github.com/newrelic/go-agent@v3.26.0+incompatible/internal/crossagent/cross_agent_tests/sql_obfuscation/sql_obfuscation.json (about) 1 [ 2 { 3 "name": "back_quoted_identifiers.mysql", 4 "obfuscated": [ 5 "SELECT `t001`.`c2` FROM `t001` WHERE `t001`.`c2` = ? AND c3=? LIMIT ?" 6 ], 7 "dialects": [ 8 "mysql" 9 ], 10 "sql": "SELECT `t001`.`c2` FROM `t001` WHERE `t001`.`c2` = 'value' AND c3=\"othervalue\" LIMIT ?" 11 }, 12 { 13 "name": "comment_delimiters_in_double_quoted_strings", 14 "obfuscated": [ 15 "SELECT * FROM t WHERE foo=? AND baz=?" 16 ], 17 "dialects": [ 18 "mssql", 19 "mysql" 20 ], 21 "sql": "SELECT * FROM t WHERE foo=\"bar/*\" AND baz=\"whatever */qux\"" 22 }, 23 { 24 "name": "comment_delimiters_in_single_quoted_strings", 25 "obfuscated": [ 26 "SELECT * FROM t WHERE foo=? AND baz=?" 27 ], 28 "dialects": [ 29 "mssql", 30 "mysql", 31 "postgres", 32 "oracle", 33 "cassandra", 34 "sqlite" 35 ], 36 "sql": "SELECT * FROM t WHERE foo='bar/*' AND baz='whatever */qux'" 37 }, 38 { 39 "name": "double_quoted_identifiers.postgres", 40 "obfuscated": [ 41 "SELECT \"t001\".\"c2\" FROM \"t001\" WHERE \"t001\".\"c2\" = ? AND c3=? LIMIT ?" 42 ], 43 "dialects": [ 44 "postgres", 45 "oracle" 46 ], 47 "sql": "SELECT \"t001\".\"c2\" FROM \"t001\" WHERE \"t001\".\"c2\" = 'value' AND c3=1234 LIMIT 1" 48 }, 49 { 50 "name": "end_of_line_comment_in_double_quoted_string", 51 "obfuscated": [ 52 "SELECT * FROM t WHERE foo=? AND\n baz=?" 53 ], 54 "dialects": [ 55 "mssql", 56 "mysql" 57 ], 58 "sql": "SELECT * FROM t WHERE foo=\"bar--\" AND\n baz=\"qux--\"" 59 }, 60 { 61 "name": "end_of_line_comment_in_single_quoted_string", 62 "obfuscated": [ 63 "SELECT * FROM t WHERE foo=? AND\n baz=?" 64 ], 65 "dialects": [ 66 "mssql", 67 "mysql", 68 "postgres", 69 "oracle", 70 "cassandra", 71 "sqlite" 72 ], 73 "sql": "SELECT * FROM t WHERE foo='bar--' AND\n baz='qux--'" 74 }, 75 { 76 "name": "end_of_query_comment_cstyle", 77 "obfuscated": [ 78 "SELECT * FROM foo WHERE bar=? ?", 79 "SELECT * FROM foo WHERE bar=? " 80 ], 81 "dialects": [ 82 "mysql", 83 "postgres", 84 "oracle", 85 "cassandra", 86 "sqlite" 87 ], 88 "sql": "SELECT * FROM foo WHERE bar='baz' /* Hide Me */" 89 }, 90 { 91 "name": "end_of_query_comment_doubledash", 92 "obfuscated": [ 93 "SELECT * FROM foobar WHERE password=?\n?", 94 "SELECT * FROM foobar WHERE password=?\n" 95 ], 96 "dialects": [ 97 "mysql", 98 "postgres", 99 "oracle", 100 "cassandra", 101 "sqlite" 102 ], 103 "sql": "SELECT * FROM foobar WHERE password='hunter2'\n-- No peeking!" 104 }, 105 { 106 "name": "end_of_query_comment_hash", 107 "obfuscated": [ 108 "SELECT foo, bar FROM baz WHERE password=? ?", 109 "SELECT foo, bar FROM baz WHERE password=? " 110 ], 111 "dialects": [ 112 "mysql", 113 "postgres", 114 "oracle", 115 "cassandra", 116 "sqlite" 117 ], 118 "sql": "SELECT foo, bar FROM baz WHERE password='hunter2' # Secret" 119 }, 120 { 121 "name": "escape_string_constants.postgres", 122 "sql": "SELECT \"col1\", \"col2\" from \"table\" WHERE \"col3\"=E'foo\\'bar\\\\baz' AND country=e'foo\\'bar\\\\baz'", 123 "obfuscated": [ 124 "SELECT \"col1\", \"col2\" from \"table\" WHERE \"col3\"=E?", 125 "SELECT \"col1\", \"col2\" from \"table\" WHERE \"col3\"=E? AND country=e?" 126 ], 127 "dialects": [ 128 "postgres" 129 ], 130 "comments": [ 131 "PostgreSQL supports an alternate string quoting mode where backslash escape", 132 "sequences are interpreted.", 133 "See: http://www.postgresql.org/docs/9.3/static/sql-syntax-lexical.html#SQL-SYNTAX-STRINGS-ESCAPE" 134 ] 135 }, 136 { 137 "name": "multiple_literal_types.mysql", 138 "obfuscated": [ 139 "INSERT INTO `X` values(?,?, ? , ?, ?)" 140 ], 141 "dialects": [ 142 "mysql" 143 ], 144 "sql": "INSERT INTO `X` values(\"test\",0, 1 , 2, 'test')" 145 }, 146 { 147 "name": "numbers_in_identifiers", 148 "obfuscated": [ 149 "SELECT c11.col1, c22.col2 FROM table c11, table c22 WHERE value=?" 150 ], 151 "dialects": [ 152 "mssql", 153 "mysql", 154 "postgres", 155 "oracle", 156 "cassandra", 157 "sqlite" 158 ], 159 "sql": "SELECT c11.col1, c22.col2 FROM table c11, table c22 WHERE value='nothing'" 160 }, 161 { 162 "name": "numeric_literals", 163 "sql": "INSERT INTO X VALUES(1, 23456, 123.456, 99+100)", 164 "obfuscated": [ 165 "INSERT INTO X VALUES(?, ?, ?, ?+?)", 166 "INSERT INTO X VALUES(?, ?, ?.?, ?+?)" 167 ], 168 "dialects": [ 169 "mssql", 170 "mysql", 171 "postgres", 172 "oracle", 173 "cassandra", 174 "sqlite" 175 ] 176 }, 177 { 178 "name": "string_double_quoted.mysql", 179 "obfuscated": [ 180 "SELECT * FROM table WHERE name=? AND value=?" 181 ], 182 "dialects": [ 183 "mysql" 184 ], 185 "sql": "SELECT * FROM table WHERE name=\"foo\" AND value=\"don't\"" 186 }, 187 { 188 "name": "string_single_quoted", 189 "obfuscated": [ 190 "SELECT * FROM table WHERE name=? AND value = ?" 191 ], 192 "dialects": [ 193 "mssql", 194 "mysql", 195 "postgres", 196 "oracle", 197 "cassandra", 198 "sqlite" 199 ], 200 "sql": "SELECT * FROM table WHERE name='foo' AND value = 'bar'" 201 }, 202 { 203 "name": "string_with_backslash_and_twin_single_quotes", 204 "obfuscated": [ 205 "SELECT * FROM table WHERE col=?" 206 ], 207 "dialects": [ 208 "mssql", 209 "mysql", 210 "postgres", 211 "oracle", 212 "cassandra", 213 "sqlite" 214 ], 215 "sql": "SELECT * FROM table WHERE col='foo\\''bar'", 216 "comments": [ 217 "If backslashes are being ignored in single-quoted strings", 218 "(standard_conforming_strings=on in PostgreSQL, or NO_BACKSLASH_ESCAPES is on", 219 "in MySQL), then this is valid SQL." 220 ] 221 }, 222 { 223 "name": "string_with_embedded_double_quote", 224 "obfuscated": [ 225 "SELECT * FROM table WHERE col1=? AND col2=?" 226 ], 227 "dialects": [ 228 "mssql", 229 "mysql", 230 "postgres", 231 "oracle", 232 "cassandra", 233 "sqlite" 234 ], 235 "sql": "SELECT * FROM table WHERE col1='foo\"bar' AND col2='what\"ever'" 236 }, 237 { 238 "name": "string_with_embedded_newline", 239 "obfuscated": [ 240 "select * from accounts where accounts.name != ? order by accounts.name" 241 ], 242 "dialects": [ 243 "mssql", 244 "mysql", 245 "postgres", 246 "oracle", 247 "cassandra", 248 "sqlite" 249 ], 250 "sql": "select * from accounts where accounts.name != 'dude \n newline' order by accounts.name" 251 }, 252 { 253 "name": "string_with_embedded_single_quote.mysql", 254 "obfuscated": [ 255 "SELECT * FROM table WHERE col1=? AND col2=?" 