Skip to content

MFernstrom/js-sif

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
test
test
 
 
.gitignore
.gitignore
 
 
CHANGELOG.md
CHANGELOG.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
index.js
index.js
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 
sif.js
sif.js
 
 
sif.png
sif.png
 
 
utils.js
utils.js
 
 

Repository files navigation

SIF / SQL Injection Finder

Scan your JavaScript code for potential SQL injection vectors

Install

npm i -g @marcusfernstrom/sif

Use

From commandline/terminal run sif <directory> where directory is the root of your project.

If a file has a potential SQL injection vector it shows up in red.

SIF will exit with error code 1 if it found any risky SQL, useful if you want to add it to a build script.

How

SIF grabs all .js files in the directory (recursively) and scans them for MySQL queries .query(, when it finds them it collects the SQL statement and analyzes it for string concatenation as well as string literals.

Notes

SIF does not follow variables. A fairly common pattern is to use constants for SQL statements, such as

connection.query(SQL_GET_ALL_USERS, function (error, results, fields) {
  if (error) throw error;
  console.log('The solution is: ', results[0].solution);
});

const SQL_GET_ALL_USERS = `
...sql here
`;

Following variables like this is planned for a future version.

This is an early version, please report false positives and false negatives along with the SQL when possible so I can improve the accuracy.

About

Scan your JS source code for potential SQL injection vectors

Topics

mysql security sql appsec injection-attacks

Resources

Readme

License

Apache-2.0 license
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages