github.com/lulzWill/go-agent@v2.1.2+incompatible/internal/crossagent/cross_agent_tests/sql_obfuscation/sql_obfuscation.json (about) 1 [ 2 { 3 "name": "back_quoted_identifiers.mysql", 4 "obfuscated": [ 5 "SELECT `t001`.`c2` FROM `t001` WHERE `t001`.`c2` = ? AND c3=? LIMIT ?" 6 ], 7 "dialects": [ 8 "mysql" 9 ], 10 "sql": "SELECT `t001`.`c2` FROM `t001` WHERE `t001`.`c2` = 'value' AND c3=\"othervalue\" LIMIT ?" 11 }, 12 { 13 "name": "comment_delimiters_in_double_quoted_strings", 14 "obfuscated": [ 15 "SELECT * FROM t WHERE foo=? AND baz=?" 16 ], 17 "dialects": [ 18 "mysql" 19 ], 20 "sql": "SELECT * FROM t WHERE foo=\"bar/*\" AND baz=\"whatever */qux\"" 21 }, 22 { 23 "name": "comment_delimiters_in_single_quoted_strings", 24 "obfuscated": [ 25 "SELECT * FROM t WHERE foo=? AND baz=?" 26 ], 27 "dialects": [ 28 "mysql", 29 "postgres", 30 "oracle", 31 "cassandra", 32 "sqlite" 33 ], 34 "sql": "SELECT * FROM t WHERE foo='bar/*' AND baz='whatever */qux'" 35 }, 36 { 37 "name": "double_quoted_identifiers.postgres", 38 "obfuscated": [ 39 "SELECT \"t001\".\"c2\" FROM \"t001\" WHERE \"t001\".\"c2\" = ? AND c3=? LIMIT ?" 40 ], 41 "dialects": [ 42 "postgres", 43 "oracle" 44 ], 45 "sql": "SELECT \"t001\".\"c2\" FROM \"t001\" WHERE \"t001\".\"c2\" = 'value' AND c3=1234 LIMIT 1" 46 }, 47 { 48 "name": "end_of_line_comment_in_double_quoted_string", 49 "obfuscated": [ 50 "SELECT * FROM t WHERE foo=? AND\n baz=?" 51 ], 52 "dialects": [ 53 "mysql" 54 ], 55 "sql": "SELECT * FROM t WHERE foo=\"bar--\" AND\n baz=\"qux--\"" 56 }, 57 { 58 "name": "end_of_line_comment_in_single_quoted_string", 59 "obfuscated": [ 60 "SELECT * FROM t WHERE foo=? AND\n baz=?" 61 ], 62 "dialects": [ 63 "mysql", 64 "postgres", 65 "oracle", 66 "cassandra", 67 "sqlite" 68 ], 69 "sql": "SELECT * FROM t WHERE foo='bar--' AND\n baz='qux--'" 70 }, 71 { 72 "name": "end_of_query_comment_cstyle", 73 "obfuscated": [ 74 "SELECT * FROM foo WHERE bar=? ?", 75 "SELECT * FROM foo WHERE bar=? " 76 ], 77 "dialects": [ 78 "mysql", 79 "postgres", 80 "oracle", 81 "cassandra", 82 "sqlite" 83 ], 84 "sql": "SELECT * FROM foo WHERE bar='baz' /* Hide Me */" 85 }, 86 { 87 "name": "end_of_query_comment_doubledash", 88 "obfuscated": [ 89 "SELECT * FROM foobar WHERE password=?\n?", 90 "SELECT * FROM foobar WHERE password=?\n" 91 ], 92 "dialects": [ 93 "mysql", 94 "postgres", 95 "oracle", 96 "cassandra", 97 "sqlite" 98 ], 99 "sql": "SELECT * FROM foobar WHERE password='hunter2'\n-- No peeking!" 100 }, 101 { 102 "name": "end_of_query_comment_hash", 103 "obfuscated": [ 104 "SELECT foo, bar FROM baz WHERE password=? ?", 105 "SELECT foo, bar FROM baz WHERE password=? " 106 ], 107 "dialects": [ 108 "mysql", 109 "postgres", 110 "oracle", 111 "cassandra", 112 "sqlite" 113 ], 114 "sql": "SELECT foo, bar FROM baz WHERE password='hunter2' # Secret" 115 }, 116 { 117 "name": "escape_string_constants.postgres", 118 "sql": "SELECT \"col1\", \"col2\" from \"table\" WHERE \"col3\"=E'foo\\'bar\\\\baz' AND country=e'foo\\'bar\\\\baz'", 119 "obfuscated": [ 120 "SELECT \"col1\", \"col2\" from \"table\" WHERE \"col3\"=E?", 121 "SELECT \"col1\", \"col2\" from \"table\" WHERE \"col3\"=E? AND country=e?" 122 ], 123 "dialects": [ 124 "postgres" 125 ], 126 "comments": [ 127 "PostgreSQL supports an alternate string quoting mode where backslash escape", 128 "sequences are interpreted.", 129 "See: http://www.postgresql.org/docs/9.3/static/sql-syntax-lexical.html#SQL-SYNTAX-STRINGS-ESCAPE" 130 ] 131 }, 132 { 133 "name": "multiple_literal_types.mysql", 134 "obfuscated": [ 135 "INSERT INTO `X` values(?,?, ? , ?, ?)" 136 ], 137 "dialects": [ 138 "mysql" 139 ], 140 "sql": "INSERT INTO `X` values(\"test\",0, 1 , 2, 'test')" 141 }, 142 { 143 "name": "numbers_in_identifiers", 144 "obfuscated": [ 145 "SELECT c11.col1, c22.col2 FROM table c11, table c22 WHERE value=?" 146 ], 147 "dialects": [ 148 "mysql", 149 "postgres", 150 "oracle", 151 "cassandra", 152 "sqlite" 153 ], 154 "sql": "SELECT c11.col1, c22.col2 FROM table c11, table c22 WHERE value='nothing'" 155 }, 156 { 157 "name": "numeric_literals", 158 "sql": "INSERT INTO X VALUES(1, 23456, 123.456, 99+100)", 159 "obfuscated": [ 160 "INSERT INTO X VALUES(?, ?, ?, ?+?)", 161 "INSERT INTO X VALUES(?, ?, ?.?, ?+?)" 162 ], 163 "dialects": [ 164 "mysql", 165 "postgres", 166 "oracle", 167 "cassandra", 168 "sqlite" 169 ] 170 }, 171 { 172 "name": "string_double_quoted.mysql", 173 "obfuscated": [ 174 "SELECT * FROM table WHERE name=? AND value=?" 175 ], 176 "dialects": [ 177 "mysql" 178 ], 179 "sql": "SELECT * FROM table WHERE name=\"foo\" AND value=\"don't\"" 180 }, 181 { 182 "name": "string_single_quoted", 183 "obfuscated": [ 184 "SELECT * FROM table WHERE name=? AND value = ?" 185 ], 186 "dialects": [ 187 "mysql", 188 "postgres", 189 "oracle", 190 "cassandra", 191 "sqlite" 192 ], 193 "sql": "SELECT * FROM table WHERE name='foo' AND value = 'bar'" 194 }, 195 { 196 "name": "string_with_backslash_and_twin_single_quotes", 197 "obfuscated": [ 198 "SELECT * FROM table WHERE col=?" 199 ], 200 "dialects": [ 201 "mysql", 202 "postgres", 203 "oracle", 204 "cassandra", 205 "sqlite" 206 ], 207 "sql": "SELECT * FROM table WHERE col='foo\\''bar'", 208 "comments": [ 209 "If backslashes are being ignored in single-quoted strings", 210 "(standard_conforming_strings=on in PostgreSQL, or NO_BACKSLASH_ESCAPES is on", 211 "in MySQL), then this is valid SQL." 212 ] 213 }, 214 { 215 "name": "string_with_embedded_double_quote", 216 "obfuscated": [ 217 "SELECT * FROM table WHERE col1=? AND col2=?" 218 ], 219 "dialects": [ 220 "mysql", 221 "postgres", 222 "oracle", 223 "cassandra", 224 "sqlite" 225 ], 226 "sql": "SELECT * FROM table WHERE col1='foo\"bar' AND col2='what\"ever'" 227 }, 228 { 229 "name": "string_with_embedded_newline", 230 "obfuscated": [ 231 "select * from accounts where accounts.name != ? order by accounts.name" 232 ], 233 "dialects": [ 234 "mysql", 235 "postgres", 236 "oracle", 237 "cassandra", 238 "sqlite" 239 ], 240 "sql": "select * from accounts where accounts.name != 'dude \n newline' order by accounts.name" 241 }, 242 { 243 "name": "string_with_embedded_single_quote.mysql", 244 "obfuscated": [ 245 "SELECT * FROM table WHERE col1=? AND col2=?" 