Added test cases for client-s v2 and v3 sql injection

2025-12-16 16:53:25 +01:00 · 2025-07-29 09:50:46 +02:00
parent 1149617f7b
commit 5e6118ef3f
1 changed files with 44 additions and 0 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/clients3.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/clients3.js
@@ -0,0 +1,44 @@
+const { S3Client, SelectObjectContentCommand } = require("@aws-sdk/client-s3");
+const AWS = require('aws-sdk');
+const express = require('express');
+const bodyParser = require('body-parser');
+
+const app = express();
+app.use(bodyParser.json());
+
+app.post('/client/v3/execute', async (req, res) => {
+    let maliciousInput = req.body.filter; // $ MISSING: Source
+    const client = new S3Client({ region: "us-east-1" });
+    const params = {
+        Bucket: "my-bucket",
+        Key: "data.csv",
+        ExpressionType: "SQL",
+        Expression: "SELECT * FROM S3Object WHERE " + maliciousInput,
+    };
+    await client.send(new SelectObjectContentCommand(params)); // $ MISSING: Alert
+    res.end();
+});
+
+app.post('/client/v2/execute', async (req, res) => {
+    let maliciousInput = req.body.filter; // $ MISSING: Source
+    const s3 = new AWS.S3({ region: "us-east-1" });
+    const params = {
+        Bucket: "my-bucket",
+        Key: "data.csv",
+        ExpressionType: "SQL",
+        Expression: "SELECT * FROM S3Object WHERE " + maliciousInput, // $ MISSING: Alert
+    };
+    await s3.selectObjectContent(params).promise();
+    res.end();
+
+    const params1 = {
+        Bucket: "my-bucket",
+        Key: "data.csv",
+        ExpressionType: "SQL",
+        Expression: "SELECT * FROM S3Object WHERE " + maliciousInput, // $ MISSING: Alert
+    };
+
+    s3.selectObjectContent(params1, (err, data) => {
+        res.end();
+    });
+});