FEAT-010: SQL Injection Pattern Detection

[ajitpratap0]

Summary

Add security scanner to detect common SQL injection patterns in parsed SQL.

Problem

Parser doesn't detect security patterns - need to help developers identify potential SQL injection vulnerabilities.

Action Items

1. Create security scanner package: pkg/sql/security/

2. Detect common injection patterns:

   • Tautologies: 1=1, 'a'='a', OR 1=1
   • Comment-based bypasses: --, /**/, #
   • Stacked queries: ; DROP TABLE, ; DELETE FROM
   • UNION-based extraction: UNION SELECT in suspicious contexts
   • Time-based blind: SLEEP(), WAITFOR DELAY
   • Boolean-based blind: Suspicious boolean logic patterns
   • Out-of-band: xp_cmdshell, LOAD_FILE(), etc.

3. Add severity levels:

   • CRITICAL: Definite injection (e.g., OR 1=1 --)
   • HIGH: Likely injection (suspicious patterns)
   • MEDIUM: Potentially unsafe (needs review)
   • LOW: Informational

4. CLI integration:

   gosqlx security-scan query.sql
   gosqlx security-scan --severity high *.sql

5. API integration for programmatic use

Acceptance Criteria

• 20+ injection patterns detected
• Severity scoring implemented
• CLI command working
• API for programmatic scanning
• Documentation with examples of each pattern
• Low false positive rate (< 5%)

Technical Details

Priority: Medium
Effort: Medium (32h)
Phase: Phase 4 - Feature Development
Dependencies: None

Example Output

CRITICAL: SQL Injection detected in query.sql:3
  WHERE username = 'admin' OR '1'='1'
                            ^^^^^^^^^
Pattern: Tautology (always true condition)
Risk: Authentication bypass

Related

Unique security feature vs competitors

[ajitpratap0]

✅ Implemented in PR #121

The SQL Injection Pattern Detection feature has been fully implemented with the following capabilities:

Detection Patterns

• Tautologies: 1=1, 'a'='a', col=col (CRITICAL)
• OR-based injection: OR 1=1 bypass patterns (CRITICAL)
• Time-based blind: SLEEP(), pg_sleep(), BENCHMARK(), WAITFOR DELAY (HIGH)
• UNION-based: Multiple NULL columns, system table access (HIGH/CRITICAL)
• Out-of-band: xp_cmdshell, LOAD_FILE, INTO OUTFILE (CRITICAL)
• Comment bypass: --, /* */, # patterns (LOW-HIGH)
• Dangerous functions: Dynamic SQL execution patterns (MEDIUM)

API

// AST-based scanning
scanner := security.NewScanner()
result := scanner.Scan(ast)

// Raw SQL scanning  
result := scanner.ScanSQL(sqlString)

// Severity filtering
scanner, err := security.NewScannerWithSeverity(security.SeverityHigh)

Quality Improvements (Review Feedback)

• Pre-compiled regex patterns at package level for performance
• Fail-safe severity comparison (unknown severities always included)
• Precise system table detection using prefix/exact matching

Test Coverage

• 27 tests covering all detection patterns
• Benchmarks for performance validation
• Race-condition free (validated with -race)