246 ], 247 "dialects": [ 248 "mysql" 249 ], 250 "sql": "SELECT * FROM table WHERE col1=\"don't\" AND col2=\"won't\"" 251 }, 252 { 253 "name": "string_with_escaped_quotes.mysql", 254 "sql": "INSERT INTO X values('', 'jim''s ssn',0, 1 , 'jim''s son''s son', \"\"\"jim''s\"\" hat\", \"\\\"jim''s secret\\\"\")", 255 "obfuscated": [ 256 "INSERT INTO X values(?, ?,?, ? , ?, ?, ?", 257 "INSERT INTO X values(?, ?,?, ? , ?, ?, ?)" 258 ], 259 "dialects": [ 260 "mysql" 261 ] 262 }, 263 { 264 "name": "string_with_trailing_backslash", 265 "sql": "SELECT * FROM table WHERE name='foo\\' AND color='blue'", 266 "obfuscated": [ 267 "SELECT * FROM table WHERE name=?", 268 "SELECT * FROM table WHERE name=? AND color=?" 269 ], 270 "dialects": [ 271 "mysql", 272 "postgres", 273 "oracle", 274 "cassandra", 275 "sqlite" 276 ], 277 "comments": [ 278 "If backslashes are being ignored in single-quoted strings", 279 "(standard_conforming_strings=on in PostgreSQL, or NO_BACKSLASH_ESCAPES is on", 280 "in MySQL), then this is valid SQL." 281 ] 282 }, 283 { 284 "name": "string_with_trailing_escaped_backslash.mysql", 285 "obfuscated": [ 286 "SELECT * FROM table WHERE foo=?" 287 ], 288 "dialects": [ 289 "mysql" 290 ], 291 "sql": "SELECT * FROM table WHERE foo=\"this string ends with a backslash\\\\\"" 292 }, 293 { 294 "name": "string_with_trailing_escaped_backslash_single_quoted", 295 "obfuscated": [ 296 "SELECT * FROM table WHERE foo=?" 297 ], 298 "dialects": [ 299 "mysql", 300 "postgres", 301 "oracle", 302 "cassandra", 303 "sqlite" 304 ], 305 "sql": "SELECT * FROM table WHERE foo='this string ends with a backslash\\\\'" 306 }, 307 { 308 "name": "string_with_trailing_escaped_quote", 309 "sql": "SELECT * FROM table WHERE name='foo\\'' AND color='blue'", 310 "obfuscated": [ 311 "SELECT * FROM table WHERE name=?", 312 "SELECT * FROM table WHERE name=? AND color=?" 313 ], 314 "dialects": [ 315 "mysql", 316 "postgres", 317 "oracle", 318 "cassandra", 319 "sqlite" 320 ] 321 }, 322 { 323 "name": "string_with_twin_single_quotes", 324 "obfuscated": [ 325 "INSERT INTO X values(?, ?,?, ? , ?)" 326 ], 327 "dialects": [ 328 "mysql", 329 "postgres", 330 "oracle", 331 "cassandra", 332 "sqlite" 333 ], 334 "sql": "INSERT INTO X values('', 'a''b c',0, 1 , 'd''e f''s h')" 335 }, 336 { 337 "name": "pathological/end_of_line_comments_with_quotes", 338 "sql": "SELECT * FROM t WHERE -- '\n bar='baz' -- '", 339 "obfuscated": [ 340 "SELECT * FROM t WHERE ?\n bar=? ?", 341 "SELECT * FROM t WHERE ?" 342 ], 343 "dialects": [ 344 "mysql", 345 "postgres", 346 "oracle", 347 "cassandra", 348 "sqlite" 349 ], 350 "pathological": true 351 }, 352 { 353 "name": "pathological/mixed_comments_and_quotes", 354 "sql": "SELECT * FROM t WHERE /* ' */ \n bar='baz' -- '", 355 "obfuscated": [ 356 "SELECT * FROM t WHERE ? \n bar=? ?", 357 "SELECT * FROM t WHERE ?" 