256 ], 257 "dialects": [ 258 "mysql" 259 ], 260 "sql": "SELECT * FROM table WHERE col1=\"don't\" AND col2=\"won't\"" 261 }, 262 { 263 "name": "string_with_escaped_quotes.mysql", 264 "sql": "INSERT INTO X values('', 'jim''s ssn',0, 1 , 'jim''s son''s son', \"\"\"jim''s\"\" hat\", \"\\\"jim''s secret\\\"\")", 265 "obfuscated": [ 266 "INSERT INTO X values(?, ?,?, ? , ?, ?, ?", 267 "INSERT INTO X values(?, ?,?, ? , ?, ?, ?)" 268 ], 269 "dialects": [ 270 "mysql" 271 ] 272 }, 273 { 274 "name": "string_with_trailing_backslash", 275 "sql": "SELECT * FROM table WHERE name='foo\\' AND color='blue'", 276 "obfuscated": [ 277 "SELECT * FROM table WHERE name=?", 278 "SELECT * FROM table WHERE name=? AND color=?" 279 ], 280 "dialects": [ 281 "mssql", 282 "mysql", 283 "postgres", 284 "oracle", 285 "cassandra", 286 "sqlite" 287 ], 288 "comments": [ 289 "If backslashes are being ignored in single-quoted strings", 290 "(standard_conforming_strings=on in PostgreSQL, or NO_BACKSLASH_ESCAPES is on", 291 "in MySQL), then this is valid SQL." 292 ] 293 }, 294 { 295 "name": "string_with_trailing_escaped_backslash.mysql", 296 "obfuscated": [ 297 "SELECT * FROM table WHERE foo=?" 298 ], 299 "dialects": [ 300 "mysql" 301 ], 302 "sql": "SELECT * FROM table WHERE foo=\"this string ends with a backslash\\\\\"" 303 }, 304 { 305 "name": "string_with_trailing_escaped_backslash_single_quoted", 306 "obfuscated": [ 307 "SELECT * FROM table WHERE foo=?" 308 ], 309 "dialects": [ 310 "mssql", 311 "mysql", 312 "postgres", 313 "oracle", 314 "cassandra", 315 "sqlite" 316 ], 317 "sql": "SELECT * FROM table WHERE foo='this string ends with a backslash\\\\'" 318 }, 319 { 320 "name": "string_with_trailing_escaped_quote", 321 "sql": "SELECT * FROM table WHERE name='foo\\'' AND color='blue'", 322 "obfuscated": [ 323 "SELECT * FROM table WHERE name=?", 324 "SELECT * FROM table WHERE name=? AND color=?" 325 ], 326 "dialects": [ 327 "mysql", 328 "postgres", 329 "oracle", 330 "cassandra", 331 "sqlite" 332 ] 333 }, 334 { 335 "name": "string_with_twin_single_quotes", 336 "obfuscated": [ 337 "INSERT INTO X values(?, ?,?, ? , ?)" 338 ], 339 "dialects": [ 340 "mssql", 341 "mysql", 342 "postgres", 343 "oracle", 344 "cassandra", 345 "sqlite" 346 ], 347 "sql": "INSERT INTO X values('', 'a''b c',0, 1 , 'd''e f''s h')" 348 }, 349 { 350 "name": "pathological/end_of_line_comments_with_quotes", 351 "sql": "SELECT * FROM t WHERE -- '\n bar='baz' -- '", 352 "obfuscated": [ 353 "SELECT * FROM t WHERE ?\n bar=? ?", 354 "SELECT * FROM t WHERE ?" 355 ], 356 "dialects": [ 357 "mysql", 358 "postgres", 359 "oracle", 360 "cassandra", 361 "sqlite" 362 ], 363 "pathological": true 364 }, 365 { 366 "name": "pathological/mixed_comments_and_quotes", 367 "sql": "SELECT * FROM t WHERE /* ' */ \n bar='baz' -- '", 368 "obfuscated": [ 369 "SELECT * FROM t WHERE ? \n bar=? ?", 370 "SELECT * FROM t WHERE ?" 