
     1  // Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
     2  
     3  package injectionutils_test
     4  
     5  import (
     6  	"github.com/TeaOSLab/EdgeNode/internal/waf/injectionutils"
     7  	"github.com/TeaOSLab/EdgeNode/internal/waf/utils"
     8  	"github.com/iwind/TeaGo/assert"
     9  	"github.com/iwind/TeaGo/rands"
    10  	"github.com/iwind/TeaGo/types"
    11  	"runtime"
    12  	"strings"
    13  	"testing"
    14  )
    15  
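// TestDetectSQLInjection checks DetectSQLInjection against a fixed set of inputs in
// both strict and non-strict mode. Every listed input is expected to get the same
// verdict in both modes, so each case runs once per mode as its own subtest; a
// failure then names the offending payload and the mode instead of only a line number.
func TestDetectSQLInjection(t *testing.T) {
	var cases = []struct {
		input string
		want  bool // true when the input must be reported as SQL injection
	}{
		// Raw SQL fragments.
		{"' UNION SELECT * FROM myTable", true},
		{"id=1 ' UNION  select * from a", true},
		{"asdf asd ; -1' and 1=1 union/* foo */select load_file('/etc/passwd')--", true},
		// "SELECT1" is not the SELECT keyword, so this near-miss must not match.
		{"' UNION SELECT1 * FROM myTable", false},
		// Plain values and the empty string are not injections.
		{"1234", false},
		{"", false},
		// Tautologies embedded in query-string parameters.
		{"id=123 OR 1=1&b=2", true},
		{"id=123&b=456&c=1' or 2=2", true},
		// Benign query strings.
		{"?", false},
		{"/hello?age=22", false},
		// Paths and full URLs carrying a tautology; the percent-encoded forms are
		// expected to be caught as well as the plain ones.
		{"/sql/injection?id=123 or 1=1", true},
		{"/sql/injection?id=123%20or%201=1", true},
		{"https://example.com/sql/injection?id=123%20or%201=1", true},
		{"id=123%20or%201=1", true},
		{"https://example.com/' or 1=1", true},
	}

	for _, isStrict := range []bool{true, false} {
		mode := "strict"
		if !isStrict {
			mode = "non-strict"
		}
		for _, tc := range cases {
			// t.Run executes the subtest synchronously, so capturing tc and isStrict is safe.
			t.Run(mode+" "+tc.input, func(t *testing.T) {
				var a = assert.NewAssertion(t)
				got := injectionutils.DetectSQLInjection(tc.input, isStrict)
				if tc.want {
					a.IsTrue(got)
				} else {
					a.IsFalse(got)
				}
			})
		}
	}
}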
    36  
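// BenchmarkDetectSQLInjection measures DetectSQLInjection on a fixed injection payload
// (the same one the unit test expects to be detected) from several goroutines at once.
func BenchmarkDetectSQLInjection(b *testing.B) {
	// Pin the scheduler to 4 Ps for comparable numbers (this overrides any -cpu
	// setting), but restore the previous value on return so the process-wide
	// override does not outlive this benchmark.
	prev := runtime.GOMAXPROCS(4)
	defer runtime.GOMAXPROCS(prev)

	b.RunParallel(func(pb *testing.PB) {
		for pb.Next() {
			_ = injectionutils.DetectSQLInjection("asdf asd ; -1' and 1=1 union/* foo */select load_file('/etc/passwd')--", false)
		}
	})
}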
    46  
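// BenchmarkDetectSQLInjection_URL measures DetectSQLInjection on a request path whose
// query string carries an unencoded tautology, from several goroutines at once.
func BenchmarkDetectSQLInjection_URL(b *testing.B) {
	// Pin the scheduler to 4 Ps for comparable numbers (this overrides any -cpu
	// setting), but restore the previous value on return so the process-wide
	// override does not outlive this benchmark.
	prev := runtime.GOMAXPROCS(4)
	defer runtime.GOMAXPROCS(prev)

	b.RunParallel(func(pb *testing.PB) {
		for pb.Next() {
			_ = injectionutils.DetectSQLInjection("/sql/injection?id=123 or 1=1", false)
		}
	})
}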
    56  
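// BenchmarkDetectSQLInjection_Normal_Small measures the cost of scanning a short,
// benign path with a numeric query parameter, i.e. the common non-attack case.
func BenchmarkDetectSQLInjection_Normal_Small(b *testing.B) {
	// Pin the scheduler to 4 Ps for comparable numbers (this overrides any -cpu
	// setting), but restore the previous value on return so the process-wide
	// override does not outlive this benchmark.
	prev := runtime.GOMAXPROCS(4)
	defer runtime.GOMAXPROCS(prev)

	b.RunParallel(func(pb *testing.PB) {
		for pb.Next() {
			_ = injectionutils.DetectSQLInjection("a/sql/injection?id=1234", false)
		}
	})
}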
    66  
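// BenchmarkDetectSQLInjection_URL_Normal_Small measures scanning a short benign path
// whose numeric id changes on every call, so successive inputs are not identical.
func BenchmarkDetectSQLInjection_URL_Normal_Small(b *testing.B) {
	// Pin the scheduler to 4 Ps for comparable numbers (this overrides any -cpu
	// setting), but restore the previous value on return so the process-wide
	// override does not outlive this benchmark.
	prev := runtime.GOMAXPROCS(4)
	defer runtime.GOMAXPROCS(prev)

	b.RunParallel(func(pb *testing.PB) {
		for pb.Next() {
			// The random id is generated inside the timed region, so its cost is
			// included in the measurement; this matches the cache variant below.
			_ = injectionutils.DetectSQLInjection("/sql/injection?id="+types.String(rands.Int64()%10000), false)
		}
	})
}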
    76  
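// BenchmarkDetectSQLInjection_URL_Normal_Middle measures scanning a medium-length,
// benign search URL with many opaque query parameters (a realistic non-attack request).
func BenchmarkDetectSQLInjection_URL_Normal_Middle(b *testing.B) {
	// Pin the scheduler to 4 Ps for comparable numbers (this overrides any -cpu
	// setting), but restore the previous value on return so the process-wide
	// override does not outlive this benchmark.
	prev := runtime.GOMAXPROCS(4)
	defer runtime.GOMAXPROCS(prev)

	b.RunParallel(func(pb *testing.PB) {
		for pb.Next() {
			_ = injectionutils.DetectSQLInjection("/search?q=libinjection+fingerprint&newwindow=1&sca_esv=589290862&sxsrf=AMwHvKnxuLoejn2XlNniffC12E_xc35M7Q%3A1702090118361&ei=htvzzebfFZfo1e8PvLGggAk&ved=0ahUKEwjTsYmnq4GDAxUWdPOHHbwkCJAQ4ddDCBA&uact=5&oq=libinjection+fingerprint&gs_lp=Egxnd3Mtd2l6LXNlcnAiGIxpYmluamVjdGlvbmBmaW5nKXJwcmludTIEEAAYHjIGVAAYCBgeSiEaUPkRWKFZcAJ4AZABAJgBHgGgAfoEqgwDMC40uAEGyAEA-AEBwgIKEAFYTxjWMuiwA-IDBBgAVteIBgGQBgI&sclient=gws-wiz-serp#ip=1", false)
		}
	})
}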
    86  
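// BenchmarkDetectSQLInjection_URL_Normal_Small_Cache is the cached counterpart of
// BenchmarkDetectSQLInjection_URL_Normal_Small: same benign input shape, but routed
// through DetectSQLInjectionCache with utils.CacheMiddleLife.
func BenchmarkDetectSQLInjection_URL_Normal_Small_Cache(b *testing.B) {
	// Pin the scheduler to 4 Ps for comparable numbers (this overrides any -cpu
	// setting), but restore the previous value on return so the process-wide
	// override does not outlive this benchmark.
	prev := runtime.GOMAXPROCS(4)
	defer runtime.GOMAXPROCS(prev)

	b.RunParallel(func(pb *testing.PB) {
		for pb.Next() {
			// The id is drawn from a pool of 10000 values, so repeated inputs are
			// expected; presumably this is what exercises the cache path — confirm.
			_ = injectionutils.DetectSQLInjectionCache("/sql/injection?id="+types.String(rands.Int64()%10000), false, utils.CacheMiddleLife)
		}
	})
}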
    96  
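// BenchmarkDetectSQLInjection_Normal_Large measures scanning a benign request whose
// query string carries a 512-byte filler parameter plus a percent-encoded value.
func BenchmarkDetectSQLInjection_Normal_Large(b *testing.B) {
	// Pin the scheduler to 4 Ps for comparable numbers (this overrides any -cpu
	// setting), but restore the previous value on return so the process-wide
	// override does not outlive this benchmark.
	prev := runtime.GOMAXPROCS(4)
	defer runtime.GOMAXPROCS(prev)

	// Build the filler once, outside the timed region.
	var s = strings.Repeat("A", 512)
	b.ResetTimer()

	b.RunParallel(func(pb *testing.PB) {
		for pb.Next() {
			_ = injectionutils.DetectSQLInjection("a/sql/injection?id="+types.String(rands.Int64()%10000)+"&s="+s+"&v=%20", false)
		}
	})
}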
   109  
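// BenchmarkDetectSQLInjection_Normal_Large_Cache is the cached counterpart of
// BenchmarkDetectSQLInjection_Normal_Large: a benign request with a 512-byte filler
// parameter, routed through DetectSQLInjectionCache with utils.CacheMiddleLife.
func BenchmarkDetectSQLInjection_Normal_Large_Cache(b *testing.B) {
	// Pin the scheduler to 4 Ps for comparable numbers (this overrides any -cpu
	// setting), but restore the previous value on return so the process-wide
	// override does not outlive this benchmark.
	prev := runtime.GOMAXPROCS(4)
	defer runtime.GOMAXPROCS(prev)

	// Build the filler once and exclude it from the timing, as the uncached
	// variant does, so the two benchmarks measure the same thing.
	var s = strings.Repeat("A", 512)
	b.ResetTimer()

	b.RunParallel(func(pb *testing.PB) {
		for pb.Next() {
			_ = injectionutils.DetectSQLInjectionCache("a/sql/injection?id="+types.String(rands.Int64()%10000)+"&s="+s, false, utils.CacheMiddleLife)
		}
	})
}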
   121  
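// BenchmarkDetectSQLInjection_URL_Unescape measures DetectSQLInjection on a path whose
// tautology is percent-encoded, so the cost of handling the encoded form is included.
func BenchmarkDetectSQLInjection_URL_Unescape(b *testing.B) {
	// Pin the scheduler to 4 Ps for comparable numbers (this overrides any -cpu
	// setting), but restore the previous value on return so the process-wide
	// override does not outlive this benchmark.
	prev := runtime.GOMAXPROCS(4)
	defer runtime.GOMAXPROCS(prev)

	b.RunParallel(func(pb *testing.PB) {
		for pb.Next() {
			_ = injectionutils.DetectSQLInjection("/sql/injection?id=123%20or%201=1", false)
		}
	})
}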