358 ], 359 "dialects": [ 360 "mysql", 361 "postgres", 362 "oracle", 363 "cassandra", 364 "sqlite" 365 ], 366 "pathological": true 367 }, 368 { 369 "name": "pathological/mixed_quotes_comments_and_newlines", 370 "sql": "SELECT * FROM t WHERE -- '\n /* ' */ c2='xxx' /* ' */\n c='x\n xx' -- '", 371 "obfuscated": [ 372 "SELECT * FROM t WHERE ?\n ? c2=? ?\n c=? ?", 373 "SELECT * FROM t WHERE ?" 374 ], 375 "dialects": [ 376 "mysql", 377 "postgres", 378 "oracle", 379 "cassandra", 380 "sqlite" 381 ], 382 "pathological": true 383 }, 384 { 385 "name": "pathological/mixed_quotes_end_of_line_comments", 386 "sql": "SELECT * FROM t WHERE -- '\n c='x\n xx' -- '", 387 "obfuscated": [ 388 "SELECT * FROM t WHERE ?\n c=? ?", 389 "SELECT * FROM t WHERE ?" 390 ], 391 "dialects": [ 392 "mysql", 393 "postgres", 394 "oracle", 395 "cassandra", 396 "sqlite" 397 ], 398 "pathological": true 399 }, 400 { 401 "name": "pathological/quote_delimiters_in_comments", 402 "sql": "SELECT * FROM foo WHERE col='value1' AND /* don't */ col2='value1' /* won't */", 403 "obfuscated": [ 404 "SELECT * FROM foo WHERE col=? AND ? col2=? ?", 405 "SELECT * FROM foo WHERE col=? AND ?" 406 ], 407 "dialects": [ 408 "mysql", 409 "postgres", 410 "oracle", 411 "cassandra", 412 "sqlite" 413 ], 414 "pathological": true 415 }, 416 { 417 "name": "malformed/unterminated_double_quoted_string.mysql", 418 "sql": "SELECT * FROM table WHERE foo='bar' AND baz=\"nothing to see here'", 419 "dialects": [ 420 "mysql" 421 ], 422 "obfuscated": [ 423 "?" 424 ], 425 "malformed": true 426 }, 427 { 428 "name": "malformed/unterminated_single_quoted_string", 429 "sql": "SELECT * FROM table WHERE foo='bar' AND baz='nothing to see here", 430 "dialects": [ 431 "mysql", 432 "postgres", 433 "oracle", 434 "cassandra", 435 "sqlite" 436 ], 437 "obfuscated": [ 438 "?" 439 ], 440 "malformed": true 441 }, 442 { 443 "name": "dollar_quotes", 444 "sql": "SELECT * FROM \"foo\" WHERE \"foo\" = $a$dollar quotes can be $b$nested$b$$a$ and bar = 'baz'", 445 "obfuscated": [ 446 "SELECT * FROM \"foo\" WHERE \"foo\" = ? and bar = ?" 447 ], 448 "dialects": [ 449 "postgres" 450 ] 451 }, 452 { 453 "name": "variable_substitution_not_mistaken_for_dollar_quotes", 454 "sql": "INSERT INTO \"foo\" (\"bar\", \"baz\", \"qux\") VALUES ($1, $2, $3) RETURNING \"id\"", 455 "obfuscated": [ 456 "INSERT INTO \"foo\" (\"bar\", \"baz\", \"qux\") VALUES ($?, $?, $?) RETURNING \"id\"" 457 ], 458 "dialects": [ 459 "postgres" 460 ] 461 }, 462 { 463 "name": "non_quote_escape", 464 "sql": "select * from foo where bar = 'some\\tthing' and baz = 10", 465 "obfuscated": [ 466 "select * from foo where bar = ? and baz = ?" 467 ], 468 "dialects": [ 469 "mysql", 470 "postgres", 471 "oracle", 472 "cassandra", 473 "sqlite" 474 ] 475 }, 476 { 477 "name": "end_of_string_backslash_and_line_comment_with_quite", 478 "sql": "select * from users where user = 'user1\\' password = 'hunter 2' -- ->don't count this quote", 479 "obfuscated": [ 480 "select * from users where user = ?" 481 ], 482 "dialects": [ 483 "mysql", 484 "postgres", 485 "oracle", 486 "cassandra", 487 "sqlite" 488 ], 489 "pathological": true 490 }, 491 { 492 "name": "oracle_bracket_quote", 493 "sql": "select * from foo where bar=q'[baz's]' and x=5", 494 "obfuscated": [ 495 "select * from foo where bar=? and x=?" 