Module: Dbviewer::Validator::Sql::ThreatDetector

Extended by:

ThreatDetector

Included in:

ThreatDetector

Defined in:

lib/dbviewer/validator/sql/threat_detector.rb

Overview

Module for detecting various types of security threats in SQL queries This module contains all the logic for identifying SQL injection attempts, suspicious patterns, and other security vulnerabilities.

Instance Method Summary

• #detect_forbidden_keywords(normalized_sql) ⇒ String^?

  Check for forbidden keywords in the normalized SQL This method scans for keywords that could modify data or schema.

• #detect_subqueries(normalized_sql) ⇒ Boolean

  Detect subqueries in the SQL by checking for unbalanced parentheses This is a heuristic method for feature detection.

• #has_injection_patterns?(sql) ⇒ Boolean

  Check for specific SQL injection patterns This method looks for known SQL injection attack patterns that are commonly used by attackers.

• #has_multiple_statements?(normalized_sql) ⇒ Boolean

  Check for multiple SQL statements separated by semicolons Multiple statements could allow SQL injection attacks.

• #has_suspicious_patterns?(sql) ⇒ Boolean

  Check for suspicious patterns in SQL that might indicate an attack This method performs multiple checks on the raw SQL (before normalization) to catch threats that might be hidden by the normalization process.

• #pragma_statement?(normalized_sql) ⇒ Boolean

  Check if the query is a SQLite PRAGMA statement PRAGMA statements are allowed for database introspection.

• #valid_query_start?(normalized_sql) ⇒ Boolean

  Check if the query starts with an allowed statement type Only SELECT and WITH (for CTEs) are allowed as query starters.

Instance Method Details

#detect_forbidden_keywords(normalized_sql) ⇒ String^?

Check for forbidden keywords in the normalized SQL This method scans for keywords that could modify data or schema.

Parameters:

• normalized_sql (String) —

  Normalized SQL query

Returns:

• (String, nil) —

  The forbidden keyword found, or nil if none

# File 'lib/dbviewer/validator/sql/threat_detector.rb', line 55

def detect_forbidden_keywords(normalized_sql)
  ValidationConfig::FORBIDDEN_KEYWORDS.find do |keyword|
    normalized_sql =~ /\b#{keyword}\b/i
  end
end

#detect_subqueries(normalized_sql) ⇒ Boolean

Detect subqueries in the SQL by checking for unbalanced parentheses This is a heuristic method for feature detection.

Parameters:

• normalized_sql (String) —

  Normalized SQL query

Returns:

• (Boolean) —

  true if subqueries are likely present

# File 'lib/dbviewer/validator/sql/threat_detector.rb', line 94

def detect_subqueries(normalized_sql)
  # Check if there are unbalanced parentheses that likely contain subqueries
  normalized_sql.count("(") > normalized_sql.count(")")
end

#has_injection_patterns?(sql) ⇒ Boolean

Check for specific SQL injection patterns This method looks for known SQL injection attack patterns that are commonly used by attackers.

Parameters:

• sql (String) —

  Raw SQL query (before normalization)

Returns:

• (Boolean) —

  true if injection patterns found, false otherwise

# File 'lib/dbviewer/validator/sql/threat_detector.rb', line 36

def has_injection_patterns?(sql)
  patterns_to_check = ValidationConfig::INJECTION_PATTERNS

  # Filter out enhanced patterns if enhanced protection is disabled
  unless enhanced_protection_enabled?
    enhanced_patterns = [ :information_schema, :mysql_user, :pg_user ]
    patterns_to_check = patterns_to_check.reject { |name, _| enhanced_patterns.include?(name) }
  end

  patterns_to_check.any? do |_name, pattern|
    sql =~ pattern
  end
end

#has_multiple_statements?(normalized_sql) ⇒ Boolean

Check for multiple SQL statements separated by semicolons Multiple statements could allow SQL injection attacks.

Parameters:

• normalized_sql (String) —

  Normalized SQL query

Returns:

• (Boolean) —

  true if multiple statements detected

# File 'lib/dbviewer/validator/sql/threat_detector.rb', line 84

def has_multiple_statements?(normalized_sql)
  statements = normalized_sql.split(";").reject(&:blank?)
  statements.size > 1
end

#has_suspicious_patterns?(sql) ⇒ Boolean

Check for suspicious patterns in SQL that might indicate an attack This method performs multiple checks on the raw SQL (before normalization) to catch threats that might be hidden by the normalization process.

Parameters:

• sql (String) —

  Raw SQL query (before normalization)

Returns:

• (Boolean) —

  true if suspicious patterns found, false otherwise

# File 'lib/dbviewer/validator/sql/threat_detector.rb', line 20

def has_suspicious_patterns?(sql)
  return true if has_comment_injection?(sql)
  return true if has_string_concatenation?(sql)
  return true if has_excessive_quotes?(sql)
  return true if has_hex_encoding?(sql)
  return true if has_additional_suspicious_patterns?(sql)

  false
end

#pragma_statement?(normalized_sql) ⇒ Boolean

Check if the query is a SQLite PRAGMA statement PRAGMA statements are allowed for database introspection.

Parameters:

• normalized_sql (String) —

  Normalized SQL query

Returns:

• (Boolean) —

  true if query is a PRAGMA statement

# File 'lib/dbviewer/validator/sql/threat_detector.rb', line 75

def pragma_statement?(normalized_sql)
  normalized_sql =~ ValidationConfig::PRAGMA_PATTERN
end

#valid_query_start?(normalized_sql) ⇒ Boolean

Check if the query starts with an allowed statement type Only SELECT and WITH (for CTEs) are allowed as query starters.

Parameters:

• normalized_sql (String) —

  Normalized SQL query

Returns:

• (Boolean) —

  true if query starts with allowed statement

# File 'lib/dbviewer/validator/sql/threat_detector.rb', line 66

def valid_query_start?(normalized_sql)
  normalized_sql =~ ValidationConfig::VALID_QUERY_START_PATTERN
end