From d44da6c6ac58285d03af597ac157efc298c868b4 Mon Sep 17 00:00:00 2001
From: BitterPanda63
Date: Wed, 7 May 2025 22:16:26 +0200
Subject: [PATCH 1/4] Update test cases to include dialect
---
 aikido_zen/vulnerabilities/init_test.py | 1 +
 end2end/flask_mysql_test.py | 1 +
 end2end/quart_postgres_uvicorn_test.py | 1 +
 end2end/starlette_postgres_uvicorn_test.py | 1 +
 4 files changed, 4 insertions(+)
diff --git a/aikido_zen/vulnerabilities/init_test.py b/aikido_zen/vulnerabilities/init_test.py
index 21d2ac9ad..0baa9470b 100644
--- a/aikido_zen/vulnerabilities/init_test.py
+++ b/aikido_zen/vulnerabilities/init_test.py
@@ -133,6 +133,7 @@ def test_sql_injection_with_comms(caplog, get_context, monkeypatch):
 call_args[1][0]["metadata"]["sql"] == "INSERT * INTO VALUES ('doggoss2', TRUE);"
 )
+ assert call_args[1][0]["metadata"]["dialect"] == "mysql"
 def test_ssrf_with_comms_hostnames_add(caplog, get_context, monkeypatch):
diff --git a/end2end/flask_mysql_test.py b/end2end/flask_mysql_test.py
index 2365521ed..6e8d0d55f 100644
--- a/end2end/flask_mysql_test.py
+++ b/end2end/flask_mysql_test.py
@@ -40,6 +40,7 @@ def test_dangerous_response_with_firewall():
 assert attacks[0]["attack"]["blocked"] == True
 assert attacks[0]["attack"]["kind"] == "sql_injection"
 assert attacks[0]["attack"]["metadata"]["sql"] == 'INSERT INTO dogs (dog_name, isAdmin) VALUES ("Dangerous bobby", 1); -- ", 0)'
+ assert attacks[0]["attack"]["metadata"]["dialect"] == 'mysql'
 assert attacks[0]["attack"]["operation"] == 'pymysql.Cursor.execute'
 assert attacks[0]["attack"]["pathToPayload"] == '.dog_name'
 assert attacks[0]["attack"]["payload"] == '"Dangerous bobby\\", 1); -- "'
diff --git a/end2end/quart_postgres_uvicorn_test.py b/end2end/quart_postgres_uvicorn_test.py
index ebea4a9ab..40296aa8b 100644
--- a/end2end/quart_postgres_uvicorn_test.py
+++ b/end2end/quart_postgres_uvicorn_test.py
@@ -38,6 +38,7 @@ def test_dangerous_response_with_firewall():
 assert attacks[0]["attack"]["blocked"] == True
 assert attacks[0]["attack"]["kind"] == "sql_injection"
 assert attacks[0]["attack"]["metadata"]["sql"] == "INSERT INTO dogs (dog_name, isAdmin) VALUES ('Dangerous Bobby', TRUE); -- ', FALSE)"
+ assert attacks[0]["attack"]["metadata"]["dialect"] == "postgresql"
 assert attacks[0]["attack"]["operation"] == "asyncpg.connection.Connection.execute"
 assert attacks[0]["attack"]["pathToPayload"] == '.dog_name'
 assert attacks[0]["attack"]["payload"] == "\"Dangerous Bobby', TRUE); -- \""
diff --git a/end2end/starlette_postgres_uvicorn_test.py b/end2end/starlette_postgres_uvicorn_test.py
index 331bedcd5..28c8b63e0 100644
--- a/end2end/starlette_postgres_uvicorn_test.py
+++ b/end2end/starlette_postgres_uvicorn_test.py
@@ -40,6 +40,7 @@ def test_dangerous_response_with_firewall():
 assert attacks[0]["attack"]["blocked"] == True
 assert attacks[0]["attack"]["kind"] == "sql_injection"
 assert attacks[0]["attack"]["metadata"]["sql"] == "INSERT INTO dogs (dog_name, isAdmin) VALUES ('Dangerous Bobby', TRUE); -- ', FALSE)"
+ assert attacks[0]["attack"]["metadata"]["dialect"] == "postgresql"
 assert attacks[0]["attack"]["operation"] == "asyncpg.connection.Connection.execute"
 assert attacks[0]["attack"]["pathToPayload"] == ".dog_name"
 assert attacks[0]["attack"]["payload"] == "\"Dangerous Bobby', TRUE); -- \""
From 0f3e4bd384ed0797a13be37503daafa2846c3fc8 Mon Sep 17 00:00:00 2001
From: BitterPanda63
Date: Wed, 7 May 2025 22:16:34 +0200
Subject: [PATCH 2/4] Report back dialect as well in case of sql injection
---
 .../sql_injection/context_contains_sql_injection.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/aikido_zen/vulnerabilities/sql_injection/context_contains_sql_injection.py b/aikido_zen/vulnerabilities/sql_injection/context_contains_sql_injection.py
index e067d97d3..6a25c49fe 100644
--- a/aikido_zen/vulnerabilities/sql_injection/context_contains_sql_injection.py
+++ b/aikido_zen/vulnerabilities/sql_injection/context_contains_sql_injection.py
@@ -20,7 +20,10 @@ def context_contains_sql_injection(sql, operation, context, dialect):
 "kind": "sql_injection",
 "source": source,
 "pathToPayload": path,
- "metadata": {"sql": sql},
+ "metadata": {
+ "sql": sql,
+ "dialect": dialect,
+ },
 "payload": user_input,
 }
 return {}
From ff15ad8964dcea1a361b68ebb8bd1e03a490ef0b Mon Sep 17 00:00:00 2001
From: BitterPanda
Date: Thu, 8 May 2025 09:33:43 +0200
Subject: [PATCH 3/4] "postgresql" -> "postgres" for dialect check
---
 end2end/quart_postgres_uvicorn_test.py | 2 +-
 end2end/starlette_postgres_uvicorn_test.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/end2end/quart_postgres_uvicorn_test.py b/end2end/quart_postgres_uvicorn_test.py
index 40296aa8b..4732f7823 100644
--- a/end2end/quart_postgres_uvicorn_test.py
+++ b/end2end/quart_postgres_uvicorn_test.py
@@ -38,7 +38,7 @@ def test_dangerous_response_with_firewall():
 assert attacks[0]["attack"]["blocked"] == True
 assert attacks[0]["attack"]["kind"] == "sql_injection"
 assert attacks[0]["attack"]["metadata"]["sql"] == "INSERT INTO dogs (dog_name, isAdmin) VALUES ('Dangerous Bobby', TRUE); -- ', FALSE)"
- assert attacks[0]["attack"]["metadata"]["dialect"] == "postgresql"
+ assert attacks[0]["attack"]["metadata"]["dialect"] == "postgres"
 assert attacks[0]["attack"]["operation"] == "asyncpg.connection.Connection.execute"
 assert attacks[0]["attack"]["pathToPayload"] == '.dog_name'
 assert attacks[0]["attack"]["payload"] == "\"Dangerous Bobby', TRUE); -- \""
diff --git a/end2end/starlette_postgres_uvicorn_test.py b/end2end/starlette_postgres_uvicorn_test.py
index 28c8b63e0..0b725ed6c 100644
--- a/end2end/starlette_postgres_uvicorn_test.py
+++ b/end2end/starlette_postgres_uvicorn_test.py
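Review bot: The `dialect` value placed under `"metadata"` on the added lines is forwarded verbatim from the parameter, and nothing in this hunk or the function records which spellings the attack report is expected to carry; patches 3 and 4 of this series had to change the test expectation from "postgresql" to "postgres", which shows the vocabulary is easy to get wrong at the call site. A docstring entry on `context_contains_sql_injection` such as `dialect: dialect name as sent in the attack report metadata (e.g. "mysql", "postgres")` would pin that contract where callers look for it. The function's signature and the start of the returned dict lie outside the hunk.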
@@ -40,7 +40,7 @@ def test_dangerous_response_with_firewall():
 assert attacks[0]["attack"]["blocked"] == True
 assert attacks[0]["attack"]["kind"] == "sql_injection"
 assert attacks[0]["attack"]["metadata"]["sql"] == "INSERT INTO dogs (dog_name, isAdmin) VALUES ('Dangerous Bobby', TRUE); -- ', FALSE)"
- assert attacks[0]["attack"]["metadata"]["dialect"] == "postgresql"
+ assert attacks[0]["attack"]["metadata"]["dialect"] == "postgres"
 assert attacks[0]["attack"]["operation"] == "asyncpg.connection.Connection.execute"
 assert attacks[0]["attack"]["pathToPayload"] == ".dog_name"
 assert attacks[0]["attack"]["payload"] == "\"Dangerous Bobby', TRUE); -- \""
From 7eb99b0bfe2bbb6bc72b09826861ef7c413574f2 Mon Sep 17 00:00:00 2001
From: BitterPanda
Date: Thu, 8 May 2025 09:36:47 +0200
Subject: [PATCH 4/4] Update end2end tests to check for dialect
---
 end2end/django_mysql_gunicorn_test.py | 5 ++++-
 end2end/django_mysql_test.py | 5 ++++-
 end2end/django_postgres_gunicorn_test.py | 5 ++++-
 end2end/flask_mysql_uwsgi_test.py | 5 ++++-
 end2end/flask_postgres_test.py | 10 ++++++++--
 end2end/flask_postgres_xml_lxml_test.py | 5 ++++-
 end2end/flask_postgres_xml_test.py | 5 ++++-
 7 files changed, 32 insertions(+), 8 deletions(-)
diff --git a/end2end/django_mysql_gunicorn_test.py b/end2end/django_mysql_gunicorn_test.py
index 4637a3436..d43d12677 100644
--- a/end2end/django_mysql_gunicorn_test.py
+++ b/end2end/django_mysql_gunicorn_test.py
@@ -39,7 +39,10 @@ def test_dangerous_response_with_firewall():
 assert attacks[0]["attack"] == {
 "blocked": True,
 "kind": "sql_injection",
- 'metadata': {'sql': 'INSERT INTO sample_app_dogs (dog_name, dog_boss) VALUES ("Dangerous bobby", 1); -- ", "N/A")'},
+ 'metadata': {
+ 'dialect': 'mysql',
+ 'sql': 'INSERT INTO sample_app_dogs (dog_name, dog_boss) VALUES ("Dangerous bobby", 1); -- ", "N/A")'
+ },
 'operation': 'MySQLdb.Cursor.execute',
 'pathToPayload': '.dog_name',
 'payload': '"Dangerous bobby\\", 1); -- "',
diff --git a/end2end/django_mysql_test.py b/end2end/django_mysql_test.py
index 95c8f456f..0520da672 100644
--- a/end2end/django_mysql_test.py
+++ b/end2end/django_mysql_test.py
@@ -37,7 +37,10 @@ def test_dangerous_response_with_firewall():
 assert attacks[0]["attack"] == {
 "blocked": True,
 "kind": "sql_injection",
- 'metadata': {'sql': 'INSERT INTO sample_app_dogs (dog_name, dog_boss) VALUES ("Dangerous bobby", 1); -- ", "N/A")'},
+ 'metadata': {
+ 'dialect': 'mysql',
+ 'sql': 'INSERT INTO sample_app_dogs (dog_name, dog_boss) VALUES ("Dangerous bobby", 1); -- ", "N/A")'
+ },
 'operation': 'MySQLdb.Cursor.execute',
 'pathToPayload': '.dog_name',
 'payload': '"Dangerous bobby\\", 1); -- "',
diff --git a/end2end/django_postgres_gunicorn_test.py b/end2end/django_postgres_gunicorn_test.py
index 4815558df..98940a942 100644
--- a/end2end/django_postgres_gunicorn_test.py
+++ b/end2end/django_postgres_gunicorn_test.py
@@ -39,7 +39,10 @@ def test_dangerous_response_with_firewall():
 assert attacks[0]["attack"] == {
 "blocked": True,
 "kind": "sql_injection",
- 'metadata': {'sql': "INSERT INTO sample_app_Dogs (dog_name, is_admin) VALUES ('Dangerous bobby', TRUE); -- ', FALSE)"},
+ 'metadata': {
+ 'dialect': "postgres",
+ 'sql': "INSERT INTO sample_app_Dogs (dog_name, is_admin) VALUES ('Dangerous bobby', TRUE); -- ', FALSE)"
+ },
 'operation': "psycopg2.Connection.Cursor.execute",
 'pathToPayload': '.dog_name',
 'payload': "\"Dangerous bobby', TRUE); -- \"",
diff --git a/end2end/flask_mysql_uwsgi_test.py b/end2end/flask_mysql_uwsgi_test.py
index a1917a794..149582546 100644
--- a/end2end/flask_mysql_uwsgi_test.py
+++ b/end2end/flask_mysql_uwsgi_test.py
@@ -39,7 +39,10 @@ def test_dangerous_response_with_firewall():
 assert attacks[0]["attack"] == {
 "blocked": True,
 "kind": "sql_injection",
- 'metadata': {'sql': 'INSERT INTO dogs (dog_name, isAdmin) VALUES ("Dangerous bobby", 1); -- ", 0)'},
+ 'metadata': {
+ 'dialect': 'mysql',
+ 'sql': 'INSERT INTO dogs (dog_name, isAdmin) VALUES ("Dangerous bobby", 1); -- ", 0)'
+ },
 'operation': 'pymysql.Cursor.execute',
 'pathToPayload': '.dog_name',
 'payload': '"Dangerous bobby\\", 1); -- "',
diff --git a/end2end/flask_postgres_test.py b/end2end/flask_postgres_test.py
index 16be5222a..72d668da3 100644
--- a/end2end/flask_postgres_test.py
+++ b/end2end/flask_postgres_test.py
@@ -85,7 +85,10 @@ def test_attacks_detected():
 assert attacks[0]["attack"] == {
 "blocked": True,
 "kind": "sql_injection",
- 'metadata': {'sql': "INSERT INTO dogs (dog_name, isAdmin) VALUES ('Dangerous Bobby', TRUE); -- ', FALSE)"},
+ 'metadata': {
+ 'dialect': "postgres",
+ 'sql': "INSERT INTO dogs (dog_name, isAdmin) VALUES ('Dangerous Bobby', TRUE); -- ', FALSE)"
+ },
 'operation': "psycopg2.Connection.Cursor.execute",
 'pathToPayload': '.dog_name',
 'payload': '"Dangerous Bobby\', TRUE); -- "',
@@ -95,7 +98,10 @@ def test_attacks_detected():
 assert attacks[1]["attack"] == {
 "blocked": True,
 "kind": "sql_injection",
- 'metadata': {'sql': "INSERT INTO dogs (dog_name, isAdmin) VALUES ('Bobby', TRUE) --', FALSE)"},
+ 'metadata': {
+ 'dialect': "postgres",
+ 'sql': "INSERT INTO dogs (dog_name, isAdmin) VALUES ('Bobby', TRUE) --', FALSE)"
+ },
 'operation': "psycopg2.Connection.Cursor.execute",
 'pathToPayload': '.dog_name',
 'payload': "\"Bobby', TRUE) --\"",
diff --git a/end2end/flask_postgres_xml_lxml_test.py b/end2end/flask_postgres_xml_lxml_test.py
index e44552480..4f471b86e 100644
--- a/end2end/flask_postgres_xml_lxml_test.py
+++ b/end2end/flask_postgres_xml_lxml_test.py
@@ -33,7 +33,10 @@ def test_dangerous_response_with_firewall():
 assert attacks[0]["attack"] == {
 "blocked": True,
 "kind": "sql_injection",
- 'metadata': {'sql': "INSERT INTO dogs (dog_name, isAdmin) VALUES ('Malicious dog', TRUE); -- ', FALSE)"},
+ 'metadata': {
+ 'dialect': "postgres",
+ 'sql': "INSERT INTO dogs (dog_name, isAdmin) VALUES ('Malicious dog', TRUE); -- ', FALSE)"
+ },
 'operation': "psycopg2.Connection.Cursor.execute",
 'pathToPayload': ".dog_name.[0]",
 'payload': "\"Malicious dog', TRUE); -- \"",
diff --git a/end2end/flask_postgres_xml_test.py b/end2end/flask_postgres_xml_test.py
index 47b31f21d..1fceb92fe 100644
--- a/end2end/flask_postgres_xml_test.py
+++ b/end2end/flask_postgres_xml_test.py
@@ -39,7 +39,10 @@ def test_dangerous_response_with_firewall():
 assert attacks[0]["attack"] == {
 "blocked": True,
 "kind": "sql_injection",
- 'metadata': {'sql': "INSERT INTO dogs (dog_name, isAdmin) VALUES ('Malicious dog', TRUE); -- ', FALSE)"},
+ 'metadata': {
+ 'dialect': "postgres",
+ 'sql': "INSERT INTO dogs (dog_name, isAdmin) VALUES ('Malicious dog', TRUE); -- ', FALSE)"
+ },
 'operation': "psycopg2.Connection.Cursor.execute",
 'pathToPayload': ".dog_name.[0]",
 'payload': "\"Malicious dog', TRUE); -- \"",