496 ], 497 "dialects": [ 498 "oracle" 499 ] 500 }, 501 { 502 "name": "oracle_brace_quote", 503 "sql": "select * from foo where bar=q'{baz's}' and x=5", 504 "obfuscated": [ 505 "select * from foo where bar=? and x=?" 506 ], 507 "dialects": [ 508 "oracle" 509 ] 510 }, 511 { 512 "name": "oracle_angle_quote", 513 "sql": "select * from foo where bar=q'<baz's>' and x=5", 514 "obfuscated": [ 515 "select * from foo where bar=? and x=?" 516 ], 517 "dialects": [ 518 "oracle" 519 ] 520 }, 521 { 522 "name": "oracle_paren_quote", 523 "sql": "select * from foo where bar=q'(baz's)' and x=5", 524 "obfuscated": [ 525 "select * from foo where bar=? and x=?" 526 ], 527 "dialects": [ 528 "oracle" 529 ] 530 }, 531 { 532 "name": "cassandra_blobs", 533 "sql": "select * from foo where bar=0xabcdef123 and x=5", 534 "obfuscated": [ 535 "select * from foo where bar=? and x=?" 536 ], 537 "dialects": [ 538 "cassandra", 539 "sqlite" 540 ] 541 }, 542 { 543 "name": "hex_literals", 544 "sql": "select * from foo where bar=0x2F and x=5", 545 "obfuscated": [ 546 "select * from foo where bar=? and x=?" 547 ], 548 "dialects": [ 549 "mysql", 550 "cassandra", 551 "sqlite" 552 ] 553 }, 554 { 555 "name": "exponential_literals", 556 "sql": "select * from foo where bar=1.234e-5 and x=5", 557 "obfuscated": [ 558 "select * from foo where bar=? and x=?" 559 ], 560 "dialects": [ 561 "mysql", 562 "postgres", 563 "oracle", 564 "cassandra", 565 "sqlite" 566 ] 567 }, 568 { 569 "name": "negative_integer_literals", 570 "sql": "select * from foo where bar=-1.234e-5 and x=-5", 571 "obfuscated": [ 572 "select * from foo where bar=? and x=?" 573 ], 574 "dialects": [ 575 "mysql", 576 "postgres", 577 "oracle", 578 "cassandra", 579 "sqlite" 580 ] 581 }, 582 { 583 "name": "uuid", 584 "sql": "select * from foo where bar=01234567-89ab-cdef-0123-456789abcdef and x=5", 585 "obfuscated": [ 586 "select * from foo where bar=? and x=?" 587 ], 588 "dialects": [ 589 "postgres", 590 "cassandra" 591 ] 592 }, 593 { 594 "name": "uuid_with_braces", 595 "sql": "select * from foo where bar={01234567-89ab-cdef-0123-456789abcdef} and x=5", 596 "obfuscated": [ 597 "select * from foo where bar=? and x=?" 598 ], 599 "dialects": [ 600 "postgres" 601 ] 602 }, 603 { 604 "name": "uuid_no_dashes", 605 "sql": "select * from foo where bar=0123456789abcdef0123456789abcdef and x=5", 606 "obfuscated": [ 607 "select * from foo where bar=? and x=?" 608 ], 609 "dialects": [ 610 "postgres" 611 ] 612 }, 613 { 614 "name": "uuid_random_dashes", 615 "sql": "select * from foo where bar={012-345678-9abc-def012345678-9abcdef} and x=5", 616 "obfuscated": [ 617 "select * from foo where bar=? and x=?" 618 ], 619 "dialects": [ 620 "postgres" 621 ] 622 }, 623 { 624 "name": "booleans", 625 "sql": "select * from truestory where bar=true and x=FALSE", 626 "obfuscated": [ 627 "select * from truestory where bar=? and x=?" 628 ], 629 "dialects": [ 630 "mysql", 631 "postgres", 632 "cassandra", 633 "sqlite" 634 ] 635 } 636 ]