToAst("foo(`hello ${name}`);");
+    const args = getCallExpressionArguments(
+      getExpressionFromStatement(astNode)
+    );
+
+    /* eslint-disable-next-line no-template-curly-in-string */
+    assert.deepEqual(args, ["hello ${0}"]);
+  });
 });

…es/js-x-ray/test/utils/toLiteral.spec.ts …/estree-ast-utils/test/toLiteral.spec.tsworkspaces/js-x-ray/test/utils/toLiteral.spec.ts renamed to workspaces/estree-ast-utils/test/toLiteral.spec.ts workspaces/js-x-ray/test/utils/toLiteral.spec.ts renamed to workspaces/estree-ast-utils/test/toLiteral.spec.ts

@@ -3,7 +3,7 @@ import assert from "node:assert";
 import { describe, it } from "node:test";
 
 // Import Internal Dependencies
-import { toLiteral } from "../../src/utils/toLiteral.ts";
+import { toLiteral } from "../src/toLiteral.ts";
 
 describe("toLiteral", () => {
   it("should transform a TemplateLiteral to a literal", () => {
@@ -93,3 +93,4 @@ describe("toLiteral", () => {
     }), `hello \${${0}} world \${${1}} `);
   });
 });
+

workspaces/js-x-ray/src/ProbeRunner.ts

@@ -229,7 +229,7 @@ export class ProbeRunner {
 
     if (node.type === "CallExpression") {
       const id = getCallExpressionIdentifier(node, {
-        externalIdentifierLookup: (name) => this.sourceFile.tracer.literalIdentifiers.get(name) ?? null
+        externalIdentifierLookup: (name) => this.sourceFile.tracer.literalIdentifiers.get(name)?.value ?? null
       });
       if (id !== null) {
         tracedIdentifierReport = this.sourceFile.tracer.getDataFromIdentifier(id);

workspaces/js-x-ray/src/probes/isMonkeyPatch.ts

@@ -104,7 +104,7 @@ function validateMemberExpression(
   ctx: ProbeContext
 ): [boolean, any?] {
   const iter = getMemberExpressionIdentifier(node, {
-    externalIdentifierLookup: (name: string) => ctx.sourceFile.tracer.literalIdentifiers.get(name) ?? null
+    externalIdentifierLookup: (name: string) => ctx.sourceFile.tracer.literalIdentifiers.get(name)?.value ?? null
   });
 
   const jsTypeName = iter.next().value;

workspaces/js-x-ray/src/probes/isRequire/RequireCallExpressionWalker.ts

@@ -95,7 +95,7 @@ export class RequireCallExpressionWalker {
     const nodeArguments = getCallExpressionArguments(
       node,
       {
-        externalIdentifierLookup: (name) => this.tracer.literalIdentifiers.get(name) ?? null
+        externalIdentifierLookup: (name) => this.tracer.literalIdentifiers.get(name)?.value ?? null
       }
     );
 

workspaces/js-x-ray/src/probes/isRequire/isRequire.ts

@@ -93,7 +93,7 @@ function main(
     case "Identifier":
       if (sourceFile.tracer.literalIdentifiers.has(arg.name)) {
         sourceFile.addDependency(
-          sourceFile.tracer.literalIdentifiers.get(arg.name)!,
+          sourceFile.tracer.literalIdentifiers.get(arg.name)?.value!,
           node.loc
         );
       }
@@ -115,7 +115,7 @@ function main(
     case "ArrayExpression": {
       const value = [
         ...arrayExpressionToString(arg, {
-          externalIdentifierLookup: (name) => tracer.literalIdentifiers.get(name) ?? null
+          externalIdentifierLookup: (name) => tracer.literalIdentifiers.get(name)?.value ?? null
         })
       ]
         .join("")
@@ -143,7 +143,7 @@ function main(
 
       try {
         const iter = concatBinaryExpression(arg, {
-          externalIdentifierLookup: (name) => tracer.literalIdentifiers.get(name) ?? null,
+          externalIdentifierLookup: (name) => tracer.literalIdentifiers.get(name)?.value ?? null,
           stopOnUnsupportedNode: true
         });