371 ], 372 "dialects": [ 373 "mysql", 374 "postgres", 375 "oracle", 376 "cassandra", 377 "sqlite" 378 ], 379 "pathological": true 380 }, 381 { 382 "name": "pathological/mixed_quotes_comments_and_newlines", 383 "sql": "SELECT * FROM t WHERE -- '\n /* ' */ c2='xxx' /* ' */\n c='x\n xx' -- '", 384 "obfuscated": [ 385 "SELECT * FROM t WHERE ?\n ? c2=? ?\n c=? ?", 386 "SELECT * FROM t WHERE ?" 387 ], 388 "dialects": [ 389 "mysql", 390 "postgres", 391 "oracle", 392 "cassandra", 393 "sqlite" 394 ], 395 "pathological": true 396 }, 397 { 398 "name": "pathological/mixed_quotes_end_of_line_comments", 399 "sql": "SELECT * FROM t WHERE -- '\n c='x\n xx' -- '", 400 "obfuscated": [ 401 "SELECT * FROM t WHERE ?\n c=? ?", 402 "SELECT * FROM t WHERE ?" 403 ], 404 "dialects": [ 405 "mysql", 406 "postgres", 407 "oracle", 408 "cassandra", 409 "sqlite" 410 ], 411 "pathological": true 412 }, 413 { 414 "name": "pathological/quote_delimiters_in_comments", 415 "sql": "SELECT * FROM foo WHERE col='value1' AND /* don't */ col2='value1' /* won't */", 416 "obfuscated": [ 417 "SELECT * FROM foo WHERE col=? AND ? col2=? ?", 418 "SELECT * FROM foo WHERE col=? AND ?" 419 ], 420 "dialects": [ 421 "mysql", 422 "postgres", 423 "oracle", 424 "cassandra", 425 "sqlite" 426 ], 427 "pathological": true 428 }, 429 { 430 "name": "malformed/unterminated_double_quoted_string.mysql", 431 "sql": "SELECT * FROM table WHERE foo='bar' AND baz=\"nothing to see here'", 432 "dialects": [ 433 "mysql" 434 ], 435 "obfuscated": [ 436 "?" 437 ], 438 "malformed": true 439 }, 440 { 441 "name": "malformed/unterminated_single_quoted_string", 442 "sql": "SELECT * FROM table WHERE foo='bar' AND baz='nothing to see here", 443 "dialects": [ 444 "mysql", 445 "postgres", 446 "oracle", 447 "cassandra", 448 "sqlite" 449 ], 450 "obfuscated": [ 451 "?" 452 ], 453 "malformed": true 454 }, 455 { 456 "name": "dollar_quotes", 457 "sql": "SELECT * FROM \"foo\" WHERE \"foo\" = $a$dollar quotes can be $b$nested$b$$a$ and bar = 'baz'", 458 "obfuscated": [ 459 "SELECT * FROM \"foo\" WHERE \"foo\" = ? and bar = ?" 460 ], 461 "dialects": [ 462 "postgres" 463 ] 464 }, 465 { 466 "name": "variable_substitution_not_mistaken_for_dollar_quotes", 467 "sql": "INSERT INTO \"foo\" (\"bar\", \"baz\", \"qux\") VALUES ($1, $2, $3) RETURNING \"id\"", 468 "obfuscated": [ 469 "INSERT INTO \"foo\" (\"bar\", \"baz\", \"qux\") VALUES ($?, $?, $?) RETURNING \"id\"" 470 ], 471 "dialects": [ 472 "postgres" 473 ] 474 }, 475 { 476 "name": "non_quote_escape", 477 "sql": "select * from foo where bar = 'some\\tthing' and baz = 10", 478 "obfuscated": [ 479 "select * from foo where bar = ? and baz = ?" 480 ], 481 "dialects": [ 482 "mssql", 483 "mysql", 484 "postgres", 485 "oracle", 486 "cassandra", 487 "sqlite" 488 ] 489 }, 490 { 491 "name": "end_of_string_backslash_and_line_comment_with_quite", 492 "sql": "select * from users where user = 'user1\\' password = 'hunter 2' -- ->don't count this quote", 493 "obfuscated": [ 494 "select * from users where user = ?" 495 ], 496 "dialects": [ 497 "mysql", 498 "postgres", 499 "oracle", 500 "cassandra", 501 "sqlite" 502 ], 503 "pathological": true 504 }, 505 { 506 "name": "oracle_bracket_quote", 507 "sql": "select * from foo where bar=q'[baz's]' and x=5", 508 "obfuscated": [ 509 "select * from foo where bar=? and x=?" 