ajinabraham.njsscan.sql_injection.node_knex_sqli_injection
ajinabrahamAuthor
1,524
Download Count*
License
Untrusted input concatinated with raw SQL query using knex raw() or whereRaw() functions can result in SQL Injection.
Run Locally
Run in CI
Defintion
rules:
- id: node_knex_sqli_injection
patterns:
- pattern-either:
- pattern-inside: |
$KNEX = require('knex')
...
- pattern-inside: |
$KNEX = require('knex')(...)
...
- pattern-either:
- pattern: |
$K.raw(<... $REQ.$QUERY.$VAR ...>, ...)
- pattern: |
$K.raw(<... $REQ.$QUERY ...>, ...)
- pattern: |
$SQL = <... $REQ.$QUERY.$VAR ...>;
...
$K.raw(<... $SQL ...>, ...)
- pattern: |
$SQL = <... $REQ.$QUERY ...>;
...
$K.raw(<... $SQL ...>, ...)
- pattern: |
$INP = <... $REQ.$QUERY.$VAR ...>;
...
$SQL = <... $INP ...>;
...
$K.raw(<... $SQL ...>, ...)
- pattern: |
$INP = <... $REQ.$QUERY ...>;
...
$SQL = <... $INP ...>;
...
$K.raw(<... $SQL ...>, ...)
- pattern: |
$K.whereRaw(<... $REQ.$QUERY.$VAR ...>, ...)
- pattern: |
$K.whereRaw(<... $REQ.$QUERY ...>, ...)
- pattern: |
$SQL = <... $REQ.$QUERY.$VAR ...>;
...
$K.whereRaw(<... $SQL ...>, ...)
- pattern: |
$SQL = <... $REQ.$QUERY ...>;
...
$K.whereRaw(<... $SQL ...>, ...)
- pattern: |
$INP = <... $REQ.$QUERY.$VAR ...>;
...
$SQL = <... $INP ...>;
...
$K.whereRaw(<... $SQL ...>, ...)
- pattern: |
$INP = <... $REQ.$QUERY ...>;
...
$SQL = <... $INP ...>;
...
$K.whereRaw(<... $SQL ...>, ...)
message: Untrusted input concatinated with raw SQL query using knex raw() or
whereRaw() functions can result in SQL Injection.
languages:
- javascript
severity: ERROR
metadata:
owasp: "A1: Injection"
cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command
('SQL Injection')"
license: LGPL-3.0-or-later
Short Link: https://sg.run/wez6