EdgeNode/internal/waf/injectionutils/utils_sqli_test.go

// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .

package injectionutils_test

import (
	"github.com/TeaOSLab/EdgeNode/internal/waf/injectionutils"
	"github.com/TeaOSLab/EdgeNode/internal/waf/utils"
	"github.com/iwind/TeaGo/assert"
	"github.com/iwind/TeaGo/rands"
	"github.com/iwind/TeaGo/types"
	"runtime"
	"strings"
	"testing"
)

func TestDetectSQLInjection(t *testing.T) {
	var a = assert.NewAssertion(t)
	a.IsTrue(injectionutils.DetectSQLInjection("' UNION SELECT * FROM myTable"))
	a.IsTrue(injectionutils.DetectSQLInjection("asdf asd ; -1' and 1=1 union/* foo */select load_file('/etc/passwd')--"))
	a.IsFalse(injectionutils.DetectSQLInjection("' UNION SELECT1 * FROM myTable"))
	a.IsFalse(injectionutils.DetectSQLInjection("1234"))
	a.IsFalse(injectionutils.DetectSQLInjection(""))
	a.IsTrue(injectionutils.DetectSQLInjection("id=123 OR 1=1&b=2"))
	a.IsTrue(injectionutils.DetectSQLInjection("id=123&b=456&c=1' or 2=2"))
	a.IsFalse(injectionutils.DetectSQLInjection("?"))
	a.IsFalse(injectionutils.DetectSQLInjection("/hello?age=22"))
	a.IsTrue(injectionutils.DetectSQLInjection("/sql/injection?id=123 or 1=1"))
	a.IsTrue(injectionutils.DetectSQLInjection("/sql/injection?id=123%20or%201=1"))
	a.IsTrue(injectionutils.DetectSQLInjection("https://example.com/sql/injection?id=123%20or%201=1"))
	a.IsTrue(injectionutils.DetectSQLInjection("https://example.com/' or 1=1"))
}

func BenchmarkDetectSQLInjection(b *testing.B) {
	runtime.GOMAXPROCS(4)

	b.RunParallel(func(pb *testing.PB) {
		for pb.Next() {
			_ = injectionutils.DetectSQLInjection("asdf asd ; -1' and 1=1 union/* foo */select load_file('/etc/passwd')--")
		}
	})
}

func BenchmarkDetectSQLInjection_URL(b *testing.B) {
	runtime.GOMAXPROCS(4)

	b.RunParallel(func(pb *testing.PB) {
		for pb.Next() {
			_ = injectionutils.DetectSQLInjection("/sql/injection?id=123 or 1=1")
		}
	})
}

func BenchmarkDetectSQLInjection_Normal_Small(b *testing.B) {
	runtime.GOMAXPROCS(4)

	b.RunParallel(func(pb *testing.PB) {
		for pb.Next() {
			_ = injectionutils.DetectSQLInjection("a/sql/injection?id=1234")
		}
	})
}

func BenchmarkDetectSQLInjection_URL_Normal_Small(b *testing.B) {
	runtime.GOMAXPROCS(4)

	b.RunParallel(func(pb *testing.PB) {
		for pb.Next() {
			_ = injectionutils.DetectSQLInjection("/sql/injection?id=" + types.String(rands.Int64()%10000))
		}
	})
}

func BenchmarkDetectSQLInjection_URL_Normal_Middle(b *testing.B) {
	runtime.GOMAXPROCS(4)

	b.RunParallel(func(pb *testing.PB) {
		for pb.Next() {
			_ = injectionutils.DetectSQLInjection("/search?q=libinjection+fingerprint&newwindow=1&sca_esv=589290862&sxsrf=AMwHvKnxuLoejn2XlNniffC12E_xc35M7Q%3A1702090118361&ei=htvzzebfFZfo1e8PvLGggAk&ved=0ahUKEwjTsYmnq4GDAxUWdPOHHbwkCJAQ4ddDCBA&uact=5&oq=libinjection+fingerprint&gs_lp=Egxnd3Mtd2l6LXNlcnAiGIxpYmluamVjdGlvbmBmaW5nKXJwcmludTIEEAAYHjIGVAAYCBgeSiEaUPkRWKFZcAJ4AZABAJgBHgGgAfoEqgwDMC40uAEGyAEA-AEBwgIKEAFYTxjWMuiwA-IDBBgAVteIBgGQBgI&sclient=gws-wiz-serp#ip=1")
		}
	})
}

func BenchmarkDetectSQLInjection_URL_Normal_Small_Cache(b *testing.B) {
	runtime.GOMAXPROCS(4)

	b.RunParallel(func(pb *testing.PB) {
		for pb.Next() {
			_ = injectionutils.DetectSQLInjectionCache("/sql/injection?id="+types.String(rands.Int64()%10000), utils.CacheMiddleLife)
		}
	})
}

func BenchmarkDetectSQLInjection_Normal_Large(b *testing.B) {
	runtime.GOMAXPROCS(4)

	var s = strings.Repeat("A", 512)
	b.ResetTimer()

	b.RunParallel(func(pb *testing.PB) {
		for pb.Next() {
			_ = injectionutils.DetectSQLInjection("a/sql/injection?id=" + types.String(rands.Int64()%10000) + "&s=" + s)
		}
	})
}

func BenchmarkDetectSQLInjection_Normal_Large_Cache(b *testing.B) {
	runtime.GOMAXPROCS(4)

	var s = strings.Repeat("A", 512)

	b.RunParallel(func(pb *testing.PB) {
		for pb.Next() {
			_ = injectionutils.DetectSQLInjectionCache("a/sql/injection?id="+types.String(rands.Int64()%10000)+"&s="+s, utils.CacheMiddleLife)
		}
	})
}

func BenchmarkDetectSQLInjection_URL_Unescape(b *testing.B) {
	runtime.GOMAXPROCS(4)

	b.RunParallel(func(pb *testing.PB) {
		for pb.Next() {
			_ = injectionutils.DetectSQLInjection("/sql/injection?id=123%20or%201=1")
		}
	})
}
WAF增加“包含SQL注入”操作符 2023-12-07 20:25:35 +08:00			`// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .`

			`package injectionutils_test`

			`import (`
			`"github.com/TeaOSLab/EdgeNode/internal/waf/injectionutils"`
WAF SQL注入和XSS检测增加缓存/优化部分WAF相关测试用例 2023-12-09 11:46:50 +08:00			`"github.com/TeaOSLab/EdgeNode/internal/waf/utils"`
WAF增加“包含SQL注入”操作符 2023-12-07 20:25:35 +08:00			`"github.com/iwind/TeaGo/assert"`
WAF SQL注入和XSS检测增加缓存/优化部分WAF相关测试用例 2023-12-09 11:46:50 +08:00			`"github.com/iwind/TeaGo/rands"`
			`"github.com/iwind/TeaGo/types"`
WAF增加“包含SQL注入”操作符 2023-12-07 20:25:35 +08:00			`"runtime"`
WAF SQL注入和XSS检测增加缓存/优化部分WAF相关测试用例 2023-12-09 11:46:50 +08:00			`"strings"`
WAF增加“包含SQL注入”操作符 2023-12-07 20:25:35 +08:00			`"testing"`
			`)`

			`func TestDetectSQLInjection(t *testing.T) {`
			`var a = assert.NewAssertion(t)`
			`a.IsTrue(injectionutils.DetectSQLInjection("' UNION SELECT * FROM myTable"))`
			`a.IsTrue(injectionutils.DetectSQLInjection("asdf asd ; -1' and 1=1 union/* foo */select load_file('/etc/passwd')--"))`
			`a.IsFalse(injectionutils.DetectSQLInjection("' UNION SELECT1 * FROM myTable"))`
			`a.IsFalse(injectionutils.DetectSQLInjection("1234"))`
			`a.IsFalse(injectionutils.DetectSQLInjection(""))`
			`a.IsTrue(injectionutils.DetectSQLInjection("id=123 OR 1=1&b=2"))`
增加测试用例 2023-12-07 20:47:25 +08:00			`a.IsTrue(injectionutils.DetectSQLInjection("id=123&b=456&c=1' or 2=2"))`
WAF增加“包含SQL注入”操作符 2023-12-07 20:25:35 +08:00			`a.IsFalse(injectionutils.DetectSQLInjection("?"))`
			`a.IsFalse(injectionutils.DetectSQLInjection("/hello?age=22"))`
			`a.IsTrue(injectionutils.DetectSQLInjection("/sql/injection?id=123 or 1=1"))`
			`a.IsTrue(injectionutils.DetectSQLInjection("/sql/injection?id=123%20or%201=1"))`
WAF SQL注入检测时支持 (http\|https):// 开头的URL 2023-12-07 20:38:06 +08:00			`a.IsTrue(injectionutils.DetectSQLInjection("https://example.com/sql/injection?id=123%20or%201=1"))`
WAF SQL注入和XSS检测增加缓存/优化部分WAF相关测试用例 2023-12-09 11:46:50 +08:00			`a.IsTrue(injectionutils.DetectSQLInjection("https://example.com/' or 1=1"))`
WAF增加“包含SQL注入”操作符 2023-12-07 20:25:35 +08:00			`}`

			`func BenchmarkDetectSQLInjection(b *testing.B) {`
			`runtime.GOMAXPROCS(4)`

			`b.RunParallel(func(pb *testing.PB) {`
			`for pb.Next() {`
			`_ = injectionutils.DetectSQLInjection("asdf asd ; -1' and 1=1 union/* foo */select load_file('/etc/passwd')--")`
			`}`
			`})`
			`}`

			`func BenchmarkDetectSQLInjection_URL(b *testing.B) {`
			`runtime.GOMAXPROCS(4)`

			`b.RunParallel(func(pb *testing.PB) {`
			`for pb.Next() {`
			`_ = injectionutils.DetectSQLInjection("/sql/injection?id=123 or 1=1")`
			`}`
			`})`
			`}`

WAF SQL注入和XSS检测增加缓存/优化部分WAF相关测试用例 2023-12-09 11:46:50 +08:00			`func BenchmarkDetectSQLInjection_Normal_Small(b *testing.B) {`
			`runtime.GOMAXPROCS(4)`

			`b.RunParallel(func(pb *testing.PB) {`
			`for pb.Next() {`
			`_ = injectionutils.DetectSQLInjection("a/sql/injection?id=1234")`
			`}`
			`})`
			`}`

			`func BenchmarkDetectSQLInjection_URL_Normal_Small(b *testing.B) {`
			`runtime.GOMAXPROCS(4)`

			`b.RunParallel(func(pb *testing.PB) {`
			`for pb.Next() {`
			`_ = injectionutils.DetectSQLInjection("/sql/injection?id=" + types.String(rands.Int64()%10000))`
			`}`
			`})`
			`}`

			`func BenchmarkDetectSQLInjection_URL_Normal_Middle(b *testing.B) {`
			`runtime.GOMAXPROCS(4)`

			`b.RunParallel(func(pb *testing.PB) {`
			`for pb.Next() {`
			`_ = injectionutils.DetectSQLInjection("/search?q=libinjection+fingerprint&newwindow=1&sca_esv=589290862&sxsrf=AMwHvKnxuLoejn2XlNniffC12E_xc35M7Q%3A1702090118361&ei=htvzzebfFZfo1e8PvLGggAk&ved=0ahUKEwjTsYmnq4GDAxUWdPOHHbwkCJAQ4ddDCBA&uact=5&oq=libinjection+fingerprint&gs_lp=Egxnd3Mtd2l6LXNlcnAiGIxpYmluamVjdGlvbmBmaW5nKXJwcmludTIEEAAYHjIGVAAYCBgeSiEaUPkRWKFZcAJ4AZABAJgBHgGgAfoEqgwDMC40uAEGyAEA-AEBwgIKEAFYTxjWMuiwA-IDBBgAVteIBgGQBgI&sclient=gws-wiz-serp#ip=1")`
			`}`
			`})`
			`}`

			`func BenchmarkDetectSQLInjection_URL_Normal_Small_Cache(b *testing.B) {`
			`runtime.GOMAXPROCS(4)`

			`b.RunParallel(func(pb *testing.PB) {`
			`for pb.Next() {`
			`_ = injectionutils.DetectSQLInjectionCache("/sql/injection?id="+types.String(rands.Int64()%10000), utils.CacheMiddleLife)`
			`}`
			`})`
			`}`

			`func BenchmarkDetectSQLInjection_Normal_Large(b *testing.B) {`
			`runtime.GOMAXPROCS(4)`

			`var s = strings.Repeat("A", 512)`
			`b.ResetTimer()`

			`b.RunParallel(func(pb *testing.PB) {`
			`for pb.Next() {`
			`_ = injectionutils.DetectSQLInjection("a/sql/injection?id=" + types.String(rands.Int64()%10000) + "&s=" + s)`
			`}`
			`})`
			`}`

			`func BenchmarkDetectSQLInjection_Normal_Large_Cache(b *testing.B) {`
			`runtime.GOMAXPROCS(4)`

			`var s = strings.Repeat("A", 512)`

			`b.RunParallel(func(pb *testing.PB) {`
			`for pb.Next() {`
			`_ = injectionutils.DetectSQLInjectionCache("a/sql/injection?id="+types.String(rands.Int64()%10000)+"&s="+s, utils.CacheMiddleLife)`
			`}`
			`})`
			`}`

WAF增加“包含SQL注入”操作符 2023-12-07 20:25:35 +08:00			`func BenchmarkDetectSQLInjection_URL_Unescape(b *testing.B) {`
			`runtime.GOMAXPROCS(4)`

			`b.RunParallel(func(pb *testing.PB) {`
			`for pb.Next() {`
			`_ = injectionutils.DetectSQLInjection("/sql/injection?id=123%20or%201=1")`
			`}`
			`})`
			`}`