
Commit 2fcbdc1

ajitpratap0 (Ajit Pratap Singh) and claude authored
feat: add SQL injection pattern detection (pkg/sql/security) (#121)
* feat: add SQL injection pattern detection (pkg/sql/security) (#71)

Add new security package for detecting SQL injection vulnerabilities in parsed SQL AST and raw SQL strings.

Detection patterns:
- Tautologies: 1=1, 'a'='a', col=col, OR 1=1
- Comment-based bypass: --, /**/, #
- Time-based blind: SLEEP(), pg_sleep(), WAITFOR DELAY, BENCHMARK()
- UNION-based: NULL placeholders, system table access
- Out-of-band: xp_cmdshell, LOAD_FILE(), INTO OUTFILE
- Dangerous functions: EXEC(), sp_executesql

Features:
- Severity levels: CRITICAL, HIGH, MEDIUM, LOW
- Configurable minimum severity threshold
- AST-based scanning for accurate detection
- Raw SQL regex scanning for edge cases
- Helper methods: HasCritical(), HasHighOrAbove(), IsClean()

Performance:
- AST scan: ~30ns simple, ~175ns complex queries
- Raw SQL scan: ~16μs per query

Test coverage: 24 tests covering all detection patterns

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: remove unnecessary type assertions in security scanner

Fix golangci-lint S1040 error - SetOperation.Left and .Right are already of type ast.Statement, so type assertions are unnecessary.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: address review feedback for SQL injection scanner

- Fix severity comparison vulnerability: unknown severities now default to being included (fail-safe behavior) instead of returning 0
- Pre-compile regex patterns at package level using sync.Once for better performance (patterns compiled once instead of per-scanner)
- Improve system table detection precision: use prefix/exact matching instead of strings.Contains to avoid false positives
- Add input validation for NewScannerWithSeverity (returns error for invalid severity levels)
- Add comprehensive tests for isSystemTable and unknown severity handling

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Ajit Pratap Singh <ajitpratapsingh@Ajits-Mac-mini.local>
Co-authored-by: Claude <noreply@anthropic.com>
1 parent 76ee043 commit 2fcbdc1

2 files changed

Lines changed: 1366 additions & 0 deletions
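The commit message above lists the detection families, the severity ladder, the configurable minimum-severity threshold and the two review-feedback fixes (fail-safe handling of unknown severities, validation of the threshold at construction). The Go program below is an added example written for this page to show how a raw-SQL regex scanner with those properties fits together. It is not the project's pkg/sql/security code, and every name in it (Scanner, NewScanner, Includes, Result, the pattern table and the regexes themselves) is hypothetical; it covers only the raw-string path the message describes, not the AST scan.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Severity ranks a finding; higher is worse. Zero is deliberately not a level.
type Severity int

const (
	Low Severity = iota + 1
	Medium
	High
	Critical
)

// pattern is one signature; check post-filters submatches (tautology: both sides equal).
type pattern struct {
	name  string
	sev   Severity
	re    *regexp.Regexp
	check func(groups []string) bool
}

func sameSides(g []string) bool { return strings.EqualFold(g[1], g[2]) }

// patterns is compiled once at package init, not per Scanner. The regexes are
// hypothetical, RE2-compatible (no backreferences) and intentionally broad.
var patterns = []pattern{
	{"tautology", High, regexp.MustCompile(`(?i)\b(?:or|and|where)\s+(\d+|'[^']*'|\w+)\s*=\s*(\d+|'[^']*'|\w+)`), sameSides},
	{"comment-bypass", Medium, regexp.MustCompile(`--|/\*|#`), nil},
	{"time-based-blind", High, regexp.MustCompile(`(?i)\b(?:sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b`), nil},
	{"union-null", High, regexp.MustCompile(`(?i)\bunion\s+(?:all\s+)?select\b(?:\s*null\s*,)*\s*null\b`), nil},
	{"system-table", Medium, regexp.MustCompile(`(?i)\b(?:information_schema\.|pg_catalog\.|sysobjects\b)`), nil},
	{"out-of-band", Critical, regexp.MustCompile(`(?i)\bxp_cmdshell\b|\bload_file\s*\(|\binto\s+(?:outfile|dumpfile)\b`), nil},
	{"dynamic-exec", Critical, regexp.MustCompile(`(?i)\b(?:exec|execute)\s*\(|\bsp_executesql\b`), nil},
}

type Finding struct {
	Pattern  string
	Severity Severity
	Match    string
}
type Result []Finding

func (r Result) IsClean() bool        { return len(r) == 0 }
func (r Result) HasCritical() bool    { return r.hasAtLeast(Critical) }
func (r Result) HasHighOrAbove() bool { return r.hasAtLeast(High) }
func (r Result) hasAtLeast(s Severity) bool {
	for _, f := range r {
		if f.Severity >= s {
			return true
		}
	}
	return false
}

// Scanner reports findings at or above a minimum severity.
type Scanner struct{ threshold Severity }

func NewScanner(threshold Severity) (*Scanner, error) {
	if threshold < Low || threshold > Critical {
		return nil, fmt.Errorf("invalid minimum severity %d", int(threshold))
	}
	return &Scanner{threshold: threshold}, nil
}

// Includes applies the threshold. A severity outside the known range is kept,
// never dropped: a mis-tagged rule must fail loud, not silently hide findings.
func (s *Scanner) Includes(sev Severity) bool {
	if sev < Low || sev > Critical {
		return true
	}
	return sev >= s.threshold
}

// Scan runs every signature that passes the threshold over the raw SQL text.
func (s *Scanner) Scan(sql string) Result {
	var out Result
	for _, p := range patterns {
		if !s.Includes(p.sev) {
			continue
		}
		for _, m := range p.re.FindAllStringSubmatch(sql, -1) {
			if p.check != nil && !p.check(m) {
				continue
			}
			out = append(out, Finding{p.name, p.sev, m[0]})
		}
	}
	return out
}

func main() {
	sc, _ := NewScanner(Low) // Low: report everything; the query below is a constructed sample
	fmt.Printf("%+v\n", sc.Scan("SELECT * FROM users WHERE name = 'x' OR 1=1 --"))
}
```

Two design points mirror the review feedback in the commit: NewScanner rejects a threshold outside the known levels instead of silently accepting it, and Includes returns true for any severity it does not recognise, so a rule tagged with a bad level is surfaced rather than filtered out. The tautology rule compares the two captured sides in Go because RE2 has no backreferences. A regex over raw text will also flag `--` or `#` inside string literals; that false-positive class is why the commit pairs the raw scan with AST-based detection.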
