contrib.nodejsscan.sql_injection.node_sqli_injection
returntocorpAuthor
99
Download Count*
License
Untrusted input concatenated with raw SQL query can result in SQL Injection.
Run Locally
Run in CI
Defintion
rules:
- id: node_sqli_injection
patterns:
- pattern-either:
- pattern: |
$CON.query(<... $REQ.$QUERY.$VAR ...>, ...)
- pattern: |
$CON.query(<... $REQ.$QUERY ...>, ...)
- pattern: |
$SQL = <... $REQ.$QUERY.$VAR ...>;
...
$CON.query(<... $SQL ...>, ...);
- pattern: |
$SQL = <... $REQ.$QUERY ...>;
...
$CON.query(<... $SQL ...>, ...);
- pattern: |
$INP = <... $REQ.$QUERY.$VAR ...>;
...
$SQL = <... $INP ...>;
...
$CON.query(<... $SQL ...>, ...);
- pattern: |
$INP = <... $REQ.$QUERY ...>;
...
$SQL = <... $INP ...>;
...
$CON.query(<... $SQL ...>, ...);
message: Untrusted input concatenated with raw SQL query can result in SQL
Injection.
languages:
- javascript
severity: ERROR
metadata:
owasp: A01:2017 - Injection
cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command
('SQL Injection')"
category: security
technology:
- node.js
- express
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
Short Link: https://sg.run/Yvn5