npm
Sign UpSign In

@marcusfernstrom/sif

1.0.2 • Public • Published

SIF / SQL Injection Finder

Scan your JavaScript code for potential SQL injection vectors

Install

npm i -g @marcusfernstrom/sif

Use

From commandline/terminal run sif <directory> where directory is the root of your project.

If a file has a potential SQL injection vector it shows up in red.

SIF will exit with error code 1 if it found any risky SQL, useful if you want to add it to a build script.

How

SIF grabs all .js files in the directory (recursively) and scans them for MySQL queries .query(, when it finds them it collects the SQL statement and analyzes it for string concatenation as well as string literals.

Notes

SIF does not follow variables. A fairly common pattern is to use constants for SQL statements, such as

connection.query(SQL_GET_ALL_USERS, function (error, results, fields) {
  if (error) throw error;
  console.log('The solution is: ', results[0].solution);
});

const SQL_GET_ALL_USERS = `
...sql here
`;

Following variables like this is planned for a future version.

This is an early version, please report false positives and false negatives along with the SQL when possible so I can improve the accuracy.

Readme

Keywords

none

Package Sidebar

Install

npm i @marcusfernstrom/sif

Repository

github.com/MFernstrom/js-sql-injection-finder

Homepage

github.com/MFernstrom/js-sql-injection-finder#readme

Weekly Downloads

0

Version

1.0.2

License

Apache-2.0

Unpacked Size

43 kB

Total Files

13

Last publish

Collaborators

  • marcusfernstrom
Try on RunKit
Report malware