Overview ¶
Package security provides SQL injection pattern detection and security scanning. It analyzes a parsed SQL AST to identify common injection patterns and vulnerabilities.
The scanner detects 8 pattern types:
- Tautologies: Always-true conditions like 1=1, 'a'='a'
- Comment-based bypasses: --, /**/, #, trailing comments
- UNION-based extraction: UNION SELECT patterns, information_schema access
- Stacked queries: Destructive statements after semicolon (DROP, DELETE, etc.)
- Time-based blind: SLEEP(), WAITFOR DELAY, pg_sleep(), BENCHMARK()
- Out-of-band: xp_cmdshell, LOAD_FILE(), UTL_HTTP, etc.
- Dangerous functions: EXEC(), sp_executesql, PREPARE FROM, etc.
- Boolean-based: Conditional logic exploitation
Example usage:
    scanner := security.NewScanner()
    results := scanner.Scan(ast)
    for _, finding := range results.Findings {
        fmt.Printf("%s: %s at line %d\n", finding.Severity, finding.Pattern, finding.Line)
    }
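As an added illustration, not this package's own code, the self-contained Go program below implements a toy raw-string scanner in the shape of ScanSQL for four of the documented pattern types (tautology, comment bypass, stacked query, time-based). It reuses the documented Severity, Finding and ScanResult names with trimmed fields; the regexps and the operand comparison that confirms a tautology are constructed here and are far weaker than an AST-based analysis.

```go
package main

import "regexp"

// Severity, Finding and ScanResult mirror the documented shapes (fields trimmed);
// the regexp rules are a constructed stand-in for illustration, not the package's analyzer.
type Severity string

const SeverityCritical, SeverityHigh Severity = "CRITICAL", "HIGH"

type Finding struct {
	Severity Severity
	Pattern  string
}

type ScanResult struct {
	Findings      []Finding
	CriticalCount int
	HighCount     int
}

// rule ties a regexp to the pattern it signals; check, when set, must accept the
// submatches (used to require identical operands on both sides of an OR comparison).
type rule struct {
	pattern  string
	severity Severity
	re       *regexp.Regexp
	check    func(m []string) bool
}

var rules = []rule{
	{"TAUTOLOGY", SeverityCritical, regexp.MustCompile(`(?i)\bor\s+('[^']*'|\w+)\s*=\s*('[^']*'|\w+)`), func(m []string) bool { return m[1] == m[2] }},
	{"COMMENT_BYPASS", SeverityHigh, regexp.MustCompile(`--|#|/\*`), nil},
	{"STACKED_QUERY", SeverityCritical, regexp.MustCompile(`(?i);\s*(drop|delete|truncate|alter)\b`), nil},
	{"TIME_BASED", SeverityHigh, regexp.MustCompile(`(?i)\b(sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b`), nil},
}

// ScanSQL applies every rule to a raw SQL string and tallies findings by severity.
func ScanSQL(sql string) *ScanResult {
	r := &ScanResult{}
	counts := map[Severity]*int{SeverityCritical: &r.CriticalCount, SeverityHigh: &r.HighCount}
	for _, rl := range rules {
		if m := rl.re.FindStringSubmatch(sql); m != nil && (rl.check == nil || rl.check(m)) {
			r.Findings = append(r.Findings, Finding{rl.severity, rl.pattern})
			*counts[rl.severity]++
		}
	}
	return r
}
```

Calling ScanSQL on a constructed input such as `SELECT * FROM users WHERE name = '' OR 'a'='a' -- ` yields one CRITICAL tautology finding and one HIGH comment-bypass finding, while a query whose OR compares two different operands produces none.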
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Finding ¶
type Finding struct {
    Severity    Severity    `json:"severity"`
    Pattern     PatternType `json:"pattern"`
    Description string      `json:"description"`
    Risk        string      `json:"risk"`
    Line        int         `json:"line,omitempty"`
    Column      int         `json:"column,omitempty"`
    SQL         string      `json:"sql,omitempty"`
    Suggestion  string      `json:"suggestion,omitempty"`
}
Finding represents a single security finding from the scanner.
type PatternType ¶
type PatternType string
PatternType categorizes the type of injection pattern detected.
const (
    PatternTautology     PatternType = "TAUTOLOGY"
    PatternComment       PatternType = "COMMENT_BYPASS"
    PatternStackedQuery  PatternType = "STACKED_QUERY"
    PatternUnionBased    PatternType = "UNION_BASED"
    PatternTimeBased     PatternType = "TIME_BASED"
    PatternBooleanBased  PatternType = "BOOLEAN_BASED"
    PatternOutOfBand     PatternType = "OUT_OF_BAND"
    PatternDangerousFunc PatternType = "DANGEROUS_FUNCTION"
)
type ScanResult ¶
type ScanResult struct {
    Findings      []Finding `json:"findings"`
    TotalCount    int       `json:"total_count"`
    CriticalCount int       `json:"critical_count"`
    HighCount     int       `json:"high_count"`
    MediumCount   int       `json:"medium_count"`
    LowCount      int       `json:"low_count"`
}
ScanResult contains all findings from a security scan.
func (*ScanResult) HasCritical ¶
func (r *ScanResult) HasCritical() bool
HasCritical returns true if any critical findings exist.
func (*ScanResult) HasHighOrAbove ¶
func (r *ScanResult) HasHighOrAbove() bool
HasHighOrAbove returns true if any high or critical findings exist.
func (*ScanResult) IsClean ¶
func (r *ScanResult) IsClean() bool
IsClean returns true if no findings exist.
type Scanner ¶
type Scanner struct {
    // MinSeverity filters findings below this severity level
    MinSeverity Severity
}
Scanner performs security analysis on SQL AST.
func NewScanner ¶
func NewScanner() *Scanner
NewScanner creates a new security scanner with default settings.
func NewScannerWithSeverity ¶
NewScannerWithSeverity creates a scanner filtering by minimum severity. Returns an error if the severity is not valid.
func (*Scanner) Scan ¶
func (s *Scanner) Scan(tree *ast.AST) *ScanResult
Scan analyzes an AST for SQL injection patterns.
func (*Scanner) ScanSQL ¶
func (s *Scanner) ScanSQL(sql string) *ScanResult
ScanSQL analyzes a raw SQL string for injection patterns. This is useful for detecting patterns, such as comments, that may not survive in the AST.
type Severity ¶
type Severity string
Severity represents the severity level of a security finding.
const (
    // SeverityCritical indicates definite injection (e.g., OR 1=1 --)
    SeverityCritical Severity = "CRITICAL"
    // SeverityHigh indicates likely injection (suspicious patterns)
    SeverityHigh Severity = "HIGH"
    // SeverityMedium indicates potentially unsafe patterns (needs review)
    SeverityMedium Severity = "MEDIUM"
    // SeverityLow indicates informational findings
    SeverityLow Severity = "LOW"
)