510 ], 511 "dialects": [ 512 "oracle" 513 ] 514 }, 515 { 516 "name": "oracle_brace_quote", 517 "sql": "select * from foo where bar=q'{baz's}' and x=5", 518 "obfuscated": [ 519 "select * from foo where bar=? and x=?" 520 ], 521 "dialects": [ 522 "oracle" 523 ] 524 }, 525 { 526 "name": "oracle_angle_quote", 527 "sql": "select * from foo where bar=q'<baz's>' and x=5", 528 "obfuscated": [ 529 "select * from foo where bar=? and x=?" 530 ], 531 "dialects": [ 532 "oracle" 533 ] 534 }, 535 { 536 "name": "oracle_paren_quote", 537 "sql": "select * from foo where bar=q'(baz's)' and x=5", 538 "obfuscated": [ 539 "select * from foo where bar=? and x=?" 540 ], 541 "dialects": [ 542 "oracle" 543 ] 544 }, 545 { 546 "name": "cassandra_blobs", 547 "sql": "select * from foo where bar=0xabcdef123 and x=5", 548 "obfuscated": [ 549 "select * from foo where bar=? and x=?" 550 ], 551 "dialects": [ 552 "cassandra", 553 "sqlite" 554 ] 555 }, 556 { 557 "name": "hex_literals", 558 "sql": "select * from foo where bar=0x2F and x=5", 559 "obfuscated": [ 560 "select * from foo where bar=? and x=?" 561 ], 562 "dialects": [ 563 "mysql", 564 "cassandra", 565 "sqlite" 566 ] 567 }, 568 { 569 "name": "exponential_literals", 570 "sql": "select * from foo where bar=1.234e-5 and x=5", 571 "obfuscated": [ 572 "select * from foo where bar=? and x=?" 573 ], 574 "dialects": [ 575 "mysql", 576 "postgres", 577 "oracle", 578 "cassandra", 579 "sqlite" 580 ] 581 }, 582 { 583 "name": "negative_integer_literals", 584 "sql": "select * from foo where bar=-1.234e-5 and x=-5", 585 "obfuscated": [ 586 "select * from foo where bar=? and x=?" 587 ], 588 "dialects": [ 589 "mysql", 590 "postgres", 591 "oracle", 592 "cassandra", 593 "sqlite" 594 ] 595 }, 596 { 597 "name": "uuid", 598 "sql": "select * from foo where bar=01234567-89ab-cdef-0123-456789abcdef and x=5", 599 "obfuscated": [ 600 "select * from foo where bar=? and x=?" 601 ], 602 "dialects": [ 603 "postgres", 604 "cassandra" 605 ] 606 }, 607 { 608 "name": "uuid_with_braces", 609 "sql": "select * from foo where bar={01234567-89ab-cdef-0123-456789abcdef} and x=5", 610 "obfuscated": [ 611 "select * from foo where bar=? and x=?" 612 ], 613 "dialects": [ 614 "postgres" 615 ] 616 }, 617 { 618 "name": "uuid_no_dashes", 619 "sql": "select * from foo where bar=0123456789abcdef0123456789abcdef and x=5", 620 "obfuscated": [ 621 "select * from foo where bar=? and x=?" 622 ], 623 "dialects": [ 624 "postgres" 625 ] 626 }, 627 { 628 "name": "uuid_random_dashes", 629 "sql": "select * from foo where bar={012-345678-9abc-def012345678-9abcdef} and x=5", 630 "obfuscated": [ 631 "select * from foo where bar=? and x=?" 632 ], 633 "dialects": [ 634 "postgres" 635 ] 636 }, 637 { 638 "name": "booleans", 639 "sql": "select * from truestory where bar=true and x=FALSE", 640 "obfuscated": [ 641 "select * from truestory where bar=? and x=?" 642 ], 643 "dialects": [ 644 "mysql", 645 "postgres", 646 "cassandra", 647 "sqlite" 648 ] 649 } 650 ]